more flexible iptables handling

defaults/main.yml

@@ -11,7 +11,19 @@ cups_listen_address: print.example.org
 
 cups_log_level: warn
 cups_server_admin: admin@example.com
+
 cups_iptables_enabled: False
+cups_open_ports:
+  - name: allow_cups_ipp
+    rules: |
+      -A INPUT -m state --state NEW -p tcp --dport 631 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p tcp --dport 631 -j ACCEPT
+    state: present
+  - name: allow_cups_dnssd
+    rules: |
+      -A OUTPUT -m state --state NEW -p tcp --dport 5353 -j ACCEPT
+      -A OUTPUT -m state --state NEW -p udp --dport 5353 -j ACCEPT
+    state: present
 
 cups_tls_cert_source: mycert.pem
 cups_tls_key_source: mykey.pem

tasks/install.yml

@@ -30,9 +30,14 @@
 
     - name: Open ports in iptables
       iptables_raw:
-        name: allow_cups
+        name: "{{ item.name }}"
-        state: present
+        rules: "{{ item.rules }}"
-        rules: '-A INPUT -m state --state NEW -p tcp --dport {{ cups_nginx_proxy_url.split(":")[1] }} -j ACCEPT'
+        state: "{{ item.state }}"
+        weight: "{{ item.weight | default(omit) }}"
+        table: "{{ item.table | default(omit) }}"
+      loop: "{{ cups_open_ports }}"
+      loop_control:
+        label: "{{ item.name }}"
       when: cups_iptables_enabled
   become: True
   become_user: root