def define_zone(z,
zdata,
masquerade=None,
errors=None,
changes=None,
apply_retry=0,
**kwargs):
if errors is None:
errors = []
if changes is None:
changes = []
if 'target' in zdata:
msg = 'Configure zone {0}: {1[target]}'
else:
msg = 'Configure zone {0}'
log.info(msg.format(z, zdata))
if not in_zones(z):
try:
zn = fw().config().addZone(z, FirewallClientZoneSettings())
except (Exception, ) as ex:
if 'NAME_CONFLICT' in "{0}".format(ex):
mark_reload()
lazy_reload()
if not in_zones(z):
zn = fw().config().addZone(z, FirewallClientZoneSettings())
else:
zn = get_zone(z)
else:
raise ex
zn.setShort(z)
zn.setDescription(z)
msg = ' - Zone {0} created'.format(z)
log.info(msg)
changes.append(msg)
mark_reload()
else:
zn = get_zone(z)
masquerade = bool(masquerade)
cmask = bool(zn.getMasquerade())
if cmask is not masquerade:
zn.setMasquerade(masquerade)
msg = ' - Masquerade: {0}/{1}'.format(z, masquerade)
log.info(msg)
changes.append(msg)
target = zdata.get('target', None)
if 'target' in zdata:
ztarget = "{0}".format(zn.getTarget())
if not target:
target = DEFAULT_TARGET
if target:
target = {
'reject': '%%REJECT%%',
'default': 'default'
}.get(target.lower(), target.upper())
if ztarget != target:
msg = ' - Zone {0} edited'.format(z)
log.info(msg)
changes.append(msg)
zn.setTarget(target)
mark_reload()
def get_fw_zone_settings(self):
if self.fw_offline:
fw_zone = self.fw.config.get_zone(self.zone)
fw_settings = FirewallClientZoneSettings(
list(self.fw.config.get_zone_config(fw_zone)))
else:
fw_zone = self.fw.config().getZoneByName(self.zone)
fw_settings = fw_zone.getSettings()
return (fw_zone, fw_settings)
def change_zone_of_interface_permanent(zone, interface):
fw_zone, fw_settings = get_fw_zone_settings(zone)
if fw_offline:
iface_zone_objs = []
for zone in fw.config.get_zones():
old_zone_obj = fw.config.get_zone(zone)
if interface in old_zone_obj.interfaces:
iface_zone_objs.append(old_zone_obj)
if len(iface_zone_objs) > 1:
# Even it shouldn't happen, it's actually possible that
# the same interface is in several zone XML files
module.fail_json(
msg=
'ERROR: interface {} is in {} zone XML file, can only be in one'
.format(interface, len(iface_zone_objs)))
old_zone_obj = iface_zone_objs[0]
if old_zone_obj.name != zone:
old_zone_settings = FirewallClientZoneSettings(
fw.config.get_zone_config(old_zone_obj))
old_zone_settings.removeInterface(interface) # remove from old
fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
fw_settings.addInterface(interface) # add to new
fw.config.set_zone_config(fw_zone, fw_settings.settings)
else:
old_zone_name = fw.config().getZoneOfInterface(interface)
if old_zone_name != zone:
if old_zone_name:
old_zone_obj = fw.config().getZoneByName(old_zone_name)
old_zone_settings = old_zone_obj.getSettings()
old_zone_settings.removeInterface(interface) # remove from old
old_zone_obj.update(old_zone_settings)
fw_settings.addInterface(interface) # add to new
fw_zone.update(fw_settings)
def set_enabled_permanent(self, interface):
fw_zone, fw_settings = self.get_fw_zone_settings()
if self.fw_offline:
iface_zone_objs = []
for zone in self.fw.config.get_zones():
old_zone_obj = self.fw.config.get_zone(zone)
if interface in old_zone_obj.interfaces:
iface_zone_objs.append(old_zone_obj)
if len(iface_zone_objs) > 1:
# Even it shouldn't happen, it's actually possible that
# the same interface is in several zone XML files
module.fail_json(
msg='ERROR: interface {} is in {} zone XML file, can only be in one'.format(
interface,
len(iface_zone_objs)
)
)
old_zone_obj = iface_zone_objs[0]
if old_zone_obj.name != self.zone:
old_zone_settings = FirewallClientZoneSettings(
self.fw.config.get_zone_config(old_zone_obj)
)
old_zone_settings.removeInterface(interface) # remove from old
self.fw.config.set_zone_config(
old_zone_obj,
old_zone_settings.settings
)
