Allow adding a select interface to a selected zone. robertdebock#4

ndgit · Mar 23, 2022 · 326f3ed · 326f3ed
1 parent ed4cdab
commit 326f3ed
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -61,6 +61,18 @@ firewall_services:
 #     protocol: tcp
 #   - name: 1337
 #     state: absent
+
+# A list of interfaces you would like to add/remove to/from a zone in firewalld.
+# firewall_interfaces: []
+
+# examples:
+# firewall_interfaces:
+#   - interface: eth0
+#     zone: trusted
+#   - interface: ens0
+#     zone: trusted
+#     state: disabled
+
 ```
 
 ## [Requirements](#requirements)

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -21,3 +21,14 @@ firewall_services:
 #     protocol: tcp
 #   - name: 1337
 #     state: absent
+
+# A list of interfaces you would like to add/remove to/from a zone in firewalld.
+# firewall_interfaces: []
+
+# examples:
+# firewall_interfaces:
+#   - interface: eth0
+#     zone: trusted
+#   - interface: ens0
+#     zone: trusted
+#     state: disabled
diff --git a/tasks/assert.yml b/tasks/assert.yml
@@ -64,3 +64,25 @@
   when:
     - firewall_services is defined
     - item.state is defined
+
+- name: test if firewall_interfaces is set correctly
+  ansible.builtin.assert:
+    that:
+      - firewall_interfaces is iterable
+    quiet: yes
+  when:
+    - firewall_interfaces is defined
+
+- name: test if item in firewall_interfaces is set correctly
+  ansible.builtin.assert:
+    that:
+      - item.interface is defined
+      - item.interface is string
+      - item.zone is defined
+      - item.zone is string
+    quiet: yes
+  loop: "{{ firewall_interfaces }}"
+  loop_control:
+    label: "{{ item.interface }}"
+  when:
+    - firewall_interfaces is defined
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -49,6 +49,41 @@
   loop_control:
     label: "{{ item.name }}"
 
+- name: add interface to a zone (firewalld-interface)
+  ansible.posix.firewalld:
+    zone: "{{ item.zone }}"
+    interface: "{{ item.interface }}"
+    permanent: yes
+    state: enabled
+  loop: "{{ firewall_interfaces }}"
+  when:
+    - ansible_connection not in [ "container", "docker", "community.docker.docker" ]
+    - firewall_interfaces is defined
+    - firewall_service == "firewalld"
+    - item.state is undefined or ( item.state is defined and item.state == "enabled" )
+  loop_control:
+    label: "{{ item.interface }}"
+  notify:
+    - reload firewalld
+
+- name: remove interface from a zone (firewalld-interface)
+  ansible.posix.firewalld:
+    zone: "{{ item.zone }}"
+    interface: "{{ item.interface }}"
+    permanent: yes
+    state: disabled
+  loop: "{{ firewall_interfaces }}"
+  when:
+    - ansible_connection not in [ "container", "docker", "community.docker.docker" ]
+    - firewall_interfaces is defined
+    - firewall_service == "firewalld"
+    - item.state is defined
+    - item.state == "disabled"
+  loop_control:
+    label: "{{ item.interface }}"
+  notify:
+    - reload firewalld
+
 - name: open ports (firewalld-port)
   ansible.posix.firewalld:
     port: "{{ item.name }}/{{ item.protocol | default(firewall_default_protocol) }}"