def main(): module = AnsibleModule( argument_spec=dict( service=dict(required=False, type="list", default=[]), port=dict(required=False, type="list", default=[]), trust=dict(required=False, type="list", default=[]), trust_by_mac=dict(required=False, type="list", default=[]), masq=dict(required=False, type="list", default=[]), masq_by_mac=dict(required=False, type="list", default=[]), forward_port=dict(required=False, type="list", default=[]), forward_port_by_mac=dict(required=False, type="list", default=[]), zone=dict(required=False, type="str", default=None), state=dict(choices=["enabled", "disabled"], required=True), ), required_one_of=([ "service", "port", "trust", "trust_by_mac", "masq", "masq_by_mac", "forward_prot", ], ), supports_check_mode=True, ) if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL: module.fail_json(msg="No firewall backend could be imported.") service = module.params["service"] port = [] for port_proto in module.params["port"]: _port, _protocol = port_proto.split("/") if _protocol is None: module.fail_json(msg="improper port format (missing protocol?)") port.append((_port, _protocol)) trust = module.params["trust"] trust_by_mac = [] for item in module.params["trust_by_mac"]: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg="MAC address not found %s" % item) trust_by_mac.append(_interface) masq = module.params["masq"] masq_by_mac = [] for item in module.params["masq_by_mac"]: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg="MAC address not found %s" % item) masq_by_mac.append(_interface) forward_port = [] for item in module.params["forward_port"]: args = item.split(";") if len(args) == 4: _interface, __port, _to_port, _to_addr = args elif len(args) == 3: _interface = "" __port, _to_port, _to_addr = args else: module.fail_json(msg="improper forward_port format: %s" % item) _port, _protocol = __port.split("/") if _protocol is None: module.fail_json( msg="improper forward port format (missing protocol?)") if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None forward_port.append((_interface, _port, _protocol, _to_port, _to_addr)) forward_port_by_mac = [] for item in module.params["forward_port_by_mac"]: args = item.split(";") if len(args) != 4: module.fail_json(msg="improper forward_port_by_mac format") _mac_addr, __port, _to_port, _to_addr = args _port, _protocol = __port.split("/") if _protocol is None: module.fail_json( msg="improper forward_port_by_mac format (missing protocol?)") if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None _interface = get_device_for_mac(_mac_addr) if _interface is None: module.fail_json(msg="MAC address not found %s" % _mac_addr) forward_port_by_mac.append( (_interface, _port, _protocol, _to_port, _to_addr)) zone = module.params["zone"] if HAS_SYSTEM_CONFIG_FIREWALL and zone is not None: module.fail_json( msg="Zone can not be used with system-config-firewall/lokkit.") desired_state = module.params["state"] if HAS_FIREWALLD: fw = FirewallClient() def exception_handler(exception_message): module.fail_json(msg=exception_message) fw.setExceptionHandler(exception_handler) if not fw.connected: module.fail_json(msg="firewalld service must be running") trusted_zone = "trusted" external_zone = "external" if zone is not None: if zone not in fw.getZones(): module.fail_json(msg="Runtime zone '%s' does not exist." % zone) if zone not in fw.config().getZoneNames(): module.fail_json(msg="Permanent zone '%s' does not exist." % zone) else: zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(zone) fw_settings = fw_zone.getSettings() changed = False changed_zones = {} # service for item in service: if desired_state == "enabled": if not fw.queryService(zone, item): fw.addService(zone, item) changed = True if not fw_settings.queryService(item): fw_settings.addService(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryService(zone, item): fw.removeService(zone, item) if fw_settings.queryService(item): fw_settings.removeService(item) changed = True changed_zones[fw_zone] = fw_settings # port for _port, _protocol in port: if desired_state == "enabled": if not fw.queryPort(zone, _port, _protocol): fw.addPort(zone, _port, _protocol) changed = True if not fw_settings.queryPort(_port, _protocol): fw_settings.addPort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryPort(zone, _port, _protocol): fw.removePort(zone, _port, _protocol) changed = True if fw_settings.queryPort(_port, _protocol): fw_settings.removePort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) if zone != trusted_zone: _fw_zone = fw.config().getZoneByName(trusted_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings for item in items: if desired_state == "enabled": if try_set_zone_of_interface(trusted_zone, item): changed = True else: if not fw.queryInterface(trusted_zone, item): fw.changeZoneOfInterface(trusted_zone, item) changed = True if not _fw_settings.queryInterface(item): _fw_settings.addInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(trusted_zone, item): fw.removeInterface(trusted_zone, item) changed = True if _fw_settings.queryInterface(item): _fw_settings.removeInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) if