ansible-collections / ansible.posix

Ansible Collection for Posix

Support for setting the default firewalld zone #296

Open jwatt opened 3 years ago

jwatt commented 3 years ago
SUMMARY

Unless I'm missing something in the docs for the firewalld module, it is possible to create zones but not to set the default zone. I guess this can be worked around by using a command with firewall-cmd --set-default-zone=<zone> but it would be cleaner if the firewalld module supported this.

ISSUE TYPE
COMPONENT NAME

ansible.posix.firewalld

ADDITIONAL INFORMATION

I'd like to use ansible to create a new zone and set it as the default.

saito-hideki commented 2 years ago

@jwatt indeed. thank you for the feature request! :)

nodiscc commented 2 years ago

The correct solution to this is probably to edit the main firewalld.conf configuration file, since the default zone is explicitly defined in this file:

$ sudo head -n6 /etc/firewalld/firewalld.conf
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

I don't think this should be handled by the firewalld module. template or lineinfile are sufficient.

gnfzdz commented 1 year ago

@jwatt @saito-hideki This should be pretty trivial to implement so I'm open to raising a pull request. Even ignoring the simple alternative mentioned by @nodiscc though, there are a few quirks that give me pause.

  1. At least with firewall-cmd, the change appears to be applied both immediately and permanently, regardless of whether the --permanent argument is actually passed. Assuming that's a fundamental limitation of the underlying firewalld python library (which I haven't confirmed yet), we could guard against misuse here by returning an error if an invalid combination of immediate/permanent is actually passed. The same pattern is currently used when adding/removing a zone.
  2. More importantly, I'm not sure there's an obvious api for this feature that feels consistent with the rest of the module. Assuming state remains a required parameter, how should the negative values be interpreted?

Options for the positive case seem pretty straightforward:

- ansible.posix.firewalld:
    zone: custom
    default: True
    state: enabled

- ansible.posix.firewalld:
    default_zone: custom
    state: enabled

But if default zone is already 'custom', how should these cases behave?

One option would be to switch back to the upstream default (public). Alternatively, the negative cases could just be ignored (and documented accordingly).

- ansible.posix.firewalld:
    zone: custom
    default: True
    state: disabled

- ansible.posix.firewalld:
    zone: custom
    default: False
    state: enabled

- ansible.posix.firewalld:
    default_zone: custom
    state: disabled