Squashed commit of the following:

commit f79beaa3b3b642c370552d63b0848195358bccd0
Author: James Cammarata <jimi@sngx.net>
Date:   Wed Jun 28 17:00:57 2017 -0500

    Add example for iptables using the policy option

commit 1a0f9debdb526bef9d8d469a84a8cc55ef68da03
Author: James Cammarata <jimi@sngx.net>
Date:   Wed Jun 28 16:59:52 2017 -0500

    Fix missing re import for iptables after merging #19476

commit 084479d21d
Author: Alexey Solodkiy <work@x1.by>
Date:   Sun Dec 18 12:07:05 2016 +0300

    fix #19476
This commit is contained in:
James Cammarata 2017-06-28 17:01:34 -05:00
parent 98fc54f02d
commit 4c72e98262


@ -346,8 +346,15 @@ EXAMPLES = '''
table: mangle table: mangle
set_dscp_mark_class: CS1 set_dscp_mark_class: CS1
protocol: tcp protocol: tcp
# Set the policy for the INPUT chain to DROP
- iptables:
chain: INPUT
policy: DROP
''' '''
import re
# import module snippets # import module snippets
from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.basic import AnsibleModule
@ -463,6 +470,16 @@ def set_chain_policy(iptables_path, module, params):
module.run_command(cmd, check_rc=True) module.run_command(cmd, check_rc=True)
def get_chain_policy(iptables_path, module, params):
cmd = push_arguments(iptables_path, '-L', params)
rc, out, _ = module.run_command(cmd, check_rc=True)
chain_header = out.split("\n")[0]
result = re.search(r'\(policy ([A-Z]+)\)', chain_header)
if result:
return result.group(1)
return None
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
supports_check_mode=True, supports_check_mode=True,
@ -540,18 +557,22 @@ def main():
module.fail_json( msg="Either chain or flush parameter must be specified.") module.fail_json( msg="Either chain or flush parameter must be specified.")
# Flush the table # Flush the table
if args['flush']: if args['flush'] is True:
args['changed'] = True args['changed'] = True
if not module.check_mode: if not module.check_mode:
flush_table(iptables_path, module, module.params) flush_table(iptables_path, module, module.params)
# Set the policy # Set the policy
elif module.params['policy']: elif module.params['policy']:
args['changed'] = True current_policy = get_chain_policy(iptables_path, module, module.params)
if not module.check_mode: if not current_policy:
module.fail_json(msg='Can\'t detect current policy')
changed = current_policy != module.params['policy']
args['changed'] = changed
if changed and not module.check_mode:
set_chain_policy(iptables_path, module, module.params) set_chain_policy(iptables_path, module, module.params)
# Chain
else: else:
insert = (module.params['action'] == 'insert') insert = (module.params['action'] == 'insert')
rule_is_present = check_present(iptables_path, module, module.params) rule_is_present = check_present(iptables_path, module, module.params)
@ -559,15 +580,33 @@ def main():
# Check if target is up to date # Check if target is up to date
args['changed'] = (rule_is_present != should_be_present) args['changed'] = (rule_is_present != should_be_present)
if args['changed'] is False:
# Target is already up to date
module.exit_json(**args)
if args['changed'] and not module.check_mode: # Check only; don't modify
if not module.check_mode:
if should_be_present: if should_be_present:
if insert: if insert:
insert_rule(iptables_path, module, module.params) insert_rule(iptables_path, module, module.params)
else: else:
append_rule(iptables_path, module, module.params) append_rule(iptables_path, module, module.params)
else: else:
remove_rule(iptables_path, module, module.params) insert = (module.params['action'] == 'insert')
rule_is_present = check_present(iptables_path, module, module.params)
should_be_present = (args['state'] == 'present')
# Check if target is up to date
args['changed'] = (rule_is_present != should_be_present)
if args['changed'] and not module.check_mode:
if should_be_present:
if insert:
insert_rule(iptables_path, module, module.params)
else:
append_rule(iptables_path, module, module.params)
else:
remove_rule(iptables_path, module, module.params)
module.exit_json(**args) module.exit_json(**args)
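Review bot: The new side of the last hunk (`@ -559,15 +580,33 @@`) repeats the whole rule-handling sequence — `insert = ...`, `rule_is_present = check_present(...)`, `should_be_present = ...`, `args['changed'] = ...` and the insert/append/remove branch — a second time immediately after the first copy, at L86–L98. If both copies sit at the same indentation inside the `else:` branch (the rendering drops indentation, so this is inferred from the hunk's 33-line new side), the second `check_present` runs after the rule has just been inserted or removed, recomputes `args['changed']` as False, and the module exits reporting no change although it modified the firewall; in check mode both copies agree, so the defect would only show in a real run. The second copy should simply be deleted so the branch ends with the first `remove_rule(...)` followed by `module.exit_json(**args)`. Separately, in `get_chain_policy` the listing runs `-L` without `-n`, so iptables performs reverse DNS lookups on every address in the chain just to read the `(policy ...)` header line; `cmd.append('-n')` after the `push_arguments` call avoids that, and since `rc` is never read there, `_, out, _ = module.run_command(cmd, check_rc=True)` is clearer. `main()` starts before this hunk.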