zone != external_zone: _fw_zone = fw.config().getZoneByName(external_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings for item in items: if desired_state == "enabled": if try_set_zone_of_interface(external_zone, item): changed = True else: if not fw.queryInterface(external_zone, item): fw.changeZoneOfInterface(external_zone, item) changed = True if not _fw_settings.queryInterface(item): _fw_settings.addInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(external_zone, item): fw.removeInterface(external_zone, item) changed = True if _fw_settings.queryInterface(item): _fw_settings.removeInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: if _interface != "": _zone = fw.getZoneOfInterface(_interface) else: _zone = zone if _zone != "" and _zone != zone: _fw_zone = fw.config().getZoneByName(_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings if desired_state == "enabled": if not fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.addForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if not _fw_settings.queryForwardPort( _port, _protocol, _to_port, _to_addr): _fw_settings.addForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.removeForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if _fw_settings.queryForwardPort(_port, _protocol, _to_port, _to_addr): _fw_settings.removeForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[_fw_zone] = _fw_settings # apply changes if changed: for _zone in changed_zones: _zone.update(changed_zones[_zone]) module.exit_json(changed=True) elif HAS_SYSTEM_CONFIG_FIREWALL: (config, old_config, _) = fw_lokkit.loadConfig(args=[], dbus_parser=True) changed = False # service for item in service: if config.services is None: config.services = [] if desired_state == "enabled": if item not in config.services: config.services.append(item) changed = True elif desired_state == "disabled": if item in config.services: config.services.remove(item) changed = True # port for _port, _protocol in port: if config.ports is None: config.ports = [] _range = getPortRange(_port) if _range < 0: module.fail_json(msg="invalid port definition %s" % _port) elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range %s" % _port) port_proto = (_range, _protocol) if desired_state == "enabled": if port_proto not in config.ports: config.ports.append(port_proto) changed = True elif desired_state == "disabled": if port_proto in config.ports: config.ports.remove(port_proto) changed = True # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: if config.trust is None: config.trust = [] items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) for item in items: if desired_state == "enabled": if item not in config.trust: config.trust.append(item) changed = True elif desired_state == "disabled": if item in config.trust: config.trust.remove(item) changed = True # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: if config.masq is None: config.masq = [] items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) for item in items: if desired_state == "enabled": if item not in config.masq: config.masq.append(item) changed = True elif desired_state == "disabled": if item in config.masq: config.masq.remove(item) changed = True # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: if config.forward_port is None: config.forward_port = [] items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: _range = getPortRange(_port) if _range < 0: module.fail_json(msg="invalid port definition") elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range") fwd_port = { "if": _interface, "port": _range, "proto": _protocol } if _to_port is not None: _range = getPortRange(_to_port) if _range < 0: module.fail_json(msg="invalid port definition %s" % _to_port) elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range") fwd_port["toport"] = _range if _to_addr is not None: fwd_port["toaddr"] = _to_addr if desired_state == "enabled": if fwd_port not in config.forward_port: config.forward_port.append(fwd_port) changed = True elif desired_state == "disabled": if fwd_port in config.forward_port: config.forward_port.remove(fwd_port) changed = True # apply changes if changed: fw_lokkit.updateFirewall(config, old_config) if module.check_mode: module.exit_json(changed=True) else: module.fail_json(msg="No firewalld and system-config-firewall") module.exit_json(changed=False)
