def main():
module = AnsibleModule(
argument_spec=dict(
service=dict(required=False, type="list", default=[]),
port=dict(required=False, type="list", default=[]),
trust=dict(required=False, type="list", default=[]),
trust_by_mac=dict(required=False, type="list", default=[]),
masq=dict(required=False, type="list", default=[]),
masq_by_mac=dict(required=False, type="list", default=[]),
forward_port=dict(required=False, type="list", default=[]),
forward_port_by_mac=dict(required=False, type="list", default=[]),
zone=dict(required=False, type="str", default=None),
state=dict(choices=["enabled", "disabled"], required=True),
),
required_one_of=([
"service",
"port",
"trust",
"trust_by_mac",
"masq",
"masq_by_mac",
"forward_prot",
], ),
supports_check_mode=True,
)
if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL:
module.fail_json(msg="No firewall backend could be imported.")
service = module.params["service"]
port = []
for port_proto in module.params["port"]:
_port, _protocol = port_proto.split("/")
if _protocol is None:
module.fail_json(msg="improper port format (missing protocol?)")
port.append((_port, _protocol))
trust = module.params["trust"]
trust_by_mac = []
for item in module.params["trust_by_mac"]:
_interface = get_device_for_mac(item)
if _interface is None:
module.fail_json(msg="MAC address not found %s" % item)
trust_by_mac.append(_interface)
masq = module.params["masq"]
masq_by_mac = []
for item in module.params["masq_by_mac"]:
_interface = get_device_for_mac(item)
if _interface is None:
module.fail_json(msg="MAC address not found %s" % item)
masq_by_mac.append(_interface)
forward_port = []
for item in module.params["forward_port"]:
args = item.split(";")
if len(args) == 4:
_interface, __port, _to_port, _to_addr = args
elif len(args) == 3:
_interface = ""
__port, _to_port, _to_addr = args
else:
module.fail_json(msg="improper forward_port format: %s" % item)
_port, _protocol = __port.split("/")
if _protocol is None:
module.fail_json(
msg="improper forward port format (missing protocol?)")
if _to_port == "":
_to_port = None
if _to_addr == "":
_to_addr = None
forward_port.append((_interface, _port, _protocol, _to_port, _to_addr))
forward_port_by_mac = []
for item in module.params["forward_port_by_mac"]:
args = item.split(";")
if len(args) != 4:
module.fail_json(msg="improper forward_port_by_mac format")
_mac_addr, __port, _to_port, _to_addr = args
_port, _protocol = __port.split("/")
if _protocol is None:
module.fail_json(
msg="improper forward_port_by_mac format (missing protocol?)")
if _to_port == "":
_to_port = None
if _to_addr == "":
_to_addr = None
_interface = get_device_for_mac(_mac_addr)
if _interface is None:
module.fail_json(msg="MAC address not found %s" % _mac_addr)
forward_port_by_mac.append(
(_interface, _port, _protocol, _to_port, _to_addr))
zone = module.params["zone"]
if HAS_SYSTEM_CONFIG_FIREWALL and zone is not None:
module.fail_json(
msg="Zone can not be used with system-config-firewall/lokkit.")
desired_state = module.params["state"]
if HAS_FIREWALLD:
fw = FirewallClient()
def exception_handler(exception_message):
module.fail_json(msg=exception_message)
fw.setExceptionHandler(exception_handler)
if not fw.connected:
module.fail_json(msg="firewalld service must be running")
trusted_zone = "trusted"
external_zone = "external"
if zone is not None:
if zone not in fw.getZones():
module.fail_json(msg="Runtime zone '%s' does not exist." %
zone)
if zone not in fw.config().getZoneNames():
module.fail_json(msg="Permanent zone '%s' does not exist." %
zone)
else:
zone = fw.getDefaultZone()
fw_zone = fw.config().getZoneByName(zone)
fw_settings = fw_zone.getSettings()
changed = False
changed_zones = {}
# service
for item in service:
if desired_state == "enabled":
if not fw.queryService(zone, item):
fw.addService(zone, item)
changed = True
if not fw_settings.queryService(item):
fw_settings.addService(item)
changed = True
changed_zones[fw_zone] = fw_settings
elif desired_state == "disabled":
if fw.queryService(zone, item):
fw.removeService(zone, item)
if fw_settings.queryService(item):
fw_settings.removeService(item)
changed = True
changed_zones[fw_zone] = fw_settings
# port
for _port, _protocol in port:
if desired_state == "enabled":
if not fw.queryPort(zone, _port, _protocol):
fw.addPort(zone, _port, _protocol)
changed = True
if not fw_settings.queryPort(_port, _protocol):
fw_settings.addPort(_port, _protocol)
changed = True
changed_zones[fw_zone] = fw_settings
elif desired_state == "disabled":
if fw.queryPort(zone, _port, _protocol):
fw.removePort(zone, _port, _protocol)
changed = True
if fw_settings.queryPort(_port, _protocol):
fw_settings.removePort(_port, _protocol)
changed = True
changed_zones[fw_zone] = fw_settings
# trust, trust_by_mac
if len(trust) > 0 or len(trust_by_mac) > 0:
items = trust
if len(trust_by_mac) > 0:
items.extend(trust_by_mac)
if zone != trusted_zone:
_fw_zone = fw.config().getZoneByName(trusted_zone)
if _fw_zone in changed_zones:
_fw_settings = changed_zones[_fw_zone]
else:
_fw_settings = _fw_zone.getSettings()
else:
_fw_zone = fw_zone
_fw_settings = fw_settings
for item in items:
if desired_state == "enabled":
if try_set_zone_of_interface(trusted_zone, item):
changed = True
else:
if not fw.queryInterface(trusted_zone, item):
fw.changeZoneOfInterface(trusted_zone, item)
changed = True
if not _fw_settings.queryInterface(item):
_fw_settings.addInterface(item)
changed = True
changed_zones[_fw_zone] = _fw_settings
elif desired_state == "disabled":
if try_set_zone_of_interface("", item):
if module.check_mode:
module.exit_json(changed=True)
else:
if fw.queryInterface(trusted_zone, item):
fw.removeInterface(trusted_zone, item)
changed = True
if _fw_settings.queryInterface(item):
_fw_settings.removeInterface(item)
changed = True
changed_zones[_fw_zone] = _fw_settings
# masq, masq_by_mac
if len(masq) > 0 or len(masq_by_mac) > 0:
items = masq
if len(masq_by_mac) > 0:
items.extend(masq_by_mac)
if zone != external_zone:
_fw_zone = fw.config().getZoneByName(external_zone)
if _fw_zone in changed_zones:
_fw_settings = changed_zones[_fw_zone]
else:
_fw_settings = _fw_zone.getSettings()
else:
_fw_zone = fw_zone
_fw_settings = fw_settings
for item in items:
if desired_state == "enabled":
if try_set_zone_of_interface(external_zone, item):
changed = True
else:
if not fw.queryInterface(external_zone, item):
fw.changeZoneOfInterface(external_zone, item)
changed = True
if not _fw_settings.queryInterface(item):
_fw_settings.addInterface(item)
changed = True
changed_zones[_fw_zone] = _fw_settings
elif desired_state == "disabled":
if try_set_zone_of_interface("", item):
if module.check_mode:
module.exit_json(changed=True)
else:
if fw.queryInterface(external_zone, item):
fw.removeInterface(external_zone, item)
changed = True
if _fw_settings.queryInterface(item):
_fw_settings.removeInterface(item)
changed = True
changed_zones[_fw_zone] = _fw_settings
# forward_port, forward_port_by_mac
if len(forward_port) > 0 or len(forward_port_by_mac) > 0:
