authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-05 16:16:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-05 16:16:49 +0000
commit48e387c5c12026a567eb7b293a3a590241c0cecb (patch)
tree80f2573be2d7d534b8ac4d2a852fe43f7ac35324 /lib/ansible/modules/iptables.py
parentReleasing progress-linux version 2.16.6-1~progress7.99u1. (diff)
Merging upstream version 2.17.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'lib/ansible/modules/iptables.py')
-rw-r--r--lib/ansible/modules/iptables.py59
1 files changed, 38 insertions, 21 deletions
diff --git a/lib/ansible/modules/iptables.py b/lib/ansible/modules/iptables.py
index 8b9a46a..b7fd778 100644
--- a/lib/ansible/modules/iptables.py
+++ b/lib/ansible/modules/iptables.py
@@ -4,8 +4,7 @@
# Copyright: (c) 2017, Sébastien DA ROCHA <sebastien@da-rocha.net>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-from __future__ import absolute_import, division, print_function
-__metaclass__ = type
+from __future__ import annotations
DOCUMENTATION = r'''
@@ -38,7 +37,7 @@ notes:
options:
table:
description:
- - This option specifies the packet matching table which the command should operate on.
+ - This option specifies the packet matching table on which the command should operate.
- If the kernel is configured with automatic module loading, an attempt will be made
to load the appropriate module for that table if it is not already there.
type: str
@@ -134,9 +133,9 @@ options:
description:
- Specifies a match to use, that is, an extension module that tests for
a specific property.
- - The set of matches make up the condition under which a target is invoked.
+ - The set of matches makes up the condition under which a target is invoked.
- Matches are evaluated first to last if specified as an array and work in short-circuit
- fashion, i.e. if one extension yields false, evaluation will stop.
+ fashion, i.e. if one extension yields false, the evaluation will stop.
type: list
elements: str
default: []
@@ -144,7 +143,7 @@ options:
description:
- This specifies the target of the rule; i.e., what to do if the packet matches it.
- The target can be a user-defined chain (other than the one
- this rule is in), one of the special builtin targets which decide the
+ this rule is in), one of the special builtin targets that decide the
fate of the packet immediately, or an extension (see EXTENSIONS
below).
- If this option is omitted in a rule (and the goto parameter
@@ -153,13 +152,13 @@ options:
type: str
gateway:
description:
- - This specifies the IP address of host to send the cloned packets.
+ - This specifies the IP address of the host to send the cloned packets.
- This option is only valid when O(jump) is set to V(TEE).
type: str
version_added: "2.8"
log_prefix:
description:
- - Specifies a log text for the rule. Only make sense with a LOG jump.
+ - Specifies a log text for the rule. Only makes sense with a LOG jump.
type: str
version_added: "2.5"
log_level:
@@ -172,7 +171,7 @@ options:
choices: [ '0', '1', '2', '3', '4', '5', '6', '7', 'emerg', 'alert', 'crit', 'error', 'warning', 'notice', 'info', 'debug' ]
goto:
description:
- - This specifies that the processing should continue in a user specified chain.
+ - This specifies that the processing should continue in a user-specified chain.
- Unlike the jump argument return will not continue processing in
this chain but instead in the chain that called us via jump.
type: str
@@ -200,7 +199,7 @@ options:
of fragmented packets.
- Since there is no way to tell the source or destination ports of such
a packet (or ICMP type), such a packet will not match any rules which specify them.
- - When the "!" argument precedes fragment argument, the rule will only match head fragments,
+ - When the "!" argument precedes the fragment argument, the rule will only match head fragments,
or unfragmented packets.
type: str
set_counters:
@@ -266,6 +265,7 @@ options:
description:
- This allows specifying a DSCP mark to be added to packets.
It takes either an integer or hex value.
+ - If the parameter is set, O(jump) is set to V(DSCP).
- Mutually exclusive with O(set_dscp_mark_class).
type: str
version_added: "2.1"
@@ -273,6 +273,7 @@ options:
description:
- This allows specifying a predefined DiffServ class which will be
translated to the corresponding DSCP mark.
+ - If the parameter is set, O(jump) is set to V(DSCP).
- Mutually exclusive with O(set_dscp_mark).
type: str
version_added: "2.1"
@@ -289,7 +290,7 @@ options:
default: []
src_range:
description:
- - Specifies the source IP range to match in the iprange module.
+ - Specifies the source IP range to match the iprange module.
type: str
version_added: "2.8"
dst_range:
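Review bot: The reworded description `- Specifies the source IP range to match the iprange module.` drops the preposition and changes the meaning: the range is what the iprange extension matches, not something matched against the module. Keep the original sense, e.g. `- Specifies the source IP range to match, using the iprange module.`. The `@@ -386` hunk introduces a similar regression (`Use this if iptables hang when creating a chain` should read `hangs`).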
@@ -299,8 +300,8 @@ options:
version_added: "2.8"
match_set:
description:
- - Specifies a set name which can be defined by ipset.
- - Must be used together with the match_set_flags parameter.
+ - Specifies a set name that can be defined by ipset.
+ - Must be used together with the O(match_set_flags) parameter.
- When the V(!) argument is prepended then it inverts the rule.
- Uses the iptables set extension.
type: str
@@ -308,10 +309,11 @@ options:
match_set_flags:
description:
- Specifies the necessary flags for the match_set parameter.
- - Must be used together with the match_set parameter.
+ - Must be used together with the O(match_set) parameter.
- Uses the iptables set extension.
+ - Choices V(dst,dst) and V(src,src) added in version 2.17.
type: str
- choices: [ "src", "dst", "src,dst", "dst,src" ]
+ choices: [ "src", "dst", "src,dst", "dst,src", "dst,dst", "src,src" ]
version_added: "2.11"
limit:
description:
@@ -327,14 +329,14 @@ options:
version_added: "2.1"
uid_owner:
description:
- - Specifies the UID or username to use in match by owner rule.
+ - Specifies the UID or username to use in the match by owner rule.
- From Ansible 2.6 when the C(!) argument is prepended then the it inverts
the rule to apply instead to all users except that one specified.
type: str
version_added: "2.1"
gid_owner:
description:
- - Specifies the GID or group to use in match by owner rule.
+ - Specifies the GID or group to use in the match by owner rule.
type: str
version_added: "2.9"
reject_with:
@@ -364,7 +366,7 @@ options:
- Only built-in chains can have policies.
- This parameter requires the O(chain) parameter.
- If you specify this parameter, all other parameters will be ignored.
- - This parameter is used to set default policy for the given O(chain).
+ - This parameter is used to set the default policy for the given O(chain).
Do not confuse this with O(jump) parameter.
type: str
choices: [ ACCEPT, DROP, QUEUE, RETURN ]
@@ -386,9 +388,9 @@ options:
numeric:
description:
- This parameter controls the running of the list -action of iptables, which is used internally by the module
- - Does not affect the actual functionality. Use this if iptables hangs when creating chain or altering policy
+ - Does not affect the actual functionality. Use this if iptables hang when creating a chain or altering policy
- If V(true), then iptables skips the DNS-lookup of the IP addresses in a chain when it uses the list -action
- - Listing is used internally for example when setting a policy or creting of a chain
+ - Listing is used internally for example when setting a policy or creating a chain
type: bool
default: false
version_added: "2.15"
@@ -636,11 +638,16 @@ def construct_rule(params):
append_param(rule, params['destination_port'], '--destination-port', False)
append_param(rule, params['to_ports'], '--to-ports', False)
append_param(rule, params['set_dscp_mark'], '--set-dscp', False)
+ if params.get('set_dscp_mark') and params.get('jump').lower() != 'dscp':
+ append_jump(rule, params['set_dscp_mark'], 'DSCP')
+
append_param(
rule,
params['set_dscp_mark_class'],
'--set-dscp-class',
False)
+ if params.get('set_dscp_mark_class') and params.get('jump').lower() != 'dscp':
+ append_jump(rule, params['set_dscp_mark_class'], 'DSCP')
append_match_flag(rule, params['syn'], '--syn', True)
if 'conntrack' in params['match']:
append_csv(rule, params['ctstate'], '--ctstate')
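Review bot: The guard added after `--set-dscp` (and the parallel one after `--set-dscp-class`) calls `params.get('jump').lower()`, so `construct_rule` raises AttributeError when `set_dscp_mark` is given and `jump` is absent; the `required_by` entry in `main()` shields module callers from that, but the function itself should be None-safe, e.g. `if params.get('set_dscp_mark') and (params.get('jump') or '').lower() != 'dscp':`. Separately, when `jump` is set to something other than DSCP the guard appends `-j DSCP` on top of whatever the existing jump handling (outside this hunk) has presumably already emitted for `params['jump']`, so the generated command carries two `-j` flags; that conflict is better rejected in `main()` than passed to iptables. The same applies to the `set_dscp_mark_class` guard below it. `construct_rule` begins and ends outside the hunk.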
@@ -674,6 +681,9 @@ def construct_rule(params):
append_param(rule, params['gid_owner'], '--gid-owner', False)
if params['jump'] is None:
append_jump(rule, params['reject_with'], 'REJECT')
+ append_jump(rule, params['set_dscp_mark_class'], 'DSCP')
+ append_jump(rule, params['set_dscp_mark'], 'DSCP')
+
append_param(rule, params['reject_with'], '--reject-with', False)
append_param(
rule,
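Review bot: The two `append_jump(..., 'DSCP')` calls added inside `if params['jump'] is None:` cannot execute for any truthy `set_dscp_mark` or `set_dscp_mark_class`: the guards added earlier in `construct_rule` (the `@@ -636` hunk) call `.lower()` on `params.get('jump')`, so a None jump raises before control reaches this point, and a non-None jump skips this branch. Either drop these three lines or make the earlier guards the single place that decides the DSCP jump, so the two code paths cannot drift apart. `construct_rule` continues outside the hunk.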
@@ -811,7 +821,10 @@ def main():
src_range=dict(type='str'),
dst_range=dict(type='str'),
match_set=dict(type='str'),
- match_set_flags=dict(type='str', choices=['src', 'dst', 'src,dst', 'dst,src']),
+ match_set_flags=dict(
+ type='str',
+ choices=['src', 'dst', 'src,dst', 'dst,src', 'src,src', 'dst,dst']
+ ),
limit=dict(type='str'),
limit_burst=dict(type='str'),
uid_owner=dict(type='str'),
@@ -828,6 +841,10 @@ def main():
['set_dscp_mark', 'set_dscp_mark_class'],
['flush', 'policy'],
),
+ required_by=dict(
+ set_dscp_mark=('jump',),
+ set_dscp_mark_class=('jump',),
+ ),
required_if=[
['jump', 'TEE', ['gateway']],
['jump', 'tee', ['gateway']],
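Review bot: `required_by` now forces callers to pass `jump` whenever `set_dscp_mark` or `set_dscp_mark_class` is given, but the descriptions added in this commit say `- If the parameter is set, O(jump) is set to V(DSCP).`, which reads as if the jump is implied rather than required. One side should change: either drop the two `required_by` entries and let `construct_rule` supply the jump, or reword both descriptions to `- Requires O(jump), which should be V(DSCP).` and add a one-line comment here stating why the jump is mandatory. The argument_spec continues outside the hunk.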