From b0278c1f6a0b84c0a91b020c5a5405473924fe1d Mon Sep 17 00:00:00 2001
From: Daniel Vigueras
Date: Mon, 2 Nov 2015 10:36:58 +0100
Subject: [PATCH] Add conntrack module ctstate support to iptables

---
 system/iptables.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/system/iptables.py b/system/iptables.py
index 726a5d7e9ac..59dc187c543 100644
--- a/system/iptables.py
+++ b/system/iptables.py
@@ -203,6 +203,12 @@ options:
     description:
       - "This specifies a comment that will be added to the rule"
     required: false
+  ctstate:
+    description:
+      - "ctstate is a comma separated list of the connection states to match in
+        the conntrack module. Possible states are: 'INVALID', 'NEW',
+        'ESTABLISHED', 'RELATED', 'UNTRACKED', 'SNAT', 'DNAT'"
+    required: false
 '''
 
 EXAMPLES = '''
@@ -213,6 +219,10 @@ EXAMPLES = '''
 # Forward port 80 to 8600
 - iptables: table=nat chain=PREROUTING in_interface=eth0 protocol=tcp match=tcp destination_port=80 jump=REDIRECT to_ports=8600 comment="Redirect web traffic to port 8600"
   become: yes
+
+# Allow related and established connections
+- iptables: chain=INPUT ctstate=ESTABLISHED,RELATED jump=ACCEPT
+  become: yes
 '''
 
 
@@ -230,6 +240,12 @@ def append_comm(rule, param):
         rule.extend(['comment'])
 
 
+def append_conntrack(rule, param):
+    if param:
+        rule.extend(['-m'])
+        rule.extend(['conntrack'])
+
+
 def construct_rule(params):
     rule = []
     append_param(rule, params['protocol'], '-p', False)
@@ -247,6 +263,8 @@ def construct_rule(params):
     append_param(rule, params['to_ports'], '--to-ports', False)
     append_comm(rule, params['comment'])
     append_param(rule, params['comment'], '--comment', False)
+    append_conntrack(rule, params['ctstate'])
+    append_param(rule, params['ctstate'], '--ctstate', False)
     return rule
 
 
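Review bot: `append_conntrack` spends two `extend` calls on one two-token option; a single `rule.extend(['-m', 'conntrack'])` says the same thing in one line and reads the way the option appears on the iptables command line. The helper also has no docstring, so its pairing with the separate `--ctstate` call in construct_rule is only discoverable by reading both hunks; a one-liner such as `"""Append '-m conntrack' when a ctstate value is given (the --ctstate option is added by construct_rule)."""` would make that explicit. The same two-call shape is visible in the existing `append_comm` just above, whose start lies outside the hunk, so if one is tidied the other should follow.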
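Review bot: The ctstate value reaches iptables unvalidated in the new `append_param(rule, params['ctstate'], '--ctstate', False)` line, so a typo or a stray space after the comma (`ESTABLISHED, RELATED`) only surfaces as a raw iptables error when the rule is applied. Since the DOCUMENTATION block in this same patch already enumerates the seven accepted states, a cheap check before building the rule — split on ',', strip each part, and reject anything outside that set with the module's `fail_json` — would turn that into a clear module error; construct_rule begins outside this hunk, so the check could also live in main(). The `-m conntrack` / `--ctstate` pair further relies on `append_param` skipping a None value the same way `append_conntrack` does, which the other optional-parameter calls suggest but this hunk does not show.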
@@ -296,6 +314,7 @@ def main():
             destination_port=dict(required=False, default=None, type='str'),
             to_ports=dict(required=False, default=None, type='str'),
             comment=dict(required=False, default=None, type='str'),
+            ctstate=dict(required=False, default=None, type='str'),
         ),
     )
     args = dict(
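Review bot: `ctstate` is declared `type='str'`, so the comma-separated list the documentation describes is handed through as one opaque string and a YAML list form (`ctstate: [ESTABLISHED, RELATED]`) is not accepted. Declaring it `type='list'` would let AnsibleModule accept both spellings and give the rule builder a real list to validate and `','.join`, at the cost of a matching change in construct_rule, which is outside this hunk. main() continues beyond the hunk as well, so any validation of the states would sit there after the argument spec.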