items = forward_port
if len(forward_port_by_mac) > 0:
items.extend(forward_port_by_mac)
for _interface, _port, _protocol, _to_port, _to_addr in items:
if _interface != "":
_zone = fw.getZoneOfInterface(_interface)
else:
_zone = zone
if _zone != "" and _zone != zone:
_fw_zone = fw.config().getZoneByName(_zone)
if _fw_zone in changed_zones:
_fw_settings = changed_zones[_fw_zone]
else:
_fw_settings = _fw_zone.getSettings()
else:
_fw_zone = fw_zone
_fw_settings = fw_settings
if desired_state == "enabled":
if not fw.queryForwardPort(_zone, _port, _protocol,
_to_port, _to_addr):
fw.addForwardPort(_zone, _port, _protocol, _to_port,
_to_addr)
changed = True
if not _fw_settings.queryForwardPort(
_port, _protocol, _to_port, _to_addr):
_fw_settings.addForwardPort(_port, _protocol, _to_port,
_to_addr)
changed = True
changed_zones[_fw_zone] = _fw_settings
elif desired_state == "disabled":
if fw.queryForwardPort(_zone, _port, _protocol, _to_port,
_to_addr):
fw.removeForwardPort(_zone, _port, _protocol, _to_port,
_to_addr)
changed = True
if _fw_settings.queryForwardPort(_port, _protocol,
_to_port, _to_addr):
_fw_settings.removeForwardPort(_port, _protocol,
_to_port, _to_addr)
changed = True
changed_zones[_fw_zone] = _fw_settings
# apply changes
if changed:
for _zone in changed_zones:
_zone.update(changed_zones[_zone])
module.exit_json(changed=True)
elif HAS_SYSTEM_CONFIG_FIREWALL:
(config, old_config, _) = fw_lokkit.loadConfig(args=[],
dbus_parser=True)
changed = False
# service
for item in service:
if config.services is None:
config.services = []
if desired_state == "enabled":
if item not in config.services:
config.services.append(item)
changed = True
elif desired_state == "disabled":
if item in config.services:
config.services.remove(item)
changed = True
# port
for _port, _protocol in port:
if config.ports is None:
config.ports = []
_range = getPortRange(_port)
if _range < 0:
module.fail_json(msg="invalid port definition %s" % _port)
elif _range is None:
module.fail_json(msg="port _range is not unique.")
elif len(_range) == 2 and _range[0] >= _range[1]:
module.fail_json(msg="invalid port range %s" % _port)
port_proto = (_range, _protocol)
if desired_state == "enabled":
if port_proto not in config.ports:
config.ports.append(port_proto)
changed = True
elif desired_state == "disabled":
if port_proto in config.ports:
config.ports.remove(port_proto)
changed = True
# trust, trust_by_mac
if len(trust) > 0 or len(trust_by_mac) > 0:
if config.trust is None:
config.trust = []
items = trust
if len(trust_by_mac) > 0:
items.extend(trust_by_mac)
for item in items:
if desired_state == "enabled":
if item not in config.trust:
config.trust.append(item)
changed = True
elif desired_state == "disabled":
if item in config.trust:
config.trust.remove(item)
changed = True
# masq, masq_by_mac
if len(masq) > 0 or len(masq_by_mac) > 0:
if config.masq is None:
config.masq = []
items = masq
if len(masq_by_mac) > 0:
items.extend(masq_by_mac)
for item in items:
if desired_state == "enabled":
if item not in config.masq:
config.masq.append(item)
changed = True
elif desired_state == "disabled":
if item in config.masq:
config.masq.remove(item)
changed = True
# forward_port, forward_port_by_mac
if len(forward_port) > 0 or len(forward_port_by_mac) > 0:
if config.forward_port is None:
config.forward_port = []
items = forward_port
if len(forward_port_by_mac) > 0:
items.extend(forward_port_by_mac)
for _interface, _port, _protocol, _to_port, _to_addr in items:
_range = getPortRange(_port)
if _range < 0:
module.fail_json(msg="invalid port definition")
elif _range is None:
module.fail_json(msg="port _range is not unique.")
elif len(_range) == 2 and _range[0] >= _range[1]:
module.fail_json(msg="invalid port range")
fwd_port = {
"if": _interface,
"port": _range,
"proto": _protocol
}
if _to_port is not None:
_range = getPortRange(_to_port)
if _range < 0:
module.fail_json(msg="invalid port definition %s" %
_to_port)
elif _range is None:
module.fail_json(msg="port _range is not unique.")
elif len(_range) == 2 and _range[0] >= _range[1]:
module.fail_json(msg="invalid port range")
fwd_port["toport"] = _range
if _to_addr is not None:
fwd_port["toaddr"] = _to_addr
if desired_state == "enabled":
if fwd_port not in config.forward_port:
config.forward_port.append(fwd_port)
changed = True
elif desired_state == "disabled":
if fwd_port in config.forward_port:
config.forward_port.remove(fwd_port)
changed = True
# apply changes
if changed:
fw_lokkit.updateFirewall(config, old_config)
if module.check_mode:
module.exit_json(changed=True)
else:
module.fail_json(msg="No firewalld and system-config-firewall")
module.exit_json(changed=False)
class TestFirewallDInterfaceConfig(unittest.TestCase):
"""
For testing of permanent changes, ie. those that survive restart:
"""
def setUp(self):
unittest.TestCase.setUp(self)
self.fw = FirewallClient()
def tearDown(self):
unittest.TestCase.tearDown(self)
def test_zones(self):
"""
/org/fedoraproject/FirewallD1/config
listZones()
getZoneByName(String name)
addZone(String name, Dict of {String, Variant} zone_settings)
/org/fedoraproject/FirewallD1/config/zone/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print("\nGetting invalid zone")
self.assertRaisesRegexp(Exception, 'INVALID_ZONE',
self.fw.config().getZoneByName, "dummyname")
zone_version = "1.0"
zone_short = "Testing"
zone_description = "this is just a testing zone"
zone_target = DEFAULT_ZONE_TARGET
zone_services = ["dhcpv6-client", "ssh"]
zone_ports = [("123", "tcp"), ("666-667", "udp")]
zone_icmpblocks = ["redirect", "echo-reply"]
zone_masquerade = False
zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"),
("123", "udp", "321", "192.168.1.1")]
settings = FirewallClientZoneSettings()
settings.setVersion(zone_version)
settings.setShort(zone_short)
settings.setDescription(zone_description)
settings.setTarget(zone_target)
settings.setServices(zone_services)
settings.setPorts(zone_ports)
settings.setIcmpBlocks(zone_icmpblocks)
settings.setMasquerade(zone_masquerade)
settings.setForwardPorts(zone_forward_ports)
print("Adding zone with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT',
self.fw.config().addZone, "home", settings)
print("Adding zone with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME',
self.fw.config().addZone, "", settings)
zone_name = "test"
print("Adding proper zone")
self.fw.config().addZone(zone_name, settings)
print("Checking the saved (permanent) settings")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertIsInstance(config_zone,
firewall.client.FirewallClientConfigZone)
zone_settings = config_zone.getSettings()
self.assertIsInstance(zone_settings,
firewall.client.FirewallClientZoneSettings)
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), "default")
self.assertEquals(zone_settings.getServices().sort(),
zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(),
zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(),
zone_forward_ports.sort())
print("Updating settings")
zone_services.append("mdns")
zone_settings.setServices(zone_services)
config_zone.update(zone_settings)
print("Reloading firewalld")
self.fw.reload()
print("Checking of runtime settings")
self.assertTrue(zone_name in self.fw.getZones())
self.assertEquals(
self.fw.getServices(zone_name).sort(), zone_services.sort())
self.assertEquals(
self.fw.getPorts(zone_name).sort(), zone_ports.sort())
self.assertEquals(
self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort())
self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade)
self.assertEquals(
self.fw.getForwardPorts(zone_name).sort(),
zone_forward_ports.sort())
print("Renaming zone to name that already exists")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename,
"home")
new_zone_name = "renamed"
print("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name))
config_zone.rename(new_zone_name)
print(
"Checking whether the zone '%s' is accessible (it shouldn't be)" %
zone_name)
self.assertRaisesRegexp(Exception, 'INVALID_ZONE',
self.fw.config().getZoneByName, zone_name)
print("Checking whether the zone '%s' is accessible" % new_zone_name)
config_zone = self.fw.config().getZoneByName(new_zone_name)
zone_settings = config_zone.getSettings()
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), "default")
self.assertEquals(zone_settings.getServices().sort(),
zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(),
zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(),
zone_forward_ports.sort())
print("Removing the zone '%s'" % new_zone_name)
config_zone.remove()
print(
"Checking whether the removed zone is accessible (it shouldn't be)"
)
self.assertRaisesRegexp(Exception, 'INVALID_ZONE',
self.fw.config().getZoneByName, new_zone_name)
