ufw ordered rules

[markuman]

Summary

The insert parameter does not work in many ways.

tabula rasa ufw and insert 1

When ufw is resetted and empty, it's simply not possible to insert a rule at position 1.

The ansible ufw module must handle this as an abstration layer.

it's impossible to insert IPv6 rules before IPv4 or numbered in general

I've no idea how to handle this....

Issue Type

Bug Report

Component Name

community.general.ufw

Ansible Version

$ ansible --version
ansible [core 2.18.1]
  config file = /home/m/git/lekker/iac/ansible.cfg
  configured module search path = ['/home/m/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/m/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.7 (main, Oct  1 2024, 11:15:50) [GCC 14.2.1 20240910] (/usr/bin/python)
  jinja version = 3.1.4
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

# /usr/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 10.1.0 

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None
EDITOR(env: EDITOR) = /usr/bin/nano

GALAXY_SERVERS:

OS / Environment

Arch Linux

Steps to Reproduce

---
- hosts: localhost
  become: true

  tasks:
    - name: reset ufw
      community.general.ufw:
        state: reset

    - name: |
        allow ssh at position 1
        forget about the reset in the
        previous task.
        theoretically I want to add this
        rule at any state of ufw.
      community.general.ufw:
        rule: allow
        src: 0.0.0.0/0
        from_port: 22
        proto: tcp
        insert: 1

Expected Results

No errors.

root@ubuntu-4gb-nbg1-2:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere  

Actual Results

TASK [reset ufw] *****************************************************************************************************************************************
changed: [localhost]

TASK [allow ssh at position 1
forget about the reset in the
previous task.
theoretically I want to add this
rule at any state of ufw.] ***********************
fatal: [localhost]: FAILED! => {"changed": false, "commands": ["/usr/sbin/ufw status verbose", "/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules", "/usr/sbin/ufw --version", "/usr/sbin/ufw insert 1 allow from 0.0.0.0/0 port 22 to any proto tcp"], "msg": "ERROR: Invalid position '1'\n"}

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/modules/ufw.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @ahtik @ovcharenko @pyykkis
click here for bot help

[felixfontein]

Did you try having two separate tasks (one for IPv4 and one for IPv6) and use insert_relative_to? That way it might work as expected.

Generally the insert option is using ufw's insert, which doesn't work well at all (basically what you write). That's why a long time ago I added insert_relative_to to be able to specify what you actually want. But that doesn't work if you add both a IPv4 and IPv6 rule at the same time (which the module doesn't really know about, but what is something that ufw does by itself).