debops / ansible-ferm

Manage iptables firewall using ferm
GNU General Public License v3.0

comma-separated Connection state doesn't work #115

Closed laukaichung closed 6 years ago

laukaichung commented 6 years ago

From the document

state

Optional. Connection state which should be matched. 
Possible values: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED 
or comma-separated combination thereof.

So I tried this:

ferm__rules:
  - type: 'accept'
    name: 'allow_tcp_9200'
    comment: 'Allow outgoing Elasticsearch api port'
    dport: '9200'
    chain: 'INPUT'
    protocol: 'tcp'
    target: 'ACCEPT'
    state: 'NEW,ESTABLISHED'

But it complained that the comma is invalid. I had to put the states in () without a comma to get it to work.

ferm__rules:
  - type: 'accept'
    name: 'allow_tcp_9200'
    comment: 'Allow outgoing Elasticsearch api port'
    dport: '9200'
    chain: 'INPUT'
    protocol: 'tcp'
    target: 'ACCEPT'
    state: '(NEW ESTABLISHED)'

drybjed commented 6 years ago

Hi. I checked your example and you're right, it breaks. It seems to be a documentation bug; this section of the documentation was added about two years ago and hasn't been updated since.

You should be able to use a YAML list instead of this awkward string:

---
ferm__rules:
  - type: 'accept'
    name: 'allow_tcp_9200'
    state: [ 'NEW', 'ESTABLISHED' ]

This syntax works OK.
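As an added example (not part of the thread and not the ansible-ferm role's own code): a small Python helper that accepts the three spellings of `state` seen above (comma-separated string, the `(NEW ESTABLISHED)` workaround, and the YAML list), validates them against the documented set of states, and renders the ferm match clause. The final rule layout in `ferm_rule` is a hypothetical rendering for illustration, not the role's Jinja template.

```python
import re

# Connection states the ansible-ferm documentation quoted in the issue allows for 'state'
VALID_STATES = {"INVALID", "ESTABLISHED", "NEW", "RELATED", "UNTRACKED"}


def normalize_state(value):
    """Accept a YAML list, a comma- or whitespace-separated string, or the
    '(NEW ESTABLISHED)' ferm-array workaround; return a de-duplicated list
    of validated state names in their original order."""
    if isinstance(value, (list, tuple)):
        tokens = [str(v) for v in value]
    elif isinstance(value, str):
        # Drop surrounding parentheses, then split on commas and/or whitespace
        tokens = re.split(r"[\s,]+", value.strip().strip("()").strip())
    else:
        raise TypeError("state must be a string or a list")
    tokens = [t.upper() for t in tokens if t]
    unknown = [t for t in tokens if t not in VALID_STATES]
    if unknown:
        # Catches typos such as 'ESTABILISHED' before they reach ferm
        raise ValueError("unknown connection state(s): %s" % ", ".join(unknown))
    if not tokens:
        raise ValueError("state must name at least one connection state")
    ordered = []
    for t in tokens:
        if t not in ordered:
            ordered.append(t)
    return ordered


def ferm_state_match(value):
    """Render the 'mod state state ...' clause. ferm arrays are
    whitespace-separated inside parentheses, never comma-separated,
    which is why 'NEW,ESTABLISHED' fails and '(NEW ESTABLISHED)' works."""
    states = normalize_state(value)
    if len(states) == 1:
        return "mod state state %s" % states[0]
    return "mod state state (%s)" % " ".join(states)


def ferm_rule(rule):
    """Hypothetical rendering of one ferm__rules entry into a ferm rule line
    (assumed layout; the real role template is not shown in the issue)."""
    parts = ["proto %s" % rule["protocol"], "dport %s" % rule["dport"]]
    if "state" in rule:
        parts.append(ferm_state_match(rule["state"]))
    parts.append(rule["target"])
    return " ".join(parts) + ";"
```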