diff --git a/net_infrastructure/firewalld b/net_infrastructure/firewalld
new file mode 100644
index 00000000000..01d4f3fae6e
--- /dev/null
+++ b/net_infrastructure/firewalld
@@ -0,0 +1,299 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# (c) 2013, Adam Miller (maxamillion@fedoraproject.org)
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+
+DOCUMENTATION = '''
+---
+module: firewalld
+short_description: Manage arbitrary ports/services with firewalld
+description:
+ - This module allows for addition or deletion of services and ports either tcp or udp in either running or permanent firewalld rules
+version_added: "1.3"
+options:
+ service:
+ description:
+ - "Name of a service to add/remove to/from firewalld - service must be listed in /etc/services"
+ required: false
+ default: null
+ port:
+ description:
+ - "Name of a port to add/remove to/from firewalld must be in the form PORT/PROTOCOL"
+ required: false
+ default: null
+ zone:
+ description:
+ - 'The firewalld zone to add/remove to/from (NOTE: default zone can be configured per system but "public" is default from upstream. Available choices can be extended based on per-system configs, listed here are "out of the box" defaults).'
+ required: false
+ default: system-default(public)
+ choices: [ "work", "drop", "internal", "external", "trusted", "home", "dmz", "public", "block"]
+ permanent:
+ description:
+ - "Should this configuration be in the running firewalld configuration or persist across reboots"
+ required: true
+ default: true
+ state:
+ description:
+ - "Should this port accept(enabled) or reject(disabled) connections"
+ required: true
+ default: enabled
+ timeout:
+ description:
+ - "The amount of time the rule should be in effect for when non-permanent"
+ required: false
+ default: 0
+notes:
+ - Not tested on any debian based system
+requirements: [ firewalld >= 0.2.11 ]
+author: Adam Miller
+'''
+
+EXAMPLES = '''
+- firewalld: service=https permanent=true state=enabled
+- firewalld: port=8081/tcp permanent=true state=disabled
+- firewalld: zone=dmz service=http permanent=true state=enabled
+'''
+
+import os
+import re
+import sys
+
+try:
+ import firewall.config
+ FW_VERSION = firewall.config.VERSION
+
+ from firewall.client import FirewallClient
+ fw = FirewallClient()
+except ImportError:
+ print "fail=True msg='firewalld required for this module'"
+ sys.exit(1)
+
+################
+# port handling
+#
+def get_port_enabled(zone, port_proto):
+ if port_proto in fw.getPorts(zone):
+ return True
+ else:
+ return False
+
+def set_port_enabled(zone, port, protocol, timeout):
+ fw.addPort(zone, port, protocol, timeout)
+
+def set_port_disabled(zone, port, protocol):
+ fw.removePort(zone, port, protocol)
+
+def get_port_enabled_permanent(zone, port_proto):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ if tuple(port_proto) in fw_settings.getPorts():
+ return True
+ else:
+ return False
+
+def set_port_enabled_permanent(zone, port, protocol):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ fw_settings.addPort(port, protocol)
+ fw_zone.update(fw_settings)
+
+def set_port_disabled_permanent(zone, port, protocol):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ fw_settings.removePort(port, protocol)
+ fw_zone.update(fw_settings)
+
+
+####################
+# service handling
+#
+def get_service_enabled(zone):
+ if service in fw.getServices(zone):
+ return True
+ else:
+ return False
+
+def set_service_enabled(zone, service, timeout):
+ fw.addService(zone, service, timeout)
+
+def set_service_disabled(zone, service):
+ fw.removeService(zone, service)
+
+def get_service_enabled_permanent(zone, service):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ if service in fw_settings.getServices():
+ return True
+ else:
+ return False
+
+def set_service_enabled_permanent(zone, service):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ fw_settings.addService(service)
+ fw_zone.update(fw_settings)
+
+def set_service_disabled_permanent(zone, service):
+ fw_zone = fw.config().getZoneByName(zone)
+ fw_settings = fw_zone.getSettings()
+ fw_settings.removeService(service)
+ fw_zone.update(fw_settings)
+
+def main():
+
+ module = AnsibleModule(
+ argument_spec = dict(
+ service=dict(required=False,default=None),
+ port=dict(required=False,default=None),
+ zone=dict(required=False,default=None),
+ permanent=dict(type='bool',required=True),
+ state=dict(choices=['enabled', 'disabled'], required=True),
+ timeout=dict(required=False,default=0),
+ ),
+ supports_check_mode=True
+ )
+
+ ## Pre-run version checking
+ if FW_VERSION < "0.2.11":
+ module.fail_json(msg='unsupported version of firewalld, requires >= 2.0.11')
+
+ ## Global Vars
+ changed=False
+ msgs = []
+ service = module.params['service']
+
+ if module.params['port'] != None:
+ port, protocol = module.params['port'].split('/')
+ if protocol == None:
+ module.fail_json(msg='improper port format (missing protocol?)')
+ else:
+ port = None
+
+ if module.params['zone'] != None:
+ zone = module.params['zone']
+ else:
+ zone = fw.getDefaultZone()
+
+ permanent = module.params['permanent']
+ desired_state = module.params['state']
+ timeout = module.params['timeout']
+
+ ## Check for firewalld running
+ try:
+ if fw.connected == False:
+ module.fail_json(msg='firewalld service must be running')
+ except AttributeError:
+ module.fail_json(msg="firewalld connection can't be established,\
+ version likely too old. Requires firewalld >= 2.0.11")
+
+ if service != None and port != None:
+ module.fail_json(msg='can only operate on port or service at once')
+
+ if service != None:
+ if permanent:
+ is_enabled = get_service_enabled_permanent(zone, service)
+ msgs.append('Permanent operation')
+
+ if desired_state == "enabled":
+ if is_enabled == False:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_service_enabled_permanent(zone, service)
+ changed=True
+ elif desired_state == "disabled":
+ if is_enabled == True:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_service_disabled_permanent(zone, service)
+ changed=True
+ else:
+ is_enabled = get_service_enabled(zone, service)
+ msgs.append('Non-permanent operation')
+
+
+ if desired_state == "enabled":
+ if is_enabled == False:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_service_enabled(zone, service, timeout)
+ changed=True
+ elif desired_state == "disabled":
+ if is_enabled == True:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_service_disabled(zone, service)
+ changed=True
+
+ if changed == True:
+ msgs.append("Changed service %s to %s" % (service, desired_state))
+
+ if port != None:
+ if permanent:
+ is_enabled = get_port_enabled_permanent(zone, [port, protocol])
+ msgs.append('Permanent operation')
+
+ if desired_state == "enabled":
+ if is_enabled == False:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_port_enabled_permanent(zone, port, protocol)
+ changed=True
+ elif desired_state == "disabled":
+ if is_enabled == True:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_port_disabled_permanent(zone, port, protocol)
+ changed=True
+ else:
+ is_enabled = get_port_enabled(zone, [port,protocol])
+ msgs.append('Non-permanent operation')
+
+ if desired_state == "enabled":
+ if is_enabled == False:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_port_enabled(zone, port, protocol, timeout)
+ changed=True
+ elif desired_state == "disabled":
+ if is_enabled == True:
+ if module.check_mode:
+ module.exit_json(changed=True)
+
+ set_port_disabled(zone, port, protocol)
+ changed=True
+
+ if changed == True:
+ msgs.append("Changed port %s to %s" % ("%s/%s" % (port, protocol), \
+ desired_state))
+
+ module.exit_json(changed=changed, msg=', '.join(msgs))
+
+
+#################################################
+# include magic from lib/ansible/module_common.py
+#<>
+
+main()
+