class TestFirewallDInterfaceConfig(unittest.TestCase): """ For testing of permanent changes, ie. those that survive restart: """ def setUp(self): unittest.TestCase.setUp(self) self.fw = FirewallClient() def tearDown(self): unittest.TestCase.tearDown(self) def test_zones(self): """ /org/fedoraproject/FirewallD1/config listZones() getZoneByName(String name) addZone(String name, Dict of {String, Variant} zone_settings) /org/fedoraproject/FirewallD1/config/zone/<id> getSettings() loadDefaults() update() rename() remove() """ print("\nGetting invalid zone") self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, "dummyname") zone_version = "1.0" zone_short = "Testing" zone_description = "this is just a testing zone" zone_target = DEFAULT_ZONE_TARGET zone_services = ["dhcpv6-client", "ssh"] zone_ports = [("123", "tcp"), ("666-667", "udp")] zone_icmpblocks = ["redirect", "echo-reply"] zone_masquerade = False zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"), ("123", "udp", "321", "192.168.1.1")] settings = FirewallClientZoneSettings() settings.setVersion(zone_version) settings.setShort(zone_short) settings.setDescription(zone_description) settings.setTarget(zone_target) settings.setServices(zone_services) settings.setPorts(zone_ports) settings.setIcmpBlocks(zone_icmpblocks) settings.setMasquerade(zone_masquerade) settings.setForwardPorts(zone_forward_ports) print("Adding zone with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addZone, "home", settings) print("Adding zone with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addZone, "", settings) zone_name = "test" print("Adding proper zone") self.fw.config().addZone(zone_name, settings) print("Checking the saved (permanent) settings") config_zone = self.fw.config().getZoneByName(zone_name) self.assertIsInstance(config_zone, firewall.client.FirewallClientConfigZone) zone_settings = config_zone.getSettings() self.assertIsInstance(zone_settings, firewall.client.FirewallClientZoneSettings) self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), "default") self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print("Updating settings") zone_services.append("mdns") zone_settings.setServices(zone_services) config_zone.update(zone_settings) print("Reloading firewalld") self.fw.reload() print("Checking of runtime settings") self.assertTrue(zone_name in self.fw.getZones()) self.assertEquals( self.fw.getServices(zone_name).sort(), zone_services.sort()) self.assertEquals( self.fw.getPorts(zone_name).sort(), zone_ports.sort()) self.assertEquals( self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort()) self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade) self.assertEquals( self.fw.getForwardPorts(zone_name).sort(), zone_forward_ports.sort()) print("Renaming zone to name that already exists") config_zone = self.fw.config().getZoneByName(zone_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename, "home") new_zone_name = "renamed" print("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name)) config_zone.rename(new_zone_name) print( "Checking whether the zone '%s' is accessible (it shouldn't be)" % zone_name) self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, zone_name) print("Checking whether the zone '%s' is accessible" % new_zone_name) config_zone = self.fw.config().getZoneByName(new_zone_name) zone_settings = config_zone.getSettings() self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), "default") self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print("Removing the zone '%s'" % new_zone_name) config_zone.remove() print( "Checking whether the removed zone is accessible (it shouldn't be)" ) self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, new_zone_name) # TODO test loadDefaults() ? def test_services(self): """ /org/fedoraproject/FirewallD1/config listServices() getServiceByName(String name) addService(String name, Dict of {String, Variant} settings) /org/fedoraproject/FirewallD1/config/service/<id> getSettings() loadDefaults() update() rename() remove() """ print("\nGetting invalid service") self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, "dummyname") service_version = "1.0" service_short = "Testing" service_description = "this is just a testing service" service_ports = [("123", "tcp"), ("666-667", "udp")] service_modules = ["nf_conntrack_tftp"] service_destinations = {'ipv4': '1.2.3.4', 'ipv6': 'dead::beef'} settings = FirewallClientServiceSettings() # ["", "", "", [], [], {}] settings.setVersion(service_version) settings.setShort(service_short) settings.setDescription(service_description) settings.setPorts(service_ports) settings.setModules(service_modules) settings.setDestinations(service_destinations) print("Adding service with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addService, "mdns", settings) print("Adding service with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addService, "", settings) service_name = "test" print("Adding proper service") self.fw.config().addService(service_name, settings) print("Checking the saved (permanent) settings") config_service = self.fw.config().getServiceByName(service_name) self.assertIsInstance(config_service, firewall.client.FirewallClientConfigService) service_settings = config_service.getSettings() self.assertIsInstance(service_settings, firewall.client.FirewallClientServiceSettings) print("Updating settings") service_modules.append("nf_conntrack_sip") service_destinations["ipv6"] = "3ffe:501:ffff::" service_settings.setModules(service_modules) service_settings.setDestinations(service_destinations) config_service.update(service_settings) self.assertEquals(service_settings.getVersion(), service_version) self.assertEquals(service_settings.getShort(), service_short) self.assertEquals(service_settings.getDescription(), service_description) self.assertEquals(service_settings.getPorts().sort(), service_ports.sort()) self.assertEquals(service_settings.getModules().sort(), service_modules.sort()) self.assertDictEqual(service_settings.getDestinations(), service_destinations) print("Renaming