ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Add --syn option to iptables module

Browse source 
This adds the --syn option to filter SYN packets. Can be negated.

I added a generic append_match_flag function which can be used to add
match flags without parameters. It also allows negating the flag
if the added param allows this.

Not sure if I took the best approach here so all feedback welcome :)
This commit is contained in:
Simon Wydooghe 2017-02-13 21:12:50 +01:00 committed by Dag Wieers
parent 6797221107
commit 57d4a6ca8b
1 changed files with 30 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
lib/ansible/modules/system/iptables.py
View file

@ -217,6 +217,14 @@ options:
this, the source address is never altered." this, the source address is never altered."
required: false required: false
default: null default: null
syn:
version_added: "2.3"
description:
- "This allows matching packets that have the SYN bit set and the ACK
and RST bits unset. When negated, this matches all packets with
the RST or the ACK bits set."
required: false
default: ignore
set_dscp_mark: set_dscp_mark:
version_added: "2.1" version_added: "2.1"
description: description:
@ -321,6 +329,16 @@ EXAMPLES = '''
jump: ACCEPT jump: ACCEPT
become: yes become: yes
# Allow new incoming SYN packets on TCP port 22 (SSH).
- iptables:
chain: INPUT
protocol: tcp
destination_port: 22
ctstate: NEW
syn: match
jump: ACCEPT
comment: Accept new SSH connections.
# Tag all outbound tcp packets with DSCP mark 8 # Tag all outbound tcp packets with DSCP mark 8
- iptables: - iptables:
chain: OUTPUT chain: OUTPUT
@ -375,6 +393,13 @@ def append_tcp_flags(rule, param, flag):
if 'flags' in param and 'flags_set' in param: if 'flags' in param and 'flags_set' in param:
rule.extend([flag, ','.join(param['flags']), ','.join(param['flags_set'])]) rule.extend([flag, ','.join(param['flags']), ','.join(param['flags_set'])])
def append_match_flag(rule, param, flag, negatable):
if param == 'match':
rule.extend([flag])
elif negatable and param == 'negate':
rule.extend(['!', flag])
def append_csv(rule, param, flag): def append_csv(rule, param, flag):
if param: if param:
rule.extend([flag, ','.join(param)]) rule.extend([flag, ','.join(param)])
@ -414,6 +439,7 @@ def construct_rule(params):
params['set_dscp_mark_class'], params['set_dscp_mark_class'],
'--set-dscp-class', '--set-dscp-class',
False) False)
append_match_flag(rule, params['syn'], '--syn', True)
append_match(rule, params['comment'], 'comment') append_match(rule, params['comment'], 'comment')
append_param(rule, params['comment'], '--comment', False) append_param(rule, params['comment'], '--comment', False)
if 'conntrack' in params['match']: if 'conntrack' in params['match']:
@ -536,6 +562,10 @@ def main():
uid_owner=dict(required=False, default=None, type='str'), uid_owner=dict(required=False, default=None, type='str'),
reject_with=dict(required=False, default=None, type='str'), reject_with=dict(required=False, default=None, type='str'),
icmp_type=dict(required=False, default=None, type='str'), icmp_type=dict(required=False, default=None, type='str'),
syn=dict(
required=False,
default='ignore',
choices=['ignore', 'match', 'negate']),
flush=dict(required=False, default=False, type='bool'), flush=dict(required=False, default=False, type='bool'),
policy=dict( policy=dict(
required=False, required=False,