fw_settings.addInterface(interface) # add to new
self.fw.config.set_zone_config(fw_zone, fw_settings.settings)
else:
old_zone_name = self.fw.config().getZoneOfInterface(interface)
if old_zone_name != self.zone:
if old_zone_name:
old_zone_obj = self.fw.config().getZoneByName(old_zone_name)
old_zone_settings = old_zone_obj.getSettings()
old_zone_settings.removeInterface(interface) # remove from old
old_zone_obj.update(old_zone_settings)
fw_settings.addInterface(interface) # add to new
fw_zone.update(fw_settings)
def main():
module = AnsibleModule(argument_spec=dict(
name=dict(required=True),
state=dict(choices=['present', 'absent'], required=True),
no_reload=dict(type='bool', default='no'),
),
supports_check_mode=False)
if not HAVE_FIREWALLD:
module.fail_json(msg='firewalld and the python module are required '
'for this module')
if not FIREWALLD_RUNNING:
module.fail_json(msg='firewalld is not running, and offline operations'
' are not supported yet')
name = module.params['name']
state = module.params['state']
no_reload = module.params['no_reload']
fw = FirewallClient().config()
zones = fw.getZoneNames()
changed = False
if state == 'present':
if name not in zones:
fw.addZone(name, FirewallClientZoneSettings())
changed = True
else:
if name in zones:
z = fw.getZoneByName(name)
z.remove()
changed = True
if changed and not no_reload:
FirewallClient().reload()
result = dict(changed=changed)
module.exit_json(**result)
def set_enabled_permanent(self):
self.fw.config().addZone(self.zone, FirewallClientZoneSettings())
def test_zones(self):
"""
/org/fedoraproject/FirewallD1/config
listZones()
getZoneByName(String name)
addZone(String name, Dict of {String, Variant} zone_settings)
/org/fedoraproject/FirewallD1/config/zone/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print("\nGetting invalid zone")
self.assertRaisesRegexp(Exception, 'INVALID_ZONE',
self.fw.config().getZoneByName, "dummyname")
zone_version = "1.0"
zone_short = "Testing"
zone_description = "this is just a testing zone"
zone_target = DEFAULT_ZONE_TARGET
zone_services = ["dhcpv6-client", "ssh"]
zone_ports = [("123", "tcp"), ("666-667", "udp")]
zone_icmpblocks = ["redirect", "echo-reply"]
zone_masquerade = False
zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"),
("123", "udp", "321", "192.168.1.1")]
settings = FirewallClientZoneSettings()
settings.setVersion(zone_version)
settings.setShort(zone_short)
settings.setDescription(zone_description)
settings.setTarget(zone_target)
settings.setServices(zone_services)
settings.setPorts(zone_ports)
settings.setIcmpBlocks(zone_icmpblocks)
settings.setMasquerade(zone_masquerade)
settings.setForwardPorts(zone_forward_ports)
print("Adding zone with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT',
self.fw.config().addZone, "home", settings)
print("Adding zone with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME',
self.fw.config().addZone, "", settings)
zone_name = "test"
print("Adding proper zone")
self.fw.config().addZone(zone_name, settings)
print("Checking the saved (permanent) settings")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertIsInstance(config_zone,
firewall.client.FirewallClientConfigZone)
zone_settings = config_zone.getSettings()
self.assertIsInstance(zone_settings,
firewall.client.FirewallClientZoneSettings)
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), "default")
self.assertEquals(zone_settings.getServices().sort(),
zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(),
zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(),
zone_forward_ports.sort())
print("Updating settings")
zone_services.append("mdns")
zone_settings.setServices(zone_services)
config_zone.update(zone_settings)
print("Reloading firewalld")
self.fw.reload()
print("Checking of runtime settings")
self.assertTrue(zone_name in self.fw.getZones())
self.assertEquals(
