From aa29a4fd9ce13600cc72c67583c5df2c1a297cf2 Mon Sep 17 00:00:00 2001
From: codehopper-uk
Date: Sat, 16 Apr 2016 13:15:00 +0100
Subject: [PATCH] Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017)

* Support for masquerade settings

Ability to enable and disable masquerade settings from ansible via:

- firewalld: mapping=masquerade state=disabled permanent=true zone=dmz

Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet.

* Permanent and Immediate zone handling differentiated

* Corrected naming abstraction for masquerading functionality

Removed mapping tag with port_forward choices - not applicable!

* Added version info for new masquerade option

Pull Request #2017 failing due to missing version info
---
 system/firewalld.py | 92 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/system/firewalld.py b/system/firewalld.py
index 2638ff759e8..c65e554edb8 100644
--- a/system/firewalld.py
+++ b/system/firewalld.py
@@ -80,6 +80,12 @@ options:
       - "The amount of time the rule should be in effect for when non-permanent."
     required: false
     default: 0
+  masquerade:
+    description:
+      - 'The masquerade setting you would like to enable/disable to/from zones within firewalld'
+    required: false
+    default: null
+    version_added: "2.1"
 notes:
   - Not tested on any Debian based system.
   - Requires the python2 bindings of firewalld, who may not be installed by default if the distribution switched to python 3
@@ -95,6 +101,7 @@ EXAMPLES = '''
 - firewalld: rich_rule='rule service name="ftp" audit limit value="1/m" accept' permanent=true state=enabled
 - firewalld: source='192.168.1.0/24' zone=internal state=enabled
 - firewalld: zone=trusted interface=eth2 permanent=true state=enabled
+- firewalld: masquerade=yes state=enabled permanent=true zone=dmz
 '''
 
 import os
@@ -114,6 +121,36 @@ try:
 except ImportError:
     HAS_FIREWALLD = False
 
+
+#####################
+# masquerade handling
+#
+def get_masquerade_enabled(zone):
+    if fw.queryMasquerade(zone) == True:
+        return True
+    else:
+        return False
+
+def get_masquerade_enabled_permanent(zone):
+    fw_zone = fw.config().getZoneByName(zone)
+    fw_settings = fw_zone.getSettings()
+    if fw_settings.getMasquerade() == True:
+        return True
+    else:
+        return False
+
+def set_masquerade_enabled(zone):
+    fw.addMasquerade(zone)
+
+def set_masquerade_disabled(zone):
+    fw.removeMasquerade(zone)
+
+def set_masquerade_permanent(zone, masquerade):
+    fw_zone = fw.config().getZoneByName(zone)
+    fw_settings = fw_zone.getSettings()
+    fw_settings.setMasquerade(masquerade)
+    fw_zone.update(fw_settings)
+
 ################
 # port handling
 #
@@ -287,6 +324,7 @@ def main():
             state=dict(choices=['enabled', 'disabled'], required=True),
             timeout=dict(type='int',required=False,default=0),
             interface=dict(required=False,default=None),
+            masquerade=dict(required=False,default=None),
         ),
         supports_check_mode=True
     )
@@ -327,6 +365,15 @@ def main():
     immediate = module.params['immediate']
     timeout = module.params['timeout']
     interface = module.params['interface']
+    masquerade = module.params['masquerade']
+
+    ## Check for firewalld running
+    try:
+        if fw.connected == False:
+            module.fail_json(msg='firewalld service must be running')
+    except AttributeError:
+        module.fail_json(msg="firewalld connection can't be established,\
+                version likely too old. Requires firewalld >= 2.0.11")
 
     modification_count = 0
     if service != None:
@@ -337,6 +384,8 @@ def main():
         modification_count += 1
     if interface != None:
         modification_count += 1
+    if masquerade != None:
+        modification_count += 1
 
     if modification_count > 1:
         module.fail_json(msg='can only operate on port, service, rich_rule or interface at once')
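Review bot: get_masquerade_enabled and get_masquerade_enabled_permanent compare a boolean result with `== True` and then branch only to return that same boolean, which is the long way of writing `return bool(fw.queryMasquerade(zone))` and `return bool(fw_settings.getMasquerade())`. The five new helpers also ship without docstrings; each should get a one-liner saying whether it touches the runtime zone or the permanent configuration, for example `"""Return whether masquerading is enabled in the permanent config of *zone*."""` on get_masquerade_enabled_permanent. All of them read the module-level `fw` object, which is created outside this hunk in the try/except above it, so they are only usable once that import succeeded.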
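Review bot: `masquerade=dict(required=False,default=None)` declares no type, and the value is never inspected beyond `masquerade != None` in the later hunks, so `masquerade=no state=enabled` enables masquerading exactly like `masquerade=yes`; the option is really a selector and `state` decides. Declaring it as `masquerade=dict(required=False, default=None, type='bool')` would at least reject junk values, and the option description added in the first hunk of this patch should say that the value only selects the masquerade setting while `state` controls enabling or disabling, since the current wording suggests the value itself is the setting.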
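Review bot: the fail_json message in the new except branch is a single string literal continued with a backslash, so the newline is dropped but the continuation line's leading indentation stays inside the message, which will read `established,                version likely too old`. Use implicit concatenation instead: `module.fail_json(msg="firewalld connection can't be established, "` followed by `"version likely too old. Requires firewalld >= 2.0.11")`. The version number in that message also looks doubtful, since firewalld releases are numbered 0.x; confirm the intended threshold. If main() already performs this connected check earlier (the rest of main() is outside this hunk), the added copy is redundant and should be dropped.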
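Review bot: masquerade now counts toward modification_count, but the error raised two lines below still lists only `port, service, rich_rule or interface`, so a user combining masquerade with another option gets a message that does not name the option they used. Update it to `module.fail_json(msg='can only operate on port, service, rich_rule, interface or masquerade at once')`.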
@@ -504,6 +553,49 @@ def main():
                 changed=True
                 msgs.append("Removed %s from zone %s" % (interface, zone))
 
+    if masquerade != None:
+
+        if permanent:
+            is_enabled = get_masquerade_enabled_permanent(zone)
+            msgs.append('Permanent operation')
+
+            if desired_state == "enabled":
+                if is_enabled == False:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_permanent(zone, True)
+                    changed=True
+                    msgs.append("Added masquerade to zone %s" % (zone))
+            elif desired_state == "disabled":
+                if is_enabled == True:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_permanent(zone, False)
+                    changed=True
+                    msgs.append("Removed masquerade from zone %s" % (zone))
+        if immediate or not permanent:
+            is_enabled = get_masquerade_enabled(zone)
+            msgs.append('Non-permanent operation')
+
+            if desired_state == "enabled":
+                if is_enabled == False:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_enabled(zone)
+                    changed=True
+                    msgs.append("Added masquerade to zone %s" % (zone))
+            elif desired_state == "disabled":
+                if is_enabled == True:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_disabled(zone)
+                    changed=True
+                    msgs.append("Removed masquerade from zone %s" % (zone))
+
     module.exit_json(changed=changed, msg=', '.join(msgs))