From 72551575df8eb0b3106d367cafa85358ace14e6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?= Date: Tue, 21 Apr 2020 08:40:31 +0200 Subject: [PATCH] Fix the 10 minutes delay at first run (fix #1)! --- CHANGELOG.md | 1 + README.md | 7 +------ defaults/main.yml | 2 ++ 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f0c72b3..fc1a359 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ using a loop via squash_actions is deprecated. * Turn nft_old_pkg_list into a list. * Add libiptc0 (iptables dependency) to the list of old package to remove. +* The 10 minutes delay at first run (#1)! ## v1.5.0 diff --git a/README.md b/README.md index 04ddef5..a3778b9 100644 --- a/README.md +++ b/README.md @@ -266,12 +266,7 @@ nft_input_group_rules: ## Known Issue -* The first run of a playbook may be long (~8 minutes) just after the (re)start of `nftables` service. - * Probably due to Ansible/OpenSSH Specific default Settings, the outgoing connections for Ansible/SSH will be blocked : -``` -trace id d7c3a8dc inet filter output packet: oif "ens18" ip saddr REMOTE_HOST ip daddr MY_HOST ip dscp 0x02 ip ecn not-ect ip ttl 64 ip id 56799 ip length 420 tcp sport ssh tcp dport 53922 tcp flags == 0x18 tcp window 1452 -``` - * This only happen at the first run on new clean host. The next runs will works without any delay. +* The 10 minutes delay at the first run is finally fixed by allowing the host to reset SSH connection (flags `rst, psh | ack`) (see #1). ## Configuration diff --git a/defaults/main.yml b/defaults/main.yml index ac3a834..c901a16 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -315,6 +315,8 @@ nft_output_default_rules: - udp dport @out_udp_accept ct state new accept 210 output tcp accepted: - tcp dport @out_tcp_accept ct state new accept + 250 reset-ssh: # allow the host to reset SSH connections to avoid 10 min delay from Ansible controller + - tcp sport ssh tcp flags { rst, psh | ack } counter accept # ]]] # .. envvar:: nft_output_rules [[[ #
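Review bot: the CHANGELOG entry `* The 10 minutes delay at first run (#1)!` does not say what changed; every other bullet in this list is a verb phrase (`Turn ...`, `Add ...`), so it should read `* Fix the 10-minute delay at first run (#1).` Stating the action also makes it clear to readers that this is a fix and not a newly reported issue.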
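Review bot: the README hunk leaves a `## Known Issue` section whose only content is a statement that the issue is fixed, which is changelog material rather than a known issue; either drop the section or keep it for issues that are still open. The replacement line also quotes the rule as `flags `rst, psh | ack`` while the rule added in `defaults/main.yml` uses the set form `{ rst, psh | ack }`, and the duration changes from `~8 minutes` in the removed text to `10 minutes` in the new one; make both match the actual rule and the observed behaviour so users searching for the symptom find it. Since the removed `trace id ...` line was the only hint on how the blocked outgoing packet looks, consider keeping a short pointer to `nft monitor trace` for anyone who still hits the delay on a host with a different configuration.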
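Review bot: the new rule `tcp sport ssh tcp flags { rst, psh | ack } counter accept` has no `ct state` match, so unlike the surrounding `ct state new accept` rules it accepts those packets statelessly for any outgoing TCP traffic sourced from port 22, which weakens the stateful output policy the rest of `nft_output_default_rules` builds on. If the goal is only to let the host reset SSH sessions that conntrack no longer knows about after an `nftables` restart, the match can be narrowed: a plain `rst` flag should be enough for the Ansible controller's SSH client to fail fast, and qualifying the rule with `ct state invalid` (packets conntrack has no entry for) limits it to exactly the situation described in the comment instead of also passing ordinary `psh | ack` data segments outside conntrack. Please also document in the comment why `psh | ack` is needed if it is kept, and note that `sport ssh` matches port 22 only, so hosts running SSH on another port will not benefit from this rule.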