iptables: Add support for gateway parameter (#53465)

When the user sets jump to 'TEE', iptables requires a --gateway argument.
This fix adds a new 'gateway' parameter to the module to support that target.

Fixes: #53170

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Abhijeet Kasurde 2019-03-13 17:47:44 +05:30 committed by GitHub
parent 4cab425618
commit f0ef4dae05
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 73 additions and 0 deletions


@ -0,0 +1,2 @@
minor_changes:
- Added support for gateway parameter in iptables module (https://github.com/ansible/ansible/issues/53170).


@ -145,6 +145,12 @@ options:
is not used), then matching the rule will have no effect on the is not used), then matching the rule will have no effect on the
packet's fate, but the counters on the rule will be incremented. packet's fate, but the counters on the rule will be incremented.
type: str type: str
gateway:
description:
- This specifies the IP address of host to send the cloned packets.
- This option is only valid when C(jump) is set to C(TEE).
type: str
version_added: "2.8"
log_prefix: log_prefix:
description: description:
- Specifies a log text for the rule. Only make sense with a LOG jump. - Specifies a log text for the rule. Only make sense with a LOG jump.
@ -473,6 +479,8 @@ def construct_rule(params):
append_param(rule, params['match'], '-m', True) append_param(rule, params['match'], '-m', True)
append_tcp_flags(rule, params['tcp_flags'], '--tcp-flags') append_tcp_flags(rule, params['tcp_flags'], '--tcp-flags')
append_param(rule, params['jump'], '-j', False) append_param(rule, params['jump'], '-j', False)
if params.get('jump') and params['jump'].lower() == 'tee':
append_param(rule, params['gateway'], '--gateway', False)
append_param(rule, params['log_prefix'], '--log-prefix', False) append_param(rule, params['log_prefix'], '--log-prefix', False)
append_param(rule, params['to_destination'], '--to-destination', False) append_param(rule, params['to_destination'], '--to-destination', False)
append_param(rule, params['to_source'], '--to-source', False) append_param(rule, params['to_source'], '--to-source', False)
@ -592,6 +600,7 @@ def main():
flags_set=dict(type='list')) flags_set=dict(type='list'))
), ),
jump=dict(type='str'), jump=dict(type='str'),
gateway=dict(type='str'),
log_prefix=dict(type='str'), log_prefix=dict(type='str'),
goto=dict(type='str'), goto=dict(type='str'),
in_interface=dict(type='str'), in_interface=dict(type='str'),
@ -618,6 +627,10 @@ def main():
['set_dscp_mark', 'set_dscp_mark_class'], ['set_dscp_mark', 'set_dscp_mark_class'],
['flush', 'policy'], ['flush', 'policy'],
), ),
required_if=[
['jump', 'TEE', ['gateway']],
['jump', 'tee', ['gateway']],
]
) )
args = dict( args = dict(
changed=False, changed=False,
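Review bot: The `required_if` entries only match the literal strings `TEE` and `tee`, while `construct_rule` matches the target case-insensitively via `params['jump'].lower() == 'tee'`, so a play with `jump: Tee` and no `gateway` passes the module's validation and (presumably, since `append_param` seems to skip unset values like the other optional flags) ends up invoking iptables with `-j Tee` and no `--gateway`, failing only at the iptables call. The reverse gap is also unhandled: a `gateway` supplied with any other `jump` is silently dropped by the `if` guard in `construct_rule` and nothing in these hunks rejects it, so the rule that lands on the host is not the rule the play describes — for a target that clones matched packets to another host that is worth failing loudly on rather than ignoring. I would validate both directions once in `main()` with the same normalization `construct_rule` uses, replacing the two `required_if` entries; `main()` continues outside this hunk.
```python
    module = AnsibleModule(
        # … unchanged: argument_spec, supports_check_mode, mutually_exclusive …
    )
    # TEE is the only target that takes --gateway; normalise the same way
    # construct_rule does so validation and command construction cannot disagree.
    jump = (module.params['jump'] or '').lower()
    if jump == 'tee' and not module.params['gateway']:
        module.fail_json(msg='jump is TEE but all of the following are missing: gateway')
    if module.params['gateway'] and jump != 'tee':
        module.fail_json(msg='gateway is only valid when jump is TEE')
```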


@ -578,6 +578,64 @@ class TestIptables(ModuleTestCase):
'tcp-reset', 'tcp-reset',
]) ])
def test_jump_tee_gateway_negative(self):
""" Missing gateway when JUMP is set to TEE """
set_module_args({
'table': 'mangle',
'chain': 'PREROUTING',
'in_interface': 'eth0',
'protocol': 'udp',
'match': 'state',
'jump': 'TEE',
'ctstate': ['NEW'],
'destination_port': '9521',
'destination': '127.0.0.1'
})
with self.assertRaises(AnsibleFailJson) as e:
iptables.main()
self.assertTrue(e.exception.args[0]['failed'])
self.assertEqual(e.exception.args[0]['msg'], 'jump is TEE but all of the following are missing: gateway')
def test_jump_tee_gateway(self):
""" Using gateway when JUMP is set to TEE """
set_module_args({
'table': 'mangle',
'chain': 'PREROUTING',
'in_interface': 'eth0',
'protocol': 'udp',
'match': 'state',
'jump': 'TEE',
'ctstate': ['NEW'],
'destination_port': '9521',
'gateway': '192.168.10.1',
'destination': '127.0.0.1'
})
commands_results = [
(0, '', ''),
]
with patch.object(basic.AnsibleModule, 'run_command') as run_command:
run_command.side_effect = commands_results
with self.assertRaises(AnsibleExitJson) as result:
iptables.main()
self.assertTrue(result.exception.args[0]['changed'])
self.assertEqual(run_command.call_count, 1)
self.assertEqual(run_command.call_args_list[0][0][0], [
'/sbin/iptables',
'-t', 'mangle',
'-C', 'PREROUTING',
'-p', 'udp',
'-d', '127.0.0.1',
'-m', 'state',
'-j', 'TEE',
'--gateway', '192.168.10.1',
'-i', 'eth0',
'--destination-port', '9521',
'--state', 'NEW'
])
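Review bot: `test_jump_tee_gateway_negative` only exercises the exact spelling `TEE`, so it does not cover the casing that `construct_rule` otherwise accepts; a second negative case with `'jump': 'Tee'` and no gateway would document whether the module is expected to reject it or let iptables fail, and a case with `gateway` set alongside a non-TEE jump would pin whether the value is meant to be ignored. Both tests would also benefit from a `# TEE clones matched packets to the gateway host` comment on the `'jump': 'TEE'` line, since the intent of the fixture is not obvious from the argument list alone. `TestIptables` starts outside this hunk.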
def test_tcp_flags(self): def test_tcp_flags(self):
""" Test various ways of inputting tcp_flags """ """ Test various ways of inputting tcp_flags """
args = [ args = [