From 909e9fe9508804b2e18b755ef36060861cde5228 Mon Sep 17 00:00:00 2001
From: quidame
Date: Thu, 27 May 2021 08:47:16 +0200
Subject: [PATCH] fix a regression in initialization_from_null_state() (iptables-nft > 1.8.2) (#2604)
---
 plugins/modules/system/iptables_state.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/plugins/modules/system/iptables_state.py b/plugins/modules/system/iptables_state.py
index 326db862bc..66ba2c9b20 100644
--- a/plugins/modules/system/iptables_state.py
+++ b/plugins/modules/system/iptables_state.py
@@ -304,7 +304,7 @@ def write_state(b_path, lines, changed):
 return changed
-def initialize_from_null_state(initializer, initcommand, table):
+def initialize_from_null_state(initializer, initcommand, fallbackcmd, table):
 ''' This ensures iptables-state output is suitable for iptables-restore to roll back to it, i.e. iptables-save output is not empty. This also works for the
@@ -315,8 +315,14 @@ def initialize_from_null_state(initializer, initcommand, table):
 commandline = list(initializer)
 commandline += ['-t', table]
- (rc, out, err) = module.run_command(commandline, check_rc=True)
+ dummy = module.run_command(commandline, check_rc=True)
 (rc, out, err) = module.run_command(initcommand, check_rc=True)
+ if '*%s' % table not in out.splitlines():
+ # The last resort.
+ iptables_input = '*%s\n:OUTPUT ACCEPT\nCOMMIT\n' % table
+ dummy = module.run_command(fallbackcmd, data=iptables_input, check_rc=True)
+ (rc, out, err) = module.run_command(initcommand, check_rc=True)
+
 return rc, out, err
@@ -401,6 +407,7 @@ def main():
 INITCOMMAND = [bin_iptables_save]
 INITIALIZER = [bin_iptables, '-L', '-n']
 TESTCOMMAND = [bin_iptables_restore, '--test']
+ FALLBACKCMD = [bin_iptables_restore]
 if counters:
 COMMANDARGS.append('--counters')
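Review bot: The docstring under the new signature (hunk at -304) still describes only the listing step, although `fallbackcmd` now lets this helper load rules into the running firewall. Add a sentence such as `If the table is still missing from the save output, an empty table is loaded through fallbackcmd (iptables-restore).` so callers know the function can write as well as read. The docstring runs past the end of this hunk, so the placement has to be checked against the full file.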
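Review bot: The fallback branch in the hunk at -315 feeds a ruleset to `fallbackcmd` through `run_command` unconditionally, and neither this hunk nor the three call sites in the last hunk show a `module.check_mode` test, so a dry run may still commit a table to the kernel. If that is deliberate because no initial state can be computed otherwise, the comment should say so instead of `# The last resort.`, for example `# With iptables-nft > 1.8.2 the listing above may leave the table out of the save output; load an empty table so a rollback state exists (also in check mode).` The result of the second `initcommand` run is returned without re-testing for `'*%s' % table`, so a caller still has to cope with the table being absent. The function starts outside this hunk.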
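Review bot: `FALLBACKCMD = [bin_iptables_restore]` in the hunk at -401 carries no `--noflush`, so whenever it runs it replaces the contents of the table named in its input. The only protection is the exact-line test `'*%s' % table not in out.splitlines()` in initialize_from_null_state. The payload is meant to create an empty table, not overwrite one, so `FALLBACKCMD = [bin_iptables_restore, '--noflush']` would leave existing rules in place if that test ever misfires. Whether the table is still created on iptables-nft with that flag needs to be tested. main() starts and ends outside this hunk.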
@@ -425,6 +432,7 @@ def main():
 INITIALIZER.extend(['--modprobe', modprobe])
 INITCOMMAND.extend(['--modprobe', modprobe])
 TESTCOMMAND.extend(['--modprobe', modprobe])
+ FALLBACKCMD.extend(['--modprobe', modprobe])
 SAVECOMMAND = list(COMMANDARGS)
 SAVECOMMAND.insert(0, bin_iptables_save)
@@ -458,15 +466,15 @@ def main():
 for t in TABLES:
 if '*%s' % t in state_to_restore:
 if len(stdout) == 0 or '*%s' % t not in stdout.splitlines():
- (rc, stdout, stderr) = initialize_from_null_state(INITIALIZER, INITCOMMAND, t)
+ (rc, stdout, stderr) = initialize_from_null_state(INITIALIZER, INITCOMMAND, FALLBACKCMD, t)
 elif len(stdout) == 0:
- (rc, stdout, stderr) = initialize_from_null_state(INITIALIZER, INITCOMMAND, 'filter')
+ (rc, stdout, stderr) = initialize_from_null_state(INITIALIZER, INITCOMMAND, FALLBACKCMD, 'filter')
 elif state == 'restored' and '*%s' % table not in state_to_restore:
 module.fail_json(msg="Table %s to restore not defined in %s" % (table, path))
 elif len(stdout) == 0 or '*%s' % table not in stdout.splitlines():
- (rc, stdout, stderr) = initialize_from_null_state(INITIALIZER, INITCOMMAND, table)
+ (rc, stdout, stderr) = initialize_from_null_state(INITIALIZER, INITCOMMAND, FALLBACKCMD, table)
 initial_state = filter_and_format_state(stdout)
 if initial_state is None: