firewalld: add zone target set (#526)

* firewalld: add zone target set Fixes https://github.com/ansible/ansible/issues/49232 Signed-off-by: Adam Miller <admiller@redhat.com> * fix sanity tests, add example of zone target setting Signed-off-by: Adam Miller <admiller@redhat.com> * test different zone/target combination as we're not hitting default settings Signed-off-by: Adam Miller <admiller@redhat.com> * fix enabled values for zone operations Signed-off-by: Adam Miller <admiller@redhat.com> * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
2025-07-22 04:40:22 -07:00 · 2020-06-19 16:04:17 -05:00 · 2020-06-19 16:04:17 -05:00 · 42c5cdf01a
commit 42c5cdf01a
parent 42a43586f1
4 changed files with 154 additions and 1 deletions
--- a/plugins/modules/system/firewalld.py
+++ b/plugins/modules/system/firewalld.py
@ -83,6 +83,13 @@ options:
    description:
      - Whether to run this module even when firewalld is offline.
    type: bool
+  target:
+    description:
+      - firewalld Zone target
+      - If state is set to C(absent), this will reset the target to default
+    choices: [ default, ACCEPT, DROP, REJECT ]
+    type: str
+    version_added: 0.2.0
 notes:
  - Not tested on any Debian based system.
  - Requires the python2 bindings of firewalld, which may not be installed by default.
@ -161,6 +168,12 @@ EXAMPLES = r'''
    permanent: yes
    icmp_block: echo-request

+- firewalld:
+    zone: internal
+    state: present
+    permanent: yes
+    target: ACCEPT
+
 - name: Redirect port 443 to 8443 with Rich Rule
  firewalld:
    rich_rule: rule family=ipv4 forward-port port=443 protocol=tcp to-port=8443
@ -568,6 +581,53 @@ class SourceTransaction(FirewallTransaction):
        self.update_fw_settings(fw_zone, fw_settings)


+class ZoneTargetTransaction(FirewallTransaction):
+    """
+    ZoneTargetTransaction
+    """
+
+    def __init__(self, module, action_args=None, zone=None, desired_state=None,
+                 permanent=True, immediate=False, enabled_values=None, disabled_values=None):
+        super(ZoneTargetTransaction, self).__init__(
+            module, action_args=action_args, desired_state=desired_state, zone=zone,
+            permanent=permanent, immediate=immediate,
+            enabled_values=enabled_values or ["present", "enabled"],
+            disabled_values=disabled_values or ["absent", "disabled"])
+
+        self.enabled_msg = "Set zone %s target to %s" % \
+            (self.zone, action_args[0])
+
+        self.disabled_msg = "Reset zone %s target to default" % \
+            (self.zone)
+
+        self.tx_not_permanent_error_msg = "Zone operations must be permanent. " \
+            "Make sure you didn't set the 'permanent' flag to 'false' or the 'immediate' flag to 'true'."
+
+    def get_enabled_immediate(self, target):
+        self.module.fail_json(msg=self.tx_not_permanent_error_msg)
+
+    def get_enabled_permanent(self, target):
+        fw_zone, fw_settings = self.get_fw_zone_settings()
+        current_target = fw_settings.getTarget()
+        return (current_target == target)
+
+    def set_enabled_immediate(self, target):
+        self.module.fail_json(msg=self.tx_not_permanent_error_msg)
+
+    def set_enabled_permanent(self, target):
+        fw_zone, fw_settings = self.get_fw_zone_settings()
+        fw_settings.setTarget(target)
+        self.update_fw_settings(fw_zone, fw_settings)
+
+    def set_disabled_immediate(self, target):
+        self.module.fail_json(msg=self.tx_not_permanent_error_msg)
+
+    def set_disabled_permanent(self, target):
+        fw_zone, fw_settings = self.get_fw_zone_settings()
+        fw_settings.setTarget("default")
+        self.update_fw_settings(fw_zone, fw_settings)
+
+
 class ZoneTransaction(FirewallTransaction):
    """
    ZoneTransaction
@ -633,10 +693,12 @@ def main():
            interface=dict(type='str'),
            masquerade=dict(type='str'),
            offline=dict(type='bool'),
+            target=dict(type='str', required=False, choices=['default', 'ACCEPT', 'DROP', 'REJECT']),
        ),
        supports_check_mode=True,
        required_by=dict(
            interface=('zone',),
+            target=('zone',),
            source=('permanent',),
        ),
    )
@ -668,6 +730,7 @@ def main():
    rich_rule = module.params['rich_rule']
    source = module.params['source']
    zone = module.params['zone']
+    target = module.params['target']

    if module.params['port'] is not None:
        if '/' in module.params['port']:
@ -696,12 +759,14 @@ def main():
        modification_count += 1
    if source is not None:
        modification_count += 1
+    if target is not None:
+        modification_count += 1

    if modification_count > 1:
        module.fail_json(
            msg='can only operate on port, service, rich_rule, masquerade, icmp_block, icmp_block_inversion, interface or source at once'
        )
-    elif modification_count > 0 and desired_state in ['absent', 'present']:
+    elif (modification_count > 0) and (desired_state in ['absent', 'present']) and (target is None):
        module.fail_json(
            msg='absent and present state can only be used in zone level operations'
        )
@ -832,6 +897,20 @@ def main():
        changed, transaction_msgs = transaction.run()
        msgs = msgs + transaction_msgs

+    if target is not None:
+
+        transaction = ZoneTargetTransaction(
+            module,
+            action_args=(target,),
+            zone=zone,
+            desired_state=desired_state,
+            permanent=permanent,
+            immediate=immediate,
+        )
+
+        changed, transaction_msgs = transaction.run()
+        msgs = msgs + transaction_msgs
+
    ''' If there are no changes within the zone we are operating on the zone itself '''
    if modification_count == 0 and desired_state in ['absent', 'present']: