community.general.iptables_state – Save iptables state into a file or restore it from a file¶
Note
This plugin is part of the community.general collection (version 2.5.1).
To install it use: ansible-galaxy collection install community.general
.
To use it in a playbook, specify: community.general.iptables_state
.
New in version 1.1.0: of community.general
Synopsis¶
iptables
is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.This module handles the saving and/or loading of rules. This is the same as the behaviour of the
iptables-save
andiptables-restore
(orip6tables-save
andip6tables-restore
for IPv6) commands which this module uses internally.Modifying the state of the firewall remotely may lead to loose access to the host in case of mistake in new ruleset. This module embeds a rollback feature to avoid this, by telling the host to restore previous rules if a cookie is still there after a given delay, and all this time telling the controller to try to remove this cookie on the host through a new connection.
Note
This module has a corresponding action plugin.
Requirements¶
The below requirements are needed on the host that executes this module.
iptables
ip6tables
Parameters¶
Notes¶
Note
The rollback feature is not a module option and depends on task’s attributes. To enable it, the module must be played asynchronously, i.e. by setting task attributes poll to
0
, and async to a value less or equal toANSIBLE_TIMEOUT
. If async is greater, the rollback will still happen if it shall happen, but you will experience a connection timeout instead of more relevant info returned by the module after its failure.This module supports check_mode.
Examples¶
# This will apply to all loaded/active IPv4 tables.
- name: Save current state of the firewall in system file
community.general.iptables_state:
state: saved
path: /etc/sysconfig/iptables
# This will apply only to IPv6 filter table.
- name: save current state of the firewall in system file
community.general.iptables_state:
ip_version: ipv6
table: filter
state: saved
path: /etc/iptables/rules.v6
# This will load a state from a file, with a rollback in case of access loss
- name: restore firewall state from a file
community.general.iptables_state:
state: restored
path: /run/iptables.apply
async: "{{ ansible_timeout }}"
poll: 0
# This will load new rules by appending them to the current ones
- name: restore firewall state from a file
community.general.iptables_state:
state: restored
path: /run/iptables.apply
noflush: true
async: "{{ ansible_timeout }}"
poll: 0
# This will only retrieve information
- name: get current state of the firewall
community.general.iptables_state:
state: saved
path: /tmp/iptables
check_mode: yes
changed_when: false
register: iptables_state
- name: show current state of the firewall
ansible.builtin.debug:
var: iptables_state.initial_state
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Authors¶
quidame (@quidame)