def define_zone(z, zdata, masquerade=None, errors=None, changes=None, apply_retry=0, **kwargs): if errors is None: errors = [] if changes is None: changes = [] if 'target' in zdata: msg = 'Configure zone {0}: {1[target]}' else: msg = 'Configure zone {0}' log.info(msg.format(z, zdata)) if not in_zones(z): try: zn = fw().config().addZone(z, FirewallClientZoneSettings()) except (Exception, ) as ex: if 'NAME_CONFLICT' in "{0}".format(ex): mark_reload() lazy_reload() if not in_zones(z): zn = fw().config().addZone(z, FirewallClientZoneSettings()) else: zn = get_zone(z) else: raise ex zn.setShort(z) zn.setDescription(z) msg = ' - Zone {0} created'.format(z) log.info(msg) changes.append(msg) mark_reload() else: zn = get_zone(z) masquerade = bool(masquerade) cmask = bool(zn.getMasquerade()) if cmask is not masquerade: zn.setMasquerade(masquerade) msg = ' - Masquerade: {0}/{1}'.format(z, masquerade) log.info(msg) changes.append(msg) target = zdata.get('target', None) if 'target' in zdata: ztarget = "{0}".format(zn.getTarget()) if not target: target = DEFAULT_TARGET if target: target = { 'reject': '%%REJECT%%', 'default': 'default' }.get(target.lower(), target.upper()) if ztarget != target: msg = ' - Zone {0} edited'.format(z) log.info(msg) changes.append(msg) zn.setTarget(target) mark_reload()
def get_fw_zone_settings(self): if self.fw_offline: fw_zone = self.fw.config.get_zone(self.zone) fw_settings = FirewallClientZoneSettings( list(self.fw.config.get_zone_config(fw_zone))) else: fw_zone = self.fw.config().getZoneByName(self.zone) fw_settings = fw_zone.getSettings() return (fw_zone, fw_settings)
def change_zone_of_interface_permanent(zone, interface): fw_zone, fw_settings = get_fw_zone_settings(zone) if fw_offline: iface_zone_objs = [] for zone in fw.config.get_zones(): old_zone_obj = fw.config.get_zone(zone) if interface in old_zone_obj.interfaces: iface_zone_objs.append(old_zone_obj) if len(iface_zone_objs) > 1: # Even it shouldn't happen, it's actually possible that # the same interface is in several zone XML files module.fail_json( msg= 'ERROR: interface {} is in {} zone XML file, can only be in one' .format(interface, len(iface_zone_objs))) old_zone_obj = iface_zone_objs[0] if old_zone_obj.name != zone: old_zone_settings = FirewallClientZoneSettings( fw.config.get_zone_config(old_zone_obj)) old_zone_settings.removeInterface(interface) # remove from old fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings) fw_settings.addInterface(interface) # add to new fw.config.set_zone_config(fw_zone, fw_settings.settings) else: old_zone_name = fw.config().getZoneOfInterface(interface) if old_zone_name != zone: if old_zone_name: old_zone_obj = fw.config().getZoneByName(old_zone_name) old_zone_settings = old_zone_obj.getSettings() old_zone_settings.removeInterface(interface) # remove from old old_zone_obj.update(old_zone_settings) fw_settings.addInterface(interface) # add to new fw_zone.update(fw_settings)
def set_enabled_permanent(self, interface): fw_zone, fw_settings = self.get_fw_zone_settings() if self.fw_offline: iface_zone_objs = [] for zone in self.fw.config.get_zones(): old_zone_obj = self.fw.config.get_zone(zone) if interface in old_zone_obj.interfaces: iface_zone_objs.append(old_zone_obj) if len(iface_zone_objs) > 1: # Even it shouldn't happen, it's actually possible that # the same interface is in several zone XML files module.fail_json( msg='ERROR: interface {} is in {} zone XML file, can only be in one'.format( interface, len(iface_zone_objs) ) ) old_zone_obj = iface_zone_objs[0] if old_zone_obj.name != self.zone: old_zone_settings = FirewallClientZoneSettings( self.fw.config.get_zone_config(old_zone_obj) ) old_zone_settings.removeInterface(interface) # remove from old self.fw.config.set_zone_config( old_zone_obj, old_zone_settings.settings ) fw_settings.addInterface(interface) # add to new self.fw.config.set_zone_config(fw_zone, fw_settings.settings) else: old_zone_name = self.fw.config().getZoneOfInterface(interface) if old_zone_name != self.zone: if old_zone_name: old_zone_obj = self.fw.config().getZoneByName(old_zone_name) old_zone_settings = old_zone_obj.getSettings() old_zone_settings.removeInterface(interface) # remove from old old_zone_obj.update(old_zone_settings) fw_settings.addInterface(interface) # add to new fw_zone.update(fw_settings)
def main(): module = AnsibleModule(argument_spec=dict( name=dict(required=True), state=dict(choices=['present', 'absent'], required=True), no_reload=dict(type='bool', default='no'), ), supports_check_mode=False) if not HAVE_FIREWALLD: module.fail_json(msg='firewalld and the python module are required ' 'for this module') if not FIREWALLD_RUNNING: module.fail_json(msg='firewalld is not running, and offline operations' ' are not supported yet') name = module.params['name'] state = module.params['state'] no_reload = module.params['no_reload'] fw = FirewallClient().config() zones = fw.getZoneNames() changed = False if state == 'present': if name not in zones: fw.addZone(name, FirewallClientZoneSettings()) changed = True else: if name in zones: z = fw.getZoneByName(name) z.remove() changed = True if changed and not no_reload: FirewallClient().reload() result = dict(changed=changed) module.exit_json(**result)
