From 22a19559481ddb7618836141c6e4f4cb8e944438 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Sep 2024 13:59:31 +0100
Subject: [PATCH] Updated nftables prereqs for table
Signed-off-by: Mark Bolwell
---
 tasks/section_4/cis_4.3.x.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
index 60db876..4e85deb 100644
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@@ -1,5 +1,15 @@
 ---
 
+- name: "OPTIONAL | PATCH | Create Table if doesn't exist and required"
+  when:
+    - rhel9cis_nft_tables_autonewtable
+    - rhel9cis_rule_4_3_1
+    - rhel9cis_rule_4_3_2
+    - rhel9cis_rule_4_3_3
+    - rhel9cis_rule_4_3_4
+  tags: always
+  ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
+
 - name: "4.3.1 | PATCH | Ensure nftables base chains exist"
   when:
     - rhel9cis_rule_4_3_1
@@ -72,10 +82,6 @@
   failed_when: false
   register: discovered_nftables_outconnectionrule
 
-- name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Create table is doesn't exist"
-  when: rhel9cis_nft_tables_autonewtable
-  ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
-
 - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
   when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
   ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
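Review bot: The `when` list on the new "OPTIONAL | PATCH | Create Table" task is AND-ed by Ansible, so the table is created only when autonewtable and all four of rhel9cis_rule_4_3_1 through rhel9cis_rule_4_3_4 are true; a run that enables only, say, rhel9cis_rule_4_3_2 skips it and the later `nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" …` tasks then hit a missing table, a case the deleted 4.3.2 task did handle. Collapse the rule flags into one disjunction so the table exists whenever any consumer is enabled: `- rhel9cis_rule_4_3_1 or rhel9cis_rule_4_3_2 or rhel9cis_rule_4_3_3 or rhel9cis_rule_4_3_4`. The command is also run through `ansible.builtin.shell` with `rhel9cis_nft_tables_tablename` interpolated into the command string, so a value carrying shell metacharacters would be interpreted by the shell; `ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"` gives the same result without a shell, as nothing here needs pipes or redirection. Note too that `nft add table` is a no-op on an existing table, so this task reports `changed` on every run; guarding it with a registered `nft list tables` check, or documenting the permanent changed status in a comment, would keep play summaries honest. The second hunk is a pure deletion of the old per-rule task and needs nothing further.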