diff --git a/.README.html b/.README.html index 0ac8a4e4..0fcfc865 100644 --- a/.README.html +++ b/.README.html @@ -187,6 +187,11 @@

Contents

  • ipset_type
  • ipset_entries
  • +
  • ipset_options +
  • source_port
  • forward_port
  • masquerade
  • @@ -311,7 +316,7 @@

    default

    installation.

    default without detailed parameter set to true

    "default": {
    +class="sourceCode json">"default": {
       "zones": ["public",...],
       "services": ["amanda_client",...],
       "icmptypes": [...],
    @@ -321,7 +326,7 @@ 

    default

    }

    default when parameter set to true

    "default": {
    +class="sourceCode json">"default": {
       "zones": {
         "public": {
           ...
    @@ -362,7 +367,7 @@ 

    custom

    Below is the state of the custom subdictionary where at least one permanent change was made to each setting:

    "custom": {
    +class="sourceCode json">"custom": {
       "zones": {
         "custom_zone": {
           ...
    @@ -542,7 +547,12 @@ 

    ipset

    source to add and remove ipsets from a zone

    When creating an ipset, you must also specify ipset_type, and optionally short, -description, ipset_entries

    +description, ipset_entries and +ipset_options.

    +

    NOTE: You cannot mix IPv4, IPv6, and MAC addresses +in the same ipset_entries list. All addresses must be the +same IP type. This is a limitation of the underlying firewalld +implementation.

    Defining an ipset with all optional fields:

    firewall:
    @@ -556,72 +566,119 @@ 

    ipset

    - 3.3.3.3 - 8.8.8.8 - 127.0.0.1 - state: present - permanent: true
    -

    Adding an entry to an existing ipset

    + ipset_options: + maxelem: 1000 + state: present + permanent: true
    +

    Defining an ipset with IPv6 addresses:

    firewall:
       - ipset: customipset
    -    ipset_entries:
    -      - 127.0.0.2
    -    state: present
    -    permanent: true
    -

    Changing the short and description of an ipset

    + ipset_type: "hash:ip" + short: Custom IPSet + description: set of ip addresses specified in entries + ipset_entries: + - 2001:db8::/32 + ipset_options: + maxelem: 1000 + state: present + permanent: true
    +

    Adding an entry to an existing ipset

    firewall:
       - ipset: customipset
    -    short: Custom
    -    description: Set of IPv4 addresses
    +    ipset_entries:
    +      - 127.0.0.2
         state: present
         permanent: true
    -

    Removing entries from an ipset

    +

    Changing the short and description of an ipset

    firewall:
       - ipset: customipset
    -    ipset_entries:
    -      - 127.0.0.1
    -      - 127.0.0.2
    -    state: absent
    -    permanent: true
    -

    Removing an ipset

    + short: Custom + description: Set of IPv4 addresses + state: present + permanent: true
    +

    Removing entries from an ipset

    firewall:
       - ipset: customipset
    -    state: absent
    -    permanent: true
    + ipset_entries: + - 127.0.0.1 + - 127.0.0.2 + state: absent + permanent: true
    +

    Removing an ipset

    +
    firewall:
    +  - ipset: customipset
    +    state: absent
    +    permanent: true

    port

    Port or port range or a list of them to add or remove inbound access to. It needs to be in the format <port>[-<port>]/<protocol>.

    -
    port: '443/tcp'
    -port: ['443/tcp','443/udp']
    +
    port: '443/tcp'
    +port: ['443/tcp','443/udp']

    ipset_type

    Type of ipset being defined. Used with ipset.

    For a list of available ipset types, run firewall-cmd --get-ipset-types, there is no method to get supported types from this role.

    -
    ipset: customipset
    -ipset_type: hash:mac
    +
    ipset: customipset
    +ipset_type: hash:mac

    See ipset for more usage information

    ipset_entries

    List of addresses to add or remove from an ipset Used with ipset

    Entries must be compatible with the ipset type of the ipset being created or modified.

