Iptables unit tests (#30762)

* Add some tests for iptables * Fix remove bug (calls 2 times check to remove a chain) * Add me as maintainer * Fix PEP8 * Doc: Give more information on issue #18988 * Fix #18988 and test it * Fix doc (thanks Pillou) * enable PEP8 check for iptables
2025-04-25 20:01:25 -07:00 · 2017-11-01 12:08:57 +01:00 · 2017-11-01 12:08:57 +01:00 · bc4ba6b638
commit bc4ba6b638
parent 1068aa3ce7
3 changed files with 628 additions and 19 deletions
--- a/lib/ansible/modules/system/iptables.py
+++ b/lib/ansible/modules/system/iptables.py
@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 #
 # Copyright: (c) 2015, Linus Unnebäck <linus@folkdatorn.se>
+# Copyright: (c) 2017, Sébastien DA ROCHA <sebastien@da-rocha.net>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

 from __future__ import absolute_import, division, print_function
@ -18,6 +19,7 @@ short_description: Modify the systems iptables
 version_added: "2.0"
 author:
 - Linus Unnebäck (@LinusU) <linus@folkdatorn.se>
+- Sébastien DA ROCHA (@sebastiendarocha)
 description:
  - Iptables is used to set up, maintain, and inspect the tables of IP packet
    filter rules in the Linux kernel.
@ -235,7 +237,8 @@ options:
    version_added: "2.1"
  reject_with:
    description:
-      - Specifies the error packet type to return while rejecting.
+      - 'Specifies the error packet type to return while rejecting. It implies
+        "jump: REJECT"'
    version_added: "2.1"
  icmp_type:
    description:
@ -317,6 +320,13 @@ EXAMPLES = '''
 - iptables:
    chain: INPUT
    policy: DROP
+
+# Reject tcp with tcp-reset
+- iptables:
+    chain: INPUT
+    protocol: tcp
+    reject_with: tcp-reset
+    ip_version: ipv4
 '''

 import re
@ -346,11 +356,13 @@ def append_param(rule, param, flag, is_list):
            else:
                rule.extend([flag, param])

+
 def append_tcp_flags(rule, param, flag):
    if param:
        if 'flags' in param and 'flags_set' in param:
            rule.extend([flag, ','.join(param['flags']), ','.join(param['flags_set'])])

+
 def append_match_flag(rule, param, flag, negatable):
    if param == 'match':
        rule.extend([flag])
@ -413,7 +425,8 @@ def construct_rule(params):
    append_param(rule, params['limit_burst'], '--limit-burst', False)
    append_match(rule, params['uid_owner'], 'owner')
    append_param(rule, params['uid_owner'], '--uid-owner', False)
-    append_jump(rule, params['reject_with'], 'REJECT')
+    if params['jump'] is None:
+        append_jump(rule, params['reject_with'], 'REJECT')
    append_param(rule, params['reject_with'], '--reject-with', False)
    append_param(
        rule,
@ -534,7 +547,7 @@ def main():

    # Check if chain option is required
    if args['flush'] is False and args['chain'] is None:
-        module.fail_json( msg="Either chain or flush parameter must be specified.")
+        module.fail_json(msg="Either chain or flush parameter must be specified.")

    # Flush the table
    if args['flush'] is True:
@ -572,21 +585,7 @@ def main():
                else:
                    append_rule(iptables_path, module, module.params)
            else:
-                insert = (module.params['action'] == 'insert')
-                rule_is_present = check_present(iptables_path, module, module.params)
-                should_be_present = (args['state'] == 'present')
-
-                # Check if target is up to date
-                args['changed'] = (rule_is_present != should_be_present)
-
-                if args['changed'] and not module.check_mode:
-                    if should_be_present:
-                        if insert:
-                            insert_rule(iptables_path, module, module.params)
-                        else:
-                            append_rule(iptables_path, module, module.params)
-                    else:
-                        remove_rule(iptables_path, module, module.params)
+                remove_rule(iptables_path, module, module.params)

    module.exit_json(**args)