def set_enabled_permanent(self): self.fw.config().addZone(self.zone, FirewallClientZoneSettings())
def test_zones(self): """ /org/fedoraproject/FirewallD1/config listZones() getZoneByName(String name) addZone(String name, Dict of {String, Variant} zone_settings) /org/fedoraproject/FirewallD1/config/zone/<id> getSettings() loadDefaults() update() rename() remove() """ print("\nGetting invalid zone") self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, "dummyname") zone_version = "1.0" zone_short = "Testing" zone_description = "this is just a testing zone" zone_target = DEFAULT_ZONE_TARGET zone_services = ["dhcpv6-client", "ssh"] zone_ports = [("123", "tcp"), ("666-667", "udp")] zone_icmpblocks = ["redirect", "echo-reply"] zone_masquerade = False zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"), ("123", "udp", "321", "192.168.1.1")] settings = FirewallClientZoneSettings() settings.setVersion(zone_version) settings.setShort(zone_short) settings.setDescription(zone_description) settings.setTarget(zone_target) settings.setServices(zone_services) settings.setPorts(zone_ports) settings.setIcmpBlocks(zone_icmpblocks) settings.setMasquerade(zone_masquerade) settings.setForwardPorts(zone_forward_ports) print("Adding zone with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addZone, "home", settings) print("Adding zone with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addZone, "", settings) zone_name = "test" print("Adding proper zone") self.fw.config().addZone(zone_name, settings) print("Checking the saved (permanent) settings") config_zone = self.fw.config().getZoneByName(zone_name) self.assertIsInstance(config_zone, firewall.client.FirewallClientConfigZone) zone_settings = config_zone.getSettings() self.assertIsInstance(zone_settings, firewall.client.FirewallClientZoneSettings) self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), "default") self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print("Updating settings") zone_services.append("mdns") zone_settings.setServices(zone_services) config_zone.update(zone_settings) print("Reloading firewalld") self.fw.reload() print("Checking of runtime settings") self.assertTrue(zone_name in self.fw.getZones()) self.assertEquals( self.fw.getServices(zone_name).sort(), zone_services.sort()) self.assertEquals( self.fw.getPorts(zone_name).sort(), zone_ports.sort()) self.assertEquals( self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort()) self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade) self.assertEquals( self.fw.getForwardPorts(zone_name).sort(), zone_forward_ports.sort()) print("Renaming zone to name that already exists") config_zone = self.fw.config().getZoneByName(zone_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename, "home") new_zone_name = "renamed" print("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name)) config_zone.rename(new_zone_name) print( "Checking whether the zone '%s' is accessible (it shouldn't be)" % zone_name) self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, zone_name) print("Checking whether the zone '%s' is accessible" % new_zone_name) config_zone = self.fw.config().getZoneByName(new_zone_name) zone_settings = config_zone.getSettings() self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), "default") self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print("Removing the zone '%s'" % new_zone_name) config_zone.remove() print( "Checking whether the removed zone is accessible (it shouldn't be)" ) self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, new_zone_name)
def test_zones(self): """ /org/fedoraproject/FirewallD1/config listZones() getZoneByName(String name) addZone(String name, Dict of {String, Variant} zone_settings) /org/fedoraproject/FirewallD1/config/zone/<id> getSettings() loadDefaults() update() rename() remove() """ print ("\nGetting invalid zone") self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, "dummyname") zone_version = "1.0" zone_short = "Testing" zone_description = "this is just a testing zone" zone_target = DEFAULT_ZONE_TARGET zone_services = ["dhcpv6-client", "ssh"] zone_ports = [("123", "tcp"), ("666-667", "udp")] zone_icmpblocks = ["redirect", "echo-reply"] zone_masquerade = False zone_forward_ports = [("443", "tcp", "441", "192.168.0.2"), ("123", "udp", "321", "192.168.1.1")] settings = FirewallClientZoneSettings() settings.setVersion(zone_version) settings.setShort(zone_short) settings.setDescription(zone_description) settings.setTarget(zone_target) settings.setServices(zone_services) settings.setPorts(zone_ports) settings.setIcmpBlocks(zone_icmpblocks) settings.setMasquerade(zone_masquerade) settings.setForwardPorts(zone_forward_ports) print ("Adding zone with name that already exists") self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', self.fw.config().addZone, "home", settings) print ("Adding zone with empty name") self.assertRaisesRegexp(Exception, 'INVALID_NAME', self.fw.config().addZone, "", settings) zone_name = "test" print ("Adding proper zone") self.fw.config().addZone (zone_name, settings) print ("Checking the saved (permanent) settings") config_zone = self.fw.config().getZoneByName(zone_name) self.assertIsInstance(config_zone, firewall.client.FirewallClientConfigZone) zone_settings = config_zone.getSettings() self.assertIsInstance(zone_settings, firewall.client.FirewallClientZoneSettings) self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), zone_target) self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print ("Updating settings") zone_services.append("mdns") zone_settings.setServices(zone_services) config_zone.update(zone_settings) print ("Reloading firewalld") self.fw.reload() print ("Checking of runtime settings") self.assertTrue(zone_name in self.fw.getZones()) self.assertEquals(self.fw.getServices(zone_name).sort(), zone_services.sort()) self.assertEquals(self.fw.getPorts(zone_name).sort(), zone_ports.sort()) self.assertEquals(self.fw.getIcmpBlocks(zone_name).sort(), zone_icmpblocks.sort()) self.assertEquals(self.fw.queryMasquerade(zone_name), zone_masquerade) self.assertEquals(self.fw.getForwardPorts(zone_name).sort(), zone_forward_ports.sort()) print ("Renaming zone to name that already exists") config_zone = self.fw.config().getZoneByName(zone_name) self.assertRaisesRegexp(Exception, 'NAME_CONFLICT', config_zone.rename, "home") new_zone_name = "renamed" print ("Renaming zone '%s' to '%s'" % (zone_name, new_zone_name)) config_zone.rename(new_zone_name) print ("Checking whether the zone '%s' is accessible (it shouldn't be)" % zone_name) self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, zone_name) print ("Checking whether the zone '%s' is accessible" % new_zone_name) config_zone = self.fw.config().getZoneByName(new_zone_name) zone_settings = config_zone.getSettings() self.assertEquals(zone_settings.getVersion(), zone_version) self.assertEquals(zone_settings.getShort(), zone_short) self.assertEquals(zone_settings.getDescription(), zone_description) self.assertEquals(zone_settings.getTarget(), zone_target) self.assertEquals(zone_settings.getServices().sort(), zone_services.sort()) self.assertEquals(zone_settings.getPorts().sort(), zone_ports.sort()) self.assertEquals(zone_settings.getIcmpBlocks().sort(), zone_icmpblocks.sort()) self.assertEquals(zone_settings.getMasquerade(), zone_masquerade) self.assertEquals(zone_settings.getForwardPorts().sort(), zone_forward_ports.sort()) print ("Removing the zone '%s'" % new_zone_name) config_zone.remove() print ("Checking whether the removed zone is accessible (it shouldn't be)") self.assertRaisesRegexp(Exception, 'INVALID_ZONE', self.fw.config().getZoneByName, new_zone_name)
# # To use in git tree: PYTHONPATH=.. python firewalld-test.py import dbus from firewall.client import FirewallClientConfig, FirewallClientZoneSettings bus = dbus.SystemBus() fw_config = FirewallClientConfig(bus) rule = [ 'rule service name=ftp audit limit value="1/m" accept ', 'rule protocol value=ah accept ', 'rule protocol value=esp accept ' ] zone = FirewallClientZoneSettings() zone.setRichRules(rule) nz = fw_config.addZone("zone1", zone.settings) nz.remove() rule = [ 'rule family=ipv4 source address="192.168.0.0/24" service name=tftp log prefix=tftp level=info limit value=1/m accept' ] zone = FirewallClientZoneSettings() zone.setRichRules(rule) nz = fw_config.addZone("zone2", zone.settings) nz.remove() rule = [ 'rule family=ipv4 source not address=192.168.0.0/24 service name=dns log prefix=dns level=info limit value=2/m accept ' ]
from firewall import config from firewall.config.dbus import * from firewall.client import FirewallClientZoneSettings from firewall.dbus_utils import dbus_to_python bus = dbus.SystemBus() dbus_obj = bus.get_object(config.dbus.DBUS_INTERFACE, config.dbus.DBUS_PATH_CONFIG) fw = dbus.Interface(dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE) fw_config = dbus.Interface(dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG) rule = ['rule service name=ftp audit limit value="1/m" accept ', 'rule protocol value=ah accept ', 'rule protocol value=esp accept '] zone = FirewallClientZoneSettings() zone.setRichRules(rule) fw_config.addZone("zone1", zone.settings) rule = ['rule family=ipv4 source address="192.168.0.0/24" service name=tftp log prefix=tftp level=info limit value=1/m accept'] zone = FirewallClientZoneSettings() zone.setRichRules(rule) fw_config.addZone("zone2", zone.settings) rule = ['rule family=ipv4 source not address=192.168.0.0/24 service name=dns log prefix=dns level=info limit value=2/m accept '] zone = FirewallClientZoneSettings() zone.setRichRules(rule) fw_config.addZone("zone3", zone.settings) rule = ['rule family=ipv6 source address=1:2:3:4:6:: service name=radius log prefix=dns level=info limit value=3/m reject limit value=20/m '] zone = FirewallClientZoneSettings()