# TODO test loadDefaults() ?
def test_services(self):
"""
/org/fedoraproject/FirewallD1/config
listServices()
getServiceByName(String name)
addService(String name, Dict of {String, Variant} settings)
/org/fedoraproject/FirewallD1/config/service/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print("\nGetting invalid service")
self.assertRaisesRegexp(Exception, 'INVALID_SERVICE',
self.fw.config().getServiceByName, "dummyname")
service_version = "1.0"
service_short = "Testing"
service_description = "this is just a testing service"
service_ports = [("123", "tcp"), ("666-667", "udp")]
service_modules = ["nf_conntrack_tftp"]
service_destinations = {'ipv4': '1.2.3.4', 'ipv6': 'dead::beef'}
settings = FirewallClientServiceSettings() # ["", "", "", [], [], {}]
settings.setVersion(service_version)
settings.setShort(service_short)
settings.setDescription(service_description)
settings.setPorts(service_ports)
settings.setModules(service_modules)
settings.setDestinations(service_destinations)
print("Adding service with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT',
self.fw.config().addService, "mdns", settings)
print("Adding service with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME',
self.fw.config().addService, "", settings)
service_name = "test"
print("Adding proper service")
self.fw.config().addService(service_name, settings)
print("Checking the saved (permanent) settings")
config_service = self.fw.config().getServiceByName(service_name)
self.assertIsInstance(config_service,
firewall.client.FirewallClientConfigService)
service_settings = config_service.getSettings()
self.assertIsInstance(service_settings,
firewall.client.FirewallClientServiceSettings)
print("Updating settings")
service_modules.append("nf_conntrack_sip")
service_destinations["ipv6"] = "3ffe:501:ffff::"
service_settings.setModules(service_modules)
service_settings.setDestinations(service_destinations)
config_service.update(service_settings)
self.assertEquals(service_settings.getVersion(), service_version)
self.assertEquals(service_settings.getShort(), service_short)
self.assertEquals(service_settings.getDescription(),
service_description)
self.assertEquals(service_settings.getPorts().sort(),
service_ports.sort())
self.assertEquals(service_settings.getModules().sort(),
service_modules.sort())
self.assertDictEqual(service_settings.getDestinations(),
service_destinations)
print("Renaming service to name that already exists")
config_service = self.fw.config().getServiceByName(service_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT',
config_service.rename, "mdns")
new_service_name = "renamed"
print("Renaming service '%s' to '%s'" %
(service_name, new_service_name))
config_service.rename(new_service_name)
print(
"Checking whether the service '%s' is accessible (it shouldn't be)"
% service_name)
self.assertRaisesRegexp(Exception, 'INVALID_SERVICE',
self.fw.config().getServiceByName,
service_name)
print("Checking whether the service '%s' is accessible" %
new_service_name)
config_service = self.fw.config().getServiceByName(new_service_name)
service_settings = config_service.getSettings()
self.assertEquals(service_settings.getVersion(), service_version)
self.assertEquals(service_settings.getShort(), service_short)
self.assertEquals(service_settings.getDescription(),
service_description)
self.assertEquals(service_settings.getPorts().sort(),
service_ports.sort())
self.assertEquals(service_settings.getModules().sort(),
service_modules.sort())
self.assertDictEqual(service_settings.getDestinations(),
service_destinations)
print("Removing the service '%s'" % new_service_name)
config_service.remove()
print(
"Checking whether the removed service is accessible (it shouldn't be)"
)
self.assertRaisesRegexp(Exception, 'INVALID_SERVICE',
self.fw.config().getServiceByName,
new_service_name)
