iptables: implement log_level parameter (#52880)
Fixes: #25100 Based upon https://github.com/ansible/ansible/pull/25118 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
parent
d30879a0b7
commit
8d4343b94c
2 changed files with 66 additions and 0 deletions
|
@ -156,6 +156,14 @@ options:
|
||||||
- Specifies a log text for the rule. Only make sense with a LOG jump.
|
- Specifies a log text for the rule. Only make sense with a LOG jump.
|
||||||
type: str
|
type: str
|
||||||
version_added: "2.5"
|
version_added: "2.5"
|
||||||
|
log_level:
|
||||||
|
description:
|
||||||
|
- Logging level according to the syslogd-defined priorities.
|
||||||
|
- The value can be strings or numbers from 1-8.
|
||||||
|
- This parameter is only applicable if C(jump) is set to C(LOG).
|
||||||
|
type: str
|
||||||
|
version_added: "2.8"
|
||||||
|
choices: [ '0', '1', '2', '3', '4', '5', '6', '7', 'emerg', 'alert', 'crit', 'error', 'warning', 'notice', 'info', 'debug' ]
|
||||||
goto:
|
goto:
|
||||||
description:
|
description:
|
||||||
- This specifies that the processing should continue in a user specified chain.
|
- This specifies that the processing should continue in a user specified chain.
|
||||||
|
@ -413,6 +421,16 @@ EXAMPLES = r'''
|
||||||
chain: '{{ item }}'
|
chain: '{{ item }}'
|
||||||
flush: yes
|
flush: yes
|
||||||
with_items: [ 'INPUT', 'OUTPUT', 'PREROUTING', 'POSTROUTING' ]
|
with_items: [ 'INPUT', 'OUTPUT', 'PREROUTING', 'POSTROUTING' ]
|
||||||
|
|
||||||
|
- name: Log packets arriving into an user-defined chain
|
||||||
|
iptables:
|
||||||
|
chain: LOGGING
|
||||||
|
action: append
|
||||||
|
state: present
|
||||||
|
limit: 2/second
|
||||||
|
limit_burst: 20
|
||||||
|
log_prefix: "IPTABLES:INFO: "
|
||||||
|
log_level: info
|
||||||
'''
|
'''
|
||||||
|
|
||||||
import re
|
import re
|
||||||
|
@ -482,6 +500,7 @@ def construct_rule(params):
|
||||||
if params.get('jump') and params['jump'].lower() == 'tee':
|
if params.get('jump') and params['jump'].lower() == 'tee':
|
||||||
append_param(rule, params['gateway'], '--gateway', False)
|
append_param(rule, params['gateway'], '--gateway', False)
|
||||||
append_param(rule, params['log_prefix'], '--log-prefix', False)
|
append_param(rule, params['log_prefix'], '--log-prefix', False)
|
||||||
|
append_param(rule, params['log_level'], '--log-level', False)
|
||||||
append_param(rule, params['to_destination'], '--to-destination', False)
|
append_param(rule, params['to_destination'], '--to-destination', False)
|
||||||
append_param(rule, params['to_source'], '--to-source', False)
|
append_param(rule, params['to_source'], '--to-source', False)
|
||||||
append_param(rule, params['goto'], '-g', False)
|
append_param(rule, params['goto'], '-g', False)
|
||||||
|
@ -602,6 +621,12 @@ def main():
|
||||||
jump=dict(type='str'),
|
jump=dict(type='str'),
|
||||||
gateway=dict(type='str'),
|
gateway=dict(type='str'),
|
||||||
log_prefix=dict(type='str'),
|
log_prefix=dict(type='str'),
|
||||||
|
log_level=dict(type='str',
|
||||||
|
choices=['0', '1', '2', '3', '4', '5', '6', '7',
|
||||||
|
'emerg', 'alert', 'crit', 'error',
|
||||||
|
'warning', 'notice', 'info', 'debug'],
|
||||||
|
default=None,
|
||||||
|
),
|
||||||
goto=dict(type='str'),
|
goto=dict(type='str'),
|
||||||
in_interface=dict(type='str'),
|
in_interface=dict(type='str'),
|
||||||
out_interface=dict(type='str'),
|
out_interface=dict(type='str'),
|
||||||
|
@ -650,6 +675,12 @@ def main():
|
||||||
if args['flush'] is False and args['chain'] is None:
|
if args['flush'] is False and args['chain'] is None:
|
||||||
module.fail_json(msg="Either chain or flush parameter must be specified.")
|
module.fail_json(msg="Either chain or flush parameter must be specified.")
|
||||||
|
|
||||||
|
if module.params.get('log_prefix', None) or module.params.get('log_level', None):
|
||||||
|
if module.params['jump'] is None:
|
||||||
|
module.params['jump'] = 'LOG'
|
||||||
|
elif module.params['jump'] != 'LOG':
|
||||||
|
module.fail_json(msg="Logging options can only be used with the LOG jump target.")
|
||||||
|
|
||||||
# Flush the table
|
# Flush the table
|
||||||
if args['flush'] is True:
|
if args['flush'] is True:
|
||||||
args['changed'] = True
|
args['changed'] = True
|
||||||
|
|
|
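Review bot: The second description bullet for the new log_level option says the numeric form is "numbers from 1-8", but the choices list right below it (and the argument_spec in the later main() hunk) only accept '0' through '7', which is also what the syslog priorities the bullet cites actually are (emerg=0 … debug=7). Change it to `- The value can be strings or numbers from 0-7.` so the docs do not steer users to a value the module rejects. A smaller consistency point in the last hunk of this section: the new guard compares `module.params['jump'] != 'LOG'` exactly, while the existing tee branch in construct_rule compares `params['jump'].lower() == 'tee'`, so `jump: log` combined with log_level or log_prefix now fails with the "only be used with the LOG jump target" message; if lowercase targets are meant to be tolerated there, compare with `.upper() != 'LOG'` and store the normalised value, otherwise the tee comparison is the odd one out and should be tightened the same way.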
@ -694,3 +694,38 @@ class TestIptables(ModuleTestCase):
|
||||||
'-j',
|
'-j',
|
||||||
'DROP'
|
'DROP'
|
||||||
])
|
])
|
||||||
|
|
||||||
|
def test_log_level(self):
|
||||||
|
""" Test various ways of log level flag """
|
||||||
|
|
||||||
|
log_levels = ['0', '1', '2', '3', '4', '5', '6', '7',
|
||||||
|
'emerg', 'alert', 'crit', 'error', 'warning', 'notice', 'info', 'debug']
|
||||||
|
|
||||||
|
for log_lvl in log_levels:
|
||||||
|
set_module_args({
|
||||||
|
'chain': 'INPUT',
|
||||||
|
'jump': 'LOG',
|
||||||
|
'log_level': log_lvl,
|
||||||
|
'source': '1.2.3.4/32',
|
||||||
|
'log_prefix': '** DROP-this_ip **'
|
||||||
|
})
|
||||||
|
commands_results = [
|
||||||
|
(0, '', ''),
|
||||||
|
]
|
||||||
|
|
||||||
|
with patch.object(basic.AnsibleModule, 'run_command') as run_command:
|
||||||
|
run_command.side_effect = commands_results
|
||||||
|
with self.assertRaises(AnsibleExitJson) as result:
|
||||||
|
iptables.main()
|
||||||
|
self.assertTrue(result.exception.args[0]['changed'])
|
||||||
|
|
||||||
|
self.assertEqual(run_command.call_count, 1)
|
||||||
|
self.assertEqual(run_command.call_args_list[0][0][0], [
|
||||||
|
'/sbin/iptables',
|
||||||
|
'-t', 'filter',
|
||||||
|
'-C', 'INPUT',
|
||||||
|
'-s', '1.2.3.4/32',
|
||||||
|
'-j', 'LOG',
|
||||||
|
'--log-prefix', '** DROP-this_ip **',
|
||||||
|
'--log-level', log_lvl
|
||||||
|
])
|
||||||
|
|
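Review bot: The new test only exercises the happy path with `jump: LOG` set explicitly, so neither branch the companion main() change introduces is covered: omitting `jump` is supposed to default it to LOG, and a non-LOG jump combined with `log_level` or `log_prefix` is supposed to end in fail_json. A test that drops `jump` and asserts `'-j', 'LOG'` appears in the generated command pins the default, and a second one with `jump: DROP` plus `log_level` should assert the failure exit rather than AnsibleExitJson. Separately, the rendered page has lost indentation, but if `self.assertTrue(result.exception.args[0]['changed'])` sits inside the `with self.assertRaises(AnsibleExitJson)` block it never runs, because `iptables.main()` raises first; it should be dedented to after the block, and since run_command is stubbed to return rc 0 for the `-C` check, `changed` may well be False rather than True at that point, which is worth confirming against the module's check-then-insert flow.
```python
    def test_log_level_defaults_jump_to_log(self):
        """ Omitting jump while passing log_level must still build a LOG rule """
        set_module_args({
            'chain': 'INPUT',
            'log_level': 'info',
            'log_prefix': 'IPTABLES:INFO: ',
        })
        with patch.object(basic.AnsibleModule, 'run_command') as run_command:
            run_command.side_effect = [(0, '', '')]
            with self.assertRaises(AnsibleExitJson):
                iptables.main()
        self.assertEqual(run_command.call_count, 1)
        self.assertEqual(run_command.call_args_list[0][0][0], [
            '/sbin/iptables',
            '-t', 'filter',
            '-C', 'INPUT',
            '-j', 'LOG',
            '--log-prefix', 'IPTABLES:INFO: ',
            '--log-level', 'info',
        ])
```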