    -
    ipset: customipset
    -ipset_entries:
    -  - 127.0.0.1
    +

    NOTE: You cannot mix IPv4, IPv6, and MAC addresses +in the same ipset_entries list. All addresses must be the +same IP type. This is a limitation of the underlying firewalld +implementation.

    +
    ipset: customipset
    +ipset_entries:
    +  - 127.0.0.1

    See ipset for more usage information

    +

    ipset_options

    +

    A dict of key/value pairs of ipset options for the given +ipset. See firewalld +ipset options for more information.

    +

    You usually do not have to specify the family. The role will default +to family: inet if ipset_entries contains IPv4 +addresses, and will default to family: inet6 if +ipset_entries contains IPv6 addresses

    +
    ipset_options:
    +  maxelem: 1000
    +  hashsize: 512
    +

    Removing options

    +

    NOTE: Options cannot be modified or removed if +running the role during a container or image build (e.g. in a +bootc Containerfile).

    +

    If you want to remove an option, set state: absent, and +set the option value to null:

    +
    state: absent
    +ipset_options:
    +  maxelem: null
    +

    This will remove the maxelem option. If you specify a +value, then the role will only remove that option if it matches the +value. This is useful if you want to ensure that the value you are +removing is the expected value, and has not be changed outside of the +role.

    source_port

    Port or port range or a list of them to add or remove source port access to. It needs to be in the format <port>[-<port>]/<protocol>.

    -
    source_port: '443/tcp'
    -source_port: ['443/tcp','443/udp']
    +
    source_port: '443/tcp'
    +source_port: ['443/tcp','443/udp']

    forward_port

    Add or remove port forwarding for ports or port ranges for a zone. It takes two different formats:

    @@ -632,53 +689,53 @@

    forward_port

  • dict or list of dicts in the format like ansible.posix.firewalld:
  • -
    forward_port:
    -  port: <port>
    -  proto: <protocol>
    -  [toport: <to-port>]
    -  [toaddr: <to-addr>]
    +
    forward_port:
    +  port: <port>
    +  proto: <protocol>
    +  [toport: <to-port>]
    +  [toaddr: <to-addr>]

    examples

    -
    forward_port: '447/tcp;;1.2.3.4'
    -forward_port: ['447/tcp;;1.2.3.4','448/tcp;;1.2.3.5']
    -forward_port:
    -  - 447/tcp;;1.2.3.4
    -  - 448/tcp;;1.2.3.5
    -forward_port:
    -  - port: 447
    -    proto: tcp
    -    toaddr: 1.2.3.4
    -  - port: 448
    -    proto: tcp
    -    toaddr: 1.2.3.5
    +
    forward_port: '447/tcp;;1.2.3.4'
    +forward_port: ['447/tcp;;1.2.3.4','448/tcp;;1.2.3.5']
    +forward_port:
    +  - 447/tcp;;1.2.3.4
    +  - 448/tcp;;1.2.3.5
    +forward_port:
    +  - port: 447
    +    proto: tcp
    +    toaddr: 1.2.3.4
    +  - port: 448
    +    proto: tcp
    +    toaddr: 1.2.3.5

    port_forward is an alias for forward_port. Its use is deprecated and will be removed in an upcoming release.

    masquerade

    Enable or disable masquerade on the given zone.

    -
    masquerade: false
    +
    masquerade: false

    rich_rule

    String or list of rich rule strings. For the format see (Syntax for firewalld rich language rules)[https://firewalld.org/documentation/man-pages/firewalld.richlanguage.html]

    -
    rich_rule: rule service name="ftp" audit limit value="1/m" accept
    +
    rich_rule: rule service name="ftp" audit limit value="1/m" accept

    source

    List of source address address range strings, or ipsets. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number.

    -
    source: 192.0.2.0/24
    +
    source: 192.0.2.0/24

    Ipsets are used with this option by prefixing "ipset:" to the name of the ipset

    -
    source: ipset:ipsetname
    +
    source: ipset:ipsetname

    interface

    String or list of interface name strings.