self.fw.getServices(zone_name).sort(), zone_services.sort())
self.assertEquals(
self.fw.getPorts(zone_name).sort(), zone_ports.sort())
self.assertEquals(
self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort())
self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade)
self.assertEquals(
self.fw.getForwardPorts(zone_name).sort(),
zone_forward_ports.sort())
print("Renaming zone to name that already exists")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename,
"home")
new_zone_name = "renamed"
print("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name))
config_zone.rename(new_zone_name)
print(
"Checking whether the zone '%s' is accessible (it shouldn't be)" %
zone_name)
self.assertRaisesRegexp(Exception, 'INVALID_ZONE',
self.fw.config().getZoneByName, zone_name)
print("Checking whether the zone '%s' is accessible" % new_zone_name)
config_zone = self.fw.config().getZoneByName(new_zone_name)
zone_settings = config_zone.getSettings()
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), "default")
self.assertEquals(zone_settings.getServices().sort(),
zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(),
zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(),
zone_forward_ports.sort())
print("Removing the zone '%s'" % new_zone_name)
config_zone.remove()
print(
"Checking whether the removed zone is accessible (it shouldn't be)"
)
self.assertRaisesRegexp(Exception, 'INVALID_ZONE',
self.fw.config().getZoneByName, new_zone_name)
def test_zones(self):
"""
/org/fedoraproject/FirewallD1/config
listZones()
getZoneByName(String name)
addZone(String name, Dict of {String, Variant} zone_settings)
/org/fedoraproject/FirewallD1/config/zone/<id>
getSettings()
loadDefaults()
update()
rename()
remove()
"""
print ("\nGetting invalid zone")
self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, "dummyname")
zone_version = "1.0"
zone_short = "Testing"
zone_description = "this is just a testing zone"
zone_target = DEFAULT_ZONE_TARGET
zone_services = ["dhcpv6-client", "ssh"]
zone_ports = [("123", "tcp"), ("666-667", "udp")]
zone_icmpblocks = ["redirect", "echo-reply"]
zone_masquerade = False
zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"), ("123", "udp", "321", "192.168.1.1")]
settings = FirewallClientZoneSettings()
settings.setVersion(zone_version)
settings.setShort(zone_short)
settings.setDescription(zone_description)
settings.setTarget(zone_target)
settings.setServices(zone_services)
settings.setPorts(zone_ports)
settings.setIcmpBlocks(zone_icmpblocks)
settings.setMasquerade(zone_masquerade)
settings.setForwardPorts(zone_forward_ports)
print ("Adding zone with name that already exists")
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addZone, "home", settings)
print ("Adding zone with empty name")
self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addZone, "", settings)
zone_name = "test"
print ("Adding proper zone")
self.fw.config().addZone (zone_name, settings)
print ("Checking the saved (permanent) settings")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertIsInstance(config_zone, firewall.client.FirewallClientConfigZone)
zone_settings = config_zone.getSettings()
self.assertIsInstance(zone_settings, firewall.client.FirewallClientZoneSettings)
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), zone_target)
self.assertEquals(zone_settings.getServices().sort(), zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort())
print ("Updating settings")
zone_services.append("mdns")
zone_settings.setServices(zone_services)
config_zone.update(zone_settings)
print ("Reloading firewalld")
self.fw.reload()
print ("Checking of runtime settings")
self.assertTrue(zone_name in self.fw.getZones())
self.assertEquals(self.fw.getServices(zone_name).sort(), zone_services.sort())
self.assertEquals(self.fw.getPorts(zone_name).sort(), zone_ports.sort())
