From 765363e04d3eb97a0565b06dc72fa301cce7906b Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 26 Jun 2023 12:58:21 -0700
Subject: [PATCH] base / iptables: fix protocol, use creates for commands

iptables -p is expecting all, not any. And create a file to track when we have made the ipset.

Signed-off-by: Kevin Fenzi
---
 roles/base/tasks/main.yml | 6 ++----
 roles/base/templates/iptables/iptables | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 13c463602b..739a913ce8 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -150,8 +150,7 @@
 - name: setup builder ipset if this is a new install
   command: /usr/sbin/ipset create osbuildapi hash:ip
-  ignore_errors: true
-  changed_when: false
+  creates: /etc/sysconfig/ipset-osbuildapi
   when: "'osbuild' in group_names"
   tags:
   - base
@@ -171,8 +170,7 @@
 - name: setup blocklist ipset if this is a new install
   command: /usr/sbin/ipset create blocklist hash:ip
-  ignore_errors: true
-  changed_when: false
+  creates: /etc/sysconfig/blocklist
   when: "'iad2' not in inventory_hostname or ( datacenter == 'iad2' and external == 'true')"
   tags:
   - base
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 41124f732d..f163ee9749 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -16,7 +16,7 @@
 # if the host is external, block some ips
 {% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
--A INPUT -p any -m set --match-set blocklist src -j REJECT
+-A INPUT -p all -m set --match-set blocklist src -j REJECT
 {% endif %}
 # allow ssh - always
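Review bot: The `creates:` path on the added line, `/etc/sysconfig/ipset-osbuildapi`, is not produced by `ipset create osbuildapi hash:ip` itself, so unless a task outside this hunk writes that file the guard never fires, and now that `ignore_errors: true` is gone every subsequent run fails on the already-existing set. The second hunk (`creates: /etc/sysconfig/blocklist`) has the same gap. One way to make the marker real is to write it as part of the same step, `shell: /usr/sbin/ipset create osbuildapi hash:ip && touch /etc/sysconfig/ipset-osbuildapi` (a `shell:` is needed for the `&&`), keeping `creates:` as is; alternatively `ipset -exist create osbuildapi hash:ip` tolerates the existing set without a marker file. The task's `tags:` list may continue past the end of the hunk.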
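Review bot: The marker name on the added line, `/etc/sysconfig/blocklist`, does not follow the `ipset-<setname>` pattern the first hunk introduces (`/etc/sysconfig/ipset-osbuildapi`); `creates: /etc/sysconfig/ipset-blocklist` keeps the markers recognisable as one family and avoids a generic path that an unrelated package or task could plausibly also claim. The unchanged `when:` below gates this set on `inventory_hostname`, whereas the template hunk that references the set gates on `datacenter`; worth confirming those two conditions agree for every host, since a rendered rule with no matching set makes iptables-restore reject the ruleset.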
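Review bot: `-p all` on the new line is iptables' default protocol match, so `-A INPUT -m set --match-set blocklist src -j REJECT` behaves identically; keeping the flag is fine if explicitness is preferred, but it should not be read as narrowing the rule. The rule depends on the `blocklist` set existing at restore time, and the `{% if %}` guarding it here is phrased differently from the `when:` on the set-creating task in roles/base/tasks/main.yml (datacenter vs inventory_hostname); if they ever disagree, iptables-restore fails on this line and the rest of the ruleset is not loaded. For a blocklist, `-j DROP` instead of `REJECT` would avoid sending replies to blocked sources, which is a policy choice rather than a defect.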