carroarmato0/ansible.posix
1
0
Fork 0
mirror of https://github.com/ansible-collections/ansible.posix.git synced 2026-01-11 15:15:26 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #417 from rsguhr/protocol_support

Browse source 
firewalld: Add support for protocol parameter

SUMMARY
Fixes #416 - This PR implements the --add-protocol/--remove-protocol parameters for firewalld.
I have just copied and rewritten the code from service parameter. Please look carefully :)
ISSUE TYPE

Feature Pull Request

COMPONENT NAME
firewalld
ADDITIONAL INFORMATION
    - name: Allow OSPF traffic
      ansible.posix.firewalld:                                                  
        protocol: ospf                                                          
        zone: work                                                              
        state: enabled                                                          
        permanent: true

Reviewed-by: Hideki Saito <saito@fgrep.org>
This commit is contained in:
softwarefactory-project-zuul[bot] 2023-03-13 07:02:45 +00:00 committed by GitHub
commit 84c56e1814
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 142 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/417-add-protocol-parameter.yml Normal file
View file

@ -0,0 +1,2 @@
minor_changes:
- firewalld - add `protocol` parameter

73
plugins/modules/firewalld.py
View file

@ -19,6 +19,10 @@ options:
- Name of a service to add/remove to/from firewalld. - Name of a service to add/remove to/from firewalld.
- The service must be listed in output of firewall-cmd --get-services. - The service must be listed in output of firewall-cmd --get-services.
type: str type: str
protocol:
description:
- Name of a protocol to add/remove to/from firewalld.
type: str
port: port:
description: description:
- Name of a port or port range to add/remove to/from firewalld. - Name of a port or port range to add/remove to/from firewalld.
@ -144,6 +148,12 @@ EXAMPLES = r'''
permanent: true permanent: true
state: enabled state: enabled
- name: permit ospf traffic
ansible.posix.firewalld:
protocol: ospf
permanent: true
state: enabled
- name: do not permit traffic in default zone on port 8081/tcp - name: do not permit traffic in default zone on port 8081/tcp
ansible.posix.firewalld: ansible.posix.firewalld:
port: 8081/tcp port: 8081/tcp
@ -343,6 +353,47 @@ class ServiceTransaction(FirewallTransaction):
self.update_fw_settings(fw_zone, fw_settings) self.update_fw_settings(fw_zone, fw_settings)
class ProtocolTransaction(FirewallTransaction):
"""
ProtocolTransaction
"""
def __init__(self, module, action_args=None, zone=None, desired_state=None, permanent=False, immediate=False):
super(ProtocolTransaction, self).__init__(
module, action_args=action_args, desired_state=desired_state, zone=zone, permanent=permanent, immediate=immediate
)
def get_enabled_immediate(self, protocol, timeout):
if protocol in self.fw.getProtocols(self.zone):
return True
else:
return False
def get_enabled_permanent(self, protocol, timeout):
fw_zone, fw_settings = self.get_fw_zone_settings()
if protocol in fw_settings.getProtocols():
return True
else:
return False
def set_enabled_immediate(self, protocol, timeout):
self.fw.addProtocol(self.zone, protocol, timeout)
def set_enabled_permanent(self, protocol, timeout):
fw_zone, fw_settings = self.get_fw_zone_settings()
fw_settings.addProtocol(protocol)
self.update_fw_settings(fw_zone, fw_settings)
def set_disabled_immediate(self, protocol, timeout):
self.fw.removeProtocol(self.zone, protocol)
def set_disabled_permanent(self, protocol, timeout):
fw_zone, fw_settings = self.get_fw_zone_settings()
fw_settings.removeProtocol(protocol)
self.update_fw_settings(fw_zone, fw_settings)
class MasqueradeTransaction(FirewallTransaction): class MasqueradeTransaction(FirewallTransaction):
""" """
MasqueradeTransaction MasqueradeTransaction
@ -748,6 +799,7 @@ def main():
icmp_block=dict(type='str'), icmp_block=dict(type='str'),
icmp_block_inversion=dict(type='str'), icmp_block_inversion=dict(type='str'),
service=dict(type='str'), service=dict(type='str'),
protocol=dict(type='str'),
port=dict(type='str'), port=dict(type='str'),
port_forward=dict(type='list', elements='dict'), port_forward=dict(type='list', elements='dict'),
rich_rule=dict(type='str'), rich_rule=dict(type='str'),
@ -769,7 +821,7 @@ def main():
source=('permanent',), source=('permanent',),
), ),
mutually_exclusive=[ mutually_exclusive=[
['icmp_block', 'icmp_block_inversion', 'service', 'port', 'port_forward', 'rich_rule', ['icmp_block', 'icmp_block_inversion', 'service', 'protocol', 'port', 'port_forward', 'rich_rule',
'interface', 'masquerade', 'source', 'target'] 'interface', 'masquerade', 'source', 'target']
], ],
) )
@ -798,6 +850,7 @@ def main():
icmp_block = module.params['icmp_block'] icmp_block = module.params['icmp_block']
icmp_block_inversion = module.params['icmp_block_inversion'] icmp_block_inversion = module.params['icmp_block_inversion']
service = module.params['service'] service = module.params['service']
protocol = module.params['protocol']
rich_rule = module.params['rich_rule'] rich_rule = module.params['rich_rule']
source = module.params['source'] source = module.params['source']
zone = module.params['zone'] zone = module.params['zone']
@ -829,7 +882,7 @@ def main():
port_forward_toaddr = port_forward['toaddr'] port_forward_toaddr = port_forward['toaddr']
modification = False modification = False
if any([icmp_block, icmp_block_inversion, service, port, port_forward, rich_rule, if any([icmp_block, icmp_block_inversion, service, protocol, port, port_forward, rich_rule,
interface, masquerade, source, target]): interface, masquerade, source, target]):
modification = True modification = True
if modification and desired_state in ['absent', 'present'] and target is None: if modification and desired_state in ['absent', 'present'] and target is None:
@ -893,6 +946,22 @@ def main():
if changed is True: if changed is True:
msgs.append("Changed service %s to %s" % (service, desired_state)) msgs.append("Changed service %s to %s" % (service, desired_state))
if protocol is not None:
transaction = ProtocolTransaction(
module,
action_args=(protocol, timeout),
zone=zone,
desired_state=desired_state,
permanent=permanent,
immediate=immediate,
)
changed, transaction_msgs = transaction.run()
msgs = msgs + transaction_msgs
if changed is True:
msgs.append("Changed protocol %s to %s" % (protocol, desired_state))
if source is not None: if source is not None:
transaction = SourceTransaction( transaction = SourceTransaction(