# TODO test loadDefaults() ?
def test_icmptypes(self):
"""
/org/fedoraproject/FirewallD1/config
listIcmpTypes()
getIcmpTypeByName(String name)
addIcmpType(String name, Dict of {String, Variant} settings)
/org/fedoraproject/FirewallD1/config/icmptype/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print("\nGetting invalid icmp-type")
self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE',
self.fw.config().getIcmpTypeByName,
"dummyname")
icmptype_version = "1.0"
icmptype_short = "Testing"
icmptype_description = "this is just a testing icmp type"
icmptype_destinations = ['ipv4']
settings = FirewallClientIcmpTypeSettings() # ["", "", "", []]
settings.setVersion(icmptype_version)
settings.setShort(icmptype_short)
settings.setDescription(icmptype_description)
settings.setDestinations(icmptype_destinations)
print("Adding icmp type with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT',
self.fw.config().addIcmpType, "echo-reply",
settings)
print("Adding icmp type with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME',
self.fw.config().addIcmpType, "", settings)
icmptype_name = "test"
print("Adding proper icmp type")
self.fw.config().addIcmpType(icmptype_name, settings)
print("Checking the saved (permanent) settings")
config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name)
self.assertIsInstance(config_icmptype,
firewall.client.FirewallClientConfigIcmpType)
icmptype_settings = config_icmptype.getSettings()
self.assertIsInstance(icmptype_settings,
firewall.client.FirewallClientIcmpTypeSettings)
print("Updating settings")
icmptype_destinations.append("ipv6")
icmptype_settings.setDestinations(icmptype_destinations)
config_icmptype.update(icmptype_settings)
self.assertEquals(icmptype_settings.getVersion(), icmptype_version)
self.assertEquals(icmptype_settings.getShort(), icmptype_short)
self.assertEquals(icmptype_settings.getDescription(),
icmptype_description)
self.assertEquals(icmptype_settings.getDestinations().sort(),
icmptype_destinations.sort())
print("Renaming icmp type to name that already exists")
config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT',
config_icmptype.rename, "echo-reply")
new_icmptype_name = "renamed"
print("Renaming icmp type '%s' to '%s'" %
(icmptype_name, new_icmptype_name))
config_icmptype.rename(new_icmptype_name)
print(
"Checking whether the icmp type '%s' is accessible (it shouldn't be)"
% icmptype_name)
self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE',
self.fw.config().getIcmpTypeByName,
icmptype_name)
print("Checking whether the icmp type '%s' is accessible" %
new_icmptype_name)
config_icmptype = self.fw.config().getIcmpTypeByName(new_icmptype_name)
icmptype_settings = config_icmptype.getSettings()
self.assertEquals(icmptype_settings.getVersion(), icmptype_version)
self.assertEquals(icmptype_settings.getShort(), icmptype_short)
self.assertEquals(icmptype_settings.getDescription(),
icmptype_description)
self.assertEquals(icmptype_settings.getDestinations().sort(),
icmptype_destinations.sort())
print("Removing the icmp type '%s'" % new_icmptype_name)
config_icmptype.remove()
print(
"Checking whether the removed icmp type is accessible (it shouldn't be)"
)
self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE',
self.fw.config().getIcmpTypeByName,
new_icmptype_name)
class TestFirewallDInterfaceConfig(unittest.TestCase):
"""
For testing of permanent changes, ie. those that survive restart:
"""
def setUp(self):
unittest.TestCase.setUp(self)
self.fw = FirewallClient()
def tearDown(self):
unittest.TestCase.tearDown(self)
def test_zones(self):
"""
/org/fedoraproject/FirewallD1/config
listZones()
getZoneByName(String name)
addZone(String name, Dict of {String, Variant} zone_settings)
/org/fedoraproject/FirewallD1/config/zone/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print ("\nGetting invalid zone")
self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, "dummyname")
zone_version = "1.0"
zone_short = "Testing"
zone_description = "this is just a testing zone"
zone_target = DEFAULT_ZONE_TARGET
zone_services = ["dhcpv6-client", "ssh"]
zone_ports = [("123", "tcp"), ("666-667", "udp")]
zone_icmpblocks = ["redirect", "echo-reply"]
zone_masquerade = False
zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"), ("123", "udp", "321", "192.168.1.1")]
settings = FirewallClientZoneSettings()
settings.setVersion(zone_version)
settings.setShort(zone_short)
settings.setDescription(zone_description)
settings.setTarget(zone_target)
settings.setServices(zone_services)
settings.setPorts(zone_ports)
settings.setIcmpBlocks(zone_icmpblocks)
settings.setMasquerade(zone_masquerade)
settings.setForwardPorts(zone_forward_ports)
print ("Adding zone with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addZone, "home", settings)
print ("Adding zone with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addZone, "", settings)
zone_name = "test"
print ("Adding proper zone")
self.fw.config().addZone (zone_name, settings)
print ("Checking the saved (permanent) settings")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertIsInstance(config_zone, firewall.client.FirewallClientConfigZone)
zone_settings = config_zone.getSettings()
self.assertIsInstance(zone_settings, firewall.client.FirewallClientZoneSettings)
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), zone_target)
self.assertEquals(zone_settings.getServices().sort(), zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort())
