ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

firewalld: add/remove interfaces to/from zones

Browse source
This commit is contained in:
mo@oclab.net 2016-01-10 23:18:09 +01:00 committed by Matt Clay
parent aabd6390d4
commit 8b2d484032
1 changed files with 58 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

59
lib/ansible/modules/extras/system/firewalld.py
View file

@ -47,6 +47,11 @@ options:
required: false required: false
default: null default: null
version_added: "2.0" version_added: "2.0"
interface:
description:
- 'The interface you would like to add/remove to/from a zone in firewalld - zone must be specified'
required: false
default: null
zone: zone:
description: description:
- 'The firewalld zone to add/remove to/from (NOTE: default zone can be configured per system but "public" is default from upstream. Available choices can be extended based on per-system configs, listed here are "out of the box" defaults).' - 'The firewalld zone to add/remove to/from (NOTE: default zone can be configured per system but "public" is default from upstream. Available choices can be extended based on per-system configs, listed here are "out of the box" defaults).'
@ -87,6 +92,8 @@ EXAMPLES = '''
- firewalld: port=161-162/udp permanent=true state=enabled - firewalld: port=161-162/udp permanent=true state=enabled
- firewalld: zone=dmz service=http permanent=true state=enabled - firewalld: zone=dmz service=http permanent=true state=enabled
- firewalld: rich_rule='rule service name="ftp" audit limit value="1/m" accept' permanent=true state=enabled - firewalld: rich_rule='rule service name="ftp" audit limit value="1/m" accept' permanent=true state=enabled
- firewalld: source='192.168.1.0/24' zone=internal state=enabled
- firewalld: zone=trusted interface=eth2 permanent=true state=enabled
''' '''
import os import os
@ -164,6 +171,29 @@ def remove_source(zone, source):
fw_settings.removeSource(source) fw_settings.removeSource(source)
fw_zone.update(fw_settings) fw_zone.update(fw_settings)
####################
# interface handling
#
def get_interface(zone, interface):
fw_zone = fw.config().getZoneByName(zone)
fw_settings = fw_zone.getSettings()
if interface in fw_settings.getInterfaces():
return True
else:
return False
def add_interface(zone, interface):
fw_zone = fw.config().getZoneByName(zone)
fw_settings = fw_zone.getSettings()
fw_settings.addInterface(interface)
fw_zone.update(fw_settings)
def remove_interface(zone, interface):
fw_zone = fw.config().getZoneByName(zone)
fw_settings = fw_zone.getSettings()
fw_settings.removeInterface(interface)
fw_zone.update(fw_settings)
#################### ####################
# service handling # service handling
# #
@ -254,12 +284,16 @@ def main():
immediate=dict(type='bool',default=False), immediate=dict(type='bool',default=False),
state=dict(choices=['enabled', 'disabled'], required=True), state=dict(choices=['enabled', 'disabled'], required=True),
timeout=dict(type='int',required=False,default=0), timeout=dict(type='int',required=False,default=0),
interface=dict(required=False,default=None),
), ),
supports_check_mode=True supports_check_mode=True
) )
if module.params['source'] == None and module.params['permanent'] == None: if module.params['source'] == None and module.params['permanent'] == None:
module.fail_json(msg='permanent is a required parameter') module.fail_json(msg='permanent is a required parameter')
if module.params['interface'] != None and module.params['zone'] == None:
module.fail(msg='zone is a required parameter')
if not HAS_FIREWALLD: if not HAS_FIREWALLD:
module.fail_json(msg='firewalld and its python 2 module are required for this module') module.fail_json(msg='firewalld and its python 2 module are required for this module')
@ -289,6 +323,7 @@ def main():
desired_state = module.params['state'] desired_state = module.params['state']
immediate = module.params['immediate'] immediate = module.params['immediate']
timeout = module.params['timeout'] timeout = module.params['timeout']
interface = module.params['interface']
## Check for firewalld running ## Check for firewalld running
try: try:
@ -305,9 +340,11 @@ def main():
modification_count += 1 modification_count += 1
if rich_rule != None: if rich_rule != None:
modification_count += 1 modification_count += 1
if interface != None:
modification_count += 1
if modification_count > 1: if modification_count > 1:
module.fail_json(msg='can only operate on port, service or rich_rule at once') module.fail_json(msg='can only operate on port, service, rich_rule or interface at once')
if service != None: if service != None:
if permanent: if permanent:
@ -369,6 +406,7 @@ def main():
remove_source(zone, source) remove_source(zone, source)
changed=True changed=True
msgs.append("Removed %s from zone %s" % (source, zone)) msgs.append("Removed %s from zone %s" % (source, zone))
if port != None: if port != None:
if permanent: if permanent:
is_enabled = get_port_enabled_permanent(zone, [port, protocol]) is_enabled = get_port_enabled_permanent(zone, [port, protocol])
@ -452,6 +490,25 @@ def main():
if changed == True: if changed == True:
msgs.append("Changed rich_rule %s to %s" % (rich_rule, desired_state)) msgs.append("Changed rich_rule %s to %s" % (rich_rule, desired_state))
if interface != None:
is_enabled = get_interface(zone, interface)
if desired_state == "enabled":
if is_enabled == False:
if module.check_mode:
module.exit_json(changed=True)
add_interface(zone, interface)
changed=True
msgs.append("Added %s to zone %s" % (interface, zone))
elif desired_state == "disabled":
if is_enabled == True:
if module.check_mode:
module.exit_json(changed=True)
remove_interface(zone, interface)
changed=True
msgs.append("Removed %s from zone %s" % (interface, zone))
module.exit_json(changed=changed, msg=', '.join(msgs)) module.exit_json(changed=changed, msg=', '.join(msgs))