cs_firewall: add dest cidrs
resmo committed Aug 15, 2021
1 parent d16c15f commit f228096
Showing 2 changed files with 26 additions and 2 deletions.
2 changes: 2 additions & 0 deletions changelogs/fragments/84-cs_instance_extend_ip_to_networks.yml
@@ -0,0 +1,2 @@
minor_changes:
- cs_firewall - implemented support for ``dest_cidrs`` (https://github.com/ngine-io/ansible-collection-cloudstack/issues/76).
26 changes: 24 additions & 2 deletions plugins/modules/cs_firewall.py
Expand Up @@ -49,11 +49,17 @@
cidrs:
description:
- List of CIDRs (full notation) to be used for firewall rule.
- Since version 2.5, it is a list of CIDR.
elements: str
type: list
default: 0.0.0.0/0
aliases: [ cidr ]
dest_cidrs:
description:
- List of destination CIDRs (full notation) to forward traffic to if I(type=egress).
elements: str
type: list
aliases: [ dest_cidr ]
version_added: 2.2.0
start_port:
description:
- Start port for this rule.
Expand Down Expand Up @@ -178,6 +184,12 @@
returned: success
type: list
sample: [ '0.0.0.0/0' ]
dest_cidrs:
description: CIDR list of the rule to forward traffic to.
returned: success
type: list
sample: [ '0.0.0.0/0' ]
version_added: 2.2.0
protocol:
description: Protocol of the rule.
returned: success
Expand Down Expand Up @@ -224,6 +236,7 @@ def __init__(self, module):
super(AnsibleCloudStackFirewall, self).__init__(module)
self.returns = {
'cidrlist': 'cidr',
'destcidrlist': 'dest_cidrs',
'startport': 'start_port',
'endport': 'end_port',
'protocol': 'protocol',
Expand All @@ -237,6 +250,7 @@ def __init__(self, module):
def get_firewall_rule(self):
if not self.firewall_rule:
cidrs = self.module.params.get('cidrs')
dest_cidrs = self.module.params.get('destcidrs')
protocol = self.module.params.get('protocol')
start_port = self.module.params.get('start_port')
end_port = self.get_or_fallback('end_port', 'start_port')
Expand Down Expand Up @@ -280,7 +294,7 @@ def get_firewall_rule(self):

if firewall_rules:
for rule in firewall_rules:
type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs)
type_match = self._type_cidrs_match(rule, cidrs, egress_cidrs) and self._type_dest_cidrs_match(rule, dest_cidrs)

protocol_match = (
self._tcp_udp_match(rule, protocol, start_port, end_port) or
Expand Down Expand Up @@ -322,13 +336,20 @@ def _type_cidrs_match(self, rule, cidrs, egress_cidrs):
else:
return ",".join(cidrs) == rule['cidrlist']

def _type_dest_cidrs_match(self, rule, dest_cidrs):
if dest_cidrs is not None and 'destcidrlist' in rule:
return ",".join(dest_cidrs) == rule['destcidrlist']
else:
return True

def create_firewall_rule(self):
firewall_rule = self.get_firewall_rule()
if not firewall_rule:
self.result['changed'] = True

args = {
'cidrlist': self.module.params.get('cidrs'),
'destcidrlist': self.module.params.get('dest_cidrs'),
'protocol': self.module.params.get('protocol'),
'startport': self.module.params.get('start_port'),
'endport': self.get_or_fallback('end_port', 'start_port'),
Expand Down Expand Up @@ -393,6 +414,7 @@ def main():
ip_address=dict(),
network=dict(),
cidrs=dict(type='list', elements='str', default='0.0.0.0/0', aliases=['cidr']),
dest_cidrs=dict(type='list', elements='str', aliases=['dest_cidr']),
protocol=dict(choices=['tcp', 'udp', 'icmp', 'all'], default='tcp'),
type=dict(choices=['ingress', 'egress'], default='ingress'),
icmp_type=dict(type='int'),
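Review bot: `dest_cidrs = self.module.params.get('destcidrs')` in get_firewall_rule reads a key that is not in the argument spec — the option is registered as `dest_cidrs` in main() and create_firewall_rule reads `self.module.params.get('dest_cidrs')` — so this lookup always yields None and `_type_dest_cidrs_match` always falls into its `return True` branch. The practical effect is that an existing rule with the same source CIDRs, protocol and ports but a different (or absent) destination list is reported as the matching rule and the rule with the requested destination restriction is never created; the fix is `dest_cidrs = self.module.params.get('dest_cidrs')`. Separately, `_type_dest_cidrs_match` treats a rule that lacks the `destcidrlist` key as a match even when dest_cidrs was supplied; if the API omits that key for egress rules with no destination restriction, a request for a narrower destination would silently match the broader existing rule, which deserves either a stricter check or a comment such as `# a rule without destcidrlist is treated as matching any requested dest_cidrs`. get_firewall_rule starts in this hunk but its body continues beyond it.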
