Basic ability to set masquerade options from ansible, according to current code design/layout (mostly) (#2017)

* Support for masquerade settings Ability to enable and disable masquerade settings from ansible via: - firewalld: mapping=masquerade state=disabled permanent=true zone=dmz Placeholder added (mapping) to support masquerade and port_forward choices initially - port_forward not implemented yet. * Permanent and Immediate zone handling differentiated * Corrected naming abstraction for masquerading functionality Removed mapping tag with port_forward choices - not applicable! * Added version info for new masquerade option Pull Request #2017 failing due to missing version info
9 years ago · e2e0f51739
parent e07cc7d9a2
commit e2e0f51739
1 changed files with 92 additions and 0 deletions
--- a/lib/ansible/modules/extras/system/firewalld.py
+++ b/lib/ansible/modules/extras/system/firewalld.py
@ -80,6 +80,12 @@ options:
      - "The amount of time the rule should be in effect for when non-permanent."
    required: false
    default: 0
+  masquerade:
+    description:
+      - 'The masquerade setting you would like to enable/disable to/from zones within firewalld'
+    required: false
+    default: null
+    version_added: "2.1"
 notes:
  - Not tested on any Debian based system.
  - Requires the python2 bindings of firewalld, who may not be installed by default if the distribution switched to python 3 
@ -95,6 +101,7 @@ EXAMPLES = '''
 - firewalld: rich_rule='rule service name="ftp" audit limit value="1/m" accept' permanent=true state=enabled
 - firewalld: source='192.168.1.0/24' zone=internal state=enabled
 - firewalld: zone=trusted interface=eth2 permanent=true state=enabled
+- firewalld: masquerade=yes state=enabled permanent=true zone=dmz
 '''

 import os
@ -114,6 +121,36 @@ try:
 except ImportError:
    HAS_FIREWALLD = False

+
+#####################
+# masquerade handling
+#
+def get_masquerade_enabled(zone):
+    if fw.queryMasquerade(zone) == True:
+        return True
+    else:
+        return False
+
+def get_masquerade_enabled_permanent(zone):
+    fw_zone = fw.config().getZoneByName(zone)
+    fw_settings = fw_zone.getSettings()
+    if fw_settings.getMasquerade() == True:
+        return True
+    else:
+        return False
+    
+def set_masquerade_enabled(zone):
+    fw.addMasquerade(zone)
+
+def set_masquerade_disabled(zone):
+    fw.removeMasquerade(zone)
+
+def set_masquerade_permanent(zone, masquerade):
+    fw_zone = fw.config().getZoneByName(zone)
+    fw_settings = fw_zone.getSettings()
+    fw_settings.setMasquerade(masquerade)
+    fw_zone.update(fw_settings)
+
 ################
 # port handling
 #
@ -286,6 +323,7 @@ def main():
            state=dict(choices=['enabled', 'disabled'], required=True),
            timeout=dict(type='int',required=False,default=0),
            interface=dict(required=False,default=None),
+            masquerade=dict(required=False,default=None),
        ),
        supports_check_mode=True
    )
@ -325,6 +363,15 @@ def main():
    immediate = module.params['immediate']
    timeout = module.params['timeout']
    interface = module.params['interface']
+    masquerade = module.params['masquerade']
+
+    ## Check for firewalld running
+    try:
+        if fw.connected == False:
+            module.fail_json(msg='firewalld service must be running')
+    except AttributeError:
+        module.fail_json(msg="firewalld connection can't be established,\
+                version likely too old. Requires firewalld >= 2.0.11")

    modification_count = 0
    if service != None:
@ -335,6 +382,8 @@ def main():
        modification_count += 1
    if interface != None:
        modification_count += 1
+    if masquerade != None:
+        modification_count += 1

    if modification_count > 1:
        module.fail_json(msg='can only operate on port, service, rich_rule or interface at once')
@ -502,6 +551,49 @@ def main():
                changed=True
                msgs.append("Removed %s from zone %s" % (interface, zone))

+    if masquerade != None:
+
+        if permanent:
+            is_enabled = get_masquerade_enabled_permanent(zone)
+            msgs.append('Permanent operation')
+            
+            if desired_state == "enabled":
+                if is_enabled == False:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_permanent(zone, True)
+                    changed=True
+                    msgs.append("Added masquerade to zone %s" % (zone))
+            elif desired_state == "disabled":
+                if is_enabled == True:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_permanent(zone, False)
+                    changed=True
+                    msgs.append("Removed masquerade from zone %s" % (zone))
+        if immediate or not permanent:
+            is_enabled = get_masquerade_enabled(zone)
+            msgs.append('Non-permanent operation')
+            
+            if desired_state == "enabled":
+                if is_enabled == False:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_enabled(zone)
+                    changed=True
+                    msgs.append("Added masquerade to zone %s" % (zone))
+            elif desired_state == "disabled":
+                if is_enabled == True:
+                    if module.check_mode:
+                        module.exit_json(changed=True)
+
+                    set_masquerade_disabled(zone)
+                    changed=True
+                    msgs.append("Removed masquerade from zone %s" % (zone))
+
    module.exit_json(changed=changed, msg=', '.join(msgs))