Squashed commit of the following:
commit f79beaa3b3b642c370552d63b0848195358bccd0
Author: James Cammarata <jimi@sngx.net>
Date: Wed Jun 28 17:00:57 2017 -0500
Add example for iptables using the policy option
commit 1a0f9debdb526bef9d8d469a84a8cc55ef68da03
Author: James Cammarata <jimi@sngx.net>
Date: Wed Jun 28 16:59:52 2017 -0500
Fix missing re import for iptables after merging #19476
commit 084479d21d
Author: Alexey Solodkiy <work@x1.by>
Date: Sun Dec 18 12:07:05 2016 +0300
fix #19476
1 changed files with 45 additions and 6 deletions
|
@ -346,8 +346,15 @@ EXAMPLES = '''
|
||||||
table: mangle
|
table: mangle
|
||||||
set_dscp_mark_class: CS1
|
set_dscp_mark_class: CS1
|
||||||
protocol: tcp
|
protocol: tcp
|
||||||
|
|
||||||
|
# Set the policy for the INPUT chain to DROP
|
||||||
|
- iptables:
|
||||||
|
chain: INPUT
|
||||||
|
policy: DROP
|
||||||
'''
|
'''
|
||||||
|
|
||||||
|
import re
|
||||||
|
|
||||||
# import module snippets
|
# import module snippets
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
||||||
|
@ -463,6 +470,16 @@ def set_chain_policy(iptables_path, module, params):
|
||||||
module.run_command(cmd, check_rc=True)
|
module.run_command(cmd, check_rc=True)
|
||||||
|
|
||||||
|
|
||||||
|
def get_chain_policy(iptables_path, module, params):
|
||||||
|
cmd = push_arguments(iptables_path, '-L', params)
|
||||||
|
rc, out, _ = module.run_command(cmd, check_rc=True)
|
||||||
|
chain_header = out.split("\n")[0]
|
||||||
|
result = re.search(r'\(policy ([A-Z]+)\)', chain_header)
|
||||||
|
if result:
|
||||||
|
return result.group(1)
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
supports_check_mode=True,
|
supports_check_mode=True,
|
||||||
|
@ -540,18 +557,22 @@ def main():
|
||||||
module.fail_json( msg="Either chain or flush parameter must be specified.")
|
module.fail_json( msg="Either chain or flush parameter must be specified.")
|
||||||
|
|
||||||
# Flush the table
|
# Flush the table
|
||||||
if args['flush']:
|
if args['flush'] is True:
|
||||||
args['changed'] = True
|
args['changed'] = True
|
||||||
if not module.check_mode:
|
if not module.check_mode:
|
||||||
flush_table(iptables_path, module, module.params)
|
flush_table(iptables_path, module, module.params)
|
||||||
|
|
||||||
# Set the policy
|
# Set the policy
|
||||||
elif module.params['policy']:
|
elif module.params['policy']:
|
||||||
args['changed'] = True
|
current_policy = get_chain_policy(iptables_path, module, module.params)
|
||||||
if not module.check_mode:
|
if not current_policy:
|
||||||
|
module.fail_json(msg='Can\'t detect current policy')
|
||||||
|
|
||||||
|
changed = current_policy != module.params['policy']
|
||||||
|
args['changed'] = changed
|
||||||
|
if changed and not module.check_mode:
|
||||||
set_chain_policy(iptables_path, module, module.params)
|
set_chain_policy(iptables_path, module, module.params)
|
||||||
|
|
||||||
# Chain
|
|
||||||
else:
|
else:
|
||||||
insert = (module.params['action'] == 'insert')
|
insert = (module.params['action'] == 'insert')
|
||||||
rule_is_present = check_present(iptables_path, module, module.params)
|
rule_is_present = check_present(iptables_path, module, module.params)
|
||||||
|
@ -559,15 +580,33 @@ def main():
|
||||||
|
|
||||||
# Check if target is up to date
|
# Check if target is up to date
|
||||||
args['changed'] = (rule_is_present != should_be_present)
|
args['changed'] = (rule_is_present != should_be_present)
|
||||||
|
if args['changed'] is False:
|
||||||
|
# Target is already up to date
|
||||||
|
module.exit_json(**args)
|
||||||
|
|
||||||
if args['changed'] and not module.check_mode:
|
# Check only; don't modify
|
||||||
|
if not module.check_mode:
|
||||||
if should_be_present:
|
if should_be_present:
|
||||||
if insert:
|
if insert:
|
||||||
insert_rule(iptables_path, module, module.params)
|
insert_rule(iptables_path, module, module.params)
|
||||||
else:
|
else:
|
||||||
append_rule(iptables_path, module, module.params)
|
append_rule(iptables_path, module, module.params)
|
||||||
else:
|
else:
|
||||||
remove_rule(iptables_path, module, module.params)
|
insert = (module.params['action'] == 'insert')
|
||||||
|
rule_is_present = check_present(iptables_path, module, module.params)
|
||||||
|
should_be_present = (args['state'] == 'present')
|
||||||
|
|
||||||
|
# Check if target is up to date
|
||||||
|
args['changed'] = (rule_is_present != should_be_present)
|
||||||
|
|
||||||
|
if args['changed'] and not module.check_mode:
|
||||||
|
if should_be_present:
|
||||||
|
if insert:
|
||||||
|
insert_rule(iptables_path, module, module.params)
|
||||||
|
else:
|
||||||
|
append_rule(iptables_path, module, module.params)
|
||||||
|
else:
|
||||||
|
remove_rule(iptables_path, module, module.params)
|
||||||
|
|
||||||
module.exit_json(**args)
|
module.exit_json(**args)
|
||||||
|
|
||||||
|
|
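Review bot: `get_chain_policy` binds `rc` but never reads it, since `check_rc=True` already aborts the module on a non-zero exit; `_, out, _ = module.run_command(cmd, check_rc=True)` says what is meant. Listing with `-L` also prints every rule in the chain and, unless a numeric flag is pushed by `push_arguments` (not visible here), performs reverse DNS and service-name lookups just to read the header line, whereas `-S` prints the `-P CHAIN POLICY` line first with no resolution and would be worth considering if `push_arguments` accepts it. Whether the chain name is pushed into that listing command is also not visible; if it is not, the first output line belongs to the first chain in the table rather than `params['chain']`, and the comparison in main would be against the wrong chain's policy. A one-line docstring such as `"""Return the current policy of the configured chain, or None when no policy line is found."""` would help, since user-defined chains carry no policy and now make main fail with 'Can't detect current policy'. The `is True` test in the flush branch of main is a style point: the original truthiness check is the idiomatic form unless a non-bool value must deliberately be rejected.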