# Imports try: import firewall.config FW_VERSION = firewall.config.VERSION from firewall.client import Rich_Rule from firewall.client import FirewallClient from firewall.client import FirewallClientZoneSettings from firewall.errors import FirewallError fw = None fw_offline = False import_failure = False try: fw = FirewallClient() fw.getDefaultZone() except (AttributeError, FirewallError): # Firewalld is not currently running, permanent-only operations fw_offline = True # Import other required parts of the firewalld API # # NOTE: # online and offline operations do not share a common firewalld API from firewall.core.fw_test import Firewall_test fw = Firewall_test() fw.start() except ImportError: import_failure = True
# (c) 2017, Michael Scherer ([email protected]) #TODO DOCUMENTATION, example, license from ansible.module_utils.basic import AnsibleModule HAVE_FIREWALLD = True FIREWALLD_RUNNING = True try: import firewall.config FW_VERSION = firewall.config.VERSION from firewall.client import FirewallClient, FirewallClientZoneSettings try: fw = FirewallClient() fw.getDefaultZone() except AttributeError: FIREWALLD_RUNNING = False except ImportError: HAVE_FIREWALLD = False def main(): module = AnsibleModule( argument_spec=dict( name=dict(required=True), state=dict(choices=['present', 'absent'], required=True), no_reload=dict(type='bool', default='no'), ), supports_check_mode=False
def main(): global module ## make module global so we don't have to pass it to action_handler every ## function call global module module = AnsibleModule(argument_spec=dict( service=dict(required=False, default=None), port=dict(required=False, default=None), rich_rule=dict(required=False, default=None), zone=dict(required=False, default=None), immediate=dict(type='bool', default=False), source=dict(required=False, default=None), permanent=dict(type='bool', required=False, default=None), state=dict(choices=['enabled', 'disabled'], required=True), timeout=dict(type='int', required=False, default=0), interface=dict(required=False, default=None), masquerade=dict(required=False, default=None), offline=dict(type='bool', required=False, default=None), ), supports_check_mode=True) ## Handle running (online) daemon vs non-running (offline) daemon global fw global fw_offline global Rich_Rule global FirewallClientZoneSettings ## Imports try: import firewall.config FW_VERSION = firewall.config.VERSION from firewall.client import Rich_Rule from firewall.client import FirewallClient fw = None fw_offline = False try: fw = FirewallClient() fw.getDefaultZone() except AttributeError: ## Firewalld is not currently running, permanent-only operations ## Import other required parts of the firewalld API ## ## NOTE: ## online and offline operations do not share a common firewalld API from firewall.core.fw_test import Firewall_test from firewall.client import FirewallClientZoneSettings fw = Firewall_test() fw.start() fw_offline = True except ImportError: ## Make python 2.4 shippable ci tests happy e = sys.exc_info()[1] module.fail_json( msg= 'firewalld and its python 2 module are required for this module, version 2.0.11 or newer required ' '(3.0.9 or newer for offline operations) \n %s' % e) if fw_offline: ## Pre-run version checking if FW_VERSION < "0.3.9": module.fail_json( msg= 'unsupported version of firewalld, offline operations require >= 3.0.9' ) else: ## Pre-run version checking if FW_VERSION < "0.2.11": module.fail_json( msg='unsupported version of firewalld, requires >= 2.0.11') ## Check for firewalld running try: if fw.connected is False: module.fail_json( msg= 'firewalld service must be running, or try with offline=true' ) except AttributeError: module.fail_json(msg="firewalld connection can't be established,\ installed version (%s) likely too old. Requires firewalld >= 2.0.11" % FW_VERSION) ## Verify required params are provided if module.params['source'] is None and module.params['permanent'] is None: module.fail_json(msg='permanent is a required parameter') if module.params['interface'] is not None and module.params['zone'] is None: module.fail(msg='zone is a required parameter') if module.params['immediate'] and fw_offline: module.fail( msg= 'firewall is not currently running, unable to perform immediate actions without a running firewall daemon' ) ## Global Vars changed = False msgs = [] service = module.params['service'] rich_rule = module.params['rich_rule'] source = module.params['source'] if module.params['port'] is not None: port, protocol = module.params['port'].split('/') if protocol is None: module.fail_json(msg='improper port format (missing protocol?)') else: port = None if module.params['zone'] is not None: zone = module.params['zone'] else: if fw_offline: zone = fw.get_default_zone() else: zone = fw.getDefaultZone() permanent = module.params['permanent'] desired_state = module.params['state'] immediate = module.params['immediate'] timeout = module.params['timeout'] interface = module.params['interface'] masquerade = module.params['masquerade'] modification_count = 0 if service is not None: modification_count += 1 if port is not None: modification_count += 1 if rich_rule is not None: modification_count += 1 if interface is not None: modification_count += 1 if masquerade is not None: modification_count += 1 if modification_count > 1: module.fail_json( msg= 'can only operate on port, service, rich_rule or interface at once' ) if service is not None: if immediate and permanent: is_enabled_permanent = action_handler( get_service_enabled_permanent, (zone, service)) is_enabled_immediate = action_handler(get_service_enabled, (zone, service)) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler(set_service_enabled_permanent, (zone, service)) changed = True if not is_enabled_immediate: action_handler(set_service_enabled, (zone, service, timeout)) changed = True elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler(set_service_disabled_permanent, (zone, service)) changed = True if is_enabled_immediate: action_handler(set_service_disabled, (zone, service)) changed = True elif permanent and not immediate: is_enabled = action_handler(get_service_enabled_permanent, (zone, service)) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_service_enabled_permanent, (zone, service)) changed = True elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_service_disabled_permanent, (zone, service)) changed = True elif immediate and not permanent: is_enabled = action_handler(get_service_enabled, (zone, service)) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_service_enabled, (zone, service, timeout)) changed = True elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_service_disabled, (zone, service)) changed = True if changed is True: msgs.append("Changed service %s to %s" % (service, desired_state)) # FIXME - source type does not handle non-permanent mode, this was an # oversight in the past. if source is not None: is_enabled = action_handler(get_source, (zone, source)) if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(add_source, (zone, source)) changed = True msgs.append("Added %s to zone %s" % (source, zone)) elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(remove_source, (zone, source)) changed = True msgs.append("Removed %s from zone %s" % (source, zone)) if port is not None: if immediate and permanent: is_enabled_permanent = action_handler(get_port_enabled_permanent, (zone, [port, protocol])) is_enabled_immediate = action_handler(get_port_enabled, (zone, [port, protocol])) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler(set_port_enabled_permanent, (zone, port, protocol)) changed = True if not is_enabled_immediate: action_handler(set_port_enabled, (zone, port, protocol, timeout)) changed = True elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler(set_port_disabled_permanent, (zone, port, protocol)) changed = True if is_enabled_immediate: action_handler(set_port_disabled, (zone, port, protocol)) changed = True elif permanent and not immediate: is_enabled = action_handler(get_port_enabled_permanent, (zone, [port, protocol])) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_port_enabled_permanent, (zone, port, protocol)) changed = True elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_port_disabled_permanent, (zone, port, protocol)) changed = True if immediate and not permanent: is_enabled = action_handler(get_port_enabled, (zone, [port, protocol])) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_port_enabled, (zone, port, protocol, timeout)) changed = True elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_port_disabled, (zone, port, protocol)) changed = True if changed is True: msgs.append("Changed port %s to %s" % ("%s/%s" % (port, protocol), \ desired_state)) if rich_rule is not None: if immediate and permanent: is_enabled_permanent = action_handler( get_rich_rule_enabled_permanent, (zone, rich_rule)) is_enabled_immediate = action_handler(get_rich_rule_enabled, (zone, rich_rule)) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler(set_rich_rule_enabled_permanent, (zone, rich_rule)) changed = True if not is_enabled_immediate: action_handler(set_rich_rule_enabled, (zone, rich_rule, timeout)) changed = True elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler(set_rich_rule_disabled_permanent, (zone, rich_rule)) changed = True if is_enabled_immediate: action_handler(set_rich_rule_disabled, (zone, rich_rule)) changed = True if permanent and not immediate: is_enabled = action_handler(get_rich_rule_enabled_permanent, (zone, rich_rule)) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_rich_rule_enabled_permanent, (zone, rich_rule)) changed = True elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_rich_rule_disabled_permanent, (zone, rich_rule)) changed = True if immediate and not permanent: is_enabled = action_handler(get_rich_rule_enabled, (zone, rich_rule)) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_rich_rule_enabled, (zone, rich_rule, timeout)) changed = True elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_rich_rule_disabled, (zone, rich_rule)) changed = True if changed is True: msgs.append("Changed rich_rule %s to %s" % (rich_rule, desired_state)) if interface is not None: if immediate and permanent: is_enabled_permanent = action_handler(get_interface_permanent, (zone, interface)) is_enabled_immediate = action_handler(get_interface, (zone, interface)) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: change_zone_of_interface_permanent(zone, interface) changed = True if not is_enabled_immediate: change_zone_of_interface(zone, interface) changed = True if changed: msgs.append("Changed %s to zone %s" % (interface, zone)) elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: remove_interface_permanent(zone, interface) changed = True if is_enabled_immediate: remove_interface(zone, interface) changed = True if changed: msgs.append("Removed %s from zone %s" % (interface, zone)) elif permanent and not immediate: is_enabled = action_handler(get_interface_permanent, (zone, interface)) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) change_zone_of_interface_permanent(zone, interface) changed = True msgs.append("Changed %s to zone %s" % (interface, zone)) elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) remove_interface_permanent(zone, interface) changed = True msgs.append("Removed %s from zone %s" % (interface, zone)) elif immediate and not permanent: is_enabled = action_handler(get_interface, (zone, interface)) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) change_zone_of_interface(zone, interface) changed = True msgs.append("Changed %s to zone %s" % (interface, zone)) elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) remove_interface(zone, interface) changed = True msgs.append("Removed %s from zone %s" % (interface, zone)) if masquerade is