Nordeus/ansible_iptables_raw

Make path for saving rules configurable

Opened this issue · 6 comments

For example, on Ubuntu with the iptables-persistent package, it should be /etc/iptables/rules.v{4,6}. This can be solved by creating symlinks, but that is a sloppy solution.

We don't want to make it configurable, because it would make using the module a lot harder. If you have to write a parameter e.g. save_path=/etc/iptables/rules.v4 every time you write an iptables_raw task, it is too error prone, since if you forget it once, it won't work correctly. It's a lot easier to create a symlink once and you are done.

But, we do want to make the module detect what distribution it is and save the rules in a different location depending on the detected distribution. This should be relatively easy to do, since Ansible has support for detecting distributions, but we will have to check where each distribution stores this file.

I guess on Ubuntu/Debian systems iptables-persistent is the only way and that is the correct location to save the file?

> I guess on Ubuntu/Debian systems iptables-persistent is the only way and that is the correct location to save the file?

Nope :( Unlike RedHat, in Debian there is no default way to save iptables rules. AFAIK, a very popular solution is putting this into the interfaces file:

```
auto lo
iface lo inet loopback
post-up /sbin/iptables-restore /etc/network/iptables
```

iptables-persistent is the only standard way that you can find in the repositories, but it is optional. For example, it won't be enough for guys using ipset.

Also, in Ubuntu ufw may be used, and in RedHat firewalld.

So, I think the best algorithm would be this:

  • create rules.v{4,6} in /etc/ansible-iptables
  • if ansible_os_family='RedHat', create symlinks in /etc/sysconfig/iptables
  • if ansible_os_family='Debian' and the iptables-persistent package is installed, create symlinks in /etc/iptables/rules.v{4,6}

> Nope :( Unlike RedHat, in Debian there is no default way to save iptables rules. AFAIK, a very popular solution is putting this into the interfaces file:
>
> auto lo
> iface lo inet loopback
> post-up /sbin/iptables-restore /etc/network/iptables

If there is no default way in Debian, then it doesn't matter that much where we are going to put the file, since you have to set this up manually anyway; if you can set it up manually, then you can make it use the path this module creates.

If iptables-persistent is the only standard way found in the repositories, then it makes sense to always use its path, since custom solutions can adjust to it.

> Also, in Ubuntu ufw may be used, and in RedHat firewalld.

Of course, but if you are using ufw or firewalld, you won't be using this module anyway.

> So, I think the best algorithm would be this:
>
>   • create rules.v{4,6} in /etc/ansible-iptables
>   • if ansible_os_family='RedHat', create symlinks in /etc/sysconfig/iptables
>   • if ansible_os_family='Debian' and the iptables-persistent package is installed, create symlinks in /etc/iptables/rules.v{4,6}

I don't want the module to check whether the package is installed or not, since that could make the whole module a lot slower. Also, there isn't much point in creating symlinks instead of saving the rules directly into a distribution-specific location, since it's not like that location is going to change for a specific host.

The documentation would state where the file will be saved for all supported distributions; we could even make the module return the path to the rules file, so that you can register it and e.g. use it in your custom solution (since that should also be automated with Ansible).

> we could even make the module return the path to the rules file

Returning the rules file path is a good idea.

> The documentation would state where the file will be saved for all supported distributions

For ansible_os_family='RedHat' it definitely should be /etc/sysconfig/ip{,6}tables; it is the default that comes with the iptables package. For ansible_os_family='Debian' it is a little tricky, because the iptables-persistent package is optional and a lot of installations don't use it, but /etc/iptables/rules.v{4,6} may be a reasonable default.

Anyway, I don't like the idea of a fixed path anywhere; it reduces flexibility. For example, some embedded system may have /etc mounted read-only, and a small bunch of writable files mounted somewhere in /var/config. IMHO having a reasonable default is good, but the option to change it should still exist. If the user chooses to store rules in a non-default location, then he gets the responsibility to point to this location in every task.

> Anyway, I don't like the idea of a fixed path anywhere; it reduces flexibility. For example, some embedded system may have /etc mounted read-only, and a small bunch of writable files mounted somewhere in /var/config. IMHO having a reasonable default is good, but the option to change it should still exist. If the user chooses to store rules in a non-default location, then he gets the responsibility to point to this location in every task.

I agree. Having good defaults per distribution is good, but making it configurable gives you more flexibility. I checked the Ansible core a little bit and we'll probably add this feature when 2.2 is released, since they changed the code for gathering distribution facts, so we would have to write different code for 2.1 and 2.2+.

We might add a new parameter for a custom save path sooner, since it's very easy to add, but first I would like users to try the module a little and see how it works for them.
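The scheme the thread converges on (a per-distribution default keyed on ansible_os_family, an optional override for hosts like the read-only /etc case, and returning the path so a task can register it) as an added Python example. This is not the project's code: DEFAULT_RULES_PATHS, resolve_rules_path, save_rules, demo and the save_path parameter name are assumptions, and the sample ruleset is constructed. It goes slightly beyond the discussion by writing the file atomically with owner-only permissions and by failing up front when the target directory is not writable.

```python
import os
import stat
import tempfile

# Default save locations keyed by ansible_os_family, as discussed in this
# issue: RedHat ships /etc/sysconfig/ip{,6}tables with the iptables package;
# Debian/Ubuntu use /etc/iptables/rules.v{4,6} when iptables-persistent is
# installed. Families not listed here get no default on purpose.
DEFAULT_RULES_PATHS = {
    "RedHat": {"ipv4": "/etc/sysconfig/iptables", "ipv6": "/etc/sysconfig/ip6tables"},
    "Debian": {"ipv4": "/etc/iptables/rules.v4", "ipv6": "/etc/iptables/rules.v6"},
}

# Constructed sample ruleset in iptables-save format, used by demo().
SAMPLE_RULES = (
    "*filter\n"
    ":INPUT DROP [0:0]\n"
    ":FORWARD DROP [0:0]\n"
    ":OUTPUT ACCEPT [0:0]\n"
    "-A INPUT -i lo -j ACCEPT\n"
    "COMMIT\n"
)


def resolve_rules_path(os_family, ip_version="ipv4", save_path=None):
    """Pick the file to save rules into.

    save_path (a hypothetical module parameter) wins over the distribution
    default. A family with no default and no save_path is an error rather
    than a silent fallback, so a task never writes rules to a location that
    nothing will restore from at boot.
    """
    if save_path:
        return save_path
    try:
        return DEFAULT_RULES_PATHS[os_family][ip_version]
    except KeyError:
        raise ValueError(
            "no default rules path for os_family=%r/%s; set save_path"
            % (os_family, ip_version)
        )


def save_rules(rules_text, path):
    """Write rules_text to path atomically with mode 0600.

    A rules file describes the host's network policy, so it is kept
    owner-only (the mode RedHat's own /etc/sysconfig/iptables ships with).
    The parent directory is checked first so a read-only /etc (the embedded
    case raised in the thread) fails with a clear message instead of a
    half-written file. Returns the path so a task can register it.
    """
    directory = os.path.dirname(path) or "."
    if not os.access(directory, os.W_OK):
        raise OSError("%s is not writable; point save_path at a writable location" % directory)
    # mkstemp creates the temp file with mode 0600 in the target directory,
    # so the rename below is atomic and never exposes a world-readable file.
    fd, tmp = tempfile.mkstemp(prefix=".rules.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(rules_text)
        os.rename(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def demo():
    """Resolve a path with an override and save the sample rules into a scratch dir.

    Returns (path written, permission bits, file content) for inspection.
    """
    scratch = tempfile.mkdtemp()
    path = resolve_rules_path("Debian", save_path=os.path.join(scratch, "rules.v4"))
    written = save_rules(SAMPLE_RULES, path)
    mode = stat.S_IMODE(os.stat(written).st_mode)
    with open(written) as fh:
        content = fh.read()
    return written, mode, content


if __name__ == "__main__":
    print(resolve_rules_path("RedHat", "ipv6"))
    print(demo())
```

Because the default table is keyed on the same value Ansible exposes as ansible_os_family, a module can pass the fact straight through; only hosts outside the table, or hosts that need a non-default location, have to carry save_path on every task, which is the trade-off described above.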

👍 because I'm managing a custom Linux where the rules path is /usr/share/iptables-settings by default.
It is possible to change the default, but I think it limits the module too much. We might default to using either Ubuntu's or RedHat's convention if no path is defined, IMHO.