Merge pull request #11771 from garethgreenaway/develop

Updating the iptables module to allow specifying states as a list in additional to a comma delimited string

salt/modules/iptables.py

@@ -132,9 +132,13 @@ def build_rule(table=None, chain=None, command=None, position='', full=None, fam
         rule += '-p {0} '.format(kwargs['proto'])
 
     if 'match' in kwargs:
-        kwargs['match'].replace(' ', '')
-        for match in kwargs['match'].split(','):
-            rule += '-m {0} '.format(match)
+        if isinstance(kwargs['match'], list):
+            for match in kwargs['match']:
+                rule += '-m {0} '.format(match)
+        else:
+            kwargs['match'].replace(' ', '')
+            for match in kwargs['match'].split(','):
+                rule += '-m {0} '.format(match)
         del kwargs['match']
 
     if 'state' in kwargs:
@@ -168,6 +172,10 @@ def build_rule(table=None, chain=None, command=None, position='', full=None, fam
         rule += '--sports {0} '.format(kwargs['sports'])
         del kwargs['sports']
 
+    if 'comment' in kwargs:
+        rule += '--comment "{0}" '.format(kwargs['comment'])
+        del kwargs['comment']
+
     # Jumps should appear last, except for any arguments that are passed to
     # jumps, which of course need to follow.
     after_jump = []

salt/states/iptables.py

@@ -21,6 +21,21 @@ at some point be deprecated in favor of a more generic `firewall` state.
         - sport: 1025:65535
         - save: True
 
+    httpd:
+      iptables.append:
+        - table: filter
+        - chain: INPUT
+        - jump: ACCEPT
+        - match:
+            - state
+            - comment
+        - comment: "Allow HTTP"
+        - connstate: NEW
+        - dport: 80
+        - proto: tcp
+        - sport: 1025:65535
+        - save: True
+
     httpd:
       iptables.append:
         - table: filter