Also of note: firewall6.rules doesn't exist on any of the hosts I'm running
this playbook against, so it should be skipping the entire block, but it's
not.
On Thursday, 11 October 2018 14:14:15 UTC-7, Guy Knights wrote:
>
> I have the following tasks in a block, which I've modified to use the new
> 'loop' structure:
>
> - name: process ipv6 rules if they exist
>   block:
>     - name: create all ipv6 firewall log statements from 'firewall' variable
>       iptables:
>         ip_version: ipv6
>         comment: "{{ item.0.comment|default(omit) }}"
>         destination: "{{ item.0.destination|default(omit) }}"
>         destination_port: "{{ item.0.destination_port|default(omit) }}"
>         source: "{{ item.1 }}"
>         source_port: "{{ item.0.source_port|default(omit) }}"
>         protocol: "{{ item.0.protocol|default(omit) }}"
>         jump: "LOG"
>         chain: "{{ item.0.chain|default('INPUT') }}"
>         ctstate: "{{ item.0.state|default('NEW') }}"
>         in_interface: "{{ item.0.in_interface|default(omit) }}"
>         out_interface: "{{ item.0.out_interface|default(omit) }}"
>         limit: "3/minute"
>         limit_burst: 10
>         # log_prefix: "[ FIREWALL ] " # ( will be added in ansible 2.5 )
>         state: present
>       when: item.0.log is defined and item.0.log == 'yes'
>       loop: "{{ firewall6.rules|subelements('source') }}"
>       notify:
>         - save ip6tables
>
>     - name: apply ipv6 rules using 'firewall' variable defined in inventory vars
>       iptables:
>         ip_version: ipv6
>         comment: "{{ item.0.comment|default(omit) }}"
>         destination: "{{ item.0.destination|default(omit) }}"
>         destination_port: "{{ item.0.destination_port|default(omit) }}"
>         source: "{{ item.1 }}"
>         source_port: "{{ item.0.source_port|default(omit) }}"
>         protocol: "{{ item.0.protocol|default(omit) }}"
>         jump: "{{ item.0.rule|default('ACCEPT') }}"
>         chain: "{{ item.0.chain|default('INPUT') }}"
>         ctstate: "{{ item.0.state|default(omit) }}"
>         in_interface: "{{ item.0.in_interface|default(omit) }}"
>         out_interface: "{{ item.0.out_interface|default(omit) }}"
>         state: present
>       loop: "{{ firewall6.rules|subelements('source') }}"
>       notify:
>         - save ip6tables
>
>   when: firewall6 is defined and firewall6.rules is defined
>
> When I run this I get the following error:
>
> TASK [firewall : create all ipv6 firewall log statements from 'firewall' variable] *************************************
> fatal: [172.20.0.88]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
> fatal: [172.20.0.77]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
> fatal: [172.20.0.55]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
>
>
> I changed the first task to use 'with_subelements' as follows:
>
> - name: create all ipv6 firewall log statements from 'firewall' variable
>   iptables:
>     ip_version: ipv6
>     comment: "{{ item.0.comment|default(omit) }}"
>     destination: "{{ item.0.destination|default(omit) }}"
>     destination_port: "{{ item.0.destination_port|default(omit) }}"
>     source: "{{ item.1 }}"
>     source_port: "{{ item.0.source_port|default(omit) }}"
>     protocol: "{{ item.0.protocol|default(omit) }}"
>     jump: "LOG"
>     chain: "{{ item.0.chain|default('INPUT') }}"
>     ctstate: "{{ item.0.state|default('NEW') }}"
>     in_interface: "{{ item.0.in_interface|default(omit) }}"
>     out_interface: "{{ item.0.out_interface|default(omit) }}"
>     limit: "3/minute"
>     limit_burst: 10
>     # log_prefix: "[ FIREWALL ] " # ( will be added in ansible 2.5 )
>     state: present
>   when: item.0.log is defined and item.0.log == 'yes'
>   with_subelements:
>     - "{{ firewall6.rules }}"
>     - source
>   notify:
>     - save ip6tables
>
> When I re-run the playbook it now skips the task, as intended:
>
> TASK [firewall : create all ipv6 firewall log statements from 'firewall' variable] *************************************
> skipping: [172.20.0.88]
> skipping: [172.20.0.77]
> skipping: [172.20.0.55]
>
> Can anyone tell me why this is happening?
>
> Thanks,
> Guy
>
>
>
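
One way to make the `loop` form skip cleanly on hosts without `firewall6.rules`, shown on the first task (an added example, not part of the original post; the variable and handler names are taken from the post). It assumes the failure comes from the loop expression being templated before `when` is evaluated, so the `subelements` filter receives an undefined value; the `default` filters hand it an empty list instead.

```yaml
- name: process ipv6 rules if they exist
  block:
    - name: create all ipv6 firewall log statements from 'firewall' variable
      iptables:
        ip_version: ipv6
        comment: "{{ item.0.comment|default(omit) }}"
        destination: "{{ item.0.destination|default(omit) }}"
        destination_port: "{{ item.0.destination_port|default(omit) }}"
        source: "{{ item.1 }}"
        source_port: "{{ item.0.source_port|default(omit) }}"
        protocol: "{{ item.0.protocol|default(omit) }}"
        jump: "LOG"
        chain: "{{ item.0.chain|default('INPUT') }}"
        ctstate: "{{ item.0.state|default('NEW') }}"
        in_interface: "{{ item.0.in_interface|default(omit) }}"
        out_interface: "{{ item.0.out_interface|default(omit) }}"
        limit: "3/minute"
        limit_burst: 10
        state: present
      # 'when' on a looped task is checked once per item, after the loop
      # list has been built, so it cannot protect the loop expression.
      when: item.0.log is defined and item.0.log == 'yes'
      # Guard the expression itself: an undefined firewall6 becomes {},
      # an undefined rules key becomes [], and subelements() of an empty
      # list yields no items, so the task is skipped instead of failing.
      loop: "{{ (firewall6 | default({})).rules | default([]) | subelements('source') }}"
      notify:
        - save ip6tables

  # The block-level condition is copied onto each task in the block and is
  # evaluated at the same point as the task's own 'when'.
  when: firewall6 is defined and firewall6.rules is defined
```

The second task in the block needs the same guarded `loop` expression.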