Jump to a custom chain with greater weight fails
kustodian opened this issue
If we try to add a rule which jumps to a custom chain which is defined in a different rule with a greater weight, the task will fail.
For example, this play will fail:
```yaml
---
- hosts: some_hosts
  tasks:
    # Creates the custom chain, but only at weight 50
    - iptables_raw:
        name: add_custom1_chain
        weight: 50
        rules: "-N CUSTOM1"
    # Jumps to that chain from a rule with a lower weight (30), so it is
    # applied before the chain exists
    - iptables_raw:
        name: jump_to_existing_chain
        weight: 30
        rules: "-A INPUT -p tcp --dport 7777 -j CUSTOM1"
```
Why is this a bug? You need to create a new chain before using it, and "before" is not just task order, but weight as well.
I agree that in most situations this shouldn't be a bug, but in reality chains don't have weight in iptables; they are always on top of all chains, which makes sense, since if a chain exists, all rules should be able to use it.
You could bump into this bug even if you use the same weight for both tasks, but set the task which creates the chain to have a name which is alphabetically after the chain which uses that chain; and that is a bug.
Anyway, this is an easy improvement I wanted to add, since it should generate better diffs in check mode when using custom chains.
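An added example, not code from the iptables_raw module, of the improvement described in the reply: every `-N` chain declaration is hoisted above all rules before the rule set is rendered for iptables-restore, so neither the weight nor the alphabetical position of the task that creates a chain matters. `TASKS` is the play's two tasks as constructed data; `split_tasks`, `undeclared_chains`, `render_filter_table` and the builtin-target set are assumed names for this illustration.

```python
import re

# Constructed sample: the two tasks from the issue as (name, weight, rules).
# The rule that uses CUSTOM1 has the LOWER weight, so emitting rules purely
# in weight order would put "-A ... -j CUSTOM1" before "-N CUSTOM1".
TASKS = [
    ("add_custom1_chain", 50, "-N CUSTOM1"),
    ("jump_to_existing_chain", 30, "-A INPUT -p tcp --dport 7777 -j CUSTOM1"),
]

NEW_CHAIN_RE = re.compile(r"^-N\s+(\S+)$")
JUMP_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")
# Targets that are not user-defined chains (assumed subset for the filter table).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE", "NFQUEUE"}


def split_tasks(tasks):
    """Walk tasks in (weight, name) order and separate chain declarations
    (-N CHAIN) from ordinary rules, so declarations can be hoisted above
    every rule regardless of the weight or name of the task that holds them."""
    chains, rules = [], []
    for _name, _weight, block in sorted(tasks, key=lambda t: (t[1], t[0])):
        for line in (raw.strip() for raw in block.splitlines()):
            if not line:
                continue
            m = NEW_CHAIN_RE.match(line)
            if m:
                if m.group(1) not in chains:
                    chains.append(m.group(1))
            else:
                rules.append(line)
    return chains, rules


def undeclared_chains(tasks):
    """Jump targets that are neither builtin targets nor declared chains;
    iptables-restore would reject a rule set containing any of these."""
    chains, rules = split_tasks(tasks)
    targets = {t for r in rules for t in JUMP_RE.findall(r)}
    return sorted(targets - BUILTIN_TARGETS - set(chains))


def render_filter_table(tasks):
    """Render an iptables-restore fragment for the filter table with every
    custom chain declared (":CHAIN - [0:0]") before the first rule."""
    missing = undeclared_chains(tasks)
    if missing:
        raise ValueError(f"rules jump to undeclared chains: {missing}")
    chains, rules = split_tasks(tasks)
    header = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    return "\n".join(header + [f":{c} - [0:0]" for c in chains] + rules + ["COMMIT"]) + "\n"
```

Running `undeclared_chains` before rendering turns the runtime iptables failure into a check-mode diff error that names the missing chain.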