print ("Updating settings")
zone_services.append("mdns")
zone_settings.setServices(zone_services)
config_zone.update(zone_settings)
print ("Reloading firewalld")
self.fw.reload()
print ("Checking of runtime settings")
self.assertTrue(zone_name in self.fw.getZones())
self.assertEquals(self.fw.getServices(zone_name).sort(), zone_services.sort())
self.assertEquals(self.fw.getPorts(zone_name).sort(), zone_ports.sort())
self.assertEquals(self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort())
self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade)
self.assertEquals(self.fw.getForwardPorts(zone_name).sort(), zone_forward_ports.sort())
print ("Renaming zone to name that already exists")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename, "home")
new_zone_name = "renamed"
print ("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name))
config_zone.rename(new_zone_name)
print ("Checking whether the zone '%s' is accessible (it shouldn't be)" % zone_name)
self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, zone_name)
print ("Checking whether the zone '%s' is accessible" % new_zone_name)
config_zone = self.fw.config().getZoneByName(new_zone_name)
zone_settings = config_zone.getSettings()
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), zone_target)
self.assertEquals(zone_settings.getServices().sort(), zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort())
print ("Removing the zone '%s'" % new_zone_name)
config_zone.remove()
print ("Checking whether the removed zone is accessible (it shouldn't be)")
self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, new_zone_name)
# TODO test loadDefaults() ?
def test_services(self):
"""
/org/fedoraproject/FirewallD1/config
listServices()
getServiceByName(String name)
addService(String name, Dict of {String, Variant} settings)
/org/fedoraproject/FirewallD1/config/service/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print ("\nGetting invalid service")
self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, "dummyname")
service_version = "1.0"
service_short = "Testing"
service_description = "this is just a testing service"
service_ports = [("123", "tcp"), ("666-667", "udp")]
service_modules = ["nf_test_first", "nf_test_second"]
service_destinations = {'ipv4': '1.2.3.4', 'ipv6': 'dead::beef'}
settings = FirewallClientServiceSettings() # ["", "", "", [], [], {}]
settings.setVersion(service_version)
settings.setShort(service_short)
settings.setDescription(service_description)
settings.setPorts(service_ports)
settings.setModules(service_modules)
settings.setDestinations(service_destinations)
print ("Adding service with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addService, "mdns", settings)
print ("Adding service with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addService, "", settings)
service_name = "test"
print ("Adding proper service")
self.fw.config().addService (service_name, settings)
print ("Checking the saved (permanent) settings")
config_service = self.fw.config().getServiceByName(service_name)
self.assertIsInstance(config_service, firewall.client.FirewallClientConfigService)
service_settings = config_service.getSettings()
self.assertIsInstance(service_settings, firewall.client.FirewallClientServiceSettings)
print ("Updating settings")
service_modules.append("nf_test_third")
service_destinations["ipv6"] = "3ffe:501:ffff::"
service_settings.setModules(service_modules)
service_settings.setDestinations(service_destinations)
config_service.update(service_settings)
self.assertEquals(service_settings.getVersion(), service_version)
self.assertEquals(service_settings.getShort(), service_short)
self.assertEquals(service_settings.getDescription(), service_description)
self.assertEquals(service_settings.getPorts().sort(), service_ports.sort())
self.assertEquals(service_settings.getModules().sort(), service_modules.sort())
self.assertDictEqual(service_settings.getDestinations(), service_destinations)
print ("Renaming service to name that already exists")
config_service = self.fw.config().getServiceByName(service_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_service.rename, "mdns")
new_service_name = "renamed"
print ("Renaming service '%s' to '%s'" % (service_name, new_service_name))
config_service.rename(new_service_name)
print ("Checking whether the service '%s' is accessible (it shouldn't be)" % service_name)
self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, service_name)
print ("Checking whether the service '%s' is accessible" % new_service_name)
config_service = self.fw.config().getServiceByName(new_service_name)
service_settings = config_service.getSettings()
self.assertEquals(service_settings.getVersion(), service_version)
self.assertEquals(service_settings.getShort(), service_short)
self.assertEquals(service_settings.getDescription(), service_description)
self.assertEquals(service_settings.getPorts().sort(), service_ports.sort())
self.assertEquals(service_settings.getModules().sort(), service_modules.sort())
self.assertDictEqual(service_settings.getDestinations(), service_destinations)
print ("Removing the service '%s'" % new_service_name)
config_service.remove()
print ("Checking whether the removed service is accessible (it shouldn't be)")
self.assertRaisesRegexp(Exception, 'INVALID_SERVICE', self.fw.config().getServiceByName, new_service_name)
