From 57d4a6ca8bb52f54b193830100be1e0d5c2db42f Mon Sep 17 00:00:00 2001 From: Simon Wydooghe Date: Mon, 13 Feb 2017 21:12:50 +0100 Subject: [PATCH] Add --syn option to iptables module This adds the --syn option to filter SYN packets. Can be negated. I added a generic append_match_flag function which can be used to add match flags without parameters. It also allows negating the flag if the added param allows this. Not sure if I took the best approach here so all feedback welcome :) --- lib/ansible/modules/system/iptables.py | 30 ++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/lib/ansible/modules/system/iptables.py b/lib/ansible/modules/system/iptables.py index dbdd9a9823..35919e63af 100644 --- a/lib/ansible/modules/system/iptables.py +++ b/lib/ansible/modules/system/iptables.py @@ -217,6 +217,14 @@ options: this, the source address is never altered." required: false default: null + syn: + version_added: "2.3" + description: + - "This allows matching packets that have the SYN bit set and the ACK + and RST bits unset. When negated, this matches all packets with + the RST or the ACK bits set." + required: false + default: ignore set_dscp_mark: version_added: "2.1" description: @@ -321,6 +329,16 @@ EXAMPLES = ''' jump: ACCEPT become: yes +# Allow new incoming SYN packets on TCP port 22 (SSH). +- iptables: + chain: INPUT + protocol: tcp + destination_port: 22 + ctstate: NEW + syn: match + jump: ACCEPT + comment: Accept new SSH connections. + # Tag all outbound tcp packets with DSCP mark 8 - iptables: chain: OUTPUT @@ -375,6 +393,13 @@ def append_tcp_flags(rule, param, flag): if 'flags' in param and 'flags_set' in param: rule.extend([flag, ','.join(param['flags']), ','.join(param['flags_set'])]) +def append_match_flag(rule, param, flag, negatable): + if param == 'match': + rule.extend([flag]) + elif negatable and param == 'negate': + rule.extend(['!', flag]) + + def append_csv(rule, param, flag): if param: rule.extend([flag, ','.join(param)]) 
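Review bot: The `syn:` option description understates the predicate: as I read iptables(8), `--syn` matches TCP packets with SYN set and ACK, RST *and* FIN cleared (equivalent to `--tcp-flags SYN,RST,ACK,FIN SYN`), and the negated form matches every TCP packet that is not such a pure SYN, not only those with RST or ACK set (a FIN-only or flag-less packet also matches `! --syn`). Since `! --syn` is commonly paired with `ctstate NEW` to drop connection attempts that do not begin with a SYN, the exact predicate matters to whoever writes that rule. The description should also say that the option is only usable together with `protocol: tcp`, because iptables rejects `--syn` without `-p tcp`, and the doc block should list `choices: ["ignore", "match", "negate"]` to mirror the argument_spec. Suggested text: `Match TCP packets with the SYN bit set and the ACK, RST and FIN bits cleared (new connection attempts). C(negate) matches every other TCP packet. Requires C(protocol) set to C(tcp).`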
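Review bot: `append_match_flag` silently discards the negation when `negatable` is false: a caller passing `param == 'negate'` gets no match appended at all, so the generated rule is broader than requested instead of failing, which is a fail-open outcome for a firewall rule. The only caller in this patch passes `negatable=True`, so the path is latent today, but a reusable helper should reject an unsupported negation loudly (a `ValueError` as below, or `module.fail_json` if the module object is reachable from here, which I cannot see). The function also lacks a docstring, and `rule.extend([flag])` is the long form of `rule.append(flag)`. Rewritten helper:

```python
def append_match_flag(rule, param, flag, negatable):
    """Append a parameterless match flag; param is 'ignore', 'match' or 'negate'."""
    if param == 'match':
        rule.append(flag)
    elif param == 'negate':
        if not negatable:
            raise ValueError("%s cannot be negated" % flag)
        rule.extend(['!', flag])
```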
@@ -414,6 +439,7 @@ def construct_rule(params): params['set_dscp_mark_class'], '--set-dscp-class', False) + append_match_flag(rule, params['syn'], '--syn', True) append_match(rule, params['comment'], 'comment') append_param(rule, params['comment'], '--comment', False) if 'conntrack' in params['match']: @@ -536,6 +562,10 @@ def main(): uid_owner=dict(required=False, default=None, type='str'), reject_with=dict(required=False, default=None, type='str'), icmp_type=dict(required=False, default=None, type='str'), + syn=dict( + required=False, + default='ignore', + choices=['ignore', 'match', 'negate']), flush=dict(required=False, default=False, type='bool'), policy=dict( required=False,
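Review bot: Style point on the added `append_match_flag(rule, params['syn'], '--syn', True)` line: the bare positional `True` gives no hint that it means "this flag accepts `!`", so `negatable=True` as a keyword argument would read better when scanning the run of `append_*` calls. Whether `-p tcp` has already been emitted into `rule` by this point cannot be seen from the hunk; construct_rule's body begins and ends outside it.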
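Review bot: The new `syn` argument is accepted for any `protocol`, but `--syn` is a TCP-only option, so a play with `syn: match` and no `protocol: tcp` only fails once the iptables binary rejects the command, with an opaque `unknown option` error rather than a module-level message. After the AnsibleModule is constructed (outside this hunk) a check such as `if module.params['syn'] != 'ignore' and module.params['protocol'] != 'tcp': module.fail_json(msg="syn requires protocol: tcp")` would surface the mistake up front (adjust the comparison if the module also accepts the numeric protocol spelling). For consistency with the neighbouring entries such as `reject_with` and `icmp_type`, the `syn=dict(...)` entry should also carry `type='str'`.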