Iptables module fragment option

I’m trying to add an iptables rule that uses the fragment option, and I cannot work out how to get it working using Ansible’s iptables module.

Here’s my task:

  - name: drop fragmented packets
    iptables:
      jump: DROP
      chain: INPUT
      fragment: True
      action: append
      state: present

When I run this it fails with the following error:

FAILED! => {"changed": false, "cmd": "/sbin/iptables -t filter -A INPUT -j DROP -f True", "msg": "Bad argument `True'\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "Bad argument `True'\nTry `iptables -h' or 'iptables --help' for more information.\n", "stderr_lines": ["Bad argument `True'", "Try `iptables -h' or 'iptables --help' for more information."], "stdout": "", "stdout_lines": []}

So it’s passing 'True' as a parameter to the '-f' flag in the iptables command.

I tried again, this time removing the ‘True’ from the fragment option:

  - name: drop fragmented packets
    iptables:
      jump: DROP
      chain: INPUT
      fragment:
      action: append
      state: present

This time it just adds the rule without the ‘-f’ option to iptables, so the rule just drops everything - obviously not the behaviour I want.

So I looked at the module’s code and saw that it expects a string, so next I tried the following:

  - name: drop fragmented packets
    iptables:
      jump: DROP
      chain: INPUT
      fragment: ''
      action: append
      state: present

This time, it fails with the following error:

FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"master:/root/mitogen/ansible_mitogen/runner.py\", line 883, in _run\n    self._run_code(code, mod)\n  File \"master:/root/mitogen/ansible_mitogen/runner.py\", line 862, in _run_code\n    exec('exec code in vars(mod)')\n  File \"<string>\", line 1, in <module>\n  File \"master:/usr/local/ansible/lib/ansible/modules/system/iptables.py\", line 634, in <module>\n  File \"master:/usr/local/ansible/lib/ansible/modules/system/iptables.py\", line 581, in main\n  File \"master:/usr/local/ansible/lib/ansible/modules/system/iptables.py\", line 434, in construct_rule\n  File \"master:/usr/local/ansible/lib/ansible/modules/system/iptables.py\", line 386, in append_param\nIndexError: string index out of range\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

The problem in this case is that the code is using the first character of the parameter to check for the negation/! option for the -f flag in iptables, so it fails due to the empty string.

How do I use the fragment option correctly?

Thanks,
Guy
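As an added example (not part of the original post and not Ansible's own source), the following Python models the parameter handling the post describes: `append_param_as_described` is a reconstruction, from the traceback and the explanation above, of a value being appended after its flag with the first character checked for `!`, and `append_flag` is a hypothetical hardened variant for argument-less iptables options such as `-f`. `IPTABLES_BASE`, `build_rule` and `raises_index_error` are names chosen for this example.

```python
# Added example: a model of the behaviour described in the post, not the
# module's real code. append_param_as_described reproduces the three
# failures (-f True, flag silently dropped, IndexError on ''); append_flag
# is a hypothetical hardened handler for flags that take no argument.

IPTABLES_BASE = ['/sbin/iptables', '-t', 'filter', '-A', 'INPUT', '-j', 'DROP']


def append_param_as_described(rule, param, flag):
    """Reconstructed behaviour (assumption): param is a str or None."""
    if param is not None:
        if param[0] == '!':              # IndexError on '' (third attempt)
            rule.extend(['!', flag, param[1:]])
        else:
            rule.extend([flag, param])   # 'True' becomes '-f True' (first attempt)
    return rule


def append_flag(rule, param, flag):
    """Hypothetical hardened variant for argument-less flags such as -f:
    True/'match' -> flag, '!'/'negate' -> negated flag, None/False/'' -> unset."""
    if param in (None, False, ''):
        return rule
    if param is True or param == 'match':
        rule.append(flag)
    elif param in ('!', 'negate'):
        rule.extend(['!', flag])
    else:
        # Reject anything else so a stray value never reaches the command line.
        raise ValueError('%s takes no argument, got %r' % (flag, param))
    return rule


def build_rule(fragment, hardened=False):
    """argv the post's task would produce for a given fragment value."""
    append = append_flag if hardened else append_param_as_described
    return append(list(IPTABLES_BASE), fragment, '-f')


def raises_index_error(fragment):
    """True if the reconstructed handling crashes on this value, as it does on ''."""
    try:
        build_rule(fragment)
    except IndexError:
        return True
    return False


if __name__ == '__main__':
    print(' '.join(build_rule('True')))               # ... -j DROP -f True
    print(' '.join(build_rule(True, hardened=True)))  # ... -j DROP -f
    print(' '.join(build_rule('!', hardened=True)))   # ... -j DROP ! -f
```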