Merge c4ff0545f1 into 9343c6f56f

Merge pull request #682 from saito-hideki/pr/ci_update_20250929
Ignore pylint errors caused by compatibility checks for six SUMMARY Ignore pylint errors caused by compatibility checks for six: pylint:ansible-bad-import-from Ansible Core 2.16 supports Python2 environment, and six is required to maintain compatibility with Python 2. We plan to continue supporting Ansible Core 2.16 at this time. Additionally, removing the standalone ansible-lint test because it is already included in ansible-test sanity. ISSUE TYPE CI tests Request COMPONENT NAME ansible.posix ADDITIONAL INFORMATION None Reviewed-by: Andrew Klychkov <aklychko@redhat.com> Reviewed-by: Felix Fontein <felix@fontein.de> Reviewed-by: Hideki Saito <saito@fgrep.org>
2026-01-11 07:05:27 +01:00 · 2025-10-17 13:49:00 +02:00 · 2025-10-02 05:55:28 +00:00 · 2025-10-02 14:02:56 +09:00 · 2025-08-01 14:21:01 +05:00
9 changed files with 220 additions and 13 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -4,7 +4,8 @@
 # SPDX-FileCopyrightText: 2024, Ansible Project

 skip_list:
-  - meta-runtime[unsupported-version]  # Tis rule doesn't make any sense
+  - meta-runtime[unsupported-version]  # This rule doesn't make any sense
  - fqcn[deep]  # This rule produces false positives for files in tests/unit/plugins/action/fixtures/
+  - sanity[cannot-ignore]  # This rule is skipped to keep backward compatibility with Python 2
 exclude_paths:
  - changelogs/
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -43,7 +43,7 @@ pool: Standard

 stages:
  - stage: Sanity_devel
-    displayName: Ansible devel sanity
+    displayName: Ansible devel Sanity & Units & Lint
    dependsOn: []
    jobs:
      - template: templates/matrix.yml
@ -58,7 +58,7 @@ stages:
            - name: Lint
              test: lint
  - stage: Sanity_2_19
-    displayName: Ansible 2.19 sanitay & Units & Lint
+    displayName: Ansible 2.19 Sanity & Units & Lint
    dependsOn: []
    jobs:
      - template: templates/matrix.yml
@ -73,7 +73,7 @@ stages:
            - name: Lint
              test: lint
  - stage: Sanity_2_18
-    displayName: Ansible 2.18 sanity & Units & Lint
+    displayName: Ansible 2.18 Sanity & Units & Lint
    dependsOn: []
    jobs:
      - template: templates/matrix.yml
@ -88,7 +88,7 @@ stages:
            - name: Lint
              test: lint
  - stage: Sanity_2_17
-    displayName: Ansible 2.17 sanity & Units & Lint
+    displayName: Ansible 2.17 Sanity & Units & Lint
    dependsOn: []
    jobs:
      - template: templates/matrix.yml
@ -103,7 +103,7 @@ stages:
            - name: Lint
              test: lint
  - stage: Sanity_2_16
-    displayName: Ansible 2.16 sanity & Units & Lint
+    displayName: Ansible 2.16 Sanity & Units & Lint
    dependsOn: []
    jobs:
      - template: templates/matrix.yml
@ -115,6 +115,8 @@ stages:
              test: sanity
            - name: Units
              test: units
+            - name: Lint
+              test: lint
  ## Docker
  - stage: Docker_devel
    displayName: Docker devel
--- a/changelogs/fragments/682_update_ci_20250929.yml
+++ b/changelogs/fragments/682_update_ci_20250929.yml
@ -0,0 +1,4 @@
+trivial:
+  - Updatng AZP CI matrix to ignore ansible-bad-import-from on six(https://github.com/ansible-collections/ansible.posix/pull/682).
+  - Skipped sanity[cannot-ignore] to keep backward compatibility with Python2.
+  - Consolidate all ansible-lint option locations into .ansible-lint file.
--- a/plugins/modules/firewalld.py
+++ b/plugins/modules/firewalld.py
@ -28,6 +28,11 @@ options:
      - Name of a port or port range to add/remove to/from firewalld.
      - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
    type: str
+  source_port:
+    description:
+      - Name of a source port or port range to add/remove to/from firewalld.
+      - Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges.
+    type: str
  port_forward:
    description:
      - Port and protocol to forward using firewalld.
@ -185,6 +190,13 @@ EXAMPLES = r'''
    permanent: true
    state: enabled

