From 051972cf2628634e2265c77829a93faaba89a6f3 Mon Sep 17 00:00:00 2001
From: Rene Moser
Date: Wed, 11 Aug 2021 18:30:23 +0200
Subject: [PATCH] cs_firewall: add dest cidrs
---
 plugins/modules/cs_firewall.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/plugins/modules/cs_firewall.py b/plugins/modules/cs_firewall.py
index fda792a..d21ac71 100644
--- a/plugins/modules/cs_firewall.py
+++ b/plugins/modules/cs_firewall.py
@@ -49,11 +49,17 @@
 cidrs:
 description:
 - List of CIDRs (full notation) to be used for firewall rule.
- - Since version 2.5, it is a list of CIDR.
 elements: str
 type: list
 default: 0.0.0.0/0
 aliases: [ cidr ]
+ dest_cidrs:
+ description:
+ - List of destination CIDRs (full notation) to forward traffic to if I(type=egress).
+ elements: str
+ type: list
+ aliases: [ dest_cidr ]
+ version_added: 2.2.0
 start_port:
 description:
 - Start port for this rule.
@@ -178,6 +184,12 @@
 returned: success
 type: list
 sample: [ '0.0.0.0/0' ]
+dest_cidrs:
+ description: CIDR list of the rule to forward traffic to.
+ returned: success
+ type: list
+ sample: [ '0.0.0.0/0' ]
+ version_added: 2.2.0
 protocol:
 description: Protocol of the rule.
 returned: success
@@ -224,6 +236,7 @@ def __init__(self, module):
 super(AnsibleCloudStackFirewall, self).__init__(module)
 self.returns = {
 'cidrlist': 'cidr',
+ 'destcidrlist': 'dest_cidrs',
 'startport': 'start_port',
 'endport': 'end_port',
 'protocol': 'protocol',
@@ -237,6 +250,7 @@ def __init__(self, module):
 def get_firewall_rule(self):
 if not self.firewall_rule:
 cidrs = self.module.params.get('cidrs')
+ dest_cidrs = self.module.params.get('destcidrs')
 protocol = self.module.params.get('protocol')
 start_port = self.module.params.get('start_port')
 end_port = self.get_or_fallback('end_port', 'start_port')
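Review bot: The added line in get_firewall_rule reads `self.module.params.get('destcidrs')`, but the option registered in main() and read by create_firewall_rule is `dest_cidrs`, so this lookup always yields None. Because the next hunk folds the result into `type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs) and self._type_dest_cidrs_match(rule, dest_cidrs)` and that helper returns None when dest_cidrs is None, no existing rule can ever match: every run creates another copy of the rule, and if the removal path also relies on get_firewall_rule (not visible here), `state=absent` never finds the rule it is meant to revoke, so the rule stays in effect. The fix is `dest_cidrs = self.module.params.get('dest_cidrs')`. The body of get_firewall_rule continues outside the hunk.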
@@ -280,7 +294,7 @@ def get_firewall_rule(self):
 if firewall_rules:
 for rule in firewall_rules:
- type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)
+ type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs) and self._type_dest_cidrs_match(rule, dest_cidrs)
 protocol_match = (
 self._tcp_udp_match(rule, protocol, start_port, end_port) or
@@ -322,6 +336,10 @@ def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
 else:
 return ",".join(cidrs) == rule['cidrlist']
+ def _type_dest_cidrs_match(self, rule, dest_cidrs):
+ if dest_cidrs is not None and 'destcidrlist' in rule:
+ return ",".join(dest_cidrs) == rule['destcidrlist']
+
 def create_firewall_rule(self):
 firewall_rule = self.get_firewall_rule()
 if not firewall_rule:
@@ -329,6 +347,7 @@ def create_firewall_rule(self):
 args = {
 'cidrlist': self.module.params.get('cidrs'),
+ 'destcidrlist': self.module.params.get('dest_cidrs'),
 'protocol': self.module.params.get('protocol'),
 'startport': self.module.params.get('start_port'),
 'endport': self.get_or_fallback('end_port', 'start_port'),
@@ -393,6 +412,7 @@ def main():
 ip_address=dict(),
 network=dict(),
 cidrs=dict(type='list', elements='str', default='0.0.0.0/0', aliases=['cidr']),
+ dest_cidrs=dict(type='list', elements='str', aliases=['dest_cidr']),
 protocol=dict(choices=['tcp', 'udp', 'icmp', 'all'], default='tcp'),
 type=dict(choices=['ingress', 'egress'], default='ingress'),
 icmp_type=dict(type='int'),
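Review bot: `_type_dest_cidrs_match` falls off the end and returns None whenever `dest_cidrs` is None or the rule carries no `destcidrlist` key, and the preceding hunk combines it with `and`, so an unset dest_cidrs (the default for every existing playbook, and the only possible case for ingress rules) disables rule matching entirely instead of leaving it unchanged. Make the helper total so an unset option means "no constraint" and a set option against a rule without the key is a mismatch: `if dest_cidrs is None:` / `    return True` / `return ",".join(dest_cidrs) == rule.get('destcidrlist')`. A one-line docstring stating that contract would help, e.g. `"""Return True if the rule's destination CIDR list equals dest_cidrs, or if dest_cidrs is unset."""`.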
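Review bot: The new `dest_cidrs` option is documented as applying only when `type=egress`, but nothing in the argument spec or main() rejects it for ingress rules, and create_firewall_rule (previous hunk) forwards `destcidrlist` unconditionally; what then happens depends on how the API treats an unexpected destcidrlist argument, which is not visible here, so the value may be silently ignored. Consider failing early after the module is constructed, e.g. `if module.params.get('dest_cidrs') and module.params.get('type') != 'egress':` / `    module.fail_json(msg="dest_cidrs is only supported with type=egress")`. The AnsibleModule(...) construction and the rest of main() are outside the hunk.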