Task "Apply iptables rules if ferm is enabled" fails if IPv6 module is not loaded

[htgoebel]

On Raspiban, the IPv6 kernel module is not loaded by default.

One solution would be to probe for IPv6 within the role and adjust ferm_filter_domains.

For the records, here is the complete error message.

TASK: [debops.ferm | Apply iptables rules if ferm is enabled] ***************** 
failed: [server] => {"changed": false, "cmd": ["ferm", "--slow", "/etc/ferm/ferm.conf"], 
"delta": "...", "end": "...", "rc": 2, "start": "..."}
stderr: ip6tables v1.4.14: can't initialize ip6tables table `filter': Address family not
supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables-restore v1.4.14: ip6tables-restore: unable to initialize table 'filter'

Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Failed to run /sbin/ip6tables-restore

[drybjed]

@htgoebel Does sysctl -a|grep disable_ipv6 on Raspian show correctly that IPv6 is disabled?

[htgoebel]

sysctl -a | grep disable_ipv6 returns nothing.
I assume that ipv6 is not disabled, but just the module is not loaded by default. (As soon as I modprobe ipv6, the interfaces get ipv6-addresses and this role passes this point.)

[drybjed]

@htgoebel I see, so IPv6 works on Pi? Do you plan to use it? I plan to create a kernel/grub role, it could for example check if ipv6 module is loaded and load it if needed. But that's just a plan at this point.

[htgoebel]

@drybjed I do not plan to use IPv6 in the short term.

If you want to implement a test, I suggest simply checking if ansible_all_ipv6_addresses is non-empty.

[drybjed]

I'm not sure if this is a good check, but I'll look into it.