Possible bug in iptables module

Hello everybody!

I’m having problems with the iptables module trying to execute this task:

- iptables:
    chain: INPUT
    match: conntrack
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT

This leads to this error:

TASK [iptables] ****************************************************************
fatal: [default]: FAILED! => {"changed": false, "cmd": "/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED", "failed": true, "msg": "iptables v1.4.21: conntrack: At least one option is required\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.4.21: conntrack: At least one option is required\nTry `iptables -h' or 'iptables --help' for more information.\n", "stdout": "", "stdout_lines": }

Did anyone hit this issue and have a solution? If not I can submit a bug report.

Thank you!

Seems like a bug to me.

Technically, the conntrack match supersedes - and so obsoletes - the
state match. But practically the state match is not obsoleted in any
way.

The ansible iptables module is doing:

/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED

So, there is no argument passed to the conntrack match. Ideally, it
should have been:

/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctstate ESTABLISHED,RELATED

For now it seems that you can get around this problem by
removing/commenting 'match: conntrack' and then the module will
produce:

/sbin/iptables -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
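As an added illustration (not Ansible's own module code), the snippet below models the argument assembly Nehal describes: the buggy order that emits a bare "-m conntrack", the corrected order that renders ctstate as "--ctstate", and a small lint that flags a conntrack match with no option, which is exactly what iptables v1.4.21 rejects. The function names and the argument builder are hypothetical simplifications of the real module.

```python
"""Model of the iptables command assembly discussed in the thread.
build_buggy() reproduces the argv from the error report; build_fixed()
shows the corrected rendering; conntrack_missing_options() is a lint
that catches the failure mode before the rule is ever applied.
These helpers are hypothetical, not Ansible's implementation."""

# Every option of the conntrack match starts with "--ct" (--ctstate,
# --ctproto, --ctorigsrc, --ctdir, ...), so that prefix is enough for the lint.
CONNTRACK_OPT_PREFIX = "--ct"


def build_buggy(chain, ctstate, match=None, jump="ACCEPT"):
    """Argument order from the thread: '-m conntrack' is appended with no
    option, and ctstate is rendered through the legacy '-m state --state'."""
    args = ["/sbin/iptables", "-t", "filter", "-A", chain]
    if match:
        args += ["-m", match]
    args += ["-j", jump]
    if ctstate:
        args += ["-m", "state", "--state", ctstate]
    return args


def build_fixed(chain, ctstate, match=None, jump="ACCEPT"):
    """Corrected rendering: when the conntrack match is requested, ctstate
    becomes '--ctstate' directly after '-m conntrack'; without that match
    the legacy state match is kept so older playbooks keep working."""
    args = ["/sbin/iptables", "-t", "filter", "-A", chain]
    if match == "conntrack":
        args += ["-m", "conntrack"]
        if ctstate:
            args += ["--ctstate", ctstate]
    else:
        if match:
            args += ["-m", match]
        if ctstate:
            args += ["-m", "state", "--state", ctstate]
    args += ["-j", jump]
    return args


def conntrack_missing_options(args):
    """True when '-m conntrack' is present but no conntrack option follows
    anywhere in argv (iptables: 'conntrack: At least one option is required')."""
    uses_conntrack = any(
        a == "-m" and args[i + 1] == "conntrack" for i, a in enumerate(args[:-1])
    )
    has_option = any(a.startswith(CONNTRACK_OPT_PREFIX) for a in args)
    return uses_conntrack and not has_option


if __name__ == "__main__":
    for builder in (build_buggy, build_fixed):
        argv = builder("INPUT", "ESTABLISHED,RELATED", match="conntrack")
        print(" ".join(argv), "-> rejected" if conntrack_missing_options(argv) else "-> ok")
```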

Right!

Ok, so I just filed an issue in the Ansible repo: https://github.com/ansible/ansible/issues/21467

Thanks for the feedback, Nehal!