
Extend match functionality for iptables module #41147

Closed
EvanDonato opened this issue Jun 5, 2018 · 7 comments
Labels
affects_2.5 This issue/PR affects Ansible v2.5 bot_closed feature This issue/PR relates to a feature request. has_pr This issue has an associated PR. module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category

Comments

@EvanDonato

SUMMARY

The iptables module only offers a limited set of functionality for the match function of iptables.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

iptables

ANSIBLE VERSION
ansible 2.5.3
  config file = None
  configured module search path = [u'/Users/edonato/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.5.3/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.15 (default, May  1 2018, 16:44:08) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.1)]

CONFIGURATION

OS / ENVIRONMENT

Source: OSX 10.13.4
Target: CentOS 7

STEPS TO REPRODUCE
Two options for the new command:

- name: Drop long DNS TCP
  iptables:
    chain: INPUT
    protocol: tcp
    source_port: 53
    match: length
    length: 1025
    jump: DROP
  become: yes

OR

- name: Log long DNS TCP
  iptables:
    chain: INPUT
    protocol: tcp
    source_port: 53
    match: length
    match_args: --length 1025
    jump: DROP
  become: yes

EXPECTED RESULTS

There are two proposed options. First would follow the current model where sanity checks and the like are done by the iptables module prior to attempting an insert and the second would simplify things in a sense by allowing a user to supply an argument to the match option that would be error handled by iptables itself.

ACTUAL RESULTS

@ansibot
Contributor

ansibot commented Jun 5, 2018

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot
Contributor

ansibot commented Jun 5, 2018

@ansibot ansibot added affects_2.5 This issue/PR affects Ansible v2.5 feature This issue/PR relates to a feature request. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jun 5, 2018
@webknjaz webknjaz removed the needs_triage Needs a first human triage before being processed. label Jun 5, 2018
@ansibot ansibot added the system System category label Feb 17, 2019
@grimlokason

Hello,
This feature is still something needed.

For example, currently with something like:

- name: configure | Adding iptables rules
  iptables:
    chain: FORWARD
    protocol: tcp
    destination_port: 15672
    action: insert
    match: "set ! --match-set AWX3.0 src"
    jump: DROP
    rule_num: 1

It's converted to :

/sbin/iptables -t filter -I FORWARD 1 -p tcp -m 'set ! --match-set AWX3.0 src' -j DROP --destination-port 15672

This gives the error:

iptables v1.4.21: Couldn't load match `set ! --match-set AWX3.0 src':

While it should be:

/sbin/iptables -t filter -I FORWARD 1 -p tcp -m set ! --match-set AWX3.0 src -j DROP --destination-port 15672

Tested on Ansible 2.8.

@ansibot
Contributor

ansibot commented May 16, 2020

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@estenrye

estenrye commented Apr 29, 2021

I would like to see the match functionality extended to include support for the recent match module in iptables.

From the iptables man page:

recent

Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways.

For example, you can create a 'badguy' list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them.
--name name
    Specify the list to use for the commands. If no name is given then 'DEFAULT' will be used. 
[!] --set
    This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This will always return success (or failure if '!' is passed in). 
[!] --rcheck
    Check if the source address of the packet is currently in the list. 
[!] --update
    Like --rcheck, except it will update the "last seen" timestamp if it matches. 
[!] --remove
    Check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true. If the address is not found, false is returned. 
[!] --seconds seconds
    This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. 
[!] --hitcount hits
    This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame. 

Ideally I would like to see something like this:

- name: Drop Quarantined Hosts for Port Scanning for 60 seconds
  ansible.builtin.iptables:
    table: filter
    chain: INPUT
    jump: DROP
    recent:
      name: psc
      update: true
      seconds: 60

Result in an iptables rule like this:

-A INPUT  -m recent --name psc --update --seconds 60 -j DROP

And something like this:

- name: Drop Quarantined Hosts for Port Scanning Internal Services
  ansible.builtin.iptables_raw:
    table: filter
    chain: INPUT
    jump: DROP
    in_interface: "! lo"
    destination_port: 1433
    protocol: tcp
    comment: SQLServer
    recent:
      name: psc
      set: true

result in a rule like this:

-A INPUT -i ! lo -m tcp -p tcp --dport 1433  -m recent --name psc --set -m comment --comment SQLServer -j DROP
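Added example, not code from Ansible's iptables module: a minimal Python argv builder that reproduces the single-word `-m` quoting problem from the earlier comment (and shows how a shell-style split of a `match_args` value, as proposed in the issue, produces the intended command line) and implements the `recent:` option proposed above, enforcing the man-page rule that --seconds and --hitcount need --rcheck or --update. The function names, the `match_args` splitting and the argument order are assumptions chosen to mirror the command lines quoted in this thread.

```python
import shlex

RECENT_FLAGS = ("set", "rcheck", "update", "remove")


def recent_args(recent):
    """Translate the proposed `recent:` dict into `-m recent ...` argv words."""
    args = ["-m", "recent", "--name", recent.get("name", "DEFAULT")]
    modes = [f for f in RECENT_FLAGS if recent.get(f)]
    if len(modes) != 1:
        raise ValueError("recent: exactly one of set/rcheck/update/remove is required")
    args.append("--" + modes[0])
    for opt in ("seconds", "hitcount"):
        if opt in recent:
            # per the man page quoted above, these only narrow --rcheck/--update
            if modes[0] not in ("rcheck", "update"):
                raise ValueError("recent: --%s requires rcheck or update" % opt)
            args += ["--" + opt, str(recent[opt])]
    return args


def build_rule(p):
    """Build the iptables argv (program name omitted) for one task's params (assumed layout)."""
    argv = ["-t", p.get("table", "filter")]
    if p.get("action") == "insert":
        argv += ["-I", p["chain"], str(p.get("rule_num", 1))]
    else:
        argv += ["-A", p["chain"]]
    if "protocol" in p:
        argv += ["-p", p["protocol"]]
    matches = p.get("match", [])
    for m in ([matches] if isinstance(matches, str) else matches):
        # current behaviour: each list element becomes ONE argv word, so a value
        # like "set ! --match-set AWX3.0 src" reaches iptables as a bogus module name
        argv += ["-m", m]
    if "match_args" in p:
        # proposed: split like a shell would, so iptables sees separate words
        argv += shlex.split(p["match_args"])
    if "recent" in p:
        argv += recent_args(p["recent"])
    argv += ["-j", p["jump"]]
    if "destination_port" in p:
        # mirrors the argument order shown in the quoted command lines
        argv += ["--destination-port", str(p["destination_port"])]
    return argv
```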

@bcoca
Member

bcoca commented May 4, 2022

waiting_on_contributor

@ansibot ansibot added the waiting_on_contributor This would be accepted but there are no plans to actively work on it. label May 12, 2022
@ansibot
Contributor

ansibot commented May 19, 2023

Thank you very much for your submission to Ansible. It means a lot to us that you've taken time to contribute.

Unfortunately, this issue has been open for some time while waiting for a contributor to take it up but there does not seem to have been anyone that did so. So we are going to close this issue to clear up the queues and make it easier for contributors to browse possible implementation targets.

However, we're absolutely always up for discussion. Because this project is very active, we're unlikely to see comments made on closed tickets and we lock them after some time. If you or anyone else has any further questions, please let us know by using any of the communication methods listed in the page below:

In the future, sometimes starting a discussion on the development list prior to proposing or implementing a feature can make getting things included a little easier, but it's not always necessary.

Thank you once again for this and your interest in Ansible!


@ansibot ansibot added bot_closed and removed waiting_on_contributor This would be accepted but there are no plans to actively work on it. labels May 19, 2023
@ansibot ansibot closed this as completed May 19, 2023
@ansible ansible locked and limited conversation to collaborators May 26, 2023
Development

No branches or pull requests

6 participants