+- name: Permit traffic in home zone from port 20561/udp
+  ansible.posix.firewalld:
+    source_port: 20561/udp
+    zone: home
+    permanent: true
+    state: enabled
+
 - name: Permit traffic in dmz zone on http service
  ansible.posix.firewalld:
    zone: dmz
@ -552,6 +564,43 @@ class PortTransaction(FirewallTransaction):
        self.update_fw_settings(fw_zone, fw_settings)


+class SourcePortTransaction(FirewallTransaction):
+    """
+    SourcePortTransaction
+    """
+
+    def __init__(self, module, action_args=None, zone=None, desired_state=None, permanent=False, immediate=False):
+        super(SourcePortTransaction, self).__init__(
+            module, action_args=action_args, desired_state=desired_state, zone=zone, permanent=permanent, immediate=immediate
+        )
+
+    def get_enabled_immediate(self, port, protocol, timeout):
+        if self.fw_offline:
+            dummy, fw_settings = self.get_fw_zone_settings()
+            return fw_settings.querySourcePort(port=port, protocol=protocol)
+        return self.fw.querySourcePort(zone=self.zone, port=port, protocol=protocol)
+
+    def get_enabled_permanent(self, port, protocol, timeout):
+        dummy, fw_settings = self.get_fw_zone_settings()
+        return fw_settings.querySourcePort(port=port, protocol=protocol)
+
+    def set_enabled_immediate(self, port, protocol, timeout):
+        self.fw.addSourcePort(zone=self.zone, port=port, protocol=protocol, timeout=timeout)
+
+    def set_enabled_permanent(self, port, protocol, timeout):
+        fw_zone, fw_settings = self.get_fw_zone_settings()
+        fw_settings.addSourcePort(port=port, protocol=protocol)
+        self.update_fw_settings(fw_zone, fw_settings)
+
+    def set_disabled_immediate(self, port, protocol, timeout):
+        self.fw.removeSourcePort(zone=self.zone, port=port, protocol=protocol)
+
+    def set_disabled_permanent(self, port, protocol, timeout):
+        fw_zone, fw_settings = self.get_fw_zone_settings()
+        fw_settings.removeSourcePort(port=port, protocol=protocol)
+        self.update_fw_settings(fw_zone, fw_settings)
+
+
 class InterfaceTransaction(FirewallTransaction):
    """
    InterfaceTransaction
@ -879,6 +928,7 @@ def main():
            service=dict(type='str'),
            protocol=dict(type='str'),
            port=dict(type='str'),
+            source_port=dict(type='str'),
            port_forward=dict(type='list', elements='dict'),
            rich_rule=dict(type='str'),
            zone=dict(type='str'),
@ -900,8 +950,8 @@ def main():
            source=('permanent',),
        ),
        mutually_exclusive=[
-            ['icmp_block', 'icmp_block_inversion', 'service', 'protocol', 'port', 'port_forward', 'rich_rule',
-             'interface', 'forward', 'masquerade', 'source', 'target']
+            ['icmp_block', 'icmp_block_inversion', 'service', 'protocol', 'port', 'source_port', 'port_forward',
+             'rich_rule', 'interface', 'forward', 'masquerade', 'source', 'target']
        ],
    )

@ -957,6 +1007,17 @@ def main():
    else:
        port_protocol = None

+    source_port = None
+    if module.params['source_port'] is not None:
+        if '/' in module.params['source_port']:
+            source_port, source_port_protocol = module.params['source_port'].strip().split('/')
+        else:
+            source_port_protocol = None
+        if not source_port_protocol:
+            module.fail_json(msg='improper source_port format (missing protocol?)')
+    else:
+        source_port_protocol = None
+
    port_forward_toaddr = ''
    port_forward = None
    if module.params['port_forward'] is not None:
@ -973,7 +1034,7 @@ def main():
            port_forward_toaddr = port_forward['toaddr']

    modification = False
-    if any([icmp_block, icmp_block_inversion, service, protocol, port, port_forward, rich_rule,
+    if any([icmp_block, icmp_block_inversion, service, protocol, port, source_port, port_forward, rich_rule,
            interface, forward, masquerade, source, target]):
        modification = True
    if modification and desired_state in ['absent', 'present'] and target is None:
@ -1079,6 +1140,26 @@ def main():
                )
            )

+    if source_port is not None:
+
+        transaction = SourcePortTransaction(
+            module,
+            action_args=(source_port, source_port_protocol, timeout),
+            zone=zone,
+            desired_state=desired_state,
+            permanent=permanent,
+            immediate=immediate,
+        )
+
+        changed, transaction_msgs = transaction.run()
+        msgs = msgs + transaction_msgs
+        if changed is True:
+            msgs.append(
+                "Changed source_port %s to %s" % (
+                    "%s/%s" % (source_port, source_port_protocol), desired_state
+                )
+            )
+
    if port_forward is not None:
        transaction = ForwardPortTransaction(
            module,
--- a/tests/integration/targets/firewalld/tasks/run_all_tests.yml
+++ b/tests/integration/targets/firewalld/tasks/run_all_tests.yml
@ -21,6 +21,10 @@
 - name: Include port test cases for firewalld module
  ansible.builtin.include_tasks: port_test_cases.yml

+# firewalld source_port operation test cases
+- name: Include source_port test cases for firewalld module
+  ansible.builtin.include_tasks: source_port_test_cases.yml
+
 # firewalld source operation test cases
 - name: Include source test cases for firewalld module
  ansible.builtin.include_tasks: source_test_cases.yml
--- a/tests/integration/targets/firewalld/tasks/source_port_test_cases.yml
+++ b/tests/integration/targets/firewalld/tasks/source_port_test_cases.yml
@ -0,0 +1,107 @@
+---
+# Test playbook for the firewalld module - source_port operations
+
+- name: Firewalld source_port range test permanent enabled
+  ansible.posix.firewalld:
+    source_port: 5500-6850/tcp
+    permanent: true
+    state: enabled
+  register: result
+
+- name: Assert firewalld source_port range test permanent enabled worked
+  ansible.builtin.assert:
+    that:
+      - result is changed
+
+- name: Firewalld source_port range test permanent enabled rerun (verify not changed)
+  ansible.posix.firewalld:
+    source_port: 5500-6850/tcp
+    permanent: true
+    state: enabled
+  register: result
+
+- name: Assert firewalld source_port range test permanent enabled rerun worked (verify not changed)
+  ansible.builtin.assert:
+    that:
+      - result is not changed
+
+- name: Firewalld source_port test permanent enabled
+  ansible.posix.firewalld:
+    source_port: 6900/tcp
+    permanent: true
+    state: enabled
+  register: result
+
+- name: Assert firewalld source_port test permanent enabled worked
+  ansible.builtin.assert:
+    that:
+      - result is changed
+
+- name: Firewalld source_port test permanent enabled
+  ansible.posix.firewalld:
+    source_port: 6900/tcp
+    permanent: true
+    state: enabled
+  register: result
+
+- name: Assert firewalld source_port test permanent enabled worked
+  ansible.builtin.assert:
+    that:
+      - result is not changed
+
+- name: Firewalld source_port test disabled
+  ansible.posix.firewalld:
+    source_port: "{{ item }}"
+    permanent: true
+    state: disabled
+  loop:
+    - 6900/tcp
+    - 5500-6850/tcp
+
+- name: Firewalld source_port test permanent enabled
+  ansible.posix.firewalld:
+    source_port: 8081/tcp
+    permanent: true
+    state: enabled
+  register: result
+
+- name: Assert firewalld source_port test permanent enabled worked
+  ansible.builtin.assert:
+    that:
+      - result is changed
+
+- name: Firewalld source_port test permanent enabled rerun (verify not changed)
+  ansible.posix.firewalld:
+    source_port: 8081/tcp
+    permanent: true
+    state: enabled
+  register: result
+
+- name: Assert firewalld source_port test permanent enabled rerun worked (verify not changed)
+  ansible.builtin.assert:
+    that:
+      - result is not changed
+
+- name: Firewalld source_port test permanent disabled
+  ansible.posix.firewalld:
+    source_port: 8081/tcp
+    permanent: true
+    state: disabled
+  register: result
+
+- name: Assert firewalld source_port test permanent disabled worked
+  ansible.builtin.assert:
+    that:
+      - result is changed
+
+- name: Firewalld source_port test permanent disabled rerun (verify not changed)
+  ansible.posix.firewalld:
+    source_port: 8081/tcp
+    permanent: true
+    state: disabled
+  register: result
+
+- name: Assert firewalld source_port test permanent disabled rerun worked (verify not changed)
+  ansible.builtin.assert:
+    that:
+      - result is not changed
--- a/tests/integration/targets/firewalld/tasks/source_test_cases.yml
+++ b/tests/integration/targets/firewalld/tasks/source_test_cases.yml
@ -85,4 +85,4 @@
      - result is not changed
      - >
        result.msg == 'parameters are mutually exclusive:
-        icmp_block|icmp_block_inversion|service|protocol|port|port_forward|rich_rule|interface|forward|masquerade|source|target'
+        icmp_block|icmp_block_inversion|service|protocol|port|source_port|port_forward|rich_rule|interface|forward|masquerade|source|target'
--- a/tests/sanity/ignore-2.20.txt
+++ b/tests/sanity/ignore-2.20.txt
@ -1 +1,10 @@
 tests/utils/shippable/timing.py shebang
+plugins/action/synchronize.py pylint:ansible-bad-import-from
+plugins/callback/cgroup_perf_recap.py pylint:ansible-bad-import-from
+plugins/modules/mount.py pylint:ansible-bad-import-from
+plugins/modules/sysctl.py pylint:ansible-bad-import-from
+plugins/shell/csh.py pylint:ansible-bad-import-from
+plugins/shell/fish.py pylint:ansible-bad-import-from
+tests/unit/mock/procenv.py pylint:ansible-bad-import-from
+tests/unit/mock/yaml_helper.py pylint:ansible-bad-import-from
+tests/unit/modules/conftest.py pylint:ansible-bad-import-from
--- a/tests/utils/shippable/lint.sh
+++ b/tests/utils/shippable/lint.sh
@ -9,6 +9,5 @@ command -v ansible
 pip install --upgrade --user pip
 pip install --upgrade --user ansible-lint