    -
    interface: eth2
    +
    interface: eth2

    This role handles interface arguments similar to how firewalld's cli, firewall-cmd does, i.e. manages the interface through NetworkManager if possible, and handles the interface binding purely @@ -707,9 +764,9 @@

    interface_pci_id

  • XXXX: Hexadecimal, corresponds to Vendor ID
  • YYYY: Hexadecimal, corresponds to Device ID
  • -
    # PCI id for Intel Corporation Ethernet Connection
    -interface_pci_id: 8086:15d7
    +
    # PCI id for Intel Corporation Ethernet Connection
    +interface_pci_id: 8086:15d7

    Only accepts PCI devices IDs that correspond to a named network interface, and converts all PCI device IDs to their respective logical interface names.

    @@ -724,31 +781,31 @@

    interface_pci_id

    icmp_block

    String or list of ICMP type strings to block. The ICMP type names needs to be defined in firewalld configuration.

    -
    icmp_block: echo-request
    +
    icmp_block: echo-request

    icmp_block_inversion

    ICMP block inversion bool setting. It enables or disables inversion of ICMP blocks for a zone in firewalld.

    -
    icmp_block_inversion: true
    +
    icmp_block_inversion: true

    target

    The firewalld zone target. If the state is set to absent,this will reset the target to default. Valid values are "default", "ACCEPT", "DROP", "%%REJECT%%".

    -
    target: ACCEPT
    +
    target: ACCEPT

    short

    Short description, only usable when defining or modifying a service or ipset. See service or ipset for more usage information.

    -
    short: Short Description
    +
    short: Short Description

    description

    Description for a service, only usable when adding a new service or modifying an existing service. See service or ipset for more information

    -
    description: Your description goes here
    +
    description: Your description goes here

    destination

    list of destination addresses, option only implemented for user-defined services. Takes 0-2 addresses, allowing for one IPv4 @@ -759,16 +816,16 @@

    destination

    works when abbreviating one or more subsequent IPv6 segments where x = 0) -
    destination:
    -  - 1.1.1.0/24
    -  - AAAA::AAAA:AAAA
    +
    destination:
    +  - 1.1.1.0/24
    +  - AAAA::AAAA:AAAA

    helper_module

    Name of a connection tracking helper supported by firewalld.

    -
    # Both properly specify nf_conntrack_ftp
    -helper_module: ftp
    -helper_module: nf_conntrack_ftp
    +
    # Both properly specify nf_conntrack_ftp
    +helper_module: ftp
    +helper_module: nf_conntrack_ftp

    includes

    Name of one or more services to specify in an includes in a service definition. The includes directive is @@ -777,10 +834,10 @@

    includes

    manpage This can only be used when managing service definitions. NOTE: includes support is only available in EL8 and higher.

    -
    includes:
    -  - https
    -  - ldaps
    +
    includes:
    +  - https
    +  - ldaps

    timeout

    The amount of time in seconds a setting is in effect. The timeout is usable if

    @@ -790,24 +847,24 @@

    timeout

  • setting is used with services, ports, source ports, forward ports, masquerade, rich rules or icmp blocks
  • -
    timeout: 60
    -state: enabled
    -service: https
    +
    timeout: 60
    +state: enabled
    +service: https

    state

    Enable or disable the entry.

    -
    state: 'enabled' | 'disabled' | 'present' | 'absent'
    +
    state: 'enabled' | 'disabled' | 'present' | 'absent'

    NOTE: present and absent are only used for zone, target, and service operations, and cannot be used for any other operation.

    NOTE: zone - use state: present to add a zone, and state: absent to remove a zone, when zone is the only variable e.g.

    -
    firewall:
    -  - zone: my-new-zone
    -    state: present
    +
    firewall:
    +  - zone: my-new-zone
    +    state: present

    NOTE: target - you can also use state: present to add a target - state: absent will reset the target to the default.

    @@ -817,14 +874,14 @@

    runtime

    Enable changes in runtime configuration. If runtime parameter is not provided, the default will be set to True.

