Firewalld: direct rules support

[lf-]

ISSUE TYPE

• Feature Idea

COMPONENT NAME

firewalld module

ANSIBLE VERSION

ansible 2.3.0 (devel 9f2d8c2409) last updated 2017/01/01 20:16:08 (GMT -600)
  config file = /home/lf/.ansible.cfg
  configured module search path = Default w/o overrides

CONFIGURATION

OS / ENVIRONMENT

Fedora 25 Server

SUMMARY

It is not currently possible to reproduce configurations such as that created by running firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner $UID -j ACCEPT because the firewalld module doesn't support direct rules.

See previous issue at ansible/ansible-modules-extras#209.

[ansibot]

cc @maxamillion
click here for bot help

[cornfeedhobo]

Yeah, this would be nice. If no one tackles this in the coming months, I'll take a swing.

[mscherer]

So, as I did needed that, but the code of firewalld module was a bit too complex to undertand fast (and needed the feature for another task), I did wrote a separate module: https://github.com/gluster/gluster.org_ansible_configuration/tree/master/roles/firewalld_direct/library

It is not much documented or anything (yet), but feel free to use that code to add the feature

[maxamillion]

@mscherer thanks! I'll add that to the firewalld module as soon as I'm done getting the recent refactor work merged (which will hopefully make it easier to contribute to).

[mscherer]

I am not sure that all feature should be added to the same module. For example, now, I have a need for adding a zone (because I decided to do a whole firewall using firewalld and ansible), and I think this would be better as a separate module. But then, would services, port, etc be better splitted as well ?

[maxamillion]

@mscherer I'm open to either, I like the idea of not having too much "module span" so we don't duplicate the code for interacting with the firewalld API but if it is preferred to be separate, that's fine too.

[mscherer]

We can create a shared module library, I would also dislike duplicating the various "is firewalld is running" code, etc. But I am quite new to the firewalld API, and there is also the issue of compatibility with existing playbooks :/

[kaechele]

Hi there. I'd need the direct rule support as well. I'm also not sure whether this should be a separate module because it will add some more possible args to the module (type, table, chain, priority and arg).
I'll have a stab at it shortly.
I did try to tackle the zone operations in this PR #32845
Let me know in that PR what you think.

[5ghz]

I have been added DirectRule operation support #34027 please review

[drmuey]

This would be incredibly useful, specifically so we can do the -m owner --uid-owner bit /2¢

[maxamillion]

So #34027 was supposed to have merged a long time ago and I completely missed that the bot didn't merge it. I'll cherry-pick the PR to preserve contributor credit and history, resolve the conflict, and get a new PR open.

[maxamillion]

Correction, the code bases are too diverged to effectively cherry-pick.

[kdimiche]

Is there an update to enabling direct rules? Last status was 8/23.

[maxamillion]

@kdimiche ongoing PR #49514

[maxamillion]

resolved_by_pr #49514