a-c-m
/
community.general
mirror of https://github.com/ansible-collections/community.general.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
community.general/lib/ansible/modules/system/firewalld.py

1073 lines
37 KiB
Python
Raw Normal View History

Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2013, Adam Miller (maxamillion@fedoraproject.org)
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
Refreshed metadata for extras modules
2016-12-06 10:35:25 +00:00
ANSIBLE_METADATA = {'status': ['preview'],
'supported_by': 'committer',
'version': '1.0'}
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
DOCUMENTATION = '''
---
module: firewalld
short_description: Manage arbitrary ports/services with firewalld
description:
Added documentation and example for port ranges. Also added punctuation marks.
2014-11-20 20:48:41 +00:00
- This module allows for addition or deletion of services and ports either tcp or udp in either running or permanent firewalld rules.
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
version_added: "1.4"
options:
service:
description:
Update to firewalld doc Missinformation about where available firewalld services are listed
2016-10-21 13:57:45 +00:00
- "Name of a service to add/remove to/from firewalld - service must be listed in output of firewall-cmd --get-services."
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
required: false
default: null
port:
description:
Added documentation and example for port ranges. Also added punctuation marks.
2014-11-20 20:48:41 +00:00
- "Name of a port or port range to add/remove to/from firewalld. Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges."
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
required: false
default: null
rich_rule:
description:
Added documentation and example for port ranges. Also added punctuation marks.
2014-11-20 20:48:41 +00:00
- "Rich rule to add/remove to/from firewalld."
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
required: false
default: null
updated version added for source into the docs
2015-06-29 12:18:09 +00:00
source:
description:
- 'The source/network you would like to add/remove to/from firewalld'
required: false
default: null
version_added: "2.0"
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
interface:
description:
firewalld: fixes documentation - removes warning, aligning to existing documentation - adds version
2016-01-16 22:02:58 +00:00
- 'The interface you would like to add/remove to/from a zone in firewalld'
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
required: false
default: null
firewalld: fixes documentation - removes warning, aligning to existing documentation - adds version
2016-01-16 22:02:58 +00:00
version_added: "2.1"
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
zone:
description:
- 'The firewalld zone to add/remove to/from (NOTE: default zone can be configured per system but "public" is default from upstream. Available choices can be extended based on per-system configs, listed here are "out of the box" defaults).'
required: false
default: system-default(public)
Small improvement in documentation
2015-08-28 15:38:58 +00:00
choices: [ "work", "drop", "internal", "external", "trusted", "home", "dmz", "public", "block" ]
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
permanent:
description:
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
- "Should this configuration be in the running firewalld configuration or persist across reboots. As of Ansible version 2.3, permanent operations can operate on firewalld configs when it's not running (requires firewalld >= 3.0.9)"
Doc wrongly indicates permanent is required But it isn't. :)
2016-01-21 13:23:36 +00:00
required: false
default: null
Add a new option immediate= to immediately apply a permanent change Currently, either you apply the change in the configuration of firewalld ( without permanent=True ), or you apply it live. I most of the time want to do the 2 at the same time, ie open the port ( so I can use the service ) and make sure it stay open on reboot.
2014-09-27 00:50:10 +00:00
immediate:
description:
- "Should this configuration be applied immediately, if set as permanent"
required: false
default: false
version_added: "1.9"
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
state:
description:
Added documentation and example for port ranges. Also added punctuation marks.
2014-11-20 20:48:41 +00:00
- "Should this port accept(enabled) or reject(disabled) connections."
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
required: true
Small improvement in documentation
2015-08-28 15:38:58 +00:00
choices: [ "enabled", "disabled" ]
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
timeout:
description:
Added documentation and example for port ranges. Also added punctuation marks.
2014-11-20 20:48:41 +00:00
- "The amount of time the rule should be in effect for when non-permanent."
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
required: false
default: 0
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
masquerade:
description:
- 'The masquerade setting you would like to enable/disable to/from zones within firewalld'
required: false
default: null
version_added: "2.1"
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
notes:
firewalld: remove BabyJSON See https://github.com/ansible/ansible-modules-extras/issues/430
2015-05-27 18:54:26 +00:00
- Not tested on any Debian based system.
