mirror of
https://github.com/valitydev/salt.git
synced 2024-11-07 08:58:59 +00:00
Merge pull request #29718 from thusoy/issue-29423
Support match-sets in iptables module
commit
aab929d196
@ -15,6 +15,7 @@ import string
|
||||
import salt.utils
|
||||
from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS
|
||||
from salt.exceptions import SaltException
|
||||
from salt.ext import six
|
||||
|
||||
import logging
|
||||
log = logging.getLogger(__name__)
|
||||
@ -220,6 +221,17 @@ def build_rule(table='filter', chain=None, command=None, position='', full=None,
|
||||
rule.append('--name {0}'.format(kwargs['name']))
|
||||
del kwargs['match']
|
||||
|
||||
if 'match-set' in kwargs:
|
||||
if isinstance(kwargs['match-set'], six.string_types):
|
||||
kwargs['match-set'] = [kwargs['match-set']]
|
||||
for match_set in kwargs['match-set']:
|
||||
negative_match_set = ''
|
||||
if match_set.startswith('!') or match_set.startswith('not'):
|
||||
negative_match_set = '! '
|
||||
match_set = re.sub(bang_not_pat, '', match_set)
|
||||
rule.append('-m set {0}--match-set {1}'.format(negative_match_set, match_set))
|
||||
del kwargs['match-set']
|
||||
|
||||
if 'connstate' in kwargs:
|
||||
if '-m state' not in rule:
|
||||
rule.append('-m state')
|
||||
|
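Review bot: The negation check `match_set.startswith('not')` in the new match-set loop requires no separator, so an ipset whose name merely begins with "not" (constructed example: `notrusted src`) is treated as negated and the rule's meaning is silently inverted. Requiring a delimiter, e.g. `if match_set.startswith('!') or match_set.startswith('not '):`, would avoid that. What `re.sub(bang_not_pat, '', match_set)` then strips depends on `bang_not_pat`, which is defined outside this hunk; if that pattern is unanchored, the call removes every occurrence in the string rather than only the leading one, so `count=1` or an anchored pattern is worth considering. The added tests only pin `!src flag` and `not src2 flag2`, so neither case is covered. The set name and flags are also formatted into the rule without validation, and `build_rule` starts and ends outside the hunk, so if the built string later reaches a shell (not visible here) a check against a conservative character set belongs at this point.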
@ -130,6 +130,27 @@ class IptablesTestCase(TestCase):
|
||||
**{'new': ''}),
|
||||
'--jump CLUSTERIP --new ')
|
||||
|
||||
# should build match-sets with single string
|
||||
self.assertEqual(iptables.build_rule(**{'match-set': 'src flag1,flag2'}),
|
||||
'-m set --match-set src flag1,flag2')
|
||||
|
||||
# should build match-sets as list
|
||||
match_sets = ['src1 flag1',
|
||||
'src2 flag2,flag3',
|
||||
]
|
||||
self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
|
||||
'-m set --match-set src1 flag1 -m set --match-set src2 flag2,flag3')
|
||||
|
||||
# should handle negations for string match-sets
|
||||
self.assertEqual(iptables.build_rule(**{'match-set': '!src flag'}),
|
||||
'-m set ! --match-set src flag')
|
||||
|
||||
# should handle negations for list match-sets
|
||||
match_sets = ['src1 flag',
|
||||
'not src2 flag2']
|
||||
self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
|
||||
'-m set --match-set src1 flag -m set ! --match-set src2 flag2')
|
||||
|
||||
# Should allow the --save jump option to CONNSECMARK
|
||||
#self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
|
||||
# **{'save': ''}),
|
||||
|