service to name that already exists") config_service = self.fw.config().getServiceByName(service_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_service.rename, "mdns") new_service_name = "renamed" print("Renaming service '%s' to '%s'" % (service_name, new_service_name)) config_service.rename(new_service_name) print( "Checking whether the service '%s' is accessible (it shouldn't be)" % service_name) self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, service_name) print("Checking whether the service '%s' is accessible" % new_service_name) config_service = self.fw.config().getServiceByName(new_service_name) service_settings = config_service.getSettings() self.assertEquals(service_settings.getVersion(), service_version) self.assertEquals(service_settings.getShort(), service_short) self.assertEquals(service_settings.getDescription(), service_description) self.assertEquals(service_settings.getPorts().sort(), service_ports.sort()) self.assertEquals(service_settings.getModules().sort(), service_modules.sort()) self.assertDictEqual(service_settings.getDestinations(), service_destinations) print("Removing the service '%s'" % new_service_name) config_service.remove() print( "Checking whether the removed service is accessible (it shouldn't be)" ) self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, new_service_name) # TODO test loadDefaults() ? def test_icmptypes(self): """ /org/fedoraproject/FirewallD1/config listIcmpTypes() getIcmpTypeByName(String name) addIcmpType(String name, Dict of {String, Variant} settings) /org/fedoraproject/FirewallD1/config/icmptype/<id> getSettings() loadDefaults() update() rename() remove() """ print("\nGetting invalid icmp-type") self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, "dummyname") icmptype_version = "1.0" icmptype_short = "Testing" icmptype_description = "this is just a testing icmp type" icmptype_destinations = ['ipv4'] settings = FirewallClientIcmpTypeSettings() # ["", "", "", []] settings.setVersion(icmptype_version) settings.setShort(icmptype_short) settings.setDescription(icmptype_description) settings.setDestinations(icmptype_destinations) print("Adding icmp type with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addIcmpType, "echo-reply", settings) print("Adding icmp type with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addIcmpType, "", settings) icmptype_name = "test" print("Adding proper icmp type") self.fw.config().addIcmpType(icmptype_name, settings) print("Checking the saved (permanent) settings") config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name) self.assertIsInstance(config_icmptype, firewall.client.FirewallClientConfigIcmpType) icmptype_settings = config_icmptype.getSettings() self.assertIsInstance(icmptype_settings, firewall.client.FirewallClientIcmpTypeSettings) print("Updating settings") icmptype_destinations.append("ipv6") icmptype_settings.setDestinations(icmptype_destinations) config_icmptype.update(icmptype_settings) self.assertEquals(icmptype_settings.getVersion(), icmptype_version) self.assertEquals(icmptype_settings.getShort(), icmptype_short) self.assertEquals(icmptype_settings.getDescription(), icmptype_description) self.assertEquals(icmptype_settings.getDestinations().sort(), icmptype_destinations.sort()) print("Renaming icmp type to name that already exists") config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_icmptype.rename, "echo-reply") new_icmptype_name = "renamed" print("Renaming icmp type '%s' to '%s'" % (icmptype_name, new_icmptype_name)) config_icmptype.rename(new_icmptype_name) print( "Checking whether the icmp type '%s' is accessible (it shouldn't be)" % icmptype_name) self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, icmptype_name) print("Checking whether the icmp type '%s' is accessible" % new_icmptype_name) config_icmptype = self.fw.config().getIcmpTypeByName(new_icmptype_name) icmptype_settings = config_icmptype.getSettings() self.assertEquals(icmptype_settings.getVersion(), icmptype_version) self.assertEquals(icmptype_settings.getShort(), icmptype_short) self.assertEquals(icmptype_settings.getDescription(), icmptype_description) self.assertEquals(icmptype_settings.getDestinations().sort(), icmptype_destinations.sort()) print("Removing the icmp type '%s'" % new_icmptype_name) config_icmptype.remove() print( "Checking whether the removed icmp type is accessible (it shouldn't be)" ) self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, new_icmptype_name)