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
- Requires the python2 bindings of firewalld, which may not be installed by default if the distribution switched to python 3
firewalld: remove BabyJSON See https://github.com/ansible/ansible-modules-extras/issues/430
2015-05-27 18:54:26 +00:00
requirements: [ 'firewalld >= 0.2.11' ]
fix #894 by actually updating with the modified settings
2015-09-08 13:28:05 +00:00
author: "Adam Miller (@maxamillion)"
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
'''
EXAMPLES = '''
Native YAML - system (#3625) * Native YAML - system * Remove comment that is not applicable to the code
2016-12-02 15:48:22 +00:00
- firewalld:
service: https
permanent: true
state: enabled
- firewalld:
port: 8081/tcp
permanent: true
state: disabled
- firewalld:
port: 161-162/udp
permanent: true
state: enabled
- firewalld:
zone: dmz
service: http
permanent: true
state: enabled
- firewalld:
rich_rule: 'rule service name="ftp" audit limit value="1/m" accept'
permanent: true
state: enabled
- firewalld:
source: 192.0.2.0/24
zone: internal
state: enabled
- firewalld:
zone: trusted
interface: eth2
permanent: true
state: enabled
- firewalld:
masquerade: yes
state: enabled
permanent: true
zone: dmz
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
'''
Fix a couple undefined variables One was a typo and one needed to have the variable defined in that scope
2016-10-12 20:26:54 +00:00
from ansible.module_utils.basic import AnsibleModule
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
import sys
#####################
# Globals
#
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw = None
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
module = None
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_offline = False
Rich_Rule = None
FirewallClientZoneSettings = None
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
Fix a couple undefined variables One was a typo and one needed to have the variable defined in that scope
2016-10-12 20:26:54 +00:00
module = None
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
#####################
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
# exception handling
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
#
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
def action_handler(action_func, action_func_args):
"""
Function to wrap calls to make actions on firewalld in try/except
logic and emit (hopefully) useful error messages
"""
msgs = []
try:
return action_func(*action_func_args)
except Exception:
# Make python 2.4 shippable ci tests happy
e = sys.exc_info()[1]
# If there are any commonly known errors that we should provide more
# context for to help the users diagnose what's wrong. Handle that here
if "INVALID_SERVICE" in "%s" % e:
msgs.append("Services are defined by port/tcp relationship and named as they are in /etc/services (on most systems)")
if len(msgs) > 0:
module.fail_json(
msg='ERROR: Exception caught: %s %s' % (e, ', '.join(msgs))
)
else:
module.fail_json(msg='ERROR: Exception caught: %s' % e)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
#####################
# fw_offline helpers
#
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
def get_fw_zone_settings(zone):
if fw_offline:
fw_zone = fw.config.get_zone(zone)
fw_settings = FirewallClientZoneSettings(
list(fw.config.get_zone_config(fw_zone))
)
else:
fw_zone = fw.config().getZoneByName(zone)
fw_settings = fw_zone.getSettings()
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
return (fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
def update_fw_settings(fw_zone, fw_settings):
if fw_offline:
fw.config.set_zone_config(fw_zone, fw_settings.settings)
else:
fw_zone.update(fw_settings)
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
#####################
# masquerade handling
#
def get_masquerade_enabled(zone):
if fw.queryMasquerade(zone) == True:
return True
else:
return False
def get_masquerade_enabled_permanent(zone):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
if fw_settings.getMasquerade() == True:
return True
else:
return False
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
def set_masquerade_enabled(zone):
fw.addMasquerade(zone)
def set_masquerade_disabled(zone):
fw.removeMasquerade(zone)
def set_masquerade_permanent(zone, masquerade):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
fw_settings.setMasquerade(masquerade)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
################
# port handling
#
def get_port_enabled(zone, port_proto):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
if fw_offline:
fw_zone, fw_settings = get_fw_zone_settings(zone)
ports_list = fw_settings.getPorts()
else:
ports_list = fw.getPorts(zone)
if port_proto in ports_list:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
return True
else:
return False
def set_port_enabled(zone, port, protocol, timeout):
fw.addPort(zone, port, protocol, timeout)
def set_port_disabled(zone, port, protocol):
fw.removePort(zone, port, protocol)
def get_port_enabled_permanent(zone, port_proto):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
if tuple(port_proto) in fw_settings.getPorts():
return True
else:
return False
def set_port_enabled_permanent(zone, port, protocol):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
fw_settings.addPort(port, protocol)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
def set_port_disabled_permanent(zone, port, protocol):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
fw_settings.removePort(port, protocol)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
####################
# source handling
fix #894 by actually updating with the modified settings
2015-09-08 13:28:05 +00:00
#
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
def get_source(zone, source):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
if source in fw_settings.getSources():
return True
else:
return False
def add_source(zone, source):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
fw_settings.addSource(source)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
def remove_source(zone, source):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
fw_settings.removeSource(source)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
####################
# interface handling
#
def get_interface(zone, interface):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
if fw_offline:
fw_zone, fw_settings = get_fw_zone_settings(zone)
interface_list = fw_settings.getInterfaces()
else:
interface_list = fw.getInterfaces(zone)
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
if interface in fw.getInterfaces(zone):
return True
else:
return False
def change_zone_of_interface(zone, interface):
fw.changeZoneOfInterface(zone, interface)
def remove_interface(zone, interface):
fw.removeInterface(zone, interface)
def get_interface_permanent(zone, interface):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
if interface in fw_settings.getInterfaces():
return True
else:
return False
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
def change_zone_of_interface_permanent(zone, interface):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
if fw_offline:
iface_zone_objs = [ ]
for zone in fw.config.get_zones():
old_zone_obj = fw.config.get_zone(zone)
if interface in old_zone_obj.interfaces:
iface_zone_objs.append(old_zone_obj)
if len(iface_zone_objs) > 1:
# Even it shouldn't happen, it's actually possible that
# the same interface is in several zone XML files
module.fail_json(
msg = 'ERROR: interface {} is in {} zone XML file, can only be in one'.format(
interface,
len(iface_zone_objs)
)
)
old_zone_obj = iface_zone_objs[0]
if old_zone_obj.name != zone:
old_zone_settings = FirewallClientZoneSettings(
fw.config.get_zone_config(old_zone_obj)
)
old_zone_settings.removeInterface(interface) # remove from old
fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
fw_settings.addInterface(interface) # add to new
fw.config.set_zone_config(fw_zone, fw_settings.settings)
else:
old_zone_name = fw.config().getZoneOfInterface(interface)
if old_zone_name != zone:
if old_zone_name:
old_zone_obj = fw.config().getZoneByName(old_zone_name)
old_zone_settings = old_zone_obj.getSettings()
old_zone_settings.removeInterface(interface) # remove from old
old_zone_obj.update(old_zone_settings)
fw_settings.addInterface(interface) # add to new
fw_zone.update(fw_settings)
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
def remove_interface_permanent(zone, interface):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
fw_settings.removeInterface(interface)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
####################
# service handling
#
def get_service_enabled(zone, service):
if service in fw.getServices(zone):
return True
else:
return False
def set_service_enabled(zone, service, timeout):
fw.addService(zone, service, timeout)
def set_service_disabled(zone, service):
fw.removeService(zone, service)
def get_service_enabled_permanent(zone, service):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
if service in fw_settings.getServices():
return True
else:
return False
def set_service_enabled_permanent(zone, service):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
fw_settings.addService(service)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
def set_service_disabled_permanent(zone, service):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
fw_settings.removeService(service)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
####################
# rich rule handling
#
def get_rich_rule_enabled(zone, rule):
Fix for ansible-modules-extras issue #1080
2015-10-11 13:17:23 +00:00
# Convert the rule string to standard format
# before checking whether it is present
rule = str(Rich_Rule(rule_str=rule))
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
if rule in fw.getRichRules(zone):
return True
else:
return False
def set_rich_rule_enabled(zone, rule, timeout):
fw.addRichRule(zone, rule, timeout)
def set_rich_rule_disabled(zone, rule):
fw.removeRichRule(zone, rule)
def get_rich_rule_enabled_permanent(zone, rule):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Fix for ansible-modules-extras issue #1080
2015-10-11 13:17:23 +00:00
# Convert the rule string to standard format
# before checking whether it is present
rule = str(Rich_Rule(rule_str=rule))
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
if rule in fw_settings.getRichRules():
return True
else:
return False
def set_rich_rule_enabled_permanent(zone, rule):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
fw_settings.addRichRule(rule)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
def set_rich_rule_disabled_permanent(zone, rule):