# TODO test loadDefaults() ?
def test_icmptypes(self):
"""
/org/fedoraproject/FirewallD1/config
listIcmpTypes()
getIcmpTypeByName(String name)
addIcmpType(String name, Dict of {String, Variant} settings)
/org/fedoraproject/FirewallD1/config/icmptype/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print ("\nGetting invalid icmp-type")
self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, "dummyname")
icmptype_version = "1.0"
icmptype_short = "Testing"
icmptype_description = "this is just a testing icmp type"
icmptype_destinations = ['ipv4']
settings = FirewallClientIcmpTypeSettings() # ["", "", "", []]
settings.setVersion(icmptype_version)
settings.setShort(icmptype_short)
settings.setDescription(icmptype_description)
settings.setDestinations(icmptype_destinations)
print ("Adding icmp type with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addIcmpType, "echo-reply", settings)
print ("Adding icmp type with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addIcmpType, "", settings)
icmptype_name = "test"
print ("Adding proper icmp type")
self.fw.config().addIcmpType (icmptype_name, settings)
print ("Checking the saved (permanent) settings")
config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name)
self.assertIsInstance(config_icmptype, firewall.client.FirewallClientConfigIcmpType)
icmptype_settings = config_icmptype.getSettings()
self.assertIsInstance(icmptype_settings, firewall.client.FirewallClientIcmpTypeSettings)
print ("Updating settings")
icmptype_destinations.append("ipv6")
icmptype_settings.setDestinations(icmptype_destinations)
config_icmptype.update(icmptype_settings)
self.assertEquals(icmptype_settings.getVersion(), icmptype_version)
self.assertEquals(icmptype_settings.getShort(), icmptype_short)
self.assertEquals(icmptype_settings.getDescription(), icmptype_description)
self.assertEquals(icmptype_settings.getDestinations().sort(), icmptype_destinations.sort())
print ("Renaming icmp type to name that already exists")
config_icmptype = self.fw.config().getIcmpTypeByName(icmptype_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_icmptype.rename, "echo-reply")
new_icmptype_name = "renamed"
print ("Renaming icmp type '%s' to '%s'" % (icmptype_name, new_icmptype_name))
config_icmptype.rename(new_icmptype_name)
print ("Checking whether the icmp type '%s' is accessible (it shouldn't be)" % icmptype_name)
self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, icmptype_name)
print ("Checking whether the icmp type '%s' is accessible" % new_icmptype_name)
config_icmptype = self.fw.config().getIcmpTypeByName(new_icmptype_name)
icmptype_settings = config_icmptype.getSettings()
self.assertEquals(icmptype_settings.getVersion(), icmptype_version)
self.assertEquals(icmptype_settings.getShort(), icmptype_short)
self.assertEquals(icmptype_settings.getDescription(), icmptype_description)
self.assertEquals(icmptype_settings.getDestinations().sort(), icmptype_destinations.sort())
print ("Removing the icmp type '%s'" % new_icmptype_name)
config_icmptype.remove()
print ("Checking whether the removed icmp type is accessible (it shouldn't be)")
self.assertRaisesRegexp(Exception, 'INVALID_ICMPTYPE', self.fw.config().getIcmpTypeByName, new_icmptype_name)
