cs_firewall: add dest cidrs

resmo · resmo · commit b425a2e4efdf · 2021-08-11T18:30:23.000+02:00
diff --git a/plugins/modules/cs_firewall.py b/plugins/modules/cs_firewall.py
@@ -49,11 +49,17 @@
   cidrs:
     description:
       - List of CIDRs (full notation) to be used for firewall rule.
-      - Since version 2.5, it is a list of CIDR.
     elements: str
     type: list
     default: 0.0.0.0/0
     aliases: [ cidr ]
+  dest_cidrs:
+    description:
+      - List of destination CIDRs (full notation) to forward traffic to if I(type=egress).
+    elements: str
+    type: list
+    aliases: [ dest_cidr ]
+    version_added: 2.2.0
   start_port:
     description:
       - Start port for this rule.
@@ -178,6 +184,11 @@
   returned: success
   type: list
   sample: [ '0.0.0.0/0' ]
+dest_cidrs:
+  description: CIDR list of the rule to forward traffic to.
+  returned: success
+  type: list
+  sample: [ '0.0.0.0/0' ]
 protocol:
   description: Protocol of the rule.
   returned: success
@@ -224,6 +235,7 @@ def __init__(self, module):
         super(AnsibleCloudStackFirewall, self).__init__(module)
         self.returns = {
             'cidrlist': 'cidr',
+            'destcidrlist': 'dest_cidrs',
             'startport': 'start_port',
             'endport': 'end_port',
             'protocol': 'protocol',
@@ -237,6 +249,7 @@ def __init__(self, module):
     def get_firewall_rule(self):
         if not self.firewall_rule:
             cidrs = self.module.params.get('cidrs')
+            dest_cidrs = self.module.params.get('destcidrs')
             protocol = self.module.params.get('protocol')
             start_port = self.module.params.get('start_port')
             end_port = self.get_or_fallback('end_port', 'start_port')
@@ -280,7 +293,7 @@ def get_firewall_rule(self):
 
             if firewall_rules:
                 for rule in firewall_rules:
-                    type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)
+                    type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs) and self._type_dest_cidrs_match(rule, dest_cidrs)
 
                     protocol_match = (
                         self._tcp_udp_match(rule, protocol, start_port, end_port) or
@@ -322,13 +335,18 @@ def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
         else:
             return ",".join(cidrs) == rule['cidrlist']
 
+    def _type_dest_cidrs_match(self, rule, dest_cidrs):
+        if dest_cidrs is not None and 'destcidrlist' in rule:
+            return ",".join(dest_cidrs) == rule['destcidrlist']
+
     def create_firewall_rule(self):
         firewall_rule = self.get_firewall_rule()
         if not firewall_rule:
             self.result['changed'] = True
 
             args = {
                 'cidrlist': self.module.params.get('cidrs'),
+                'destcidrlist': self.module.params.get('dest_cidrs'),
                 'protocol': self.module.params.get('protocol'),
                 'startport': self.module.params.get('start_port'),
                 'endport': self.get_or_fallback('end_port', 'start_port'),
@@ -393,6 +411,7 @@ def main():
         ip_address=dict(),
         network=dict(),
         cidrs=dict(type='list', elements='str', default='0.0.0.0/0', aliases=['cidr']),
+        dest_cidrs=dict(type='list', elements='str', aliases=['dest_cidr']),
         protocol=dict(choices=['tcp', 'udp', 'icmp', 'all'], default='tcp'),
         type=dict(choices=['ingress', 'egress'], default='ingress'),
         icmp_type=dict(type='int'),