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
fw_zone, fw_settings = get_fw_zone_settings(zone)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
fw_settings.removeRichRule(rule)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
update_fw_settings(fw_zone, fw_settings)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
def main():
Fix a couple undefined variables One was a typo and one needed to have the variable defined in that scope
2016-10-12 20:26:54 +00:00
global module
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
## make module global so we don't have to pass it to action_handler every
## function call
global module
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
module = AnsibleModule(
argument_spec = dict(
service=dict(required=False,default=None),
port=dict(required=False,default=None),
rich_rule=dict(required=False,default=None),
zone=dict(required=False,default=None),
Add a new option immediate= to immediately apply a permanent change Currently, either you apply the change in the configuration of firewalld ( without permanent=True ), or you apply it live. I most of the time want to do the 2 at the same time, ie open the port ( so I can use the service ) and make sure it stay open on reboot.
2014-09-27 00:50:10 +00:00
immediate=dict(type='bool',default=False),
Cleaning up diffs after extras modules merge
2016-12-08 05:34:16 +00:00
source=dict(required=False,default=None),
permanent=dict(type='bool',required=False,default=None),
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
state=dict(choices=['enabled', 'disabled'], required=True),
timeout=dict(type='int',required=False,default=0),
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
interface=dict(required=False,default=None),
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
masquerade=dict(required=False,default=None),
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
offline=dict(type='bool',required=False,default=None),
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
),
supports_check_mode=True
)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
## Handle running (online) daemon vs non-running (offline) daemon
global fw
global fw_offline
global Rich_Rule
global FirewallClientZoneSettings
## Imports
try:
import firewall.config
FW_VERSION = firewall.config.VERSION
from firewall.client import Rich_Rule
from firewall.client import FirewallClient
fw = None
fw_offline = False
try:
fw = FirewallClient()
fw.getDefaultZone()
except AttributeError:
## Firewalld is not currently running, permanent-only operations
## Import other required parts of the firewalld API
##
## NOTE:
## online and offline operations do not share a common firewalld API
from firewall.core.fw_test import Firewall_test
from firewall.client import FirewallClientZoneSettings
fw = Firewall_test()
fw.start()
fw_offline = True
except ImportError:
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
## Make python 2.4 shippable ci tests happy
e = sys.exc_info()[1]
module.fail_json(msg='firewalld and its python 2 module are required for this module, version 2.0.11 or newer required (3.0.9 or newer for offline operations) \n %s' % e)
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
if fw_offline:
## Pre-run version checking
if FW_VERSION < "0.3.9":
module.fail_json(msg='unsupported version of firewalld, offline operations require >= 3.0.9')
else:
## Pre-run version checking
if FW_VERSION < "0.2.11":
module.fail_json(msg='unsupported version of firewalld, requires >= 2.0.11')
## Check for firewalld running
try:
if fw.connected == False:
module.fail_json(msg='firewalld service must be running, or try with offline=true')
except AttributeError:
module.fail_json(msg="firewalld connection can't be established,\
installed version (%s) likely too old. Requires firewalld >= 2.0.11" % FW_VERSION)
## Verify required params are provided
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if module.params['source'] is None and module.params['permanent'] is None:
Fix #1809, use the proper method to fail
2016-03-17 17:07:47 +00:00
module.fail_json(msg='permanent is a required parameter')
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if module.params['interface'] is not None and module.params['zone'] is None:
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
module.fail(msg='zone is a required parameter')
Fix a couple undefined variables One was a typo and one needed to have the variable defined in that scope
2016-10-12 20:26:54 +00:00
if module.params['immediate'] and fw_offline:
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
module.fail(msg='firewall is not currently running, unable to perform immediate actions without a running firewall daemon')
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
## Global Vars
changed=False
msgs = []
service = module.params['service']
rich_rule = module.params['rich_rule']
Cleaning up diffs after extras modules merge
2016-12-08 05:34:16 +00:00
source = module.params['source']
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if module.params['port'] is not None:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
port, protocol = module.params['port'].split('/')
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if protocol is None:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
module.fail_json(msg='improper port format (missing protocol?)')
