Rewrite iptables rules with Ansible module

The iptables module in Ansible checks if the rule already exists and is therefore idempotent. The original iptables rule is not, so the rules get longer and longer. Change-Id: Id3162bd9b53a2fcda57aace484706c1cc4217578 Signed-off-by: Tapio Tallgren <tapio.tallgren@nokia.com>
2018-01-23 19:31:57 +02:00 · 2018-01-23 19:31:57 +02:00 · 7676c5bc52
parent 2129f9264c
commit 7676c5bc52
1 changed files with 12 additions and 8 deletions
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -266,14 +266,18 @@
    dest: "{{ deploy_image }}"
  when: use_cirros | bool == true
 - name: >
-    "Explicitly permit nginx port (TCP) for
-    file downloads from nodes to be provisioned"
-  command: >
-    iptables -I INPUT -p tcp --dport {{file_url_port}}
-    -i {{network_interface}} -j ACCEPT
- name: "Explicitly permit TCP/6385 for IPA callback"
-  command: >
-    iptables -I INPUT -p tcp --dport 6385 -i {{ network_interface }} -j ACCEPT
+    "Explicitly permit nginx port (TCP) for file downloads from nodes to be provisioned
+     and TCP/6385 for IPA callback"
+  iptables:
+    chain: INPUT
+    action: insert
+    protocol: tcp
+    destination_port: "{{ item }}"
+    in_interface: "{{ network_interface }}"
+    jump: ACCEPT
+  with_items:
+    - "{{ file_url_port }}"
+    - 6385
 - block:
    - name: "Explicitly allow nginx and IPA port (TCP) on selinux"
      seport: