#!powershell
#
# (c) 2014, Timothy Vandenbrande <timothy.vandenbrande@gmail.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
# WANT_JSON
# POWERSHELL_COMMON
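function getFirewallRule ($fwsettings) {
    # Look up every firewall rule whose name is $fwsettings.'Rule Name' via
    # "netsh advfirewall firewall show rule ... verbose" and compare each of
    # them against the requested settings.
    #
    # Returns a hashtable with:
    #   failed     - $true only if netsh could not be run or parsing threw
    #   exists     - at least one rule with that name was printed by netsh
    #   multiple   - more than one rule shares the name
    #   identical  - every rule found carries every requested value
    #   difference - one "Key: current='...', requested='...'" string per mismatch
    #   msg        - human-readable progress messages
    #   error      - the exception message, only when failed is $true
    #
    # The name is handed to netsh as a single argument, so PowerShell itself
    # never parses it as code. netsh may still mis-tokenise a name that
    # contains a double quote; not verified here.
    $msg = @()
    try {
        $rawoutput = @(netsh advfirewall firewall show rule name="$($fwsettings.'Rule Name')" verbose)

        # netsh prints one "Key: value" line per property and introduces each
        # rule with a "Rule Name:" line. Collect one hashtable per rule rather
        # than keeping only the last one, so duplicate names are detected.
        $rules = @()
        if (!($rawoutput -eq 'No rules match the specified criteria.')) {
            $current = @{}
            ForEach ($line in $rawoutput) {
                if ($line -match '^([^:]+):\s*(\S.*)$') {
                    if (($Matches[1] -eq 'Rule Name') -and ($current.Count -gt 0)) {
                        $rules += ,$current
                        $current = @{}
                    }
                    $current.$($Matches[1]) = $Matches[2]
                }
            }
            if ($current.Count -gt 0) {
                $rules += ,$current
            }
        }

        $exists = $false
        $correct = $false
        $multi = $false
        $difference = @()

        if ($rules.Count -gt 0) {
            $exists = $true
            $msg += @("The rule '" + $fwsettings.'Rule Name' + "' exists.")
            if ($rules.Count -gt 1) {
                $multi = $true
                $msg += @("The rule '" + $fwsettings.'Rule Name' + "' has multiple entries.")
            }
            # Values are compared as case-insensitive strings against the text
            # netsh prints. NOTE(review): a requested value that netsh displays
            # in another form (for instance an "any" profile printed as a list
            # of profiles) would be reported as a difference on every run --
            # confirm against real netsh output before relying on identical for
            # idempotence.
            ForEach ($rule in $rules) {
                ForEach ($fwsetting in $fwsettings.GetEnumerator()) {
                    $requested = $fwsetting.Value
                    $actual = $rule.$($fwsetting.Key)
                    if ($actual -ne $requested) {
                        # Inherited special case: a single RemoteIP is accepted
                        # when netsh reports it as "addr-addr".
                        if (($fwsetting.Key -eq 'RemoteIP') -and ($actual -eq ($requested + '-' + $requested))) {
                            continue
                        }
                        # Inherited special case: DisplayName is matched against
                        # the rule's name.
                        if (($fwsetting.Key -eq 'DisplayName') -and ($rule.'Rule Name' -eq $requested)) {
                            continue
                        }
                        $difference += @("$($fwsetting.Key): current='$actual', requested='$requested'")
                    }
                }
            }
            $correct = ($difference.Count -eq 0)
            if ($correct) {
                $msg += @("An identical rule exists")
            } else {
                $msg += @("The rule exists but has different values")
            }
        } else {
            $msg += @("No rule could be found")
        }

        $result = @{
            failed = $false
            exists = $exists
            identical = $correct
            multiple = $multi
            difference = $difference
            msg = $msg
        }
    } catch [Exception] {
        $result = @{
            failed = $true
            error = $_.Exception.Message
            msg = $msg
        }
    }
    return $result
}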
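function createFireWallRule ($fwsettings) {
    # Create one rule with "netsh advfirewall firewall add rule", mapping the
    # $fwsettings keys onto netsh argument names (Direction -> dir,
    # Rule Name -> name, Enabled -> enable, Profiles -> profile, everything
    # else lower-cased).
    #
    # Returns a hashtable with failed/changed/output/msg, plus error when
    # failed is $true.
    #
    # The arguments are passed to netsh as a list rather than concatenated
    # into a string and run through Invoke-Expression: with Invoke-Expression
    # any value containing a double quote, a semicolon or a $(...)
    # subexpression would be parsed and executed as PowerShell code in the
    # module's context. Passing them as arguments means PowerShell never
    # evaluates them; netsh still receives each "key=value" as one token.
    $msg = @()
    $output = $null
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule')

    ForEach ($fwsetting in $fwsettings.GetEnumerator()) {
        switch ($fwsetting.key) {
            'Direction' { $key = 'dir' }
            'Rule Name' { $key = 'name' }
            'Enabled'   { $key = 'enable' }
            'Profiles'  { $key = 'profile' }
            default     { $key = $($fwsetting.key).ToLower() }
        }
        $netshArgs += "$key=$($fwsetting.value)"
    }

    try {
        $output = $(& netsh @netshArgs | ? {$_})
        # netsh signals a rejected rule through its exit code, not an
        # exception, so check it: otherwise a refused add would be reported
        # as changed=$true / failed=$false.
        if ($LASTEXITCODE -ne 0) {
            throw "netsh exited with code ${LASTEXITCODE}: $($output -join ' ')"
        }
        $msg += @("Created firewall rule $($fwsettings.'Rule Name')")

        $result = @{
            failed = $false
            output = $output
            changed = $true
            msg = $msg
        }
    } catch [Exception] {
        $msg = @("Failed to create the rule")
        $result = @{
            output = $output
            failed = $true
            error = $_.Exception.Message
            msg = $msg
        }
    }
    return $result
}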
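function removeFireWallRule ($fwsettings) {
    # Delete the rule(s) named $fwsettings.'Rule Name' with
    # "netsh advfirewall firewall delete rule name=...". The delete is by
    # name only, so every rule sharing that name is removed, not just the
    # one whose other settings were compared earlier.
    #
    # Returns a hashtable with failed/changed/msg/output, plus error when
    # failed is $true. output holds any "Key: value" lines netsh printed,
    # parsed into a hashtable; presumably empty for a plain delete -- confirm
    # against netsh output.
    $msg = @()
    $output = @{}
    try {
        $rawoutput = @(netsh advfirewall firewall delete rule name="$($fwsettings.'Rule Name')")
        # netsh reports a failed delete through its exit code rather than an
        # exception; without this check a no-op delete would be reported as
        # changed=$true / failed=$false.
        if ($LASTEXITCODE -ne 0) {
            throw "netsh exited with code ${LASTEXITCODE}: $($rawoutput -join ' ')"
        }
        ForEach ($line in $rawoutput) {
            if ($line -match '^([^:]+):\s*(\S.*)$') {
                $output.$($Matches[1]) = $Matches[2]
            }
        }
        $msg += @("Removed the rule")
        $result = @{
            failed = $false
            changed = $true
            msg = $msg
            output = $output
        }
    } catch [Exception] {
        $msg += @("Failed to remove the rule")
        $result = @{
            failed = $true
            error = $_.Exception.Message
            msg = $msg
        }
    }
    return $result
}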
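# Module body: read the task arguments, describe the requested rule as a
# hashtable keyed by the property names netsh prints, then reconcile it with
# the rules present on the host.
$change=$false;
$fail=$false;
$msg=@();
$fwsettings=@{}

# Emit the failure result for a helper call that reported failed=$true and
# stop the module. Every failure path reports the same set of keys so
# callers can rely on them.
function exitWithFailure ($capture, $changed, $messages, $difference, $settings) {
    $result=New-Object psobject @{
        failed=$true
        changed=$changed
        error=$capture.error
        output=$capture.output
        msg=$messages
        difference=$difference
        fwsettings=$settings
    };
    Exit-Json $result;
}

# Parse the arguments
$params=Parse-Args $args;

$name = Get-AnsibleParam -obj $params -name "name" -failifempty $true
$direction = Get-AnsibleParam -obj $params -name "direction" -failifempty $true -validateSet "in","out"
$action = Get-AnsibleParam -obj $params -name "action" -failifempty $true -validateSet "allow","block","bypass"
$program = Get-AnsibleParam -obj $params -name "program"
$service = Get-AnsibleParam -obj $params -name "service" -default "any"
$description = Get-AnsibleParam -obj $params -name "description"
$enable = ConvertTo-Bool (Get-AnsibleParam -obj $params -name "enable" -default "true")
$winprofile = Get-AnsibleParam -obj $params -name "profile" -default "any"
$localip = Get-AnsibleParam -obj $params -name "localip" -default "any"
$remoteip = Get-AnsibleParam -obj $params -name "remoteip" -default "any"
$localport = Get-AnsibleParam -obj $params -name "localport" -default "any"
$remoteport = Get-AnsibleParam -obj $params -name "remoteport" -default "any"
$protocol = Get-AnsibleParam -obj $params -name "protocol" -default "any"

$state = Get-AnsibleParam -obj $params -name "state" -failifempty $true -validateSet "present","absent"
$force = ConvertTo-Bool (Get-AnsibleParam -obj $params -name "force" -default "false")

# Translate the arguments into the property names netsh uses, so one
# hashtable drives both the comparison and the "add rule" command.
# Only direction, action and state are restricted to a value set here; the
# other values (ports, addresses, protocol, profile, service, program) are
# passed through to netsh unchanged and left for netsh to reject.
If ($enable -eq $true) {
    $fwsettings.Add("Enabled", "yes");
} Else {
    $fwsettings.Add("Enabled", "no");
};

$fwsettings.Add("Rule Name", $name)

$state = $state.ToString().ToLower()
If ($state -eq "present"){
    $fwsettings.Add("Direction", $direction)
    $fwsettings.Add("Action", $action)
};

If ($description) {
    $fwsettings.Add("Description", $description);
}

If ($program) {
    $fwsettings.Add("Program", $program);
}

$fwsettings.Add("LocalIP", $localip);
$fwsettings.Add("RemoteIP", $remoteip);
$fwsettings.Add("LocalPort", $localport);
$fwsettings.Add("RemotePort", $remoteport);
$fwsettings.Add("Service", $service);
$fwsettings.Add("Protocol", $protocol);
$fwsettings.Add("Profiles", $winprofile)

$output=@()
$capture=getFirewallRule ($fwsettings);
if ($capture.failed -eq $true) {
    $msg+=$capture.msg;
    exitWithFailure $capture $false $msg @() $fwsettings
}
$diff=$capture.difference
$msg+=$capture.msg;

switch ($state){
    "present" {
        if ($capture.exists -eq $false) {
            $capture=createFireWallRule($fwsettings);
            $msg+=$capture.msg;
            $change=$true;
            if ($capture.failed -eq $true){
                exitWithFailure $capture $change $msg $diff $fwsettings
            }
        } elseif ($capture.identical -eq $false) {
            if ($force -eq $true) {
                # force replaces the rule: the delete is by name, so every
                # rule sharing this name is removed before the single
                # requested rule is recreated.
                $capture=removeFirewallRule($fwsettings);
                $msg+=$capture.msg;
                $change=$true;
                if ($capture.failed -eq $true){
                    exitWithFailure $capture $change $msg $diff $fwsettings
                }
                # From here on the old rule is gone; if the create fails the
                # host is left without any rule of this name, and the failure
                # result reports changed=$true so the caller can tell.
                $capture=createFireWallRule($fwsettings);
                $msg+=$capture.msg;
                $change=$true;
                if ($capture.failed -eq $true){
                    exitWithFailure $capture $change $msg $diff $fwsettings
                }
            } else {
                $fail=$true
                $msg+=@("There was already a rule $name with different values, use force=True to overwrite it");
            }
        } elseif ($capture.identical -eq $true) {
            $msg+=@("Firewall rule $name was already created");
        };
    }
    "absent" {
        if ($capture.exists -eq $true) {
            $capture=removeFirewallRule($fwsettings);
            $msg+=$capture.msg;
            $change=$true;
            if ($capture.failed -eq $true){
                exitWithFailure $capture $change $msg $diff $fwsettings
            }
        } else {
            $msg+=@("Firewall rule $name did not exist");
        };
    }
};

$result=New-Object psobject @{
    failed=$fail
    changed=$change
    msg=$msg
    difference=$diff
    fwsettings=$fwsettings
};

Exit-Json $result;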
|