else:
port = None
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if module.params['zone'] is not None:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
zone = module.params['zone']
else:
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
if fw_offline:
zone = fw.get_default_zone()
else:
zone = fw.getDefaultZone()
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
permanent = module.params['permanent']
desired_state = module.params['state']
Add a new option immediate= to immediately apply a permanent change Currently, either you apply the change in the configuration of firewalld ( without permanent=True ), or you apply it live. I most of the time want to do the 2 at the same time, ie open the port ( so I can use the service ) and make sure it stay open on reboot.
2014-09-27 00:50:10 +00:00
immediate = module.params['immediate']
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
timeout = module.params['timeout']
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
interface = module.params['interface']
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
masquerade = module.params['masquerade']
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
modification_count = 0
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if service is not None:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
modification_count += 1
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if port is not None:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
modification_count += 1
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if rich_rule is not None:
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
modification_count += 1
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if interface is not None:
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
modification_count += 1
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if masquerade is not None:
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
modification_count += 1
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
if modification_count > 1:
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
module.fail_json(msg='can only operate on port, service, rich_rule or interface at once')
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if service is not None:
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and permanent:
is_enabled_permanent = action_handler(
get_service_enabled_permanent,
(zone, service)
)
is_enabled_immediate = action_handler(
get_service_enabled,
(zone, service)
)
msgs.append('Permanent and Non-Permanent(immediate) operation')
if desired_state == "enabled":
if not is_enabled_permanent or not is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if not is_enabled_permanent:
action_handler(
set_service_enabled_permanent,
(zone, service)
)
changed=True
if not is_enabled_immediate:
action_handler(
set_service_enabled,
(zone, service, timeout)
)
changed=True
elif desired_state == "disabled":
if is_enabled_permanent or is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if is_enabled_permanent:
action_handler(
set_service_disabled_permanent,
(zone, service)
)
changed=True
if is_enabled_immediate:
action_handler(
set_service_disabled,
(zone, service)
)
changed=True
elif permanent and not immediate:
is_enabled = action_handler(
get_service_enabled_permanent,
(zone, service)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
msgs.append('Permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_service_enabled_permanent,
(zone, service)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_service_disabled_permanent,
(zone, service)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
elif immediate and not permanent:
is_enabled = action_handler(
get_service_enabled,
(zone, service)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
msgs.append('Non-permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_service_enabled,
(zone, service, timeout)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_service_disabled,
(zone, service)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
if changed == True:
msgs.append("Changed service %s to %s" % (service, desired_state))
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
# FIXME - source type does not handle non-permanent mode, this was an
# oversight in the past.
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if source is not None:
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
is_enabled = action_handler(get_source, (zone, source))
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(add_source, (zone, source))
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
changed=True
msgs.append("Added %s to zone %s" % (source, zone))
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(remove_source, (zone, source))
added a source/network add/remove to/from zone for firewalld - removed useless comment
2014-11-21 14:39:07 +00:00
changed=True
msgs.append("Removed %s from zone %s" % (source, zone))
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if port is not None:
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and permanent:
is_enabled_permanent = action_handler(
get_port_enabled_permanent,
(zone,[port, protocol])
)
is_enabled_immediate = action_handler(
get_port_enabled,
(zone, [port, protocol])
)
msgs.append('Permanent and Non-Permanent(immediate) operation')
if desired_state == "enabled":
if not is_enabled_permanent or not is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if not is_enabled_permanent:
action_handler(
set_port_enabled_permanent,
(zone, port, protocol)
)
changed=True
if not is_enabled_immediate:
action_handler(
set_port_enabled,
(zone, port, protocol, timeout)
)
changed=True
elif desired_state == "disabled":
if is_enabled_permanent or is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if is_enabled_permanent:
action_handler(
set_port_disabled_permanent,
(zone, port, protocol)
)
changed=True
if is_enabled_immediate:
action_handler(
set_port_disabled,
(zone, port, protocol)
)
changed=True
elif permanent and not immediate:
is_enabled = action_handler(
get_port_enabled_permanent,
(zone, [port, protocol])
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
msgs.append('Permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_port_enabled_permanent,
(zone, port, protocol)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_port_disabled_permanent,
(zone, port, protocol)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and not permanent:
is_enabled = action_handler(
get_port_enabled,
(zone, [port,protocol])
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
msgs.append('Non-permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_port_enabled,
(zone, port, protocol, timeout)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_port_disabled,
(zone, port, protocol)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
if changed == True:
msgs.append("Changed port %s to %s" % ("%s/%s" % (port, protocol), \
desired_state))
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if rich_rule is not None:
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and permanent:
is_enabled_permanent = action_handler(
get_rich_rule_enabled_permanent,
(zone, rich_rule)
)
is_enabled_immediate = action_handler(
get_rich_rule_enabled,
(zone, rich_rule)
)
msgs.append('Permanent and Non-Permanent(immediate) operation')
if desired_state == "enabled":
if not is_enabled_permanent or not is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if not is_enabled_permanent:
action_handler(
set_rich_rule_enabled_permanent,
(zone, rich_rule)
)
changed=True
if not is_enabled_immediate:
action_handler(
set_rich_rule_enabled,
(zone, rich_rule, timeout)
)
changed=True
elif desired_state == "disabled":
if is_enabled_permanent or is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if is_enabled_permanent:
action_handler(
set_rich_rule_disabled_permanent,
(zone, rich_rule)
)
changed=True
if is_enabled_immediate:
action_handler(
set_rich_rule_disabled,
(zone, rich_rule)
)
changed=True
if permanent and not immediate:
is_enabled = action_handler(
get_rich_rule_enabled_permanent,
(zone, rich_rule)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
msgs.append('Permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_rich_rule_enabled_permanent,
(zone, rich_rule)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_rich_rule_disabled_permanent,
(zone, rich_rule)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and not permanent:
is_enabled = action_handler(
get_rich_rule_enabled,
(zone, rich_rule)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
msgs.append('Non-permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_rich_rule_enabled,
(zone, rich_rule, timeout)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(
set_rich_rule_disabled,
(zone, rich_rule)
)
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
changed=True
if changed == True:
msgs.append("Changed rich_rule %s to %s" % (rich_rule, desired_state))
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if interface is not None:
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and permanent:
is_enabled_permanent = action_handler(
get_interface_permanent,
(zone, interface)
)
is_enabled_immediate = action_handler(
get_interface,
(zone, interface)
)
msgs.append('Permanent and Non-Permanent(immediate) operation')
if desired_state == "enabled":
if not is_enabled_permanent or not is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if not is_enabled_permanent:
change_zone_of_interface_permanent(zone, interface)
changed=True
if not is_enabled_immediate:
change_zone_of_interface(zone, interface)
changed=True
if changed:
msgs.append("Changed %s to zone %s" % (interface, zone))
elif desired_state == "disabled":
if is_enabled_permanent or is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if is_enabled_permanent:
remove_interface_permanent(zone, interface)
changed=True
if is_enabled_immediate:
remove_interface(zone, interface)
changed=True
if changed:
msgs.append("Removed %s from zone %s" % (interface, zone))
elif permanent and not immediate:
is_enabled = action_handler(
get_interface_permanent,
(zone, interface)
)
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
msgs.append('Permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
change_zone_of_interface_permanent(zone, interface)
changed=True
msgs.append("Changed %s to zone %s" % (interface, zone))
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
remove_interface_permanent(zone, interface)
changed=True
msgs.append("Removed %s from zone %s" % (interface, zone))
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
elif immediate and not permanent:
is_enabled = action_handler(
get_interface,
(zone, interface)
)
Fix the interface handling code to allow permanent and non-permanent operations. Also avoid using add_interface because it breaks in cases where the interface is already bound to a different zone.
2016-05-02 15:16:07 +00:00
msgs.append('Non-permanent operation')
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
change_zone_of_interface(zone, interface)
changed=True
msgs.append("Changed %s to zone %s" % (interface, zone))
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
remove_interface(zone, interface)
changed=True
msgs.append("Removed %s from zone %s" % (interface, zone))
firewalld: add/remove interfaces to/from zones
2016-01-10 22:18:09 +00:00
PEP 8 cleanup. (#20789) * PEP 8 E703 cleanup. * PEP 8 E701 cleanup. * PEP 8 E711 cleanup. * PEP 8 W191 and E101 cleanup.
2017-01-28 08:12:11 +00:00
if masquerade is not None:
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
if immediate and permanent:
is_enabled_permanent = action_handler(
get_masquerade_enabled_permanent,
(zone)
)
is_enabled_immediate = action_handler(get_masquerade_enabled, (zone))
msgs.append('Permanent and Non-Permanent(immediate) operation')
if desired_state == "enabled":
if not is_enabled_permanent or not is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if not is_enabled_permanent:
action_handler(set_masquerade_permanent, (zone, True))
changed=True
if not is_enabled_immediate:
action_handler(set_masquerade_enabled, (zone))
changed=True
if changed:
msgs.append("Added masquerade to zone %s" % (zone))
elif desired_state == "disabled":
if is_enabled_permanent or is_enabled_immediate:
if module.check_mode:
module.exit_json(changed=True)
if is_enabled_permanent:
action_handler(set_masquerade_permanent, (zone, False))
changed=True
if is_enabled_immediate:
action_handler(set_masquerade_disabled, (zone))
changed=True
if changed:
msgs.append("Removed masquerade from zone %s" % (zone))
elif permanent and not immediate:
is_enabled = action_handler(get_masquerade_enabled_permanent, (zone))
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
msgs.append('Permanent operation')
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(set_masquerade_permanent, (zone, True))
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
changed=True
msgs.append("Added masquerade to zone %s" % (zone))
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(set_masquerade_permanent, (zone, False))
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
changed=True
msgs.append("Removed masquerade from zone %s" % (zone))
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
elif immediate and not permanent:
is_enabled = action_handler(get_masquerade_enabled, (zone))
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
msgs.append('Non-permanent operation')
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(set_masquerade_enabled, (zone))
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
changed=True
msgs.append("Added masquerade to zone %s" % (zone))
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
provide useful error when invalid service name provided add offline mode to firewalld permanent operations Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-06 21:38:39 +00:00
action_handler(set_masquerade_disabled, (zone))
Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017) * Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
2016-04-16 12:15:00 +00:00
changed=True
msgs.append("Removed masquerade from zone %s" % (zone))
add offline mode to firewalld Signed-off-by: Adam Miller <maxamillion@fedoraproject.org>
2016-10-05 22:31:50 +00:00
if fw_offline:
msgs.append("(offline operation: only on-disk configs were altered)")
Copying snapshot of extras modules
2014-09-26 01:01:01 +00:00
module.exit_json(changed=changed, msg=', '.join(msgs))
Fix a couple undefined variables One was a typo and one needed to have the variable defined in that scope
2016-10-12 20:26:54 +00:00
if __name__ == '__main__':
main()