Merge pull request #29718 from thusoy/issue-29423

Support match-sets in iptables module
2024-11-07 08:58:59 +00:00 · 2015-12-16 07:48:18 -07:00 · 2015-12-16 07:48:18 -07:00 · aab929d196
commit aab929d196
parent 2b9e74554c 387ac2ce5e
2 changed files with 33 additions and 0 deletions
--- a/salt/modules/iptables.py
+++ b/salt/modules/iptables.py
@ -15,6 +15,7 @@ import string
 import salt.utils
 from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS
 from salt.exceptions import SaltException
 from salt.ext import six
 import logging
 log = logging.getLogger(__name__)
@ -220,6 +221,17 @@ def build_rule(table='filter', chain=None, command=None, position='', full=None,
                rule.append('--name {0}'.format(kwargs['name']))
        del kwargs['match']
    if 'match-set' in kwargs:
        if isinstance(kwargs['match-set'], six.string_types):
            kwargs['match-set'] = [kwargs['match-set']]
        for match_set in kwargs['match-set']:
            negative_match_set = ''
            if match_set.startswith('!') or match_set.startswith('not'):
                negative_match_set = '! '
                match_set = re.sub(bang_not_pat, '', match_set)
            rule.append('-m set {0}--match-set {1}'.format(negative_match_set, match_set))
        del kwargs['match-set']
    if 'connstate' in kwargs:
        if '-m state' not in rule:
            rule.append('-m state')
--- a/tests/unit/modules/iptables_test.py
+++ b/tests/unit/modules/iptables_test.py
@ -130,6 +130,27 @@ class IptablesTestCase(TestCase):
                                             **{'new': ''}),
                         '--jump CLUSTERIP --new ')
        # should build match-sets with single string
        self.assertEqual(iptables.build_rule(**{'match-set': 'src flag1,flag2'}),
                         '-m set --match-set src flag1,flag2')
        # should build match-sets as list
        match_sets = ['src1 flag1',
                      'src2 flag2,flag3',
                     ]
        self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
                         '-m set --match-set src1 flag1 -m set --match-set src2 flag2,flag3')
        # should handle negations for string match-sets
        self.assertEqual(iptables.build_rule(**{'match-set': '!src flag'}),
                         '-m set ! --match-set src flag')
        # should handle negations for list match-sets
        match_sets = ['src1 flag',
                      'not src2 flag2']
        self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
                         '-m set --match-set src1 flag -m set ! --match-set src2 flag2')
        # Should allow the --save jump option to CONNSECMARK
        #self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
        #                                     **{'save': ''}),