diff --git a/lib/ansible/modules/extras/system/firewalld.py b/lib/ansible/modules/extras/system/firewalld.py
index 391d22ea8e0..0610ffbbfbd 100644
--- a/lib/ansible/modules/extras/system/firewalld.py
+++ b/lib/ansible/modules/extras/system/firewalld.py
@@ -80,6 +80,12 @@ options:
 - "The amount of time the rule should be in effect for when non-permanent."
 required: false
 default: 0
+ masquerade:
+ description:
+ - 'The masquerade setting you would like to enable/disable to/from zones within firewalld'
+ required: false
+ default: null
+ version_added: "2.1"
 notes:
 - Not tested on any Debian based system.
 - Requires the python2 bindings of firewalld, who may not be installed by default if the distribution switched to python 3
@@ -95,6 +101,7 @@ EXAMPLES = '''
 - firewalld: rich_rule='rule service name="ftp" audit limit value="1/m" accept' permanent=true state=enabled
 - firewalld: source='192.168.1.0/24' zone=internal state=enabled
 - firewalld: zone=trusted interface=eth2 permanent=true state=enabled
+- firewalld: masquerade=yes state=enabled permanent=true zone=dmz
 '''
 import os
@@ -114,6 +121,36 @@ try:
 except ImportError:
 HAS_FIREWALLD = False
+
+##################### # masquerade handling #
+def get_masquerade_enabled(zone):
+ if fw.queryMasquerade(zone) == True:
+ return True
+ else:
+ return False
+
+def get_masquerade_enabled_permanent(zone):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ if fw_settings.getMasquerade() == True:
+ return True
+ else:
+ return False
+
+def set_masquerade_enabled(zone):
+ fw.addMasquerade(zone)
+
+def set_masquerade_disabled(zone):
+ fw.removeMasquerade(zone)
+
+def set_masquerade_permanent(zone, masquerade):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ fw_settings.setMasquerade(masquerade)
+ fw_zone.update(fw_settings)
+
 ################
 # port handling
 #
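Review bot: The new `masquerade` option's description never says what value the user is expected to pass, and nothing in the text tells the reader that `state` — not the option's value — decides between enabling and disabling; the example added in the next hunk (`masquerade=yes state=enabled`) only makes sense once that is known. Reword it along the lines of `- 'Enable or disable masquerading for a zone. The value is a flag that selects the masquerade operation; C(state) controls whether it is enabled or disabled.'` Because the permanent path later in this diff only writes the stored configuration while the runtime store is touched only when `immediate` is set or `permanent` is not, a sentence warning that `permanent=true` alone leaves the running firewall unchanged would also help here, assuming that matches how the module documents its other options (not visible in this hunk).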
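Review bot: `get_masquerade_enabled` and `get_masquerade_enabled_permanent` compare the query result with `== True` and then route the same boolean through an if/else; `return bool(fw.queryMasquerade(zone))` and `return bool(fw_settings.getMasquerade())` are equivalent and clearer. None of the five helpers has a docstring, and the runtime/permanent split is exactly the thing a caller must not get wrong: give each a one-liner such as `"""Return True if masquerading is on in the runtime configuration of zone."""` and `"""Write the masquerade flag into the permanent configuration of zone; the runtime store is untouched."""`. Every helper dereferences a module-level `fw` that is bound outside this hunk, presumably in the try/except just above it, so a failed binding surfaces as NameError rather than a clean failure; that is acceptable only if main() checks HAS_FIREWALLD before calling them, which this diff does not show.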
@@ -286,6 +323,7 @@ def main():
 state=dict(choices=['enabled', 'disabled'], required=True),
 timeout=dict(type='int',required=False,default=0),
 interface=dict(required=False,default=None),
+ masquerade=dict(required=False,default=None),
 ),
 supports_check_mode=True
 )
@@ -325,6 +363,15 @@ def main():
 immediate = module.params['immediate']
 timeout = module.params['timeout']
 interface = module.params['interface']
+ masquerade = module.params['masquerade']
+
+ ## Check for firewalld running
+ try:
+ if fw.connected == False:
+ module.fail_json(msg='firewalld service must be running')
+ except AttributeError:
+ module.fail_json(msg="firewalld connection can't be established,\ version likely too old. Requires firewalld >= 2.0.11")
 modification_count = 0
 if service != None:
@@ -335,6 +382,8 @@ def main():
 modification_count += 1
 if interface != None:
 modification_count += 1
+ if masquerade != None:
+ modification_count += 1
 if modification_count > 1:
 module.fail_json(msg='can only operate on port, service, rich_rule or interface at once')
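Review bot: `masquerade=dict(required=False,default=None)` accepts any string, and the state-handling code later in this diff only tests `masquerade != None`, so the value is never inspected: `masquerade=no state=enabled` enables masquerading on the zone exactly like `masquerade=yes`, while anyone reading the playbook would take it to mean the opposite. At minimum declare it `masquerade=dict(type='bool', required=False, default=None),` so the value is validated, and document that `state` is what selects enabled versus disabled. If a false value is meant to be rejected rather than ignored, fail with a clear message when `masquerade is False` and `state=enabled` disagree instead of silently turning address translation on for the zone.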
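Review bot: The connection check reads `fw.connected == False` and keeps `module.fail_json` inside the `try` as well; write it as `if not fw.connected:` and leave only the attribute read under the `try`, since `fail_json` exits rather than raising AttributeError. The fallback message says firewalld >= 2.0.11 is required, which does not look like a firewalld release number (releases in this era were 0.x, if I recall correctly) — confirm which version introduced the `connected` attribute before shipping that text. `except AttributeError` also will not catch a NameError on `fw` if the import block earlier in the file failed to bind it; presumably main() already fails on HAS_FIREWALLD before this point, but that check is outside the hunk.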
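Review bot: The new `if masquerade != None:` branch feeds `modification_count`, but the message that fires two lines below still lists only port, service, rich_rule and interface, so a user who combines `masquerade` with another option gets an error that does not name the option at fault. Update it to `module.fail_json(msg='can only operate on port, service, rich_rule, interface or masquerade at once')`. The comparison itself should read `if masquerade is not None:`, the idiom for a None sentinel.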
@@ -502,6 +551,49 @@ def main():
 changed=True
 msgs.append("Removed %s from zone %s" % (interface, zone))
+ if masquerade != None:
+
+ if permanent:
+ is_enabled = get_masquerade_enabled_permanent(zone)
+ msgs.append('Permanent operation')
+
+ if desired_state == "enabled":
+ if is_enabled == False:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_masquerade_permanent(zone, True)
+ changed=True
+ msgs.append("Added masquerade to zone %s" % (zone))
+ elif desired_state == "disabled":
+ if is_enabled == True:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_masquerade_permanent(zone, False)
+ changed=True
+ msgs.append("Removed masquerade from zone %s" % (zone))
+ if immediate or not permanent:
+ is_enabled = get_masquerade_enabled(zone)
+ msgs.append('Non-permanent operation')
+
+ if desired_state == "enabled":
+ if is_enabled == False:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_masquerade_enabled(zone)
+ changed=True
+ msgs.append("Added masquerade to zone %s" % (zone))
+ elif desired_state == "disabled":
+ if is_enabled == True:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_masquerade_disabled(zone)
+ changed=True
+ msgs.append("Removed masquerade from zone %s" % (zone))
+
 module.exit_json(changed=changed, msg=', '.join(msgs))
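Review bot: The masquerade branch repeats the enable/disable/check-mode ladder once for the permanent store and once for the runtime store, so the two copies can drift (today they differ only in which helper they call), and the branch is entered on `masquerade != None` rather than on the option's value, so a false value still changes the firewall. Folding the ladder into a small local helper that takes the current flag and the two mutators keeps a single copy of the check-mode exit and of the messages and leaves one place to add a value check; `changed=True` also wants spaces around `=`. The order below is unchanged — permanent first, then runtime when `immediate` is set or `permanent` is not — and every `msgs` string is kept byte-for-byte. main() starts and continues outside this hunk.
```python
    if masquerade is not None:
        want_enabled = (desired_state == "enabled")

        def _sync_masquerade(is_enabled, enable, disable):
            # Bring one store (permanent or runtime) of the zone's masquerade
            # flag to desired_state; return True when something was changed.
            if is_enabled == want_enabled:
                return False
            if module.check_mode:
                module.exit_json(changed=True)
            if want_enabled:
                enable(zone)
                msgs.append("Added masquerade to zone %s" % (zone))
            else:
                disable(zone)
                msgs.append("Removed masquerade from zone %s" % (zone))
            return True

        if permanent:
            msgs.append('Permanent operation')
            if _sync_masquerade(get_masquerade_enabled_permanent(zone),
                                lambda z: set_masquerade_permanent(z, True),
                                lambda z: set_masquerade_permanent(z, False)):
                changed = True
        if immediate or not permanent:
            msgs.append('Non-permanent operation')
            if _sync_masquerade(get_masquerade_enabled(zone),
                                set_masquerade_enabled,
                                set_masquerade_disabled):
                changed = True
    # … unchanged: final module.exit_json(changed=changed, msg=', '.join(msgs)) …
```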