authorSimon Wydooghe <wydooghe.simon@gmail.com>2017-02-13 21:12:50 +0100
committerDag Wieers <dag@wieers.com>2017-09-10 01:39:56 +0200
commit57d4a6ca8bb52f54b193830100be1e0d5c2db42f (patch)
tree15a488eea28efd836cfc4a8a7a3ace38332911c5
parent67972211078bc413fe0c589718dd0af795c3097e (diff)
Add --syn option to iptables module
This adds the --syn option to filter SYN packets. Can be negated. I added a generic append_match_flag function which can be used to add match flags without parameters. It also allows negating the flag if the added param allows this. Not sure if I took the best approach here so all feedback welcome :)
-rw-r--r--lib/ansible/modules/system/iptables.py30
1 files changed, 30 insertions, 0 deletions
diff --git a/lib/ansible/modules/system/iptables.py b/lib/ansible/modules/system/iptables.py
index dbdd9a9823..35919e63af 100644
--- a/lib/ansible/modules/system/iptables.py
+++ b/lib/ansible/modules/system/iptables.py
@@ -217,6 +217,14 @@ options:
this, the source address is never altered."
required: false
default: null
+ syn:
+ version_added: "2.3"
+ description:
+ - "This allows matching packets that have the SYN bit set and the ACK
+ and RST bits unset. When negated, this matches all packets with
+ the RST or the ACK bits set."
+ required: false
+ default: ignore
set_dscp_mark:
version_added: "2.1"
description:
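Review bot: The new `syn` option entry documents `default: ignore` but not the accepted values, so a reader of the module documentation cannot see that only `ignore`, `match` and `negate` are valid, even though the argument spec in main() restricts it to exactly those. Add a `choices: [ "ignore", "match", "negate" ]` line under the option so the documentation and the validation agree. The description text itself reads fine.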
@@ -321,6 +329,16 @@ EXAMPLES = '''
jump: ACCEPT
become: yes
+# Allow new incoming SYN packets on TCP port 22 (SSH).
+- iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 22
+ ctstate: NEW
+ syn: match
+ jump: ACCEPT
+ comment: Accept new SSH connections.
+
# Tag all outbound tcp packets with DSCP mark 8
- iptables:
chain: OUTPUT
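Review bot: The new example combines `ctstate: NEW` with `syn: match` but sets no `match:` list; from the `if 'conntrack' in params['match']:` guard visible in the construct_rule hunk below it looks like `--ctstate` is only emitted when `conntrack` is among the selected matches, so as written the NEW restriction may be silently dropped and the documented rule would accept every SYN to port 22 — please verify against the rest of construct_rule. If that is the case, add `match: conntrack` to the example (or drop the `ctstate` line) so the rule does what its comment says.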
@@ -375,6 +393,13 @@ def append_tcp_flags(rule, param, flag):
if 'flags' in param and 'flags_set' in param:
rule.extend([flag, ','.join(param['flags']), ','.join(param['flags_set'])])
+def append_match_flag(rule, param, flag, negatable):
+ if param == 'match':
+ rule.extend([flag])
+ elif negatable and param == 'negate':
+ rule.extend(['!', flag])
+
+
def append_csv(rule, param, flag):
if param:
rule.extend([flag, ','.join(param)])
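Review bot: When `negatable` is False and `param == 'negate'`, the new `append_match_flag` silently emits nothing, so a caller that asked for a negated match gets a rule with the flag missing entirely rather than an error; for a firewall rule that is the wrong failure mode. I would make the negate branch depend only on the value and raise when negation is not supported, and give the function a docstring stating that `param` is one of `ignore`/`match`/`negate` (the choices main() allows). `rule.extend([flag])` is also just `rule.append(flag)`. The only caller in this commit passes `negatable=True`, so the emitted rules are unchanged by this.
```python
def append_match_flag(rule, param, flag, negatable):
    """Append a parameter-less match flag: 'ignore' adds nothing, 'match' adds flag, 'negate' adds '!' flag."""
    if param == 'match':
        rule.append(flag)
    elif param == 'negate':
        if not negatable:
            raise ValueError("%s cannot be negated" % flag)
        rule.extend(['!', flag])
```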
@@ -414,6 +439,7 @@ def construct_rule(params):
params['set_dscp_mark_class'],
'--set-dscp-class',
False)
+ append_match_flag(rule, params['syn'], '--syn', True)
append_match(rule, params['comment'], 'comment')
append_param(rule, params['comment'], '--comment', False)
if 'conntrack' in params['match']:
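Review bot: `append_match_flag(rule, params['syn'], '--syn', True)` is emitted regardless of `params['protocol']`, but `--syn` belongs to the iptables TCP match and is only accepted together with `-p tcp`, so a task that sets `syn: match` with another or no protocol fails only when the rule is executed, with iptables' own error text. A check in main() before the rule is built — failing the module when `syn` is not `ignore` and `protocol` is not `tcp` — would give the user a clear message at validation time; at minimum the option description should state the TCP requirement. construct_rule begins outside the hunk.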
@@ -536,6 +562,10 @@ def main():
uid_owner=dict(required=False, default=None, type='str'),
reject_with=dict(required=False, default=None, type='str'),
icmp_type=dict(required=False, default=None, type='str'),
+ syn=dict(
+ required=False,
+ default='ignore',
+ choices=['ignore', 'match', 'negate']),
flush=dict(required=False, default=False, type='bool'),
policy=dict(
required=False,