Changes to iptables state and module.

Added flush and set policy to iptables state. Added a -if option to specify interface mainly to allow traffic over lo. Also added in sport so OUTPUT policy can be set to DROP and have more control over the rule.
2024-11-08 01:18:58 +00:00 · 2013-10-25 11:16:24 +01:00 · 2013-10-25 11:16:24 +01:00 · 3756f12a10
commit 3756f12a10
parent 8f5e0245dd
2 changed files with 67 additions and 5 deletions
--- a/salt/modules/iptables.py
+++ b/salt/modules/iptables.py
@ -87,6 +87,10 @@ def build_rule(table=None, chain=None, command=None, position='', full=None,

    rule = ''

+    if 'if' in kwargs:
+        rule += '-i {0} '.format(kwargs['if'])
+        del kwargs['if']
+
    if 'proto' in kwargs:
        rule += '-p {0} '.format(kwargs['proto'])

@ -98,17 +102,24 @@ def build_rule(table=None, chain=None, command=None, position='', full=None,
        del kwargs['state']

    if 'connstate' in kwargs:
-        rule += '--state {0} -m {1} '.format(kwargs['connstate'], kwargs['proto'])
-    del kwargs['connstate']
-    del kwargs['proto']
+        rule += '--state {0} '.format(kwargs['connstate'])
+        del kwargs['connstate']
+
+    if 'proto' in kwargs:
+        rule += '-m {0} '.format(kwargs['proto'])
+        del kwargs['proto']

    if 'dport' in kwargs:
        rule += '--dport {0} '.format(kwargs['dport'])
-    del kwargs['dport']
+        del kwargs['dport']
+
+    if 'sport' in kwargs:
+        rule += '--sport {0} '.format(kwargs['sport'])
+        del kwargs['sport']

    if 'jump' in kwargs:
        kwargs['j'] = kwargs['jump']
-    del kwargs['jump']
+        del kwargs['jump']

    for item in kwargs:
        if len(item) == 1:
--- a/salt/states/iptables.py
+++ b/salt/states/iptables.py
@ -80,3 +80,54 @@ def append(name, **kwargs):
        ret['result'] = False
        ret['comment'] = 'Failed to set iptables rule for {0}'.format(name)
        return ret
+
+def set_policy(name, **kwargs):
+    '''Sets policy for iptables firewall tables'''
+    ret = {'name': name,
+        'changes': {},
+        'result': None,
+        'comment': ''}
+    
+    for ignore in "__env__",  "__sls__", "order":
+        if ignore in kwargs:
+            del kwargs[ignore]
+
+    if __salt__['iptables.get_policy'](kwargs['table'],kwargs['chain'])==kwargs['policy']:
+        ret['result']=True
+        ret['comment']='iptables default policy for {0} already set to {1}'.format(kwargs['table'],kwargs['policy'])
+        return ret
+
+    if not __salt__['iptables.set_policy'](kwargs['table'],kwargs['chain'],kwargs['policy']):
+        ret['changes'] = {'locale': name}
+        ret['result'] = True
+        ret['comment'] = 'Set default policy for {0} to {1}'.format(kwargs['chain'],kwargs['policy'])
+        return ret
+    else:
+        ret['result'] = False
+        ret['comment'] = 'Failed to set iptables default policy'
+        return ret
+
+def flush(name,**kwargs):
+    '''Flush current iptables state'''
+    ret = {'name': name,
+        'changes': {},
+        'result': None,
+        'comment': ''}
+
+    for ignore in "__env__",  "__sls__", "order":
+        if ignore in kwargs:
+            del kwargs[ignore]
+
+    if not __salt__['iptables.flush'](kwargs['table']):
+        ret['changes'] = {'locale': name}
+        ret['result'] = True
+        ret['comment'] = 'Flush iptables rules in {0}'.format(kwargs['table'])
+        return ret
+    else:
+        ret['result'] = False
+        ret['comment'] = 'Failed to flush iptables rules'
+        return ret
+
+
+
+