more flexible iptables handling

2019-02-13 00:10:26 +01:00 · 2019-02-13 00:10:26 +01:00 · f62f155237
parent a3cc643adf
commit f62f155237
2 changed files with 20 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,7 +11,19 @@ cups_listen_address: print.example.org

 cups_log_level: warn
 cups_server_admin: admin@example.com
+
 cups_iptables_enabled: False
+cups_open_ports:
+  - name: allow_cups_ipp
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport 631 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p tcp --dport 631 -j ACCEPT
+    state: present
+  - name: allow_cups_dnssd
+    rules: |
+      -A OUTPUT -m state --state NEW -p tcp --dport 5353 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p udp --dport 5353 -j ACCEPT
+    state: present

 cups_tls_cert_source: mycert.pem
 cups_tls_key_source: mykey.pem
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -30,9 +30,14 @@

    - name: Open ports in iptables
      iptables_raw:
-        name: allow_cups
-        state: present
-        rules: '-A INPUT -m state --state NEW -p tcp --dport {{ cups_nginx_proxy_url.split(":")[1] }} -j ACCEPT'
+        name: "{{ item.name }}"
+        rules: "{{ item.rules }}"
+        state: "{{ item.state }}"
+        weight: "{{ item.weight | default(omit) }}"
+        table: "{{ item.table | default(omit) }}"
+      loop: "{{ cups_open_ports }}"
+      loop_control:
+        label: "{{ item.name }}"
      when: cups_iptables_enabled
  become: True
  become_user: root