search

ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0
834 stars 1.54k forks source link

ufw: changing policy ignores state #1843

Open FloMiau opened 3 years ago

FloMiau commented 3 years ago

Summary

A policy change is executed even if the same policy is set causing delays and disconnects

Issue Type

Bug Report

Component Name

ufw

Ansible Version

ansible 2.10.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/florian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/florian/py_venv/lib/python3.6/site-packages/ansible
  executable location = /home/florian/py_venv/bin/ansible
  python version = 3.6.9 (default, Oct  8 2020, 12:12:24) [GCC 8.4.0]

2.9.13 is also affected

Configuration

ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=5m
DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['timer', 'profile_tasks', 'profile_roles']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 20

OS / Environment

Source Ubuntu 18.04 Target Debian 10.8, Ubuntu 18.04/20.04

Steps To Reproduce

---
- name: ufw test
  hosts: all
  remote_user: test
  strategy: linear
  tasks:
  - name: Configure ufw defaults
    ufw:
      direction: "{{ item.direction }}"
      policy: "{{ item.policy }}"
    with_items:
      - { direction: 'incoming', policy: 'deny' }
      - { direction: 'outgoing', policy: 'allow' }
    become: true

Expected Results

Nothing happens, since the state before is this:

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)

Actual Results

Here are the commands, that are used for a policy change.


        "/usr/sbin/ufw status verbose",
        "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules",
        "/usr/sbin/ufw default allow outgoing",
        "/usr/sbin/ufw status verbose",
        "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules"

The "/usr/sbin/ufw default allow outgoing" causes ufw - I think - to drop all or some connections.

Changing the policy takes about 6 seconds, it takes Ansible a lot of time to reconnect. If I have a lot of hosts in my list some of them are failing this task with a disconnect.

ansibullbot commented 3 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 3 years ago

cc @ahtik @ovcharenko @pyykkis click here for bot help

felixfontein commented 3 years ago

From the code, it looks like the current state is only looked at for check mode, but for non-check mode, it simply calls ufw and compares output before and after to determine whether something changed.

ansibullbot commented 2 years ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help