
Firewalld: direct rules support #21439

Open
lf- opened this Issue Feb 15, 2017 · 15 comments

@lf-

lf- commented Feb 15, 2017

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

firewalld module

ANSIBLE VERSION
ansible 2.3.0 (devel 9f2d8c2409) last updated 2017/01/01 20:16:08 (GMT -600)
  config file = /home/lf/.ansible.cfg
  configured module search path = Default w/o overrides
CONFIGURATION
OS / ENVIRONMENT

Fedora 25 Server

SUMMARY

It is not currently possible to reproduce configurations such as the one created by running `firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner $UID -j ACCEPT`, because the firewalld module doesn't support direct rules.

See previous issue at ansible/ansible-modules-extras#209.
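The rule in the summary (an `owner` match on the OUTPUT chain) and the idempotency a module would need around it, as an added example in Python. This is not code from ansible/ansible, from the firewalld module, or from any PR linked in this issue. It assumes that `firewall-cmd --permanent --direct --get-all-rules` prints one rule per line as `<ipv> <table> <chain> <priority> <args...>`, that the caller runs the returned argv lists on the target host, and the sample output it parses is constructed, not captured from a real system.

```python
"""Idempotent handling of firewalld direct rules.

Added example; this is not code from ansible/ansible, from the firewalld
module, or from any PR linked in this issue. It assumes that
`firewall-cmd --permanent --direct --get-all-rules` prints one rule per
line as "<ipv> <table> <chain> <priority> <args...>" and that the caller
runs the returned argv lists (e.g. via subprocess) on the target host.
SAMPLE_OUTPUT below is constructed, not captured from a real system.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value sets as accepted by firewall-cmd --direct (assumed from its usage text).
VALID_IPV = {"ipv4", "ipv6", "eb"}
VALID_TABLES = {"filter", "nat", "mangle", "raw", "security", "broute"}


@dataclass(frozen=True)
class DirectRule:
    """One direct rule: the positional fields of --add-rule/--remove-rule."""
    ipv: str
    table: str
    chain: str
    priority: int
    args: Tuple[str, ...]   # raw iptables/ebtables match and target arguments

    def __post_init__(self) -> None:
        # Validate before building a command line: a typo here would otherwise
        # surface only as a firewall-cmd error at apply time.
        if self.ipv not in VALID_IPV:
            raise ValueError(f"unknown ipv {self.ipv!r}")
        if self.table not in VALID_TABLES:
            raise ValueError(f"unknown table {self.table!r}")
        if self.priority < 0:
            raise ValueError("priority must be a non-negative integer")
        if not ("-j" in self.args or "-g" in self.args):
            raise ValueError("rule has no target (-j/-g)")

    @classmethod
    def parse(cls, line: str) -> "DirectRule":
        """Parse one line of --get-all-rules output (format assumed above)."""
        parts = shlex.split(line)
        if len(parts) < 5:
            raise ValueError(f"unparseable direct rule: {line!r}")
        ipv, table, chain, prio, *args = parts
        return cls(ipv, table, chain, int(prio), tuple(args))

    def argv(self, action: str, permanent: bool) -> List[str]:
        """Build the firewall-cmd argv for action in {"add", "remove"}."""
        cmd = ["firewall-cmd"]
        if permanent:
            cmd.append("--permanent")
        cmd += ["--direct", f"--{action}-rule", self.ipv, self.table,
                self.chain, str(self.priority), *self.args]
        return cmd


def parse_rules(output: str) -> List[DirectRule]:
    """Parse the whole --get-all-rules output, skipping blank lines."""
    return [DirectRule.parse(line) for line in output.splitlines() if line.strip()]


def plan(existing_output: str, rule: DirectRule, state: str,
         permanent: bool = True) -> Tuple[bool, Optional[List[str]]]:
    """Decide what to run for an Ansible-style state=present/absent.

    Returns (changed, argv). argv is None when the host already matches,
    which is what lets a task report changed=False on the second run.
    """
    if state not in ("present", "absent"):
        raise ValueError(f"state must be present or absent, got {state!r}")
    present = rule in parse_rules(existing_output)
    if state == "present" and not present:
        return True, rule.argv("add", permanent)
    if state == "absent" and present:
        return True, rule.argv("remove", permanent)
    return False, None


# Constructed sample of --get-all-rules output: an owner-match accept rule
# (as in the issue summary) followed by a catch-all drop at lower priority.
SAMPLE_OUTPUT = (
    "ipv4 filter OUTPUT 0 -m owner --uid-owner 1000 -j ACCEPT\n"
    "ipv4 filter OUTPUT 1 -j DROP\n"
)


def demo() -> List[Tuple[bool, Optional[List[str]]]]:
    """Run the planner against SAMPLE_OUTPUT for three typical tasks."""
    already = DirectRule("ipv4", "filter", "OUTPUT", 0,
                         ("-m", "owner", "--uid-owner", "1000", "-j", "ACCEPT"))
    new_uid = DirectRule("ipv4", "filter", "OUTPUT", 0,
                         ("-m", "owner", "--uid-owner", "1001", "-j", "ACCEPT"))
    drop = DirectRule("ipv4", "filter", "OUTPUT", 1, ("-j", "DROP"))
    return [
        plan(SAMPLE_OUTPUT, already, "present"),              # no change
        plan(SAMPLE_OUTPUT, new_uid, "present"),              # add rule
        plan(SAMPLE_OUTPUT, drop, "absent", permanent=False),  # runtime remove
    ]


if __name__ == "__main__":
    for changed, argv in demo():
        print(changed, " ".join(argv) if argv else "(nothing to do)")
```

Two caveats worth keeping in mind when wiring this into a task: the `owner` match only works in the OUTPUT and POSTROUTING chains, since the kernel knows the owning socket only for locally generated packets; and a `--permanent` change does not touch the running firewall until `firewall-cmd --reload`, so a module that wants both immediate and persistent effect has to issue the runtime and the permanent command (or reload) rather than one of them.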

@cornfeedhobo

cornfeedhobo commented May 8, 2017

Yeah, this would be nice. If no one tackles this in the coming months, I'll take a swing.

@mscherer

Contributor

mscherer commented Jul 5, 2017

So, as I needed that, but the code of the firewalld module was a bit too complex to understand fast (and I needed the feature for another task), I wrote a separate module: https://github.com/gluster/gluster.org_ansible_configuration/tree/master/roles/firewalld_direct/library

It is not much documented or anything (yet), but feel free to use that code to add the feature.

@maxamillion

Contributor

maxamillion commented Jul 6, 2017

@mscherer thanks! I'll add that to the firewalld module as soon as I'm done getting the recent refactor work merged (which will hopefully make it easier to contribute to).

@mscherer

Contributor

mscherer commented Jul 7, 2017

I am not sure that all features should be added to the same module. For example, now I have a need for adding a zone (because I decided to do a whole firewall using firewalld and ansible), and I think this would be better as a separate module. But then, would services, ports, etc. be better split as well?

@maxamillion

Contributor

maxamillion commented Jul 7, 2017

@mscherer I'm open to either, I like the idea of not having too much "module span" so we don't duplicate the code for interacting with the firewalld API but if it is preferred to be separate, that's fine too.

@mscherer

Contributor

mscherer commented Jul 8, 2017

We can create a shared module library; I would also dislike duplicating the various "is firewalld running" code, etc. But I am quite new to the firewalld API, and there is also the issue of compatibility with existing playbooks :/

@kaechele

Contributor

kaechele commented Nov 13, 2017

Hi there. I'd need the direct rule support as well. I'm also not sure whether this should be a separate module because it will add some more possible args to the module (type, table, chain, priority and arg).
I'll have a stab at it shortly.
I did try to tackle the zone operations in this PR #32845
Let me know in that PR what you think.

@5ghz

5ghz commented Dec 19, 2017

I have added DirectRule operation support in #34027, please review.

@ansibot ansibot added feature and removed feature_idea labels Mar 2, 2018

@drmuey

drmuey commented Aug 23, 2018

This would be incredibly useful, specifically so we can do the `-m owner --uid-owner` bit /2¢

@maxamillion

Contributor

maxamillion commented Aug 23, 2018

So #34027 was supposed to have merged a long time ago and I completely missed that the bot didn't merge it. I'll cherry-pick the PR to preserve contributor credit and history, resolve the conflict, and get a new PR open.

@maxamillion

Contributor

maxamillion commented Aug 24, 2018

Correction, the code bases are too diverged to effectively cherry-pick.

@kdimiche

kdimiche commented Dec 13, 2018

Is there an update to enabling direct rules? Last status was 8/23.

@maxamillion

Contributor

maxamillion commented Dec 13, 2018

@kdimiche ongoing PR #49514

@maxamillion

Contributor

maxamillion commented Dec 13, 2018

resolved_by_pr #49514
