iptables - set jump to DSCP when set_dscp_mark or set_dscp_mark_class is set (#82145)

set_dscp_mark and set_dscp_mark_class are only valid when jump is set to
DSCP.

Fixes: #77077

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
pull/82202/head
Abhijeet Kasurde 1 year ago committed by GitHub
parent 567c78f9a1
commit 40baf5eace
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,3 @@
---
bugfixes:
- iptables - set jump to DSCP when set_dscp_mark or set_dscp_mark_class is set (https://github.com/ansible/ansible/issues/77077).

@ -37,7 +37,7 @@ notes:
options: options:
table: table:
description: description:
- This option specifies the packet matching table which the command should operate on. - This option specifies the packet matching table on which the command should operate.
- If the kernel is configured with automatic module loading, an attempt will be made - If the kernel is configured with automatic module loading, an attempt will be made
to load the appropriate module for that table if it is not already there. to load the appropriate module for that table if it is not already there.
type: str type: str
@ -133,9 +133,9 @@ options:
description: description:
- Specifies a match to use, that is, an extension module that tests for - Specifies a match to use, that is, an extension module that tests for
a specific property. a specific property.
- The set of matches make up the condition under which a target is invoked. - The set of matches makes up the condition under which a target is invoked.
- Matches are evaluated first to last if specified as an array and work in short-circuit - Matches are evaluated first to last if specified as an array and work in short-circuit
fashion, i.e. if one extension yields false, evaluation will stop. fashion, i.e. if one extension yields false, the evaluation will stop.
type: list type: list
elements: str elements: str
default: [] default: []
@ -143,7 +143,7 @@ options:
description: description:
- This specifies the target of the rule; i.e., what to do if the packet matches it. - This specifies the target of the rule; i.e., what to do if the packet matches it.
- The target can be a user-defined chain (other than the one - The target can be a user-defined chain (other than the one
this rule is in), one of the special builtin targets which decide the this rule is in), one of the special builtin targets that decide the
fate of the packet immediately, or an extension (see EXTENSIONS fate of the packet immediately, or an extension (see EXTENSIONS
below). below).
- If this option is omitted in a rule (and the goto parameter - If this option is omitted in a rule (and the goto parameter
@ -152,13 +152,13 @@ options:
type: str type: str
gateway: gateway:
description: description:
- This specifies the IP address of host to send the cloned packets. - This specifies the IP address of the host to send the cloned packets.
- This option is only valid when O(jump) is set to V(TEE). - This option is only valid when O(jump) is set to V(TEE).
type: str type: str
version_added: "2.8" version_added: "2.8"
log_prefix: log_prefix:
description: description:
- Specifies a log text for the rule. Only make sense with a LOG jump. - Specifies a log text for the rule. Only makes sense with a LOG jump.
type: str type: str
version_added: "2.5" version_added: "2.5"
log_level: log_level:
@ -171,7 +171,7 @@ options:
choices: [ '0', '1', '2', '3', '4', '5', '6', '7', 'emerg', 'alert', 'crit', 'error', 'warning', 'notice', 'info', 'debug' ] choices: [ '0', '1', '2', '3', '4', '5', '6', '7', 'emerg', 'alert', 'crit', 'error', 'warning', 'notice', 'info', 'debug' ]
goto: goto:
description: description:
- This specifies that the processing should continue in a user specified chain. - This specifies that the processing should continue in a user-specified chain.
- Unlike the jump argument return will not continue processing in - Unlike the jump argument return will not continue processing in
this chain but instead in the chain that called us via jump. this chain but instead in the chain that called us via jump.
type: str type: str
@ -199,7 +199,7 @@ options:
of fragmented packets. of fragmented packets.
- Since there is no way to tell the source or destination ports of such - Since there is no way to tell the source or destination ports of such
a packet (or ICMP type), such a packet will not match any rules which specify them. a packet (or ICMP type), such a packet will not match any rules which specify them.
- When the "!" argument precedes fragment argument, the rule will only match head fragments, - When the "!" argument precedes the fragment argument, the rule will only match head fragments,
or unfragmented packets. or unfragmented packets.
type: str type: str
set_counters: set_counters:
@ -265,6 +265,7 @@ options:
description: description:
- This allows specifying a DSCP mark to be added to packets. - This allows specifying a DSCP mark to be added to packets.
It takes either an integer or hex value. It takes either an integer or hex value.
- If the parameter is set, O(jump) is set to V(DSCP).
- Mutually exclusive with O(set_dscp_mark_class). - Mutually exclusive with O(set_dscp_mark_class).
type: str type: str
version_added: "2.1" version_added: "2.1"
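Review bot: the new sentence "If the parameter is set, O(jump) is set to V(DSCP)." describes an automatic default, but the required_by added in main() makes O(jump) mandatory whenever set_dscp_mark is given, so a user who omits jump gets a missing-parameter error rather than a DSCP target. State the actual contract, e.g. "- Requires O(jump) to be set to V(DSCP)." The same sentence is added under set_dscp_mark_class in the next hunk and needs the same wording.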
@ -272,6 +273,7 @@ options:
description: description:
- This allows specifying a predefined DiffServ class which will be - This allows specifying a predefined DiffServ class which will be
translated to the corresponding DSCP mark. translated to the corresponding DSCP mark.
- If the parameter is set, O(jump) is set to V(DSCP).
- Mutually exclusive with O(set_dscp_mark). - Mutually exclusive with O(set_dscp_mark).
type: str type: str
version_added: "2.1" version_added: "2.1"
@ -288,7 +290,7 @@ options:
default: [] default: []
src_range: src_range:
description: description:
- Specifies the source IP range to match in the iprange module. - Specifies the source IP range to match the iprange module.
type: str type: str
version_added: "2.8" version_added: "2.8"
dst_range: dst_range:
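Review bot: the reword of the src_range description changes its meaning: "to match in the iprange module" (the range is matched via the iprange extension) became "to match the iprange module", which reads as though the range matches the module itself. Keep the original wording, or use "Specifies the source IP range to match, using the iprange module."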
@ -298,7 +300,7 @@ options:
version_added: "2.8" version_added: "2.8"
match_set: match_set:
description: description:
- Specifies a set name which can be defined by ipset. - Specifies a set name that can be defined by ipset.
- Must be used together with the match_set_flags parameter. - Must be used together with the match_set_flags parameter.
- When the V(!) argument is prepended then it inverts the rule. - When the V(!) argument is prepended then it inverts the rule.
- Uses the iptables set extension. - Uses the iptables set extension.
@ -326,14 +328,14 @@ options:
version_added: "2.1" version_added: "2.1"
uid_owner: uid_owner:
description: description:
- Specifies the UID or username to use in match by owner rule. - Specifies the UID or username to use in the match by owner rule.
- From Ansible 2.6 when the C(!) argument is prepended then the it inverts - From Ansible 2.6 when the C(!) argument is prepended then the it inverts
the rule to apply instead to all users except that one specified. the rule to apply instead to all users except that one specified.
type: str type: str
version_added: "2.1" version_added: "2.1"
gid_owner: gid_owner:
description: description:
- Specifies the GID or group to use in match by owner rule. - Specifies the GID or group to use in the match by owner rule.
type: str type: str
version_added: "2.9" version_added: "2.9"
reject_with: reject_with:
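Review bot: while this hunk rewords the uid_owner description, the stray article on the following line, "then the it inverts", is left as is; drop the "the". That line also uses C(!) for the negation argument where the match_set description earlier in the file uses V(!), so switch to V(!) for consistency.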
@ -363,7 +365,7 @@ options:
- Only built-in chains can have policies. - Only built-in chains can have policies.
- This parameter requires the O(chain) parameter. - This parameter requires the O(chain) parameter.
- If you specify this parameter, all other parameters will be ignored. - If you specify this parameter, all other parameters will be ignored.
- This parameter is used to set default policy for the given O(chain). - This parameter is used to set the default policy for the given O(chain).
Do not confuse this with O(jump) parameter. Do not confuse this with O(jump) parameter.
type: str type: str
choices: [ ACCEPT, DROP, QUEUE, RETURN ] choices: [ ACCEPT, DROP, QUEUE, RETURN ]
@ -385,9 +387,9 @@ options:
numeric: numeric:
description: description:
- This parameter controls the running of the list -action of iptables, which is used internally by the module - This parameter controls the running of the list -action of iptables, which is used internally by the module
- Does not affect the actual functionality. Use this if iptables hangs when creating chain or altering policy - Does not affect the actual functionality. Use this if iptables hang when creating a chain or altering policy
- If V(true), then iptables skips the DNS-lookup of the IP addresses in a chain when it uses the list -action - If V(true), then iptables skips the DNS-lookup of the IP addresses in a chain when it uses the list -action
- Listing is used internally for example when setting a policy or creting of a chain - Listing is used internally for example when setting a policy or creating a chain
type: bool type: bool
default: false default: false
version_added: "2.15" version_added: "2.15"
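Review bot: "Use this if iptables hang when creating a chain" introduces a subject-verb disagreement; the original "hangs" was correct. Suggest "Use this if iptables hangs when creating a chain or altering a policy".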
@ -635,11 +637,16 @@ def construct_rule(params):
append_param(rule, params['destination_port'], '--destination-port', False) append_param(rule, params['destination_port'], '--destination-port', False)
append_param(rule, params['to_ports'], '--to-ports', False) append_param(rule, params['to_ports'], '--to-ports', False)
append_param(rule, params['set_dscp_mark'], '--set-dscp', False) append_param(rule, params['set_dscp_mark'], '--set-dscp', False)
if params.get('set_dscp_mark') and params.get('jump').lower() != 'dscp':
append_jump(rule, params['set_dscp_mark'], 'DSCP')
append_param( append_param(
rule, rule,
params['set_dscp_mark_class'], params['set_dscp_mark_class'],
'--set-dscp-class', '--set-dscp-class',
False) False)
if params.get('set_dscp_mark_class') and params.get('jump').lower() != 'dscp':
append_jump(rule, params['set_dscp_mark_class'], 'DSCP')
append_match_flag(rule, params['syn'], '--syn', True) append_match_flag(rule, params['syn'], '--syn', True)
if 'conntrack' in params['match']: if 'conntrack' in params['match']:
append_csv(rule, params['ctstate'], '--ctstate') append_csv(rule, params['ctstate'], '--ctstate')
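Review bot: when set_dscp_mark is given together with a jump other than DSCP, the new check silently appends a DSCP jump instead of rejecting the conflict; the user's own jump target is not removed, so the rule ends up with two -j targets, which iptables does not accept. Fail early instead (module.fail_json naming the conflicting jump), or document that jump is overridden. Two smaller points: params.get('jump').lower() only avoids an AttributeError on None because of the required_by added in main(), so use params['jump'] to make that dependency explicit; and the two identical blocks can be collapsed into one, e.g. `if (params['set_dscp_mark'] or params['set_dscp_mark_class']) and params['jump'].lower() != 'dscp':`.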
@ -673,6 +680,9 @@ def construct_rule(params):
append_param(rule, params['gid_owner'], '--gid-owner', False) append_param(rule, params['gid_owner'], '--gid-owner', False)
if params['jump'] is None: if params['jump'] is None:
append_jump(rule, params['reject_with'], 'REJECT') append_jump(rule, params['reject_with'], 'REJECT')
append_jump(rule, params['set_dscp_mark_class'], 'DSCP')
append_jump(rule, params['set_dscp_mark'], 'DSCP')
append_param(rule, params['reject_with'], '--reject-with', False) append_param(rule, params['reject_with'], '--reject-with', False)
append_param( append_param(
rule, rule,
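Review bot: the two DSCP lines added inside `if params['jump'] is None:` are unreachable once the required_by in main() makes jump mandatory whenever set_dscp_mark or set_dscp_mark_class is set, because jump can never be None while either parameter is present. Keep one mechanism: either drop required_by so that omitting jump defaults to DSCP (which is what the commit title and the new doc sentences describe), or drop these two lines.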
@ -827,6 +837,10 @@ def main():
['set_dscp_mark', 'set_dscp_mark_class'], ['set_dscp_mark', 'set_dscp_mark_class'],
['flush', 'policy'], ['flush', 'policy'],
), ),
required_by=dict(
set_dscp_mark=('jump',),
set_dscp_mark_class=('jump',),
),
required_if=[ required_if=[
['jump', 'TEE', ['gateway']], ['jump', 'TEE', ['gateway']],
['jump', 'tee', ['gateway']], ['jump', 'tee', ['gateway']],
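Review bot: required_by turns jump into a hard requirement for set_dscp_mark and set_dscp_mark_class, which contradicts the new doc text ("O(jump) is set to V(DSCP)") and the changelog entry, both of which promise the jump is filled in automatically. If the intent is the automatic default, remove this block and rely on the jump-is-None branch in construct_rule; if the intent is to require an explicit jump, the doc and changelog should say so, and the value should be validated as DSCP with a fail_json in main(), since required_if only keys on the value of jump and cannot express "set_dscp_mark requires jump == DSCP".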