self.assertEquals(self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort())
self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade)
self.assertEquals(self.fw.getForwardPorts(zone_name).sort(), zone_forward_ports.sort())
print ("Renaming zone to name that already exists")
config_zone = self.fw.config().getZoneByName(zone_name)
self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename, "home")
new_zone_name = "renamed"
print ("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name))
config_zone.rename(new_zone_name)
print ("Checking whether the zone '%s' is accessible (it shouldn't be)" % zone_name)
self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, zone_name)
print ("Checking whether the zone '%s' is accessible" % new_zone_name)
config_zone = self.fw.config().getZoneByName(new_zone_name)
zone_settings = config_zone.getSettings()
self.assertEquals(zone_settings.getVersion(), zone_version)
self.assertEquals(zone_settings.getShort(), zone_short)
self.assertEquals(zone_settings.getDescription(), zone_description)
self.assertEquals(zone_settings.getTarget(), zone_target)
self.assertEquals(zone_settings.getServices().sort(), zone_services.sort())
self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort())
self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort())
self.assertEquals(zone_settings.getMasquerade(), zone_masquerade)
self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort())
print ("Removing the zone '%s'" % new_zone_name)
config_zone.remove()
print ("Checking whether the removed zone is accessible (it shouldn't be)")
self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, new_zone_name)
#
# To use in git tree: PYTHONPATH=.. python firewalld-test.py
import dbus
from firewall.client import FirewallClientConfig, FirewallClientZoneSettings
bus = dbus.SystemBus()
fw_config = FirewallClientConfig(bus)
rule = [
'rule service name=ftp audit limit value="1/m" accept ',
'rule protocol value=ah accept ', 'rule protocol value=esp accept '
]
zone = FirewallClientZoneSettings()
zone.setRichRules(rule)
nz = fw_config.addZone("zone1", zone.settings)
nz.remove()
rule = [
'rule family=ipv4 source address="192.168.0.0/24" service name=tftp log prefix=tftp level=info limit value=1/m accept'
]
zone = FirewallClientZoneSettings()
zone.setRichRules(rule)
nz = fw_config.addZone("zone2", zone.settings)
nz.remove()
rule = [
'rule family=ipv4 source not address=192.168.0.0/24 service name=dns log prefix=dns level=info limit value=2/m accept '
]
from firewall import config
from firewall.config.dbus import *
from firewall.client import FirewallClientZoneSettings
from firewall.dbus_utils import dbus_to_python
bus = dbus.SystemBus()
dbus_obj = bus.get_object(config.dbus.DBUS_INTERFACE,
config.dbus.DBUS_PATH_CONFIG)
fw = dbus.Interface(dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE)
fw_config = dbus.Interface(dbus_obj,
dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG)
rule = ['rule service name=ftp audit limit value="1/m" accept ',
'rule protocol value=ah accept ',
'rule protocol value=esp accept ']
zone = FirewallClientZoneSettings()
zone.setRichRules(rule)
fw_config.addZone("zone1", zone.settings)
rule = ['rule family=ipv4 source address="192.168.0.0/24" service name=tftp log prefix=tftp level=info limit value=1/m accept']
zone = FirewallClientZoneSettings()
zone.setRichRules(rule)
fw_config.addZone("zone2", zone.settings)
rule = ['rule family=ipv4 source not address=192.168.0.0/24 service name=dns log prefix=dns level=info limit value=2/m accept ']
zone = FirewallClientZoneSettings()
zone.setRichRules(rule)
fw_config.addZone("zone3", zone.settings)
rule = ['rule family=ipv6 source address=1:2:3:4:6:: service name=radius log prefix=dns level=info limit value=3/m reject limit value=20/m ']
zone = FirewallClientZoneSettings()
