From 5a38230dbf9308a140053311aa0927cda3cf4983 Mon Sep 17 00:00:00 2001 From: Evert Hessel Date: Sat, 22 Jan 2022 18:10:15 +0100 Subject: [PATCH] Add support for firewalld intra zone forwarding --- plugins/modules/firewalld.py | 73 +++++++++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 2 deletions(-) diff --git a/plugins/modules/firewalld.py b/plugins/modules/firewalld.py index 39a3b18..33277e4 100644 --- a/plugins/modules/firewalld.py +++ b/plugins/modules/firewalld.py @@ -106,6 +106,10 @@ options: description: - The masquerade setting you would like to enable/disable to/from zones within firewalld. type: str + forward: + description: + - Whether intra zone forwarding should be enabled/disabled for a zone in firewalld. + type: bool offline: description: - Whether to run this module even when firewalld is offline. @@ -183,6 +187,12 @@ EXAMPLES = r''' permanent: yes zone: dmz +- ansible.posix.firewalld: + forward: yes + state: enabled + permanent: yes + zone: dmz + - ansible.posix.firewalld: zone: custom state: present @@ -386,6 +396,49 @@ class MasqueradeTransaction(FirewallTransaction): self.update_fw_settings(fw_zone, fw_settings) +class ForwardTransaction(FirewallTransaction): + """ + ForwardTransaction + """ + + def __init__(self, module, action_args=None, zone=None, desired_state=None, permanent=False, immediate=False): + super(ForwardTransaction, self).__init__( + module, action_args=action_args, desired_state=desired_state, zone=zone, permanent=permanent, immediate=immediate + ) + + self.enabled_msg = "Enabled intra zone forwarding on zone %s" % self.zone + self.disabled_msg = "Disabled intra zone forwarding on zone %s" % self.zone + + def get_enabled_immediate(self): + if self.fw.queryForward(self.zone) is True: + return True + else: + return False + + def get_enabled_permanent(self): + fw_zone, fw_settings = self.get_fw_zone_settings() + if fw_settings.getForward() is True: + return True + else: + return False + + def set_enabled_immediate(self): + self.fw.addForward(self.zone) + + def set_enabled_permanent(self): + fw_zone, fw_settings = self.get_fw_zone_settings() + fw_settings.setForward(True) + self.update_fw_settings(fw_zone, fw_settings) + + def set_disabled_immediate(self): + self.fw.removeForward(self.zone) + + def set_disabled_permanent(self): + fw_zone, fw_settings = self.get_fw_zone_settings() + fw_settings.setForward(False) + self.update_fw_settings(fw_zone, fw_settings) + + class PortTransaction(FirewallTransaction): """ PortTransaction @@ -751,6 +804,7 @@ def main(): timeout=dict(type='int', default=0), interface=dict(type='str'), masquerade=dict(type='str'), + forward=dict(type='bool'), offline=dict(type='bool'), target=dict(type='str', choices=['default', 'ACCEPT', 'DROP', '%%REJECT%%']), ), @@ -762,7 +816,7 @@ def main(): ), mutually_exclusive=[ ['icmp_block', 'icmp_block_inversion', 'service', 'port', 'port_forward', 'rich_rule', - 'interface', 'masquerade', 'source', 'target'] + 'interface', 'masquerade', 'forward', 'source', 'target'] ], ) @@ -772,6 +826,7 @@ def main(): timeout = module.params['timeout'] interface = module.params['interface'] masquerade = module.params['masquerade'] + forward = module.params['forward'] # Sanity checks FirewallTransaction.sanity_check(module) @@ -822,7 +877,7 @@ def main(): modification = False if any([icmp_block, icmp_block_inversion, service, port, port_forward, rich_rule, - interface, masquerade, source, target]): + interface, masquerade, forward, source, target]): modification = True if modification and desired_state in ['absent', 'present'] and target is None: module.fail_json( @@ -994,6 +1049,20 @@ def main(): 'The type of the option will be changed from string to boolean in a future release. ' 'To avoid unexpected behavior, please change the value to boolean.' % masquerade) + if forward is not None: + + transaction = ForwardTransaction( + module, + action_args=(), + zone=zone, + desired_state=desired_state, + permanent=permanent, + immediate=immediate, + ) + + changed, transaction_msgs = transaction.run() + msgs = msgs + transaction_msgs + if target is not None: transaction = ZoneTargetTransaction(