iptables: support wait parameter (#47877)

Version 1.4.20 doesn't support 'wait' at all Version 1.6.0 requires an argument for it
2019-10-19 18:57:45 +02:00 · 2019-10-19 18:57:45 +02:00 · 8f843bbaa5
commit 8f843bbaa5
parent 3f0479279e
2 changed files with 79 additions and 0 deletions
--- a/lib/ansible/modules/system/iptables.py
+++ b/lib/ansible/modules/system/iptables.py
@ -335,6 +335,12 @@ options:
    type: str
    choices: [ ACCEPT, DROP, QUEUE, RETURN ]
    version_added: "2.2"
+  wait:
+    description:
+      - Wait N seconds for the xtables lock to prevent multiple instances of
+        the program from running concurrently.
+    type: str
+    version_added: "2.10"
 '''

 EXAMPLES = r'''
@ -458,9 +464,15 @@ EXAMPLES = r'''

 import re

+from distutils.version import LooseVersion
+
 from ansible.module_utils.basic import AnsibleModule


+IPTABLES_WAIT_SUPPORT_ADDED = '1.4.20'
+
+IPTABLES_WAIT_WITH_SECONDS_SUPPORT_ADDED = '1.6.0'
+
 BINS = dict(
    ipv4='iptables',
    ipv6='ip6tables',
@ -512,8 +524,14 @@ def append_jump(rule, param, jump):
        rule.extend(['-j', jump])


+def append_wait(rule, param, flag):
+    if param:
+        rule.extend([flag, param])
+
+
 def construct_rule(params):
    rule = []
+    append_wait(rule, params['wait'], '-w')
    append_param(rule, params['protocol'], '-p', False)
    append_param(rule, params['source'], '-s', False)
    append_param(rule, params['destination'], '-d', False)
@ -630,6 +648,12 @@ def get_chain_policy(iptables_path, module, params):
    return None


+def get_iptables_version(iptables_path, module):
+    cmd = [iptables_path, '--version']
+    rc, out, _ = module.run_command(cmd, check_rc=True)
+    return out.split('v')[1].rstrip('\n')
+
+
 def main():
    module = AnsibleModule(
        supports_check_mode=True,
@ -641,6 +665,7 @@ def main():
            chain=dict(type='str'),
            rule_num=dict(type='str'),
            protocol=dict(type='str'),
+            wait=dict(type='str'),
            source=dict(type='str'),
            to_source=dict(type='str'),
            destination=dict(type='str'),
@ -717,6 +742,15 @@ def main():
        elif module.params['jump'] != 'LOG':
            module.fail_json(msg="Logging options can only be used with the LOG jump target.")

+    # Check if wait option is supported
+    iptables_version = LooseVersion(get_iptables_version(iptables_path, module))
+
+    if iptables_version >= LooseVersion(IPTABLES_WAIT_SUPPORT_ADDED):
+        if iptables_version < LooseVersion(IPTABLES_WAIT_WITH_SECONDS_SUPPORT_ADDED):
+            module.params['wait'] = ''
+    else:
+        module.params['wait'] = None
+
    # Flush the table
    if args['flush'] is True:
        args['changed'] = True
--- a/test/units/modules/system/test_iptables.py
+++ b/test/units/modules/system/test_iptables.py
@ -8,6 +8,10 @@ def get_bin_path(*args, **kwargs):
    return "/sbin/iptables"


+def get_iptables_version(iptables_path, module):
+    return "1.8.2"
+
+
 class TestIptables(ModuleTestCase):

    def setUp(self):
@ -15,6 +19,9 @@ class TestIptables(ModuleTestCase):
        self.mock_get_bin_path = patch.object(basic.AnsibleModule, 'get_bin_path', get_bin_path)
        self.mock_get_bin_path.start()
        self.addCleanup(self.mock_get_bin_path.stop)  # ensure that the patching is 'undone'
+        self.mock_get_iptables_version = patch.object(iptables, 'get_iptables_version', get_iptables_version)
+        self.mock_get_iptables_version.start()
+        self.addCleanup(self.mock_get_iptables_version.stop)  # ensure that the patching is 'undone'

    def test_without_required_parameters(self):
        """Failure must occurs when all parameters are missing"""
@ -828,3 +835,41 @@ class TestIptables(ModuleTestCase):
            '--dst-range',
            '10.0.0.50-10.0.0.100'
        ])
+
+    def test_insert_rule_with_wait(self):
+        """Test flush without parameters"""
+        set_module_args({
+            'chain': 'OUTPUT',
+            'source': '1.2.3.4/32',
+            'destination': '7.8.9.10/42',
+            'jump': 'ACCEPT',
+            'action': 'insert',
+            'wait': '10'
+        })
+
+        commands_results = [
+            (0, '', ''),
+        ]
+
+        with patch.object(basic.AnsibleModule, 'run_command') as run_command:
+            run_command.side_effect = commands_results
+            with self.assertRaises(AnsibleExitJson) as result:
+                iptables.main()
+                self.assertTrue(result.exception.args[0]['changed'])
+
+        self.assertEqual(run_command.call_count, 1)
+        self.assertEqual(run_command.call_args_list[0][0][0], [
+            '/sbin/iptables',
+            '-t',
+            'filter',
+            '-C',
+            'OUTPUT',
+            '-w',
+            '10',
+            '-s',
+            '1.2.3.4/32',
+            '-d',
+            '7.8.9.10/42',
+            '-j',
+            'ACCEPT'
+        ])