not None: if immediate and permanent: is_enabled_permanent = action_handler( get_masquerade_enabled_permanent, (zone, )) is_enabled_immediate = action_handler(get_masquerade_enabled, (zone, )) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler(set_masquerade_permanent, (zone, True)) changed = True if not is_enabled_immediate: action_handler(set_masquerade_enabled, (zone, )) changed = True if changed: msgs.append("Added masquerade to zone %s" % (zone)) elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler(set_masquerade_permanent, (zone, False)) changed = True if is_enabled_immediate: action_handler(set_masquerade_disabled, (zone, )) changed = True if changed: msgs.append("Removed masquerade from zone %s" % (zone)) elif permanent and not immediate: is_enabled = action_handler(get_masquerade_enabled_permanent, (zone, )) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_permanent, (zone, True)) changed = True msgs.append("Added masquerade to zone %s" % (zone)) elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_permanent, (zone, False)) changed = True msgs.append("Removed masquerade from zone %s" % (zone)) elif immediate and not permanent: is_enabled = action_handler(get_masquerade_enabled, (zone, )) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled is False: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_enabled, (zone)) changed = True msgs.append("Added masquerade to zone %s" % (zone)) elif desired_state == "disabled": if is_enabled is True: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_disabled, (zone)) changed = True msgs.append("Removed masquerade from zone %s" % (zone)) if fw_offline: msgs.append("(offline operation: only on-disk configs were altered)") module.exit_json(changed=changed, msg=', '.join(msgs))
def main(): global module ## make module global so we don't have to pass it to action_handler every ## function call global module module = AnsibleModule( argument_spec = dict( service=dict(required=False,default=None), port=dict(required=False,default=None), rich_rule=dict(required=False,default=None), zone=dict(required=False,default=None), immediate=dict(type='bool',default=False), source=dict(required=False,default=None), permanent=dict(type='bool',required=False,default=None), state=dict(choices=['enabled', 'disabled'], required=True), timeout=dict(type='int',required=False,default=0), interface=dict(required=False,default=None), masquerade=dict(required=False,default=None), offline=dict(type='bool',required=False,default=None), ), supports_check_mode=True ) ## Handle running (online) daemon vs non-running (offline) daemon global fw global fw_offline global Rich_Rule global FirewallClientZoneSettings ## Imports try: import firewall.config FW_VERSION = firewall.config.VERSION from firewall.client import Rich_Rule from firewall.client import FirewallClient fw = None fw_offline = False try: fw = FirewallClient() fw.getDefaultZone() except AttributeError: ## Firewalld is not currently running, permanent-only operations ## Import other required parts of the firewalld API ## ## NOTE: ## online and offline operations do not share a common firewalld API from firewall.core.fw_test import Firewall_test from firewall.client import FirewallClientZoneSettings fw = Firewall_test() fw.start() fw_offline = True except ImportError: ## Make python 2.4 shippable ci tests happy e = sys.exc_info()[1] module.fail_json(msg='firewalld and its python 2 module are required for this module, version 2.0.11 or newer required (3.0.9 or newer for offline operations) \n %s' % e) if fw_offline: ## Pre-run version checking if FW_VERSION < "0.3.9": module.fail_json(msg='unsupported version of firewalld, offline operations require >= 3.0.9') else: ## Pre-run version checking if FW_VERSION < "0.2.11": module.fail_json(msg='unsupported version of firewalld, requires >= 2.0.11') ## Check for firewalld running try: if fw.connected == False: module.fail_json(msg='firewalld service must be running, or try with offline=true') except AttributeError: module.fail_json(msg="firewalld connection can't be established,\ installed version (%s) likely too old. Requires firewalld >= 2.0.11" % FW_VERSION) ## Verify required params are provided if module.params['source'] == None and module.params['permanent'] == None: module.fail_json(msg='permanent is a required parameter') if module.params['interface'] != None and module.params['zone'] == None: module.fail(msg='zone is a required parameter') if module.params['immediate'] and fw_offline: module.fail(msg='firewall is not currently running, unable to perform immediate actions without a running firewall daemon') ## Global Vars changed=False msgs = [] service = module.params['service'] rich_rule = module.params['rich_rule'] source = module.params['source'] if module.params['port'] != None: port, protocol = module.params['port'].split('/') if protocol == None: module.fail_json(msg='improper port format (missing protocol?)') else: port = None if module.params['zone'] != None: zone = module.params['zone'] else: if fw_offline: zone = fw.get_default_zone() else: zone = fw.getDefaultZone() permanent = module.params['permanent'] desired_state = module.params['state'] immediate = module.params['immediate'] timeout = module.params['timeout'] interface = module.params['interface'] masquerade = module.params['masquerade'] modification_count = 0 if service != None: modification_count += 1 if port != None: modification_count += 1 if rich_rule != None: modification_count += 1 if interface != None: modification_count += 1 if masquerade != None: modification_count += 1 if modification_count > 1: module.fail_json(msg='can only operate on port, service, rich_rule or interface at once') if service != None: if immediate and permanent: is_enabled_permanent = action_handler( get_service_enabled_permanent, (zone, service) ) is_enabled_immediate = action_handler( get_service_enabled, (zone, service) ) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler( set_service_enabled_permanent, (zone, service) ) changed=True if not is_enabled_immediate: action_handler( set_service_enabled, (zone, service, timeout) ) changed=True elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler( set_service_disabled_permanent, (zone, service) ) changed=True if is_enabled_immediate: action_handler( set_service_disabled, (zone, service) ) changed=True elif permanent and not immediate: is_enabled = action_handler( get_service_enabled_permanent, (zone, service) ) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler( set_service_enabled_permanent, (zone, service) ) changed=True elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler( set_service_disabled_permanent, (zone, service) ) changed=True elif immediate and not permanent: is_enabled = action_handler( get_service_enabled, (zone, service) ) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler( set_service_enabled, (zone, service, timeout) ) changed=True elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler( set_service_disabled, (zone, service) ) changed=True if changed == True: msgs.append("Changed service %s to %s" % (service, desired_state)) # FIXME - source type does not handle non-permanent mode, this was an # oversight in the past. if source != None: is_enabled = action_handler(get_source, (zone, source)) if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler(add_source, (zone, source)) changed=True msgs.append("Added %s to zone %s" % (source, zone)) elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler(remove_source, (zone, source)) changed=True msgs.append("Removed %s from zone %s" % (source, zone)) if port != None: if immediate and permanent: is_enabled_permanent = action_handler( get_port_enabled_permanent, (zone,[port, protocol]) ) is_enabled_immediate = action_handler( get_port_enabled, (zone, [port, protocol]) ) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler( set_port_enabled_permanent, (zone, port, protocol) ) changed=True if not is_enabled_immediate: action_handler( set_port_enabled, (zone, port, protocol, timeout) ) changed=True elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler( set_port_disabled_permanent, (zone, port, protocol) ) changed=True if is_enabled_immediate: action_handler( set_port_disabled, (zone, port, protocol) ) changed=True elif permanent and not immediate: is_enabled = action_handler( get_port_enabled_permanent, (zone, [port, protocol]) ) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler( set_port_enabled_permanent, (zone, port, protocol) ) changed=True elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler( set_port_disabled_permanent, (zone, port, protocol) ) changed=True if immediate and not permanent: is_enabled = action_handler( get_port_enabled, (zone, [port,protocol]) ) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler( set_port_enabled, (zone, port, protocol, timeout) ) changed=True elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler( set_port_disabled, (zone, port, protocol) ) changed=True if changed == True: msgs.append("Changed port %s to %s" % ("%s/%s" % (port, protocol), \ desired_state)) if rich_rule != None: if immediate and permanent: is_enabled_permanent = action_handler( get_rich_rule_enabled_permanent, (zone, rich_rule) ) is_enabled_immediate = action_handler( get_rich_rule_enabled, (zone, rich_rule) ) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler( set_rich_rule_enabled_permanent, (zone, rich_rule) ) changed=True if not is_enabled_immediate: action_handler( set_rich_rule_enabled, (zone, rich_rule, timeout) ) changed=True elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler( set_rich_rule_disabled_permanent, (zone, rich_rule) ) changed=True if is_enabled_immediate: action_handler( set_rich_rule_disabled, (zone, rich_rule) ) changed=True if permanent and not immediate: is_enabled = action_handler( get_rich_rule_enabled_permanent, (zone, rich_rule) ) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler( set_rich_rule_enabled_permanent, (zone, rich_rule) ) changed=True elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler( set_rich_rule_disabled_permanent, (zone, rich_rule) ) changed=True if immediate and not permanent: is_enabled = action_handler( get_rich_rule_enabled, (zone, rich_rule) ) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler( set_rich_rule_enabled, (zone, rich_rule, timeout) ) changed=True elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler( set_rich_rule_disabled, (zone, rich_rule) ) changed=True if changed == True: msgs.append("Changed rich_rule %s to %s" % (rich_rule, desired_state)) if interface != None: if immediate and permanent: is_enabled_permanent = action_handler( get_interface_permanent, (zone, interface) ) is_enabled_immediate = action_handler( get_interface, (zone, interface) ) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: change_zone_of_interface_permanent(zone, interface) changed=True if not is_enabled_immediate: change_zone_of_interface(zone, interface) changed=True if changed: msgs.append("Changed %s to zone %s" % (interface, zone)) elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: remove_interface_permanent(zone, interface) changed=True if is_enabled_immediate: remove_interface(zone, interface) changed=True if changed: msgs.append("Removed %s from zone %s" % (interface, zone)) elif permanent and not immediate: is_enabled = action_handler( get_interface_permanent, (zone, interface) ) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) change_zone_of_interface_permanent(zone, interface) changed=True msgs.append("Changed %s to zone %s" % (interface, zone)) elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) remove_interface_permanent(zone, interface) changed=True msgs.append("Removed %s from zone %s" % (interface, zone)) elif immediate and not permanent: is_enabled = action_handler( get_interface, (zone, interface) ) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) change_zone_of_interface(zone, interface) changed=True msgs.append("Changed %s to zone %s" % (interface, zone)) elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) remove_interface(zone, interface) changed=True msgs.append("Removed %s from zone %s" % (interface, zone)) if masquerade != None: if immediate and permanent: is_enabled_permanent = action_handler( get_masquerade_enabled_permanent, (zone) ) is_enabled_immediate = action_handler(get_masquerade_enabled, (zone)) msgs.append('Permanent and Non-Permanent(immediate) operation') if desired_state == "enabled": if not is_enabled_permanent or not is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if not is_enabled_permanent: action_handler(set_masquerade_permanent, (zone, True)) changed=True if not is_enabled_immediate: action_handler(set_masquerade_enabled, (zone)) changed=True if changed: msgs.append("Added masquerade to zone %s" % (zone)) elif desired_state == "disabled": if is_enabled_permanent or is_enabled_immediate: if module.check_mode: module.exit_json(changed=True) if is_enabled_permanent: action_handler(set_masquerade_permanent, (zone, False)) changed=True if is_enabled_immediate: action_handler(set_masquerade_disabled, (zone)) changed=True if changed: msgs.append("Removed masquerade from zone %s" % (zone)) elif permanent and not immediate: is_enabled = action_handler(get_masquerade_enabled_permanent, (zone)) msgs.append('Permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_permanent, (zone, True)) changed=True msgs.append("Added masquerade to zone %s" % (zone)) elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_permanent, (zone, False)) changed=True msgs.append("Removed masquerade from zone %s" % (zone)) elif immediate and not permanent: is_enabled = action_handler(get_masquerade_enabled, (zone)) msgs.append('Non-permanent operation') if desired_state == "enabled": if is_enabled == False: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_enabled, (zone)) changed=True msgs.append("Added masquerade to zone %s" % (zone)) elif desired_state == "disabled": if is_enabled == True: if module.check_mode: module.exit_json(changed=True) action_handler(set_masquerade_disabled, (zone)) changed=True msgs.append("Removed masquerade from zone %s" % (zone)) if fw_offline: msgs.append("(offline operation: only on-disk configs were altered)") module.exit_json(changed=changed, msg=', '.join(msgs))
def installFirewall(self): """install firewall""" log.debug1("%s.installFirewall()", self._log_prefix) # are there any firewall settings to apply? if len(self._settings["firewall"]["services"]) + \ len(self._settings["firewall"]["ports"]) < 1: return # create firewall client fw = FirewallClient() log.debug2("TRACE: Firewall client created") # Make sure firewalld is running by getting the # default zone try: default_zone = fw.getDefaultZone() except DBusException: # firewalld is not running log.error("Firewalld is not running or rolekit cannot access it") raise # save changes to the firewall try: fw_changes = self._settings["firewall-changes"] except KeyError: fw_changes = { } log.debug2("TRACE: Checking for zones: {}".format(self._settings)) try: zones = self._settings["firewall_zones"] except KeyError: zones = [] # if firewall_zones setting is empty, use default zone if len(zones) < 1: zones = [ default_zone ] log.debug2("TRACE: default zone {}".format(zones[0])) for zone in zones: log.debug2("TRACE: Processing zone {0}".format(zone)) # get permanent zone settings, run-time settings do not need a # special treatment z_perm = fw.config().getZoneByName(zone).getSettings() for service in self._settings["firewall"]["services"]: try: fw.addService(zone, service, 0) except Exception as e: if not "ALREADY_ENABLED" in str(e): raise else: fw_changes.setdefault(zone, {}).setdefault("services", {}).setdefault(service, []).append("runtime") if not z_perm.queryService(service): z_perm.addService(service) fw_changes.setdefault(zone, {}).setdefault("services", {}).setdefault(service, []).append("permanent") for port_proto in self._settings["firewall"]["ports"]: port, proto = port_proto.split("/") try: fw.addPort(zone, port, proto, 0) except Exception as e: if not "ALREADY_ENABLED" in str(e): raise else: fw_changes.setdefault(zone, {}).setdefault("ports", {}).setdefault(port_proto, []).append("runtime") if not z_perm.queryPort(port, proto): z_perm.addPort(port, proto) fw_changes.setdefault(zone, {}).setdefault("ports", {}).setdefault(port_proto, []).append("permanent") fw.config().getZoneByName(zone).update(z_perm) self._settings["firewall-changes"] = fw_changes self._settings.write()
def main(): module = AnsibleModule( argument_spec=dict( service=dict(required=False, type="list", default=[]), port=dict(required=False, type="list", default=[]), trust=dict(required=False, type="list", default=[]), trust_by_mac=dict(required=False, type="list", default=[]), masq=dict(required=False, type="list", default=[]), masq_by_mac=dict(required=False, type="list", default=[]), forward_port=dict(required=False, type="list", default=[]), forward_port_by_mac=dict(required=False, type="list", default=[]), zone=dict(required=False, type="str", default=None), state=dict(choices=["enabled", "disabled"], required=True), ), required_one_of=([ "service", "port", "trust", "trust_by_mac", "masq", "masq_by_mac", "forward_prot", ], ), supports_check_mode=True, ) if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL: module.fail_json(msg="No firewall backend could be imported.") service = module.params["service"] port = [] for port_proto in module.params["port"]: _port, _protocol = port_proto.split("/") if _protocol is None: module.fail_json(msg="improper port format (missing protocol?)") port.append((_port, _protocol)) trust = module.params["trust"] trust_by_mac = [] for item in