    -
    runtime: true
    +
    runtime: true

    permanent

    Enable changes in permanent configuration. If permanent parameter is not provided, the default will be set to True.

    -
    permanent: true
    +
    permanent: true

    The permanent and runtime settings are independent, so you can set only the runtime, or only the permanent. You cannot set both permanent and runtime to false.

    @@ -850,8 +907,8 @@

    previous

    reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.

    -
    firewall_transactional_update_reboot_ok: true
    +
    firewall_transactional_update_reboot_ok: true

    Examples of Options

    By default, any changes will be applied immediately, and to the permanent settings. If you want the changes to apply immediately but not @@ -859,126 +916,126 @@

    Examples of Options

    runtime: false.

    Permit TCP traffic for port 80 in default zone, in addition to any existing configuration:

    -
    firewall:
    -  - port: 80/tcp
    -    state: enabled
    -

    Remove all existing firewall configuration, and permit TCP traffic -for port 80 in default zone:

    -
    firewall:
    -  - previous: replaced
    -  - port: 80/tcp
    -    state: enabled
    -

    Do not permit TCP traffic for port 80 in default zone:

    -
    firewall:
    -  - port: 80/tcp
    -    state: disabled
    -

    Add masquerading to dmz zone:

    firewall:
    -  - masquerade: true
    -    zone: dmz
    -    state: enabled
    -

    Remove masquerading to dmz zone:

    + - port: 80/tcp + state: enabled +

    Remove all existing firewall configuration, and permit TCP traffic +for port 80 in default zone:

    firewall:
    -  - masquerade: false
    -    zone: dmz
    +  - previous: replaced
    +  - port: 80/tcp
         state: enabled
    -

    Allow interface eth2 in trusted zone:

    +

    Do not permit TCP traffic for port 80 in default zone:

    firewall:
    -  - interface: eth2
    -    zone: trusted
    -    state: enabled
    -

    Don't allow interface eth2 in trusted zone:

    + - port: 80/tcp + state: disabled +

    Add masquerading to dmz zone:

    firewall:
    -  - interface: eth2
    -    zone: trusted
    -    state: disabled
    -

    Permit traffic in default zone for https service:

    + - masquerade: true + zone: dmz + state: enabled +

    Remove masquerading to dmz zone:

    firewall:
    -  - service: https
    -    state: enabled
    -

    Do not permit traffic in default zone for https service:

    + - masquerade: false + zone: dmz + state: enabled +

    Allow interface eth2 in trusted zone:

    firewall:
    -  - service: https
    -    state: disabled
    -

    Allow interface with PCI device ID '8086:15d7' in dmz zone

    + - interface: eth2 + zone: trusted + state: enabled +

    Don't allow interface eth2 in trusted zone:

    firewall:
    -  - zone: dmz
    -    interface_pci_id: 8086:15d7
    -    state: enabled
    -

    Example Playbooks

    -

    Erase all existing configuration, and enable ssh service:

    + - interface: eth2 + zone: trusted + state: disabled +

    Permit traffic in default zone for https service:

    ---
    -- name: Erase existing config and enable ssh service
    -  hosts: myhost
    -
    -  vars:
    -    firewall:
    -      - previous: replaced
    -      - service: ssh
    -        state: enabled
    -  roles:
    -    - linux-system-roles.firewall
    -

    With this playbook you can make sure that the tftp service is -disabled in the firewall:

    +class="sourceCode yaml">firewall: + - service: https + state: enabled +

    Do not permit traffic in default zone for https service:

    ---
    -- name: Make sure tftp service is disabled
    -  hosts: myhost
    -
    -  vars:
    -    firewall:
    -      - service: tftp
    -        state: disabled
    -  roles:
    -    - linux-system-roles.firewall
    -

    It is also possible to combine several settings into blocks:

