Do not join flag parameters in iptables module (#36658)

* Do not join flag parameters This put a comma between every character of the tcp flag parameters, resulting in a bad iptables command. Fixes #36490 * Use suboptions to ensure tcp_flags options are lists * Add unit tests for tcp_flags * Add example of how to use tcp_flags
2025-04-26 20:31:27 -07:00 · 2018-05-17 13:53:51 -04:00 · 2018-05-17 13:53:51 -04:00 · c9d3bb59a4
commit c9d3bb59a4
parent 13aff08748
2 changed files with 85 additions and 5 deletions
--- a/lib/ansible/modules/system/iptables.py
+++ b/lib/ansible/modules/system/iptables.py
@ -106,11 +106,15 @@ options:
    description:
      - TCP flags specification.
      - C(tcp_flags) expects a dict with the two keys C(flags) and C(flags_set).
-        - The C(flags) list is the mask, a list of flags you want to examine.
-        - The C(flags_set) list tells which one(s) should be set.
-        If one of the two values is missing, the --tcp-flags option will be ignored.
    default: {}
    version_added: "2.4"
+    suboptions:
+        flags:
+            description:
+                - List of flags you want to examine.
+        flags_set:
+            description:
+                - Flags to be set.
  match:
    description:
      - Specifies a match to use, that is, an extension module that tests for
@ -342,6 +346,19 @@ EXAMPLES = '''
    protocol: tcp
    reject_with: tcp-reset
    ip_version: ipv4
+
+# Set tcp flags
+- iptables:
+    chain: OUTPUT
+    jump: DROP
+    protocol: tcp
+    tcp_flags:
+      flags: ALL
+      flags_set:
+        - ACK
+        - RST
+        - SYN
+        - FIN
 '''

 import re
@ -521,7 +538,11 @@ def main():
            destination=dict(type='str'),
            to_destination=dict(type='str'),
            match=dict(type='list', default=[]),
-            tcp_flags=dict(type='dict', default={}),
+            tcp_flags=dict(type='dict',
+                           options=dict(
+                                flags=dict(type='list'),
+                                flags_set=dict(type='list'))
+                           ),
            jump=dict(type='str'),
            log_prefix=dict(type='str'),
            goto=dict(type='str'),
@ -608,5 +629,6 @@ def main():

    module.exit_json(**args)

+
 if __name__ == '__main__':
    main()