Merge pull request #29718 from thusoy/issue-29423

Support match-sets in iptables module
2024-11-07 08:58:59 +00:00 · 2015-12-16 07:48:18 -07:00 · 2015-12-16 07:48:18 -07:00 · aab929d196
commit aab929d196
parent 2b9e74554c 387ac2ce5e
2 changed files with 33 additions and 0 deletions
--- a/salt/modules/iptables.py
+++ b/salt/modules/iptables.py
@ -15,6 +15,7 @@ import string
 import salt.utils
 from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS
 from salt.exceptions import SaltException
+from salt.ext import six

 import logging
 log = logging.getLogger(__name__)
@ -220,6 +221,17 @@ def build_rule(table='filter', chain=None, command=None, position='', full=None,
                rule.append('--name {0}'.format(kwargs['name']))
        del kwargs['match']

+    if 'match-set' in kwargs:
+        if isinstance(kwargs['match-set'], six.string_types):
+            kwargs['match-set'] = [kwargs['match-set']]
+        for match_set in kwargs['match-set']:
+            negative_match_set = ''
+            if match_set.startswith('!') or match_set.startswith('not'):
+                negative_match_set = '! '
+                match_set = re.sub(bang_not_pat, '', match_set)
+            rule.append('-m set {0}--match-set {1}'.format(negative_match_set, match_set))
+        del kwargs['match-set']
+
    if 'connstate' in kwargs:
        if '-m state' not in rule:
            rule.append('-m state')
--- a/tests/unit/modules/iptables_test.py
+++ b/tests/unit/modules/iptables_test.py
@ -130,6 +130,27 @@ class IptablesTestCase(TestCase):
                                             **{'new': ''}),
                         '--jump CLUSTERIP --new ')

+        # should build match-sets with single string
+        self.assertEqual(iptables.build_rule(**{'match-set': 'src flag1,flag2'}),
+                         '-m set --match-set src flag1,flag2')
+
+        # should build match-sets as list
+        match_sets = ['src1 flag1',
+                      'src2 flag2,flag3',
+                     ]
+        self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
+                         '-m set --match-set src1 flag1 -m set --match-set src2 flag2,flag3')
+
+        # should handle negations for string match-sets
+        self.assertEqual(iptables.build_rule(**{'match-set': '!src flag'}),
+                         '-m set ! --match-set src flag')
+
+        # should handle negations for list match-sets
+        match_sets = ['src1 flag',
+                      'not src2 flag2']
+        self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
+                         '-m set --match-set src1 flag -m set ! --match-set src2 flag2')
+
        # Should allow the --save jump option to CONNSECMARK
        #self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
        #                                     **{'save': ''}),