class TestFirewallDInterfaceConfig(unittest.TestCase): """ For testing of permanent changes, ie. those that survive restart: """ def setUp(self): unittest.TestCase.setUp(self) self.fw = FirewallClient() def tearDown(self): unittest.TestCase.tearDown(self) def test_zones(self): """ /org/fedoraproject/FirewallD1/config listZones() getZoneByName(String name) addZone(String name, Dict of {String, Variant} zone_settings) /org/fedoraproject/FirewallD1/config/zone/<id> getSettings() loadDefaults() update() rename() remove() """ print ("\nGetting invalid zone") self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, "dummyname") zone_version = "1.0" zone_short = "Testing" zone_description = "this is just a testing zone" zone_target = DEFAULT_ZONE_TARGET zone_services = ["dhcpv6-client", "ssh"] zone_ports = [("123", "tcp"), ("666-667", "udp")] zone_icmpblocks = ["redirect", "echo-reply"] zone_masquerade = False zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"), ("123", "udp", "321", "192.168.1.1")] settings = FirewallClientZoneSettings() settings.setVersion(zone_version) settings.setShort(zone_short) settings.setDescription(zone_description) settings.setTarget(zone_target) settings.setServices(zone_services) settings.setPorts(zone_ports) settings.setIcmpBlocks(zone_icmpblocks) settings.setMasquerade(zone_masquerade) settings.setForwardPorts(zone_forward_ports) print ("Adding zone with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addZone, "home", settings) print ("Adding zone with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addZone, "", settings) zone_name = "test" print ("Adding proper zone") self.fw.config().addZone (zone_name, settings) print ("Checking the saved (permanent) settings") config_zone = self.fw.config().getZoneByName(zone_name) self.assertIsInstance(config_zone, firewall.client.FirewallClientConfigZone) zone_settings = config_zone.getSettings() self.assertIsInstance(zone_settings, firewall.client.FirewallClientZoneSettings) self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), zone_target) self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print ("Updating settings") zone_services.append("mdns") zone_settings.setServices(zone_services) config_zone.update(zone_settings) print ("Reloading firewalld") self.fw.reload() print ("Checking of runtime settings") self.assertTrue(zone_name in self.fw.getZones()) self.assertEquals(self.fw.getServices(zone_name).sort(), zone_services.sort()) self.assertEquals(self.fw.getPorts(zone_name).sort(), zone_ports.sort()) self.assertEquals(self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort()) self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade) self.assertEquals(self.fw.getForwardPorts(zone_name).sort(), zone_forward_ports.sort()) print ("Renaming zone to name that already exists") config_zone = self.fw.config().getZoneByName(zone_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename, "home") new_zone_name = "renamed" print ("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name)) config_zone.rename(new_zone_name) print ("Checking whether the zone '%s' is accessible (it shouldn't be)" % zone_name) self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, zone_name) print ("Checking whether the zone '%s' is accessible" % new_zone_name) config_zone = self.fw.config().getZoneByName(new_zone_name) zone_settings = config_zone.getSettings() self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), zone_target) self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print ("Removing the zone '%s'" % new_zone_name) config_zone.remove() print ("Checking whether the removed zone is accessible (it shouldn't be)") self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, new_zone_name) # TODO test loadDefaults() ? def test_services(self): """ /org/fedoraproject/FirewallD1/config listServices() getServiceByName(String name) addService(String name, Dict of {String, Variant} settings) /org/fedoraproject/FirewallD1/config/service/<id> getSettings() loadDefaults() update() rename() remove() """ print ("\nGetting invalid service") self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, "dummyname") service_version = "1.0" service_short = "Testing" service_description = "this is just a testing service" service_ports = [("123", "tcp"), ("666-667", "udp")] service_modules = ["nf_test_first", "nf_test_second"] service_destinations = {'ipv4': '1.2.3.4', 'ipv6': 'dead::beef'} settings = FirewallClientServiceSettings() # ["", "", "", [], [], {}] settings.setVersion(service_version) settings.setShort(service_short) settings.setDescription(service_description) settings.setPorts(service_ports) settings.setModules(service_modules) settings.setDestinations(service_destinations) print ("Adding service with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addService, "mdns", settings) print ("Adding service with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addService, "", settings) service_name = "test" print ("Adding proper service") self.fw.config().addService (service_name, settings) print ("Checking the saved (permanent) settings") config_service = self.fw.config().getServiceByName(service_name) self.assertIsInstance(config_service, firewall.client.FirewallClientConfigService) service_settings = config_service.getSettings() self.assertIsInstance(service_settings, firewall.client.FirewallClientServiceSettings) print ("Updating