From a17cb88c1e8241fc2df33af4ed191406c7181bfa Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 19 Mar 2021 18:36:48 +0000
Subject: [PATCH] iptables: Don't set empty defaults, check if var is defined

---
 roles/iptables/defaults/main.yml      | 3 ---
 roles/iptables/templates/ip6tables.j2 | 6 ++++--
 roles/iptables/templates/iptables.j2  | 6 ++++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml
index 51dcfc3..d50d859 100644
--- a/roles/iptables/defaults/main.yml
+++ b/roles/iptables/defaults/main.yml
@@ -1,6 +1,3 @@
 ---
 firewall_in:
   - {proto: tcp, port: 22}
-
-firewall_raw: []
diff --git a/roles/iptables/templates/ip6tables.j2 b/roles/iptables/templates/ip6tables.j2
index ee937b2..bb22bcb 100644
--- a/roles/iptables/templates/ip6tables.j2
+++ b/roles/iptables/templates/ip6tables.j2
@@ -5,9 +5,11 @@
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p ipv6-icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
-{% for rule in firewall_raw6 %}
+{% if firewall_raw6 is defined %}
+{% for rule in firewall_raw6 %}
 {{ rule }}
-{% endfor %}
+{% endfor %}
+{% endif %}
 {% for rule in firewall_in %}
 {% if rule.from is defined %}
 {% for from in rule.from | ipv6 %}
diff --git a/roles/iptables/templates/iptables.j2 b/roles/iptables/templates/iptables.j2
index 4bbf67e..2e558a1 100644
--- a/roles/iptables/templates/iptables.j2
+++ b/roles/iptables/templates/iptables.j2
@@ -5,9 +5,11 @@
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
-{% for rule in firewall_raw %}
+{% if firewall_raw is defined %}
+{% for rule in firewall_raw %}
 {{ rule }}
-{% endfor %}
+{% endfor %}
+{% endif %}
 {% for rule in firewall_in %}
 {% if rule.from is defined %}
 {% for from in rule.from | ipv4 %}
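Review bot: The new `{% if firewall_raw is defined %}` guard in iptables.j2 only covers an absent variable; an inventory that sets `firewall_raw:` with no value (YAML null) still passes the check and the inner `{% for rule in firewall_raw %}` would then fail when the template is rendered, so the firewall ruleset is not written at all. Because each `{{ rule }}` is emitted verbatim into the ruleset ahead of every firewall_in rule, a more robust single-line form is `{% for rule in firewall_raw | default([], true) %}`, which drops the extra if/endif pair and treats both undefined and empty values as "no raw rules"; the same applies to the `firewall_raw6` block in ip6tables.j2. With a defined-check the rendered ruleset now also depends silently on the variable name — a misspelled `firewall_raw` in host or group vars yields no raw rules instead of an error — so a comment such as `{# raw lines are inserted unmodified, before any firewall_in rule; undefined or empty means none #}` above the loop would make that contract explicit. The template continues past the hunk, so whatever follows the firewall_in loop is outside this view.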