module.params["trust_by_mac"]: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg="MAC address not found %s" % item) trust_by_mac.append(_interface) masq = module.params["masq"] masq_by_mac = [] for item in module.params["masq_by_mac"]: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg="MAC address not found %s" % item) masq_by_mac.append(_interface) forward_port = [] for item in module.params["forward_port"]: args = item.split(";") if len(args) == 4: _interface, __port, _to_port, _to_addr = args elif len(args) == 3: _interface = "" __port, _to_port, _to_addr = args else: module.fail_json(msg="improper forward_port format: %s" % item) _port, _protocol = __port.split("/") if _protocol is None: module.fail_json( msg="improper forward port format (missing protocol?)") if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None forward_port.append((_interface, _port, _protocol, _to_port, _to_addr)) forward_port_by_mac = [] for item in module.params["forward_port_by_mac"]: args = item.split(";") if len(args) != 4: module.fail_json(msg="improper forward_port_by_mac format") _mac_addr, __port, _to_port, _to_addr = args _port, _protocol = __port.split("/") if _protocol is None: module.fail_json( msg="improper forward_port_by_mac format (missing protocol?)") if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None _interface = get_device_for_mac(_mac_addr) if _interface is None: module.fail_json(msg="MAC address not found %s" % _mac_addr) forward_port_by_mac.append( (_interface, _port, _protocol, _to_port, _to_addr)) zone = module.params["zone"] if HAS_SYSTEM_CONFIG_FIREWALL and zone is not None: module.fail_json( msg="Zone can not be used with system-config-firewall/lokkit.") desired_state = module.params["state"] if HAS_FIREWALLD: fw = FirewallClient() def exception_handler(exception_message): module.fail_json(msg=exception_message) fw.setExceptionHandler(exception_handler) if not fw.connected: module.fail_json(msg="firewalld service must be running") trusted_zone = "trusted" external_zone = "external" if zone is not None: if zone not in fw.getZones(): module.fail_json(msg="Runtime zone '%s' does not exist." % zone) if zone not in fw.config().getZoneNames(): module.fail_json(msg="Permanent zone '%s' does not exist." % zone) else: zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(zone) fw_settings = fw_zone.getSettings() changed = False changed_zones = {} # service for item in service: if desired_state == "enabled": if not fw.queryService(zone, item): fw.addService(zone, item) changed = True if not fw_settings.queryService(item): fw_settings.addService(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryService(zone, item): fw.removeService(zone, item) if fw_settings.queryService(item): fw_settings.removeService(item) changed = True changed_zones[fw_zone] = fw_settings # port for _port, _protocol in port: if desired_state == "enabled": if not fw.queryPort(zone, _port, _protocol): fw.addPort(zone, _port, _protocol) changed = True if not fw_settings.queryPort(_port, _protocol): fw_settings.addPort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryPort(zone, _port, _protocol): fw.removePort(zone, _port, _protocol) changed = True if fw_settings.queryPort(_port, _protocol): fw_settings.removePort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) if zone != trusted_zone: _fw_zone = fw.config().getZoneByName(trusted_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings for item in items: if desired_state == "enabled": if try_set_zone_of_interface(trusted_zone, item): changed = True else: if not fw.queryInterface(trusted_zone, item): fw.changeZoneOfInterface(trusted_zone, item) changed = True if not _fw_settings.queryInterface(item): _fw_settings.addInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(trusted_zone, item): fw.removeInterface(trusted_zone, item) changed = True if _fw_settings.queryInterface(item): _fw_settings.removeInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) if zone != external_zone: _fw_zone = fw.config().getZoneByName(external_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings for item in items: if desired_state == "enabled": if try_set_zone_of_interface(external_zone, item): changed = True else: if not fw.queryInterface(external_zone, item): fw.changeZoneOfInterface(external_zone, item) changed = True if not _fw_settings.queryInterface(item): _fw_settings.addInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(external_zone, item): fw.removeInterface(external_zone, item) changed = True if _fw_settings.queryInterface(item): _fw_settings.removeInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: if _interface != "": _zone = fw.getZoneOfInterface(_interface) else: _zone = zone if _zone != "" and _zone != zone: _fw_zone = fw.config().getZoneByName(_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings if desired_state == "enabled": if not fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.addForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if not _fw_settings.queryForwardPort( _port, _protocol, _to_port, _to_addr): _fw_settings.addForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.removeForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if _fw_settings.queryForwardPort(_port, _protocol, _to_port, _to_addr): _fw_settings.removeForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[_fw_zone] = _fw_settings # apply changes if changed: for _zone in changed_zones: _zone.update(changed_zones[_zone]) module.exit_json(changed=True) elif HAS_SYSTEM_CONFIG_FIREWALL: (config, old_config, _) = fw_lokkit.loadConfig(args=[], dbus_parser=True) changed = False # service for item in service: if config.services is None: config.services = [] if desired_state == "enabled": if item not in config.services: config.services.append(item) changed = True elif desired_state == "disabled": if item in config.services: config.services.remove(item) changed = True # port for _port, _protocol in port: if config.ports is None: config.ports = [] _range = getPortRange(_port) if _range < 0: module.fail_json(msg="invalid port definition %s" % _port) elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range %s" % _port) port_proto = (_range, _protocol) if desired_state == "enabled": if port_proto not in config.ports: config.ports.append(port_proto) changed = True elif desired_state == "disabled": if port_proto in config.ports: config.ports.remove(port_proto) changed = True # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: if config.trust is None: config.trust = [] items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) for item in items: if desired_state == "enabled": if item not in config.trust: config.trust.append(item) changed = True elif desired_state == "disabled": if item in config.trust: config.trust.remove(item) changed = True # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: if config.masq is None: config.masq = [] items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) for item in items: if desired_state == "enabled": if item not in config.masq: config.masq.append(item) changed = True elif desired_state == "disabled": if item in config.masq: config.masq.remove(item) changed = True # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: if config.forward_port is None: config.forward_port = [] items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: _range = getPortRange(_port) if _range < 0: module.fail_json(msg="invalid port definition") elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range") fwd_port = { "if": _interface, "port": _range, "proto": _protocol } if _to_port is not None: _range = getPortRange(_to_port) if _range < 0: module.fail_json(msg="invalid port definition %s" % _to_port) elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range") fwd_port["toport"] = _range if _to_addr is not None: fwd_port["toaddr"] = _to_addr if desired_state == "enabled": if fwd_port not in config.forward_port: config.forward_port.append(fwd_port) changed = True elif desired_state == "disabled": if fwd_port in config.forward_port: config.forward_port.remove(fwd_port) changed = True # apply changes if changed: fw_lokkit.updateFirewall(config, old_config) if module.check_mode: module.exit_json(changed=True) else: module.fail_json(msg="No firewalld and system-config-firewall") module.exit_json(changed=False)
def main(): module = AnsibleModule(argument_spec=dict( service=dict(required=False, type='list', default=[]), port=dict(required=False, type='list', default=[]), trust=dict(required=False, type='list', default=[]), trust_by_mac=dict(required=False, type='list', default=[]), masq=dict(required=False, type='list', default=[]), masq_by_mac=dict(required=False, type='list', default=[]), forward_port=dict(required=False, type='list', default=[]), forward_port_by_mac=dict(required=False, type='list', default=[]), state=dict(choices=['enabled', 'disabled'], required=True), ), required_one_of=([ 'service', 'port', 'trust', 'trust_by_mac', 'masq', 'masq_by_mac', 'forward_prot' ], ), supports_check_mode=True) if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL: module.fail_json(msg='No firewall backend could be imported.') service = module.params['service'] port = [] for port_proto in module.params['port']: _port, _protocol = port_proto.split('/') if _protocol is None: module.fail_json(msg='improper port format (missing protocol?)') port.append((_port, _protocol)) trust = module.params['trust'] trust_by_mac = [] for item in module.params['trust_by_mac']: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg='MAC address not found %s' % item) trust_by_mac.append(_interface) masq = module.params['masq'] masq_by_mac = [] for item in module.params['masq_by_mac']: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg='MAC address not found %s' % item) masq_by_mac.append(_interface) forward_port = [] for item in module.params['forward_port']: args = item.split(";") if len(args) != 4: module.fail_json(msg='improper forward_port format: %s' % item) _interface, __port, _to_port, _to_addr = args _port, _protocol = __port.split('/') if _protocol is None: module.fail_json(msg='improper port format (missing protocol?)') if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None forward_port.append((_interface, _port, _protocol, _to_port, _to_addr)) forward_port_by_mac = [] for item in module.params['forward_port_by_mac']: args = item.split(";") if len(args) != 4: module.fail_json(msg='improper forward_port_by_mac format') _mac_addr, __port, _to_port, _to_addr = args _port, _protocol = __port.split('/') if _protocol is None: module.fail_json(msg='improper port format (missing protocol?)') if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None _interface = get_device_for_mac(_mac_addr) if _interface is None: module.fail_json(msg='MAC address not found %s' % _mac_addr) forward_port_by_mac.append( (_interface, _port, _protocol, _to_port, _to_addr)) desired_state = module.params['state'] if HAS_FIREWALLD: fw = FirewallClient() def exception_handler(exception_message): module.fail_json(msg=exception_message) fw.setExceptionHandler(exception_handler) if not fw.connected: module.fail_json(msg='firewalld service must be running') trusted_zone = "trusted" external_zone = "external" default_zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(default_zone) fw_settings = fw_zone.getSettings() changed = False changed_zones = {} # service for item in service: if desired_state == "enabled": if not fw.queryService(default_zone, item): fw.addService(default_zone, item) changed = True if not fw_settings.queryService(item): fw_settings.addService(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryService(default_zone, item): fw.removeService(default_zone, item) if fw_settings.queryService(item): fw_settings.removeService(item) changed = True changed_zones[fw_zone] = fw_settings # port for _port, _protocol in port: if desired_state == "enabled": if not fw.queryPort(default_zone, _port, _protocol): fw.addPort(default_zone, _port, _protocol) changed = True if not fw_settings.queryPort(_port, _protocol): fw_settings.addPort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryPort(default_zone, _port, _protocol): fw.removePort(default_zone, _port, _protocol) changed = True if fw_settings.queryPort(_port, _protocol): fw_settings.removePort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) if default_zone != trusted_zone: fw_zone = fw.config().getZoneByName(trusted_zone) fw_settings = fw_zone.getSettings() for item in items: if desired_state == "enabled": if try_set_zone_of_interface(trusted_zone, item): changed = True else: if not fw.queryInterface(trusted_zone, item): fw.changeZoneOfInterface(trusted_zone, item) changed = True if not fw_settings.queryInterface(item): fw_settings.addInterface(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(trusted_zone, item): fw.removeInterface(trusted_zone, item) changed = True if fw_settings.queryInterface(item): fw_settings.removeInterface(item) changed = True changed_zones[fw_zone] = fw_settings # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) if default_zone != external_zone: fw_zone = fw.config().getZoneByName(external_zone) fw_settings = fw_zone.getSettings() for item in items: if desired_state == "enabled": if try_set_zone_of_interface(external_zone, item): changed = True else: if not fw.queryInterface(external_zone, item): fw.changeZoneOfInterface(external_zone, item) changed = True if not fw_settings.queryInterface(item): fw_settings.addInterface(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(external_zone, item): fw.removeInterface(external_zone, item) changed = True if fw_settings.queryInterface(item): fw_settings.removeInterface(item) changed = True changed_zones[fw_zone] = fw_settings # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: if _interface != "": _zone = fw.getZoneOfInterface(_interface) if _zone != "" and _zone != default_zone: fw_zone = fw.config().getZoneByName(_zone) fw_settings = fw_zone.getSettings() if desired_state == "enabled": if not fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.addForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if not fw_settings.queryForwardPort( _port, _protocol, _to_port, _to_addr): fw_settings.addForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.removeForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if fw_settings.queryForwardPort(_port, _protocol, _to_port, _to_addr): fw_settings.removeForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[fw_zone] = fw_settings # apply changes if changed: for _zone in changed_zones: _zone.update(changed_zones[_zone]) if module.check_mode: module.exit_json(changed=True) elif HAS_SYSTEM_CONFIG_FIREWALL: (config, old_config, _) = fw_lokkit.loadConfig(args=[], dbus_parser=True) changed = False # service for item in service: if config.services is None: config.services = [] if desired_state == "enabled": if item not in config.services: config.services.append(item) changed = True elif desired_state == "disabled": if item in config.services: config.services.remove(item) changed = True # port for _port, _protocol in port: if config.ports is None: config.ports = [] _range = getPortRange(_port) if _range < 0: module.fail_json(msg='invalid port definition %s' % _port) elif _range is None: module.fail_json(msg='port _range is not unique.') elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg='invalid port range %s' % _port) port_proto = (_range, _protocol) if desired_state == "enabled": if port_proto not in config.ports: config.ports.append(port_proto) changed = True elif desired_state == "disabled": if port_proto in config.ports: config.ports.remove(port_proto) changed = True # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: if config.trust is None: config.trust = [] items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) for item in items: if desired_state == "enabled": if item not in config.trust: config.trust.append(item) changed = True elif desired_state == "disabled": if item in config.trust: config.trust.remove(item) changed = True # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: if config.masq is None: config.masq = [] items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) for item in items: if desired_state == "enabled": if item not in config.masq: config.masq.append(item) changed = True elif desired_state == "disabled": if item in config.masq: config.masq.remove(item) changed = True # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: if config.forward_port is None: config.forward_port = [] items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: _range = getPortRange(_port) if _range < 0: module.fail_json(msg='invalid port definition') elif _range is None: module.fail_json(msg='port _range is not unique.') elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg='invalid port range') fwd_port = { "if": _interface, "port": _range, "proto": _protocol } if _to_port is not None: _range = getPortRange(_to_port) if _range < 0: module.fail_json(msg='invalid port definition %s' % \ _to_port) elif _range is None: module.fail_json(msg='port _range is not unique.') elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg='invalid port range') fwd_port["toport"] = _range if _to_addr is not None: fwd_port["toaddr"] = _to_addr if desired_state == "enabled": if fwd_port not in config.forward_port: config.forward_port.append(fwd_port) changed = True elif desired_state == "disabled": if fwd_port in config.forward_port: config.forward_port.remove(fwd_port) changed = True # apply changes if changed: fw_lokkit.updateFirewall(config, old_config) if module.check_mode: module.exit_json(changed=True) else: module.fail_json(msg='No firewalld and system-config-firewall') module.exit_json(changed=False)