settings") service_modules.append("nf_test_third") service_destinations["ipv6"] = "3ffe:501:ffff::" service_settings.setModules(service_modules) service_settings.setDestinations(service_destinations) config_service.update(service_settings) self.assertEquals(service_settings.getVersion(), service_version) self.assertEquals(service_settings.getShort(), service_short) self.assertEquals(service_settings.getDescription(), service_description) self.assertEquals(service_settings.getPorts().sort(), service_ports.sort()) self.assertEquals(service_settings.getModules().sort(), service_modules.sort()) self.assertDictEqual(service_settings.getDestinations(), service_destinations) print ("Renaming service to name that already exists") config_service = self.fw.config().getServiceByName(service_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_service.rename, "mdns") new_service_name = "renamed" print ("Renaming service '%s' to '%s'" % (service_name, new_service_name)) config_service.rename(new_service_name) print ("Checking whether the service '%s' is accessible (it shouldn't be)" % service_name) self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, service_name) print ("Checking whether the service '%s' is accessible" % new_service_name) config_service = self.fw.config().getServiceByName(new_service_name) service_settings = config_service.getSettings() self.assertEquals(service_settings.getVersion(), service_version) self.assertEquals(service_settings.getShort(), service_short) self.assertEquals(service_settings.getDescription(), service_description) self.assertEquals(service_settings.getPorts().sort(), service_ports.sort()) self.assertEquals(service_settings.getModules().sort(), service_modules.sort()) self.assertDictEqual(service_settings.getDestinations(), service_destinations) print ("Removing the service '%s'" % new_service_name) config_service.remove() print ("Checking whether the removed service is accessible (it shouldn't be)") self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, new_service_name) # TODO test loadDefaults() ? def test_icmptypes(self): """ /org/fedoraproject/FirewallD1/config listIcmpTypes() getIcmpTypeByName(String name) addIcmpType(String name, Dict of {String, Variant} settings) /org/fedoraproject/FirewallD1/config/icmptype/<id> getSettings() loadDefaults() update() rename() remove() """ print ("\nGetting invalid icmp-type") self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, "dummyname") icmptype_version = "1.0" icmptype_short = "Testing" icmptype_description = "this is just a testing icmp type" icmptype_destinations = ['ipv4'] settings = FirewallClientIcmpTypeSettings() # ["", "", "", []] settings.setVersion(icmptype_version) settings.setShort(icmptype_short) settings.setDescription(icmptype_description) settings.setDestinations(icmptype_destinations) print ("Adding icmp type with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addIcmpType, "echo-reply", settings) print ("Adding icmp type with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addIcmpType, "", settings) icmptype_name = "test" print ("Adding proper icmp type") self.fw.config().addIcmpType (icmptype_name, settings) print ("Checking the saved (permanent) settings") config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name) self.assertIsInstance(config_icmptype, firewall.client.FirewallClientConfigIcmpType) icmptype_settings = config_icmptype.getSettings() self.assertIsInstance(icmptype_settings, firewall.client.FirewallClientIcmpTypeSettings) print ("Updating settings") icmptype_destinations.append("ipv6") icmptype_settings.setDestinations(icmptype_destinations) config_icmptype.update(icmptype_settings) self.assertEquals(icmptype_settings.getVersion(), icmptype_version) self.assertEquals(icmptype_settings.getShort(), icmptype_short) self.assertEquals(icmptype_settings.getDescription(), icmptype_description) self.assertEquals(icmptype_settings.getDestinations().sort(), icmptype_destinations.sort()) print ("Renaming icmp type to name that already exists") config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_icmptype.rename, "echo-reply") new_icmptype_name = "renamed" print ("Renaming icmp type '%s' to '%s'" % (icmptype_name, new_icmptype_name)) config_icmptype.rename(new_icmptype_name) print ("Checking whether the icmp type '%s' is accessible (it shouldn't be)" % icmptype_name) self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, icmptype_name) print ("Checking whether the icmp type '%s' is accessible" % new_icmptype_name) config_icmptype = self.fw.config().getIcmpTypeByName(new_icmptype_name) icmptype_settings = config_icmptype.getSettings() self.assertEquals(icmptype_settings.getVersion(), icmptype_version) self.assertEquals(icmptype_settings.getShort(), icmptype_short) self.assertEquals(icmptype_settings.getDescription(), icmptype_description) self.assertEquals(icmptype_settings.getDestinations().sort(), icmptype_destinations.sort()) print ("Removing the icmp type '%s'" % new_icmptype_name) config_icmptype.remove() print ("Checking whether the removed icmp type is accessible (it shouldn't be)") self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, new_icmptype_name)