mirror of
https://github.com/ansible-collections/ansible.posix.git
synced 2026-01-11 23:25:28 +01:00
Add missing documentation and fix linting errors introducted with firewalld default parameter. Update to fail if not explicitly both immedate AND permanent when the firewall daemon is online.
This commit is contained in:
Gregory Furlong
parent
628a53eb1a
commit
0438630004
1 changed files with 21 additions and 6 deletions
|
|
@ -106,6 +106,11 @@ options:
|
||||||
description:
|
description:
|
||||||
- The masquerade setting you would like to enable/disable to/from zones within firewalld.
|
- The masquerade setting you would like to enable/disable to/from zones within firewalld.
|
||||||
type: str
|
type: str
|
||||||
|
default:
|
||||||
|
description:
|
||||||
|
- Indicates that the targeted zone should be set as firewalld's default zone.
|
||||||
|
- This change must always be both immediate (when firewalld is running) and permanent.
|
||||||
|
type: bool
|
||||||
offline:
|
offline:
|
||||||
description:
|
description:
|
||||||
- Whether to run this module even when firewalld is offline.
|
- Whether to run this module even when firewalld is offline.
|
||||||
|
|
@ -213,6 +218,13 @@ EXAMPLES = r'''
|
||||||
permanent: yes
|
permanent: yes
|
||||||
immediate: yes
|
immediate: yes
|
||||||
state: enabled
|
state: enabled
|
||||||
|
|
||||||
|
- name: Set the default zone to 'trusted'
|
||||||
|
ansible.builtin.firewalld:
|
||||||
|
zone: trusted
|
||||||
|
permanent: true
|
||||||
|
default: true
|
||||||
|
state: enabled
|
||||||
'''
|
'''
|
||||||
|
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
@ -696,6 +708,7 @@ class ZoneTransaction(FirewallTransaction):
|
||||||
zone_obj = self.fw.config().getZoneByName(self.zone)
|
zone_obj = self.fw.config().getZoneByName(self.zone)
|
||||||
zone_obj.remove()
|
zone_obj.remove()
|
||||||
|
|
||||||
|
|
||||||
class DefaultZoneTransaction(FirewallTransaction):
|
class DefaultZoneTransaction(FirewallTransaction):
|
||||||
"""
|
"""
|
||||||
DefaultZoneTransaction
|
DefaultZoneTransaction
|
||||||
|
|
@ -708,18 +721,18 @@ class DefaultZoneTransaction(FirewallTransaction):
|
||||||
self.upstream_default_zone = FALLBACK_ZONE
|
self.upstream_default_zone = FALLBACK_ZONE
|
||||||
self.enabled_msg = "Updated default zone to %s" % self.zone
|
self.enabled_msg = "Updated default zone to %s" % self.zone
|
||||||
self.disabled_msg = "Reverted default zone from %s to upstream default %s" % (self.zone, self.upstream_default_zone)
|
self.disabled_msg = "Reverted default zone from %s to upstream default %s" % (self.zone, self.upstream_default_zone)
|
||||||
self.tx_not_permanent_error_msg = "Zone operations must be permanent. " \
|
if (not permanent) or not (fw_offline or immediate):
|
||||||
"Make sure you didn't set the 'permanent' flag to 'false' or the 'immediate' flag to 'true'."
|
self.module.fail_json(msg="Default zone changes must be permanent and when daemon is online must also be immediate")
|
||||||
|
|
||||||
def get_enabled_immediate(self):
|
def get_enabled_immediate(self):
|
||||||
self.module.fail_json(msg=self.tx_not_permanent_error_msg)
|
return self.fw.getDefaultZone() == self.zone
|
||||||
|
|
||||||
def get_enabled_permanent(self):
|
def get_enabled_permanent(self):
|
||||||
default_zone = self.fw.get_default_zone() if fw_offline else self.fw.getDefaultZone()
|
default_zone = self.fw.get_default_zone() if fw_offline else self.fw.getDefaultZone()
|
||||||
return self.zone == default_zone
|
return self.zone == default_zone
|
||||||
|
|
||||||
def set_enabled_immediate(self):
|
def set_enabled_immediate(self):
|
||||||
self.module.fail_json(msg=self.tx_not_permanent_error_msg)
|
pass # permanent default zone change will also apply immediately to a running daemon
|
||||||
|
|
||||||
def set_enabled_permanent(self):
|
def set_enabled_permanent(self):
|
||||||
if fw_offline:
|
if fw_offline:
|
||||||
|
|
@ -728,7 +741,7 @@ class DefaultZoneTransaction(FirewallTransaction):
|
||||||
self.fw.setDefaultZone(self.zone)
|
self.fw.setDefaultZone(self.zone)
|
||||||
|
|
||||||
def set_disabled_immediate(self):
|
def set_disabled_immediate(self):
|
||||||
self.module.fail_json(msg=self.tx_not_permanent_error_msg)
|
pass # permanent default zone change will also apply immediately to a running daemon
|
||||||
|
|
||||||
def set_disabled_permanent(self):
|
def set_disabled_permanent(self):
|
||||||
if fw_offline:
|
if fw_offline:
|
||||||
|
|
@ -736,6 +749,7 @@ class DefaultZoneTransaction(FirewallTransaction):
|
||||||
else:
|
else:
|
||||||
self.fw.setDefaultZone(self.upstream_default_zone)
|
self.fw.setDefaultZone(self.upstream_default_zone)
|
||||||
|
|
||||||
|
|
||||||
class ForwardPortTransaction(FirewallTransaction):
|
class ForwardPortTransaction(FirewallTransaction):
|
||||||
"""
|
"""
|
||||||
ForwardPortTransaction
|
ForwardPortTransaction
|
||||||
|
|
@ -772,6 +786,7 @@ class ForwardPortTransaction(FirewallTransaction):
|
||||||
fw_settings.removeForwardPort(port, proto, toport, toaddr)
|
fw_settings.removeForwardPort(port, proto, toport, toaddr)
|
||||||
self.update_fw_settings(fw_zone, fw_settings)
|
self.update_fw_settings(fw_zone, fw_settings)
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
|
|
||||||
module = AnsibleModule(
|
module = AnsibleModule(
|
||||||
|
|
@ -803,7 +818,7 @@ def main():
|
||||||
),
|
),
|
||||||
mutually_exclusive=[
|
mutually_exclusive=[
|
||||||
['icmp_block', 'icmp_block_inversion', 'service', 'port', 'port_forward', 'rich_rule',
|
['icmp_block', 'icmp_block_inversion', 'service', 'port', 'port_forward', 'rich_rule',
|
||||||
'interface', 'masquerade', 'source', 'target','default']
|
'interface', 'masquerade', 'source', 'target', 'default']
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue