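    def port_selection(self, port=None, protocol=None):
        """Prompt for a port (or port range) and protocol until valid or cancelled.

        Args:
            port: optional initial port / port range, rendered into the
                dialog through self.__simplePortStr().
            protocol: optional initial protocol shown in the dialog.

        Returns:
            (port_range, protocol) where port_range is the list/tuple that
            getPortRange() returned for the entered text, or None when the
            dialog was cancelled.
        """
        _port = self.__simplePortStr(port) if port else ""
        _protocol = protocol if protocol else ""
        while True:
            # NOTE(review): the window title is the only string here that is
            # not passed through _(); left as-is since that is runtime text.
            (res, values) = EntryWindow(
                self.screen, ("Port and Protocol"),
                _("Please enter a port or port range and protocol."),
                ((_("Port / Port Range:"), _port),
                 (_("Protocol:"), _protocol)),
                buttons=((_("OK"), "ok"), (_("Cancel"), "cancel")))
            self.screen.popWindow()

            if res == 'cancel':
                return None
            if res != 'ok':
                # Any other result re-opens the dialog with the last input.
                continue

            error = False
            # port: getPortRange() returns a list/tuple for a valid spec and a
            # non-sequence sentinel otherwise.  isinstance against the builtin
            # types replaces types.ListType/TupleType, which only exist on
            # Python 2.
            _port = values[0].strip()
            port = getPortRange(_port)
            if not isinstance(port, (list, tuple)):
                self.port_error(_port)
                error = True
                port = None
            # protocol
            _protocol = values[1].strip()
            if _protocol not in ("tcp", "udp"):
                self.protocol_error(_protocol)
                error = True
            else:
                protocol = _protocol

            if error:
                # Re-prompt, keeping the (possibly corrected) values entered.
                continue
            return (port, protocol)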
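def _check_forward_port(option, opt, value):
    """optparse type checker for forward_port values.

    ``value`` is a ':'-separated list of ``key=val`` pairs with the keys
    ``if``, ``port``, ``proto``, ``toport`` and ``toaddr``, for example
    ``if=eth0:port=80:proto=tcp:toport=8080``.

    Returns:
        dict mapping each given key to its validated value; ``port`` and
        ``toport`` hold the range returned by getPortRange().

    Raises:
        OptionError: on an unknown key, an invalid value, or when one of
        ``if``/``port``/``proto`` is missing or neither ``toport`` nor
        ``toaddr`` is given.
    """
    result = {}
    error = None
    # NOTE(review): pairs are split on a bare ':' so a value that itself
    # contains ':' (an IPv6 toaddr, for instance) cannot be expressed.
    splits = value.split(":", 1)
    while splits:
        key_val = splits[0].split("=")
        if len(key_val) != 2:
            error = _("Invalid argument %s") % splits[0]
            break
        (key, val) = key_val
        if (key == "if" and checkInterface(val)) or \
                (key == "proto" and val in ("tcp", "udp")) or \
                (key == "toaddr" and checkIP(val)):
            result[key] = val
        elif key in ("port", "toport"):
            # getPortRange() is called once (the original called it twice) and
            # yields a list/tuple for a valid range, -1/None otherwise; the
            # original's "> 0" comparison on that result only works on Python 2.
            port_range = getPortRange(val)
            if not isinstance(port_range, (list, tuple)):
                error = _("Invalid argument %s") % splits[0]
                break
            result[key] = port_range
        else:
            error = _("Invalid argument %s") % splits[0]
            break
        if len(splits) > 1:
            if splits[1].count("=") == 1:
                # last element
                splits = [splits[1]]
            else:
                splits = splits[1].split(":", 1)
        else:
            # finish
            splits.pop()

    if error:
        fields = {"option": opt, "value": value, "error": error}
        raise OptionError(_("option %(option)s: invalid forward_port "
                            "'%(value)s': %(error)s.") % fields, opt)

    # if/port/proto are mandatory; a forward needs a target port or address.
    missing = any(key not in result for key in ("if", "port", "proto"))
    if missing or ("toport" not in result and "toaddr" not in result):
        fields = {"option": opt, "value": value}
        raise OptionError(_("option %(option)s: invalid forward_port "
                            "'%(value)s'.") % fields, opt)

    return result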
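def _check_port(option, opt, value):
    """optparse type checker for ``ports:protocol`` values (e.g. ``80:tcp``).

    Returns:
        (port_range, protocol) with port_range as returned by getPortRange().

    Raises:
        OptionError: when the value does not split into exactly two ':'
        fields, the port range is invalid (-1), ambiguous (None) or reversed,
        or the protocol is not tcp/udp.
    """
    try:
        (ports, protocol) = value.split(":")
    except ValueError:
        # Only a wrong number of fields is a format error; the bare except of
        # the original also hid unrelated failures.
        raise OptionError(_("invalid port definition %s.") % value, opt)

    # Local renamed from "range" so the builtin is not shadowed.
    port_range = getPortRange(ports.strip())
    if port_range == -1:
        raise OptionError(_("invalid port definition %s.") % value, opt)
    if port_range is None:
        raise OptionError(_("port range %s is not unique.") % value, opt)
    if len(port_range) == 2 and port_range[0] >= port_range[1]:
        raise OptionError(_("%s is not a valid range (start port >= end "
                            "port).") % value, opt)

    protocol = protocol.strip()
    if protocol not in ("tcp", "udp"):
        raise OptionError(_("%s is not a valid protocol.") % protocol, opt)
    return (port_range, protocol)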
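def _split_port_proto(module, spec, msg):
    """Split a ``port/protocol`` string into (port, protocol).

    Fails the module with ``msg`` when the protocol part is missing.  The
    original ``_port, _protocol = spec.split("/")`` raised an unpacking
    ValueError for such input, so its ``_protocol is None`` check never ran.
    """
    parts = spec.split("/")
    if len(parts) != 2 or not parts[1]:
        module.fail_json(msg=msg)
    return parts[0], parts[1]


def _device_for_mac(module, mac):
    """Resolve ``mac`` to an interface name, failing the module when unknown."""
    interface = get_device_for_mac(mac)
    if interface is None:
        module.fail_json(msg="MAC address not found %s" % mac)
    return interface


def _parse_forward_port(module, item):
    """Parse ``[iface;]port/proto;toport;toaddr`` into a 5-tuple.

    Returns (iface, port, proto, toport, toaddr); ``iface`` is "" when the
    field is omitted and empty toport/toaddr fields become None.
    """
    args = item.split(";")
    if len(args) == 4:
        interface, port_proto, to_port, to_addr = args
    elif len(args) == 3:
        interface = ""
        port_proto, to_port, to_addr = args
    else:
        # fail_json() exits the module.
        module.fail_json(msg="improper forward_port format: %s" % item)
    port, protocol = _split_port_proto(
        module, port_proto, "improper forward port format (missing protocol?)")
    return (interface, port, protocol, to_port or None, to_addr or None)


def _parse_forward_port_by_mac(module, item):
    """Parse ``mac;port/proto;toport;toaddr`` into a 5-tuple.

    Same shape as _parse_forward_port(); the MAC address is resolved to its
    interface name first.
    """
    args = item.split(";")
    if len(args) != 4:
        module.fail_json(msg="improper forward_port_by_mac format")
    mac_addr, port_proto, to_port, to_addr = args
    port, protocol = _split_port_proto(
        module, port_proto,
        "improper forward_port_by_mac format (missing protocol?)")
    interface = _device_for_mac(module, mac_addr)
    return (interface, port, protocol, to_port or None, to_addr or None)


def _sync(desired_state, present, add, remove, apply=True):
    """Reconcile one item with ``desired_state`` given whether it is ``present``.

    ``add``/``remove`` are only called when ``apply`` is true (check mode
    passes False for calls that change the live firewall).  Returns True when
    a change is needed, whether or not it was applied.
    """
    if desired_state == "enabled" and not present:
        if apply:
            add()
        return True
    if desired_state == "disabled" and present:
        if apply:
            remove()
        return True
    return False


def _permanent_settings(fw, zone_name, current_name, current, changed_zones):
    """Return (zone object, settings) for ``zone_name``.

    ``current`` is the pair already loaded for ``current_name``; settings
    pending in ``changed_zones`` are reused so edits to one zone accumulate
    instead of the last write winning.
    """
    if zone_name == current_name:
        return current
    fw_zone = fw.config().getZoneByName(zone_name)
    if fw_zone in changed_zones:
        return fw_zone, changed_zones[fw_zone]
    return fw_zone, fw_zone.getSettings()


def _sync_interface(module, fw, zone_name, interface, desired_state, settings):
    """Bind (enabled) or unbind (disabled) ``interface`` to ``zone_name``.

    Returns (changed, permanent_changed); the caller records ``settings`` in
    its changed_zones map when permanent_changed is true.
    """
    # try_set_zone_of_interface() is defined elsewhere; when it reports success
    # the binding is handled there and firewalld is not touched.  A successful
    # unbind is reported as a change too (the original only did so for bind).
    # NOTE(review): whether that helper honours check mode is not visible here.
    target = zone_name if desired_state == "enabled" else ""
    if try_set_zone_of_interface(target, interface):
        return True, False
    runtime = _sync(desired_state, fw.queryInterface(zone_name, interface),
                    lambda: fw.changeZoneOfInterface(zone_name, interface),
                    lambda: fw.removeInterface(zone_name, interface),
                    apply=not module.check_mode)
    permanent = _sync(desired_state, settings.queryInterface(interface),
                      lambda: settings.addInterface(interface),
                      lambda: settings.removeInterface(interface))
    return runtime or permanent, permanent


def _lokkit_port_range(module, spec):
    """Validate ``spec`` through getPortRange() for the lokkit backend.

    Fails the module when the spec is invalid (negative), ambiguous (None) or
    a reversed range; returns the range otherwise.
    """
    port_range = getPortRange(spec)
    # None is tested before the "< 0" comparison, which raises TypeError on
    # Python 3 when the result is None.
    if port_range is None:
        module.fail_json(msg="port _range is not unique.")
    if isinstance(port_range, int) and port_range < 0:
        module.fail_json(msg="invalid port definition %s" % spec)
    if len(port_range) == 2 and port_range[0] >= port_range[1]:
        module.fail_json(msg="invalid port range %s" % spec)
    return port_range


def _sync_list(desired_state, items, values):
    """Add (enabled) or remove (disabled) each of ``values`` in ``items``.

    Returns True when ``items`` was modified.
    """
    changed = False
    for value in values:
        if desired_state == "enabled" and value not in items:
            items.append(value)
            changed = True
        elif desired_state == "disabled" and value in items:
            items.remove(value)
            changed = True
    return changed


def _firewalld_apply(module, zone, desired_state, service, port, trust, masq,
                     forward_port):
    """Reconcile the firewalld runtime and permanent configuration.

    ``zone`` None selects the default zone.  Permanent changes are collected
    in in-memory settings objects per zone and written back at the end;
    runtime calls take effect immediately.  In check mode neither is applied,
    but the result is still computed.  Returns True when a change is needed.
    """
    fw = FirewallClient()

    def exception_handler(exception_message):
        module.fail_json(msg=exception_message)

    fw.setExceptionHandler(exception_handler)

    if not fw.connected:
        module.fail_json(msg="firewalld service must be running")

    trusted_zone = "trusted"
    external_zone = "external"
    if zone is not None:
        if zone not in fw.getZones():
            module.fail_json(msg="Runtime zone '%s' does not exist." % zone)
        if zone not in fw.config().getZoneNames():
            module.fail_json(msg="Permanent zone '%s' does not exist." % zone)
    else:
        zone = fw.getDefaultZone()
    fw_zone = fw.config().getZoneByName(zone)
    fw_settings = fw_zone.getSettings()
    current = (fw_zone, fw_settings)

    # Runtime add/remove calls change the live firewall, so they are skipped in
    # check mode; the settings objects are only written back below.
    live = not module.check_mode
    changed = False
    changed_zones = {}

    # service
    for item in service:
        if _sync(desired_state, fw.queryService(zone, item),
                 lambda: fw.addService(zone, item),
                 lambda: fw.removeService(zone, item), apply=live):
            # The original did not report a runtime-only removeService().
            changed = True
        if _sync(desired_state, fw_settings.queryService(item),
                 lambda: fw_settings.addService(item),
                 lambda: fw_settings.removeService(item)):
            changed = True
            changed_zones[fw_zone] = fw_settings

    # port
    for _port, _protocol in port:
        if _sync(desired_state, fw.queryPort(zone, _port, _protocol),
                 lambda: fw.addPort(zone, _port, _protocol),
                 lambda: fw.removePort(zone, _port, _protocol), apply=live):
            changed = True
        if _sync(desired_state, fw_settings.queryPort(_port, _protocol),
                 lambda: fw_settings.addPort(_port, _protocol),
                 lambda: fw_settings.removePort(_port, _protocol)):
            changed = True
            changed_zones[fw_zone] = fw_settings

    # trust(_by_mac) binds to "trusted", masq(_by_mac) to "external"
    for zone_name, items in ((trusted_zone, trust), (external_zone, masq)):
        if not items:
            continue
        _fw_zone, _fw_settings = _permanent_settings(
            fw, zone_name, zone, current, changed_zones)
        for item in items:
            item_changed, permanent_changed = _sync_interface(
                module, fw, zone_name, item, desired_state, _fw_settings)
            if item_changed:
                changed = True
            if permanent_changed:
                changed_zones[_fw_zone] = _fw_settings

    # forward_port(_by_mac): applied in the zone of the given interface
    for _interface, _port, _protocol, _to_port, _to_addr in forward_port:
        _zone = fw.getZoneOfInterface(_interface) if _interface else zone
        if not _zone:
            # NOTE(review): for an interface bound to no zone the original
            # passed "" to the runtime calls but used the module's zone for the
            # permanent settings; ``zone`` is used for both to keep them
            # consistent.
            _zone = zone
        _fw_zone, _fw_settings = _permanent_settings(
            fw, _zone, zone, current, changed_zones)
        if _sync(desired_state,
                 fw.queryForwardPort(_zone, _port, _protocol, _to_port,
                                     _to_addr),
                 lambda: fw.addForwardPort(_zone, _port, _protocol, _to_port,
                                           _to_addr),
                 lambda: fw.removeForwardPort(_zone, _port, _protocol,
                                              _to_port, _to_addr),
                 apply=live):
            changed = True
        if _sync(desired_state,
                 _fw_settings.queryForwardPort(_port, _protocol, _to_port,
                                               _to_addr),
                 lambda: _fw_settings.addForwardPort(_port, _protocol,
                                                     _to_port, _to_addr),
                 lambda: _fw_settings.removeForwardPort(_port, _protocol,
                                                        _to_port, _to_addr)):
            changed = True
            changed_zones[_fw_zone] = _fw_settings

    # apply permanent changes
    if changed and live:
        for changed_zone, settings in changed_zones.items():
            changed_zone.update(settings)
    return changed


def _lokkit_apply(module, desired_state, service, port, trust, masq,
                  forward_port):
    """Reconcile the system-config-firewall (lokkit) configuration.

    Returns True when a change is needed; the configuration is only written
    back outside check mode (the original wrote it first and then reported
    the check-mode result).
    """
    (config, old_config, _) = fw_lokkit.loadConfig(args=[], dbus_parser=True)

    changed = False

    # service
    if service:
        if config.services is None:
            config.services = []
        if _sync_list(desired_state, config.services, service):
            changed = True

    # port
    if port:
        if config.ports is None:
            config.ports = []
        port_protos = [(_lokkit_port_range(module, _port), _protocol)
                       for _port, _protocol in port]
        if _sync_list(desired_state, config.ports, port_protos):
            changed = True

    # trust, trust_by_mac
    if trust:
        if config.trust is None:
            config.trust = []
        if _sync_list(desired_state, config.trust, trust):
            changed = True

    # masq, masq_by_mac
    if masq:
        if config.masq is None:
            config.masq = []
        if _sync_list(desired_state, config.masq, masq):
            changed = True

    # forward_port, forward_port_by_mac
    if forward_port:
        if config.forward_port is None:
            config.forward_port = []
        entries = []
        for _interface, _port, _protocol, _to_port, _to_addr in forward_port:
            fwd_port = {
                "if": _interface,
                "port": _lokkit_port_range(module, _port),
                "proto": _protocol,
            }
            if _to_port is not None:
                fwd_port["toport"] = _lokkit_port_range(module, _to_port)
            if _to_addr is not None:
                fwd_port["toaddr"] = _to_addr
            entries.append(fwd_port)
        if _sync_list(desired_state, config.forward_port, entries):
            changed = True

    # apply changes
    if changed and not module.check_mode:
        fw_lokkit.updateFirewall(config, old_config)
    return changed


def main():
    """Ansible entry point.

    Reconciles services, ports, trusted/masqueraded interfaces and port
    forwards with the firewalld or lokkit backend and reports the result via
    module.exit_json(changed=...).  In check mode changes are computed but
    not applied.
    """
    module = AnsibleModule(
        argument_spec=dict(
            service=dict(required=False, type="list", default=[]),
            port=dict(required=False, type="list", default=[]),
            trust=dict(required=False, type="list", default=[]),
            trust_by_mac=dict(required=False, type="list", default=[]),
            masq=dict(required=False, type="list", default=[]),
            masq_by_mac=dict(required=False, type="list", default=[]),
            forward_port=dict(required=False, type="list", default=[]),
            forward_port_by_mac=dict(required=False, type="list", default=[]),
            zone=dict(required=False, type="str", default=None),
            state=dict(choices=["enabled", "disabled"], required=True),
        ),
        # The original listed "forward_prot", which matches no parameter, so a
        # play giving only forward_port / forward_port_by_mac was rejected.
        required_one_of=([
            "service",
            "port",
            "trust",
            "trust_by_mac",
            "masq",
            "masq_by_mac",
            "forward_port",
            "forward_port_by_mac",
        ], ),
        supports_check_mode=True,
    )

    if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL:
        module.fail_json(msg="No firewall backend could be imported.")

    params = module.params
    service = params["service"]
    port = [_split_port_proto(module, spec,
                              "improper port format (missing protocol?)")
            for spec in params["port"]]
    # The *_by_mac entries are merged into fresh lists here; the original
    # extend()ed the module.params lists in place.
    trust = list(params["trust"]) + [
        _device_for_mac(module, mac) for mac in params["trust_by_mac"]]
    masq = list(params["masq"]) + [
        _device_for_mac(module, mac) for mac in params["masq_by_mac"]]
    forward_port = [_parse_forward_port(module, item)
                    for item in params["forward_port"]]
    forward_port += [_parse_forward_port_by_mac(module, item)
                     for item in params["forward_port_by_mac"]]
    zone = params["zone"]
    if HAS_SYSTEM_CONFIG_FIREWALL and zone is not None:
        module.fail_json(
            msg="Zone can not be used with system-config-firewall/lokkit.")
    desired_state = params["state"]

    if HAS_FIREWALLD:
        changed = _firewalld_apply(module, zone, desired_state, service, port,
                                   trust, masq, forward_port)
    elif HAS_SYSTEM_CONFIG_FIREWALL:
        changed = _lokkit_apply(module, desired_state, service, port, trust,
                                masq, forward_port)
    else:
        # fail_json() exits the module.
        module.fail_json(msg="No firewalld and system-config-firewall")

    module.exit_json(changed=changed)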
def main():
    module = AnsibleModule(argument_spec=dict(
        service=dict(required=False, type='list', default=[]),
        port=dict(required=False, type='list', default=[]),
        trust=dict(required=False, type='list', default=[]),
        trust_by_mac=dict(required=False, type='list', default=[]),
        masq=dict(required=False, type='list', default=[]),
        masq_by_mac=dict(required=False, type='list', default=[]),
        forward_port=dict(required=False, type='list', default=[]),
        forward_port_by_mac=dict(required=False, type='list', default=[]),
        state=dict(choices=['enabled', 'disabled'], required=True),
    ),
                           required_one_of=([
                               'service', 'port', 'trust', 'trust_by_mac',
                               'masq', 'masq_by_mac', 'forward_prot'
                           ], ),
                           supports_check_mode=True)

    if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL:
        module.fail_json(msg='No firewall backend could be imported.')

    service = module.params['service']
    port = []
    for port_proto in module.params['port']:
        _port, _protocol = port_proto.split('/')
        if _protocol is None:
            module.fail_json(msg='improper port format (missing protocol?)')
        port.append((_port, _protocol))
    trust = module.params['trust']
    trust_by_mac = []
    for item in module.params['trust_by_mac']:
        _interface = get_device_for_mac(item)
        if _interface is None:
            module.fail_json(msg='MAC address not found %s' % item)
        trust_by_mac.append(_interface)
    masq = module.params['masq']
    masq_by_mac = []
    for item in module.params['masq_by_mac']:
        _interface = get_device_for_mac(item)
        if _interface is None:
            module.fail_json(msg='MAC address not found %s' % item)
        masq_by_mac.append(_interface)
    forward_port = []
    for item in module.params['forward_port']:
        args = item.split(";")
        if len(args) != 4:
            module.fail_json(msg='improper forward_port format: %s' % item)
        _interface, __port, _to_port, _to_addr = args
        _port, _protocol = __port.split('/')
        if _protocol is None:
            module.fail_json(msg='improper port format (missing protocol?)')
        if _to_port == "":
            _to_port = None
        if _to_addr == "":
            _to_addr = None
        forward_port.append((_interface, _port, _protocol, _to_port, _to_addr))

    forward_port_by_mac = []
    for item in module.params['forward_port_by_mac']:
        args = item.split(";")
        if len(args) != 4:
            module.fail_json(msg='improper forward_port_by_mac format')
        _mac_addr, __port, _to_port, _to_addr = args
        _port, _protocol = __port.split('/')
        if _protocol is None:
            module.fail_json(msg='improper port format (missing protocol?)')
        if _to_port == "":
            _to_port = None
        if _to_addr == "":
            _to_addr = None
        _interface = get_device_for_mac(_mac_addr)
        if _interface is None:
            module.fail_json(msg='MAC address not found %s' % _mac_addr)
        forward_port_by_mac.append(
            (_interface, _port, _protocol, _to_port, _to_addr))
    desired_state = module.params['state']

    if HAS_FIREWALLD:
        fw = FirewallClient()

        def exception_handler(exception_message):
            module.fail_json(msg=exception_message)

        fw.setExceptionHandler(exception_handler)

        if not fw.connected:
            module.fail_json(msg='firewalld service must be running')

        trusted_zone = "trusted"
        external_zone = "external"
        default_zone = fw.getDefaultZone()
        fw_zone = fw.config().getZoneByName(default_zone)
        fw_settings = fw_zone.getSettings()

        changed = False
        changed_zones = {}

        # service
        for item in service:
            if desired_state == "enabled":
                if not fw.queryService(default_zone, item):
                    fw.addService(default_zone, item)
                    changed = True
                if not fw_settings.queryService(item):
                    fw_settings.addService(item)
                    changed = True
                    changed_zones[fw_zone] = fw_settings
            elif desired_state == "disabled":
                if fw.queryService(default_zone, item):
                    fw.removeService(default_zone, item)
                if fw_settings.queryService(item):
                    fw_settings.removeService(item)
                    changed = True
                    changed_zones[fw_zone] = fw_settings

        # port
        for _port, _protocol in port:
            if desired_state == "enabled":
                if not fw.queryPort(default_zone, _port, _protocol):
                    fw.addPort(default_zone, _port, _protocol)
                    changed = True
                if not fw_settings.queryPort(_port, _protocol):
                    fw_settings.addPort(_port, _protocol)
                    changed = True
                    changed_zones[fw_zone] = fw_settings
            elif desired_state == "disabled":
                if fw.queryPort(default_zone, _port, _protocol):
                    fw.removePort(default_zone, _port, _protocol)
                    changed = True
                if fw_settings.queryPort(_port, _protocol):
                    fw_settings.removePort(_port, _protocol)
                    changed = True
                    changed_zones[fw_zone] = fw_settings

        # trust, trust_by_mac
        if len(trust) > 0 or len(trust_by_mac) > 0:
            items = trust
            if len(trust_by_mac) > 0:
                items.extend(trust_by_mac)

            if default_zone != trusted_zone:
                fw_zone = fw.config().getZoneByName(trusted_zone)
                fw_settings = fw_zone.getSettings()

            for item in items:
                if desired_state == "enabled":
                    if try_set_zone_of_interface(trusted_zone, item):
                        changed = True
                    else:
                        if not fw.queryInterface(trusted_zone, item):
                            fw.changeZoneOfInterface(trusted_zone, item)
                            changed = True
                        if not fw_settings.queryInterface(item):
                            fw_settings.addInterface(item)
                            changed = True
                            changed_zones[fw_zone] = fw_settings
                elif desired_state == "disabled":
                    if try_set_zone_of_interface("", item):
                        if module.check_mode:
                            module.exit_json(changed=True)
                    else:
                        if fw.queryInterface(trusted_zone, item):
                            fw.removeInterface(trusted_zone, item)
                            changed = True
                        if fw_settings.queryInterface(item):
                            fw_settings.removeInterface(item)
                            changed = True
                            changed_zones[fw_zone] = fw_settings

        # masq, masq_by_mac
        if len(masq) > 0 or len(masq_by_mac) > 0:
            items = masq
            if len(masq_by_mac) > 0:
                items.extend(masq_by_mac)

            if default_zone != external_zone:
                fw_zone = fw.config().getZoneByName(external_zone)
                fw_settings = fw_zone.getSettings()

            for item in items:
                if desired_state == "enabled":
                    if try_set_zone_of_interface(external_zone, item):
                        changed = True
                    else:
                        if not fw.queryInterface(external_zone, item):
                            fw.changeZoneOfInterface(external_zone, item)
                            changed = True
                        if not fw_settings.queryInterface(item):
                            fw_settings.addInterface(item)
                            changed = True
                            changed_zones[fw_zone] = fw_settings
                elif desired_state == "disabled":
                    if try_set_zone_of_interface("", item):
                        if module.check_mode:
                            module.exit_json(changed=True)
                    else:
                        if fw.queryInterface(external_zone, item):
                            fw.removeInterface(external_zone, item)
                            changed = True
                        if fw_settings.queryInterface(item):
                            fw_settings.removeInterface(item)
                            changed = True
                            changed_zones[fw_zone] = fw_settings

        # forward_port, forward_port_by_mac
        if len(forward_port) > 0 or len(forward_port_by_mac) > 0:
            items = forward_port
            if len(forward_port_by_mac) > 0:
                items.extend(forward_port_by_mac)

            for _interface, _port, _protocol, _to_port, _to_addr in items:
                if _interface != "":
                    _zone = fw.getZoneOfInterface(_interface)
                    if _zone != "" and _zone != default_zone:
                        fw_zone = fw.config().getZoneByName(_zone)
                        fw_settings = fw_zone.getSettings()

                if desired_state == "enabled":
                    if not fw.queryForwardPort(_zone, _port, _protocol,
                                               _to_port, _to_addr):
                        fw.addForwardPort(_zone, _port, _protocol, _to_port,
                                          _to_addr)
                        changed = True
                    if not fw_settings.queryForwardPort(
                            _port, _protocol, _to_port, _to_addr):
                        fw_settings.addForwardPort(_port, _protocol, _to_port,
                                                   _to_addr)
                        changed = True
                        changed_zones[fw_zone] = fw_settings
                elif desired_state == "disabled":
                    if fw.queryForwardPort(_zone, _port, _protocol, _to_port,
                                           _to_addr):
                        fw.removeForwardPort(_zone, _port, _protocol, _to_port,
                                             _to_addr)
                        changed = True
                    if fw_settings.queryForwardPort(_port, _protocol, _to_port,
                                                    _to_addr):
                        fw_settings.removeForwardPort(_port, _protocol,
                                                      _to_port, _to_addr)
                        changed = True
                        changed_zones[fw_zone] = fw_settings

        # apply changes
        if changed:
            for _zone in changed_zones:
                _zone.update(changed_zones[_zone])
            if module.check_mode:
                module.exit_json(changed=True)

    elif HAS_SYSTEM_CONFIG_FIREWALL:
        (config, old_config, _) = fw_lokkit.loadConfig(args=[],
                                                       dbus_parser=True)

        changed = False

        # service
        for item in service:
            if config.services is None:
                config.services = []

            if desired_state == "enabled":
                if item not in config.services:
                    config.services.append(item)
                    changed = True
            elif desired_state == "disabled":
                if item in config.services:
                    config.services.remove(item)
                    changed = True

        # port
        for _port, _protocol in port:
            if config.ports is None:
                config.ports = []

            _range = getPortRange(_port)
            if _range < 0:
                module.fail_json(msg='invalid port definition %s' % _port)
            elif _range is None:
                module.fail_json(msg='port _range is not unique.')
            elif len(_range) == 2 and _range[0] >= _range[1]:
                module.fail_json(msg='invalid port range %s' % _port)
            port_proto = (_range, _protocol)
            if desired_state == "enabled":
                if port_proto not in config.ports:
                    config.ports.append(port_proto)
                    changed = True
            elif desired_state == "disabled":
                if port_proto in config.ports:
                    config.ports.remove(port_proto)
                    changed = True

        # trust, trust_by_mac
        if len(trust) > 0 or len(trust_by_mac) > 0:
            if config.trust is None:
                config.trust = []

            items = trust
            if len(trust_by_mac) > 0:
                items.extend(trust_by_mac)

            for item in items:
                if desired_state == "enabled":
                    if item not in config.trust:
                        config.trust.append(item)
                        changed = True
                elif desired_state == "disabled":
                    if item in config.trust:
                        config.trust.remove(item)
                        changed = True

        # masq, masq_by_mac
        if len(masq) > 0 or len(masq_by_mac) > 0:
            if config.masq is None:
                config.masq = []

            items = masq
            if len(masq_by_mac) > 0:
                items.extend(masq_by_mac)

            for item in items:
                if desired_state == "enabled":
                    if item not in config.masq:
                        config.masq.append(item)
                        changed = True
                elif desired_state == "disabled":
                    if item in config.masq:
                        config.masq.remove(item)
                        changed = True

        # forward_port, forward_port_by_mac
        if len(forward_port) > 0 or len(forward_port_by_mac) > 0:
            if config.forward_port is None:
                config.forward_port = []

            items = forward_port
            if len(forward_port_by_mac) > 0:
                items.extend(forward_port_by_mac)

            for _interface, _port, _protocol, _to_port, _to_addr in items:
                _range = getPortRange(_port)
                if _range < 0:
                    module.fail_json(msg='invalid port definition')
                elif _range is None:
                    module.fail_json(msg='port _range is not unique.')
                elif len(_range) == 2 and _range[0] >= _range[1]:
                    module.fail_json(msg='invalid port range')
                fwd_port = {
                    "if": _interface,
                    "port": _range,
                    "proto": _protocol
                }
                if _to_port is not None:
                    _range = getPortRange(_to_port)
                    if _range < 0:
                        module.fail_json(msg='invalid port definition %s' % \
                                         _to_port)
                    elif _range is None:
                        module.fail_json(msg='port _range is not unique.')
                    elif len(_range) == 2 and _range[0] >= _range[1]:
                        module.fail_json(msg='invalid port range')
                    fwd_port["toport"] = _range
                if _to_addr is not None:
                    fwd_port["toaddr"] = _to_addr

                if desired_state == "enabled":
                    if fwd_port not in config.forward_port:
                        config.forward_port.append(fwd_port)
                        changed = True
                elif desired_state == "disabled":
                    if fwd_port in config.forward_port:
                        config.forward_port.remove(fwd_port)
                        changed = True

        # apply changes
        if changed:
            fw_lokkit.updateFirewall(config, old_config)
            if module.check_mode:
                module.exit_json(changed=True)

    else:
        module.fail_json(msg='No firewalld and system-config-firewall')

    module.exit_json(changed=False)
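    def forward_port_selection(self, interface=None, protocol=None, port=None,
                               to_address=None, to_port=None):
        """Show the "Port Forwarding" dialog and return the validated entry.

        The arguments pre-fill the dialog fields (ports are rendered through
        ``self.__simplePortStr``).  The dialog is re-shown until the user
        either cancels or enters a set of values that passes validation:

        * interface  - non-empty and accepted by ``checkInterface``
        * protocol   - one of ``"tcp"`` / ``"udp"``
        * port       - ``getPortRange`` must yield a list or tuple
        * to_address - if given, accepted by ``checkIP``
        * to_port    - if given, ``getPortRange`` must yield a list or tuple
        * at least one of ``to_address`` / ``to_port`` must be given

        Returns ``(interface, protocol, port, to_address, to_port)`` on OK,
        or ``None`` when the user cancels.  ``to_address`` is ``""`` when
        left blank; ``to_port`` is ``None`` when left blank.

        Fix: previously a ``to_port`` that was pre-filled from the argument
        and then cleared by the user was still returned, because the variable
        was only reassigned when the field was non-empty.
        """
        _interface = ( interface if interface else "" )
        _protocol = ( protocol if protocol else "" )
        _port = ( self.__simplePortStr(port) if port else "" )
        _to_address = ( to_address if to_address else "" )
        _to_port = ( self.__simplePortStr(to_port) if to_port else "" )
        while 1:
            # Build the form: description, source grid, destination grid,
            # button bar.  The last-entered values are carried over between
            # iterations so the user can correct a rejected entry.
            dialog = GridForm(self.screen, _("Port Forwarding"), 1, 6)
            tr = TextboxReflowed(40, _("Please select the source and "
                                       "destination options according "
                                       "to your needs."))
            dialog.add(tr, 0, 0, padding=(0,0,0,1), growx=1)

            dialog.add(TextboxReflowed(40, _("Source (all needed)")), 0, 1,
                       padding=(0,0,0,0), growx=1, anchorLeft=1)

            grid = Grid(2, 3)

            grid.setField(Label(_("Interface:")), 0, 0,
                          padding=(0,0,1,0), anchorLeft=1)
            dialog.interface = Entry(20, text=_interface)
            grid.setField(dialog.interface, 1, 0, padding=(0,0,1,0),
                          anchorLeft=1)

            grid.setField(Label(_("Protocol:")), 0, 1,
                          padding=(0,0,1,0), anchorLeft=1)
            dialog.protocol = Entry(20, text=_protocol)
            grid.setField(dialog.protocol, 1, 1, padding=(0,0,1,0),
                          anchorLeft=1)

            grid.setField(Label(_("Port / Port Range:")), 0, 2,
                          padding=(0,0,1,0), anchorLeft=1)
            dialog.port = Entry(20, text=_port)
            grid.setField(dialog.port, 1, 2, padding=(0,0,1,0),
                          anchorLeft=1)

            dialog.add(grid, 0, 2, padding=(0,0,0,1))

            dialog.add(TextboxReflowed(40, _("Destination (at least one "
                                             "needed)")), 0, 3,
                       padding=(0,0,0,0), growx=1, anchorLeft=1)

            grid = None
            grid = Grid(2, 2)

            grid.setField(Label(_("IP address:")), 0, 0,
                          padding=(0,0,1,0), anchorLeft=1)
            dialog.to_address = Entry(20, text=_to_address)
            grid.setField(dialog.to_address, 1, 0, padding=(0,0,1,0),
                          anchorLeft=1)

            grid.setField(Label(_("Port / Port Range:")), 0, 1,
                          padding=(0,0,1,0), anchorLeft=1)
            dialog.to_port = Entry(20, text=_to_port)
            grid.setField(dialog.to_port, 1, 1, padding=(0,0,1,0),
                          anchorLeft=1)

            dialog.add(grid, 0, 4, padding=(0,0,0,1))
            dialog.bb = ButtonBar(self.screen,
                                  ((_("OK"), "ok"), (_("Cancel"), "cancel")))
            dialog.add(dialog.bb, 0, 5, growx=1)
            res = dialog.bb.buttonPressed(dialog.runPopup())
            self.screen.popWindow()
            # Read the fields after the popup is closed so the values survive
            # the screen teardown; order matches the indices used below.
            values = (dialog.interface.value(), dialog.protocol.value(),
                      dialog.port.value(), dialog.to_address.value(),
                      dialog.to_port.value())

            if res == 'ok':
                # Every field is validated before anything is returned; a
                # single failure reports the error and re-shows the dialog
                # with the user's input preserved.
                error = False
                # interface
                _interface = values[0].strip()
                if not len(_interface) > 0 or not checkInterface(_interface):
                    self.error(_("Interface '%s' is not valid.") % _interface)
                    error = True
                else:
                    interface = _interface
                # protocol
                _protocol = values[1].strip()
                if not _protocol in [ "tcp", "udp" ]:
                    self.protocol_error(_protocol)
                    error = True
                else:
                    protocol = _protocol
                # port
                _port = values[2].strip()
                port = getPortRange(_port)
                # getPortRange signals a bad entry with a non-sequence value;
                # types.ListType/TupleType are the Python 2 spellings.
                if not (isinstance(port, types.ListType) or \
                            isinstance(port, types.TupleType)):
                    self.port_error(_port)
                    error = True
                    port = None
                # to_address (optional; an empty string means "not set")
                _to_address = values[3].strip()
                if len(_to_address) > 0 and not checkIP(_to_address):
                    self.error(_("Address '%s' is not valid.") % _to_address)
                    error = True
                    to_address = None
                else:
                    to_address = _to_address
                # to_port (optional; None means "not set")
                _to_port = values[4].strip()
                if len(_to_port) > 0:
                    to_port = getPortRange(_to_port)
                    if not (isinstance(to_port, types.ListType) or \
                                isinstance(to_port, types.TupleType)):
                        self.port_error(_to_port)
                        error = True
                        to_port = None
                else:
                    # A cleared field must not fall back to the pre-filled
                    # argument, otherwise a destination the user removed
                    # would still end up in the forwarding rule.
                    to_port = None

                if error:
                    continue
                # Source fields are all mandatory.
                if not interface or not protocol or not port:
                    continue
                # At least one destination is required.
                if not to_address and not to_port:
                    continue

                return (interface, protocol, port, to_address, to_port)
            elif res == 'cancel':
                return None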