-PATH="${PATH/\~/${HOME}}" ansible-lint \
-                                    --exclude changelogs/ \
-                                    --profile=production
+# To specify additional options, you can specify them into .ansible-lint file.
+PATH="${PATH/\~/${HOME}}" ansible-lint
Author	SHA1	Message	Date
Zhanibek Adilbekov	52bdbfb55d	Merge `c4ff0545f1` into `9343c6f56f`	2025-10-17 13:49:00 +02:00
softwarefactory-project-zuul[bot]	9343c6f56f	Merge pull request #682 from saito-hideki/pr/ci_update_20250929 Ignore pylint errors caused by compatibility checks for six SUMMARY Ignore pylint errors caused by compatibility checks for six: pylint:ansible-bad-import-from Ansible Core 2.16 supports Python2 environment, and six is required to maintain compatibility with Python 2. We plan to continue supporting Ansible Core 2.16 at this time. Additionally, removing the standalone ansible-lint test because it is already included in ansible-test sanity. ISSUE TYPE CI tests Request COMPONENT NAME ansible.posix ADDITIONAL INFORMATION None Reviewed-by: Andrew Klychkov <aklychko@redhat.com> Reviewed-by: Felix Fontein <felix@fontein.de> Reviewed-by: Hideki Saito <saito@fgrep.org>	2025-10-02 05:55:28 +00:00
saito-hideki	9dc73a686a	Ignore pylint errors caused by compatibility checks for six * This is a temporary measure until we stop covering Python2 * Skipped sanity[cannot-ignore] to keep backward compatibility with Python2 * Consolidate all ansible-lint option locations into .ansible-lint * Fixed some typos Signed-off-by: saito-hideki <saito@fgrep.org>	2025-10-02 14:02:56 +09:00
Zhanibek Adilbekov	c4ff0545f1	Firewalld: Add functionality to set source_port	2025-08-01 14:21:01 +05:00