2013-08-13 09:27:45 -05:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2013, Adam Miller (maxamillion@fedoraproject.org)
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
DOCUMENTATION = '''
- - -
module : firewalld
short_description : Manage arbitrary ports / services with firewalld
description :
2014-11-20 20:48:41 +00:00
- This module allows for addition or deletion of services and ports either tcp or udp in either running or permanent firewalld rules .
2013-09-21 01:06:34 -05:00
version_added : " 1.4 "
2013-08-13 09:27:45 -05:00
options :
service :
description :
2014-11-20 20:48:41 +00:00
- " Name of a service to add/remove to/from firewalld - service must be listed in /etc/services. "
2013-08-13 09:27:45 -05:00
required : false
default : null
port :
description :
2014-11-20 20:48:41 +00:00
- " Name of a port or port range to add/remove to/from firewalld. Must be in the form PORT/PROTOCOL or PORT-PORT/PROTOCOL for port ranges. "
2013-08-13 09:27:45 -05:00
required : false
default : null
2013-10-10 20:09:52 +07:00
rich_rule :
description :
2014-11-20 20:48:41 +00:00
- " Rich rule to add/remove to/from firewalld. "
2013-10-10 20:09:52 +07:00
required : false
default : null
2014-11-21 14:26:47 +01:00
source :
description :
- ' The source/network you would like to add/remove to/from firewalld '
required : false
default : null
2015-06-29 14:18:09 +02:00
version_added : " 2.0 "
2013-08-13 09:27:45 -05:00
zone :
description :
- ' The firewalld zone to add/remove to/from (NOTE: default zone can be configured per system but " public " is default from upstream. Available choices can be extended based on per-system configs, listed here are " out of the box " defaults). '
required : false
default : system - default ( public )
2015-08-28 18:38:58 +03:00
choices : [ " work " , " drop " , " internal " , " external " , " trusted " , " home " , " dmz " , " public " , " block " ]
2013-08-13 09:27:45 -05:00
permanent :
description :
2014-11-20 20:48:41 +00:00
- " Should this configuration be in the running firewalld configuration or persist across reboots. "
2016-01-21 08:23:36 -05:00
required : false
default : null
2014-09-26 20:50:10 -04:00
immediate :
description :
- " Should this configuration be applied immediately, if set as permanent "
required : false
default : false
version_added : " 1.9 "
2013-08-13 09:27:45 -05:00
state :
description :
2014-11-20 20:48:41 +00:00
- " Should this port accept(enabled) or reject(disabled) connections. "
2013-08-13 09:27:45 -05:00
required : true
2015-08-28 18:38:58 +03:00
choices : [ " enabled " , " disabled " ]
2013-08-13 09:27:45 -05:00
timeout :
description :
2014-11-20 20:48:41 +00:00
- " The amount of time the rule should be in effect for when non-permanent. "
2013-08-13 09:27:45 -05:00
required : false
default : 0
notes :
2015-05-27 20:54:26 +02:00
- Not tested on any Debian based system .
2015-11-29 23:48:50 +01:00
- Requires the python2 bindings of firewalld , who may not be installed by default if the distribution switched to python 3
2015-05-27 20:54:26 +02:00
requirements : [ ' firewalld >= 0.2.11 ' ]
2015-09-08 15:28:05 +02:00
author : " Adam Miller (@maxamillion) "
2013-08-13 09:27:45 -05:00
'''
EXAMPLES = '''
- firewalld : service = https permanent = true state = enabled
- firewalld : port = 8081 / tcp permanent = true state = disabled
2014-11-20 20:48:41 +00:00
- firewalld : port = 161 - 162 / udp permanent = true state = enabled
2013-08-13 09:27:45 -05:00
- firewalld : zone = dmz service = http permanent = true state = enabled
2013-10-10 20:09:52 +07:00
- firewalld : rich_rule = ' rule service name= " ftp " audit limit value= " 1/m " accept ' permanent = true state = enabled
2014-11-21 14:26:47 +01:00
- firewalld : source = ' 192.168.1.0/24 ' zone = internal state = enabled
2013-08-13 09:27:45 -05:00
'''
import os
import re
try :
2013-08-16 17:29:57 -05:00
import firewall . config
FW_VERSION = firewall . config . VERSION
2015-10-11 23:17:23 +10:00
from firewall . client import Rich_Rule
2013-08-13 09:27:45 -05:00
from firewall . client import FirewallClient
fw = FirewallClient ( )
2015-10-21 13:36:28 +02:00
if not fw . connected :
HAS_FIREWALLD = False
else :
HAS_FIREWALLD = True
2013-08-13 09:27:45 -05:00
except ImportError :
2015-05-27 20:54:26 +02:00
HAS_FIREWALLD = False
2013-08-13 09:27:45 -05:00
################
# port handling
#
def get_port_enabled ( zone , port_proto ) :
if port_proto in fw . getPorts ( zone ) :
return True
else :
return False
def set_port_enabled ( zone , port , protocol , timeout ) :
fw . addPort ( zone , port , protocol , timeout )
def set_port_disabled ( zone , port , protocol ) :
fw . removePort ( zone , port , protocol )
def get_port_enabled_permanent ( zone , port_proto ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
if tuple ( port_proto ) in fw_settings . getPorts ( ) :
return True
else :
return False
def set_port_enabled_permanent ( zone , port , protocol ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . addPort ( port , protocol )
fw_zone . update ( fw_settings )
def set_port_disabled_permanent ( zone , port , protocol ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . removePort ( port , protocol )
fw_zone . update ( fw_settings )
2014-11-21 14:26:47 +01:00
####################
# source handling
2015-09-08 15:28:05 +02:00
#
2014-11-21 14:26:47 +01:00
def get_source ( zone , source ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
if source in fw_settings . getSources ( ) :
return True
else :
return False
def add_source ( zone , source ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . addSource ( source )
2015-09-08 15:28:05 +02:00
fw_zone . update ( fw_settings )
2014-11-21 14:26:47 +01:00
def remove_source ( zone , source ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . removeSource ( source )
2015-09-08 15:28:05 +02:00
fw_zone . update ( fw_settings )
2013-08-13 09:27:45 -05:00
####################
# service handling
#
2013-10-02 18:52:53 -05:00
def get_service_enabled ( zone , service ) :
2013-08-13 09:27:45 -05:00
if service in fw . getServices ( zone ) :
return True
else :
return False
def set_service_enabled ( zone , service , timeout ) :
fw . addService ( zone , service , timeout )
def set_service_disabled ( zone , service ) :
fw . removeService ( zone , service )
def get_service_enabled_permanent ( zone , service ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
if service in fw_settings . getServices ( ) :
return True
else :
return False
def set_service_enabled_permanent ( zone , service ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . addService ( service )
fw_zone . update ( fw_settings )
def set_service_disabled_permanent ( zone , service ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . removeService ( service )
fw_zone . update ( fw_settings )
2015-09-08 15:28:05 +02:00
2013-10-10 20:09:52 +07:00
####################
# rich rule handling
#
def get_rich_rule_enabled ( zone , rule ) :
2015-10-11 23:17:23 +10:00
# Convert the rule string to standard format
# before checking whether it is present
rule = str ( Rich_Rule ( rule_str = rule ) )
2013-10-10 20:09:52 +07:00
if rule in fw . getRichRules ( zone ) :
return True
else :
return False
def set_rich_rule_enabled ( zone , rule , timeout ) :
fw . addRichRule ( zone , rule , timeout )
def set_rich_rule_disabled ( zone , rule ) :
fw . removeRichRule ( zone , rule )
def get_rich_rule_enabled_permanent ( zone , rule ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
2015-10-11 23:17:23 +10:00
# Convert the rule string to standard format
# before checking whether it is present
rule = str ( Rich_Rule ( rule_str = rule ) )
2013-10-10 20:09:52 +07:00
if rule in fw_settings . getRichRules ( ) :
return True
else :
return False
def set_rich_rule_enabled_permanent ( zone , rule ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . addRichRule ( rule )
fw_zone . update ( fw_settings )
def set_rich_rule_disabled_permanent ( zone , rule ) :
fw_zone = fw . config ( ) . getZoneByName ( zone )
fw_settings = fw_zone . getSettings ( )
fw_settings . removeRichRule ( rule )
fw_zone . update ( fw_settings )
2013-08-13 09:27:45 -05:00
def main ( ) :
module = AnsibleModule (
argument_spec = dict (
service = dict ( required = False , default = None ) ,
port = dict ( required = False , default = None ) ,
2013-10-10 20:09:52 +07:00
rich_rule = dict ( required = False , default = None ) ,
2013-08-13 09:27:45 -05:00
zone = dict ( required = False , default = None ) ,
2014-09-26 20:50:10 -04:00
immediate = dict ( type = ' bool ' , default = False ) ,
2014-11-21 14:26:47 +01:00
source = dict ( required = False , default = None ) ,
permanent = dict ( type = ' bool ' , required = False , default = None ) ,
2013-08-13 09:27:45 -05:00
state = dict ( choices = [ ' enabled ' , ' disabled ' ] , required = True ) ,
2013-10-10 13:41:42 +07:00
timeout = dict ( type = ' int ' , required = False , default = 0 ) ,
2013-08-13 09:27:45 -05:00
) ,
supports_check_mode = True
)
2014-11-21 14:26:47 +01:00
if module . params [ ' source ' ] == None and module . params [ ' permanent ' ] == None :
module . fail ( msg = ' permanent is a required parameter ' )
2013-08-13 09:27:45 -05:00
2015-05-27 20:54:26 +02:00
if not HAS_FIREWALLD :
2015-11-29 23:48:50 +01:00
module . fail_json ( msg = ' firewalld and its python 2 module are required for this module ' )
2015-05-27 20:54:26 +02:00
2013-08-16 17:29:57 -05:00
## Pre-run version checking
if FW_VERSION < " 0.2.11 " :
module . fail_json ( msg = ' unsupported version of firewalld, requires >= 2.0.11 ' )
2013-08-13 09:27:45 -05:00
## Global Vars
changed = False
msgs = [ ]
service = module . params [ ' service ' ]
2013-10-10 20:09:52 +07:00
rich_rule = module . params [ ' rich_rule ' ]
2014-11-21 14:26:47 +01:00
source = module . params [ ' source ' ]
2013-08-13 09:27:45 -05:00
if module . params [ ' port ' ] != None :
port , protocol = module . params [ ' port ' ] . split ( ' / ' )
if protocol == None :
module . fail_json ( msg = ' improper port format (missing protocol?) ' )
else :
port = None
if module . params [ ' zone ' ] != None :
zone = module . params [ ' zone ' ]
else :
zone = fw . getDefaultZone ( )
permanent = module . params [ ' permanent ' ]
desired_state = module . params [ ' state ' ]
2014-09-26 20:50:10 -04:00
immediate = module . params [ ' immediate ' ]
2013-08-13 09:27:45 -05:00
timeout = module . params [ ' timeout ' ]
## Check for firewalld running
2013-09-09 10:03:59 -05:00
try :
if fw . connected == False :
module . fail_json ( msg = ' firewalld service must be running ' )
except AttributeError :
module . fail_json ( msg = " firewalld connection can ' t be established, \
version likely too old . Requires firewalld > = 2.0 .11 " )
2013-08-13 09:27:45 -05:00
2013-10-10 20:09:52 +07:00
modification_count = 0
if service != None :
modification_count + = 1
if port != None :
modification_count + = 1
if rich_rule != None :
modification_count + = 1
if modification_count > 1 :
module . fail_json ( msg = ' can only operate on port, service or rich_rule at once ' )
2013-08-13 09:27:45 -05:00
if service != None :
if permanent :
is_enabled = get_service_enabled_permanent ( zone , service )
msgs . append ( ' Permanent operation ' )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
set_service_enabled_permanent ( zone , service )
changed = True
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
set_service_disabled_permanent ( zone , service )
changed = True
2014-09-26 20:50:10 -04:00
if immediate or not permanent :
2013-08-13 09:27:45 -05:00
is_enabled = get_service_enabled ( zone , service )
msgs . append ( ' Non-permanent operation ' )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
set_service_enabled ( zone , service , timeout )
changed = True
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
set_service_disabled ( zone , service )
changed = True
if changed == True :
msgs . append ( " Changed service %s to %s " % ( service , desired_state ) )
2014-11-21 14:26:47 +01:00
if source != None :
is_enabled = get_source ( zone , source )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
add_source ( zone , source )
changed = True
msgs . append ( " Added %s to zone %s " % ( source , zone ) )
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
remove_source ( zone , source )
changed = True
msgs . append ( " Removed %s from zone %s " % ( source , zone ) )
2013-08-13 09:27:45 -05:00
if port != None :
if permanent :
is_enabled = get_port_enabled_permanent ( zone , [ port , protocol ] )
msgs . append ( ' Permanent operation ' )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
set_port_enabled_permanent ( zone , port , protocol )
changed = True
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
set_port_disabled_permanent ( zone , port , protocol )
changed = True
2014-09-26 20:50:10 -04:00
if immediate or not permanent :
2013-08-13 09:27:45 -05:00
is_enabled = get_port_enabled ( zone , [ port , protocol ] )
msgs . append ( ' Non-permanent operation ' )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
set_port_enabled ( zone , port , protocol , timeout )
changed = True
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
set_port_disabled ( zone , port , protocol )
changed = True
if changed == True :
msgs . append ( " Changed port %s to %s " % ( " %s / %s " % ( port , protocol ) , \
desired_state ) )
2013-10-10 20:09:52 +07:00
if rich_rule != None :
if permanent :
is_enabled = get_rich_rule_enabled_permanent ( zone , rich_rule )
msgs . append ( ' Permanent operation ' )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
set_rich_rule_enabled_permanent ( zone , rich_rule )
changed = True
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
set_rich_rule_disabled_permanent ( zone , rich_rule )
changed = True
2014-09-26 20:50:10 -04:00
if immediate or not permanent :
2013-10-10 20:09:52 +07:00
is_enabled = get_rich_rule_enabled ( zone , rich_rule )
msgs . append ( ' Non-permanent operation ' )
if desired_state == " enabled " :
if is_enabled == False :
if module . check_mode :
module . exit_json ( changed = True )
set_rich_rule_enabled ( zone , rich_rule , timeout )
changed = True
elif desired_state == " disabled " :
if is_enabled == True :
if module . check_mode :
module . exit_json ( changed = True )
set_rich_rule_disabled ( zone , rich_rule )
changed = True
if changed == True :
msgs . append ( " Changed rich_rule %s to %s " % ( rich_rule , desired_state ) )
2013-08-13 09:27:45 -05:00
module . exit_json ( changed = changed , msg = ' , ' . join ( msgs ) )
#################################################
2013-12-02 15:11:23 -05:00
# import module snippets
from ansible . module_utils . basic import *
2013-08-13 09:27:45 -05:00
main ( )