Add --syn option to iptables module

This adds the --syn option to filter SYN packets. Can be negated. I added a generic append_match_flag function which can be used to add match flags without parameters. It also allows negating the flag if the added param allows this. Not sure if I took the best approach here so all feedback welcome :)
2024-09-14 20:13:21 +02:00 · 2017-02-13 21:12:50 +01:00 · 2017-02-13 21:12:50 +01:00 · 57d4a6ca8b
commit 57d4a6ca8b
parent 6797221107
1 changed files with 30 additions and 0 deletions
--- a/lib/ansible/modules/system/iptables.py
+++ b/lib/ansible/modules/system/iptables.py
@ -217,6 +217,14 @@ options:
        this, the source address is never altered."
    required: false
    default: null
+  syn:
+    version_added: "2.3"
+    description:
+      - "This allows matching packets that have the SYN bit set and the ACK
+        and RST bits unset. When negated, this matches all packets with
+        the RST or the ACK bits set."
+    required: false
+    default: ignore
  set_dscp_mark:
    version_added: "2.1"
    description:
@ -321,6 +329,16 @@ EXAMPLES = '''
    jump: ACCEPT
  become: yes

+# Allow new incoming SYN packets on TCP port 22 (SSH).
+- iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 22
+    ctstate: NEW
+    syn: match
+    jump: ACCEPT
+    comment: Accept new SSH connections.
+
 # Tag all outbound tcp packets with DSCP mark 8
 - iptables:
    chain: OUTPUT
@ -375,6 +393,13 @@ def append_tcp_flags(rule, param, flag):
        if 'flags' in param and 'flags_set' in param:
            rule.extend([flag, ','.join(param['flags']), ','.join(param['flags_set'])])

+def append_match_flag(rule, param, flag, negatable):
+    if param == 'match':
+        rule.extend([flag])
+    elif negatable and param == 'negate':
+        rule.extend(['!', flag])
+
+
 def append_csv(rule, param, flag):
    if param:
        rule.extend([flag, ','.join(param)])
@ -414,6 +439,7 @@ def construct_rule(params):
        params['set_dscp_mark_class'],
        '--set-dscp-class',
        False)
+    append_match_flag(rule, params['syn'], '--syn', True)
    append_match(rule, params['comment'], 'comment')
    append_param(rule, params['comment'], '--comment', False)
    if 'conntrack' in params['match']:
@ -536,6 +562,10 @@ def main():
            uid_owner=dict(required=False, default=None, type='str'),
            reject_with=dict(required=False, default=None, type='str'),
            icmp_type=dict(required=False, default=None, type='str'),
+            syn=dict(
+                required=False,
+                default='ignore',
+                choices=['ignore', 'match', 'negate']),
            flush=dict(required=False, default=False, type='bool'),
            policy=dict(
                required=False,