    +class="sourceCode yaml">firewall: + - service: https + state: disabled +

    Allow interface with PCI device ID '8086:15d7' in dmz zone

    ---
    -- name: Configure firewall
    -  hosts: myhost
    -
    -  vars:
    -    firewall:
    -      - {service: [tftp,ftp],
    -         port: ['443/tcp','443/udp'],
    -         state: enabled}
    -      - {forward_port: [eth2;447/tcp;;1.2.3.4,
    -                        eth2;448/tcp;;1.2.3.5],
    -          state: enabled}
    -      - {zone: internal, service: tftp, state: enabled}
    -      - {service: tftp, state: enabled}
    -      - {port: '443/tcp', state: enabled}
    -      - {forward_port: 'eth0;445/tcp;;1.2.3.4', state: enabled}
    -  roles:
    -    - linux-system-roles.firewall
    -

    The block with several services, ports, etc. will be applied at once. -If there is something wrong in the block it will fail as a whole.

    +class="sourceCode yaml">firewall: + - zone: dmz + interface_pci_id: 8086:15d7 + state: enabled +

    Example Playbooks

    +

    Erase all existing configuration, and enable ssh service:

    ---
    -- name: Configure external zone in firewall
    +- name: Erase existing config and enable ssh service
       hosts: myhost
     
       vars:
         firewall:
    -      - {zone: external,
    -         service: [tftp,ftp],
    -         port: ['443/tcp','443/udp'],
    -         forward_port: ['447/tcp;;1.2.3.4',
    -                        '448/tcp;;1.2.3.5'],
    -         state: enabled}
    -  roles:
    -    - linux-system-roles.firewall
    + - previous: replaced + - service: ssh + state: enabled + roles: + - linux-system-roles.firewall +

    With this playbook you can make sure that the tftp service is +disabled in the firewall:

    +
    ---
    +- name: Make sure tftp service is disabled
    +  hosts: myhost
    +
    +  vars:
    +    firewall:
    +      - service: tftp
    +        state: disabled
    +  roles:
    +    - linux-system-roles.firewall
    +

    It is also possible to combine several settings into blocks:

    +
    ---
    +- name: Configure firewall
    +  hosts: myhost
    +
    +  vars:
    +    firewall:
    +      - {service: [tftp,ftp],
    +         port: ['443/tcp','443/udp'],
    +         state: enabled}
    +      - {forward_port: [eth2;447/tcp;;1.2.3.4,
    +                        eth2;448/tcp;;1.2.3.5],
    +          state: enabled}
    +      - {zone: internal, service: tftp, state: enabled}
    +      - {service: tftp, state: enabled}
    +      - {port: '443/tcp', state: enabled}
    +      - {forward_port: 'eth0;445/tcp;;1.2.3.4', state: enabled}
    +  roles:
    +    - linux-system-roles.firewall
    +

    The block with several services, ports, etc. will be applied at once. +If there is something wrong in the block it will fail as a whole.

    +
    ---
    +- name: Configure external zone in firewall
    +  hosts: myhost
    +
    +  vars:
    +    firewall:
    +      - {zone: external,
    +         service: [tftp,ftp],
    +         port: ['443/tcp','443/udp'],
    +         forward_port: ['447/tcp;;1.2.3.4',
    +                        '448/tcp;;1.2.3.5'],
    +         state: enabled}
    +  roles:
    +    - linux-system-roles.firewall

    rpm-ostree

    See README-ostree.md

    Authors

    diff --git a/CHANGELOG.md b/CHANGELOG.md index 4215d823..60ce2984 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,23 @@ Changelog ========= +[1.11.0] - 2025-10-21 +-------------------- + +### New Features + +- feat: add IPv6 ipset support, add support for ipset_options (#296) + +### Other Changes + +- ci: rollout several recent changes to CI testing (#288) +- ci: support openSUSE Leap in qemu/kvm test matrix (#289) +- ci: use the new epel feature to enable EPEL for testing farm (#290) +- ci: use tox-lsr 3.12.0 for osbuild_config.yml feature (#292) +- ci: use JSON format for __bootc_validation (#293) +- ci: Bump actions/setup-python from 5 to 6 (#294) +- ci: Bump actions/github-script from 7 to 8 (#295) + [1.10.2] - 2025-08-01 --------------------