Templating firewalld zones with ansible - issue with xml or vars

Question

Templating firewalld zones with ansible - issue with xml manipulation I am running into a small bit of confusion for the rule family.

whats in my CORRECTED vars file:

firewalld_zones: 
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - { name: ssh }
      - { name: dhcpv6-client }
    port:
      - { protocol: tcp, port: 8000 }
      - { protocol: tcp, port: 8089 }
      - { protocol: udp, port: 52311 }
      - { protocol: udp, port: 514 }
      - { protocol: tcp, port: 8191 }
      - { protocol: tcp, port: 8888 }
    masquerade: true
    forward-port:
      - { to-port: 8000, protocol: tcp, port: 443 }
    rule:
      - family: ipv4
        source:
          - address: "172.18.0.0/16"
          - action: accept
      - family: ipv4
        source:
          - address: "172.17.0.0/16"
          - action: accept

What i get with corrected vars and template:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8089"/>
  <port protocol="udp" port="52311"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="8191"/>
  <port protocol="tcp" port="8888"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
</zone>

would you be able to provide an example vars for mixing rules with rule family? I have tried a bazzilion itterations and have had no luck. :(

contents of my CORRECTED template file:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
  {% for name,value in subtag.items() %}
{% if name in ['action'] %}
  <{{ value }}/>
{% else %}
  <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>

Michael Hampton · Answer 1 · 2021-02-02T18:40:14.630

0

The template is expecting source but you typed source address. I'm a bit surprised that Ansible didn't complain about this as it's pretty obviously an error.

It should look something like this:

    rule:
      - {family: ipv4, source: {address: 172.18.0.0/16}, action: accept}
      - {family: ipv4, source: {address: 172.17.0.0/16}, action: accept}

edited Feb 02 '21 at 18:40

answered Feb 02 '21 at 18:14

Michael Hampton

244,070
43
506
972

when i use source, i get an error in the ansible run. ``` { "msg": "AnsibleUndefinedVariable: 'str object' has no attribute 'items'", ... ], "rule": [ { "family": "ipv4", "source": "172.18.0.0/16", "action": true }, { "family": "ipv4", "source": "172.17.0.0/16", "action": true } ] }, "ansible_loop_var": "item", "_ansible_item_label": "public" } ``` – Wipiid Feb 02 '21 at 18:24
@Wipiid Eh? What error? – Michael Hampton Feb 02 '21 at 18:25
"msg": "AnsibleUndefinedVariable: 'str object' has no attribute 'items'", – Wipiid Feb 02 '21 at 18:30
@Wipiid Ah right. I think I see what's going on. Check revision 2 above. – Michael Hampton Feb 02 '21 at 18:40
still trying to make sense of the comment section ;) That removed the error however the rule section is still empty `code` `code` – Wipiid Feb 02 '21 at 18:47
' ` – Wipiid Feb 02 '21 at 18:59
Hmm. It should be very close to that. I'll think about it a bit more. – Michael Hampton Feb 02 '21 at 19:07

score 0 · Accepted Answer · answered Feb 03 '21 at 19:25

After taking some time reviewing the template file and playing around a bit, found a spacing/indent issue in the template file and a structure issue with my vars file.

Ill be updating my question, with the corrected versions so a diff can be seen.

Modified template file:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
  {% for name,value in subtag.items() %}
{% if name in ['action'] %}
  <{{ value }}/>
{% else %}
  <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>

modified vars structure:

firewalld_zones: 
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - { name: ssh }
      - { name: dhcpv6-client }
    port:
      - { protocol: tcp, port: 8000 }
      - { protocol: tcp, port: 8089 }
      - { protocol: udp, port: 52311 }
      - { protocol: udp, port: 514 }
      - { protocol: tcp, port: 8191 }
      - { protocol: tcp, port: 8888 }
    masquerade: true
    forward-port:
      - { to-port: 8000, protocol: tcp, port: 443 }
    rule:
      - family: ipv4
        source:
          - address: "172.18.0.0/16"
          - action: accept
      - family: ipv4
        source:
          - address: "172.17.0.0/16"
          - action: accept

output of compiled file:

# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8089"/>
  <port protocol="udp" port="52311"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="8191"/>
  <port protocol="tcp" port="8888"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
</zone>

Templating firewalld zones with ansible - issue with xml or vars

2 Answers2