65
tests/integration/targets/firewalld/tasks/protocol_test_cases.yml Normal file
View file

@ -0,0 +1,65 @@
# Test playbook for the firewalld module - protocol operations
# (c) 2022, Robért S. Guhr <rguhr@cronon.net>
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- name: firewalld protocol test permanent enabled
firewalld:
protocol: ospf
permanent: true
state: enabled
register: result
- name: assert firewalld protocol test permanent enabled worked
assert:
that:
- result is changed
- name: firewalld protocol test permanent enabled rerun (verify not changed)
firewalld:
protocol: ospf
permanent: true
state: enabled
register: result
- name: assert firewalld protocol test permanent enabled rerun worked (verify not changed)
assert:
that:
- result is not changed
- name: firewalld protocol test permanent disabled
firewalld:
protocol: ospf
permanent: true
state: disabled
register: result
- name: assert firewalld protocol test permanent disabled worked
assert:
that:
- result is changed
- name: firewalld protocol test permanent disabled rerun (verify not changed)
firewalld:
protocol: ospf
permanent: true
state: disabled
register: result
- name: assert firewalld protocol test permanent disabled rerun worked (verify not changed)
assert:
that:
- result is not changed

3
tests/integration/targets/firewalld/tasks/run_all_tests.yml
View file

@ -10,6 +10,9 @@
# firewalld service operation test cases # firewalld service operation test cases
- include_tasks: service_test_cases.yml - include_tasks: service_test_cases.yml
# firewalld protocol operation test cases
- include_tasks: protocol_test_cases.yml
# firewalld port operation test cases # firewalld port operation test cases
- include_tasks: port_test_cases.yml - include_tasks: port_test_cases.yml

2
tests/integration/targets/firewalld/tasks/source_test_cases.yml
View file

@ -82,4 +82,4 @@
assert: assert:
that: that:
- result is not changed - result is not changed
- "result.msg == 'parameters are mutually exclusive: icmp_block|icmp_block_inversion|service|port|port_forward|rich_rule|interface|masquerade|source|target'" - "result.msg == 'parameters are mutually exclusive: icmp_block|icmp_block_inversion|service|protocol|port|port_forward|rich_rule|interface|masquerade|source|target'"