Ansible

Templating firewalld zones with Ansible - XML or vars problem

  • February 3, 2021

Templating firewalld zones with Ansible - XML manipulation problem. I'm a bit confused about the rule section.

What my CORRECTED vars file contains:

firewalld_zones: 
 - name: public
   short: "Public"
   description: "Public Zone"
   service:
     - { name: ssh }
     - { name: dhcpv6-client }
   port:
     - { protocol: tcp, port: 8000 }
     - { protocol: tcp, port: 8089 }
     - { protocol: udp, port: 52311 }
     - { protocol: udp, port: 514 }
     - { protocol: tcp, port: 8191 }
     - { protocol: tcp, port: 8888 }
   masquerade: true
   forward-port:
     - { to-port: 8000, protocol: tcp, port: 443 }
   rule:
     - family: ipv4
       source:
         - address: "172.18.0.0/16"
         - action: accept
     - family: ipv4
       source:
         - address: "172.17.0.0/16"
         - action: accept

What I get with the corrected vars and template:

<?xml version="1.0" encoding="utf-8"?>
<zone>
 <short>PUBLIC</short>
 <description>Public Zone</description>
 <service name="ssh"/>
 <service name="dhcpv6-client"/>
 <port protocol="tcp" port="8000"/>
 <port protocol="tcp" port="8089"/>
 <port protocol="udp" port="52311"/>
 <port protocol="udp" port="514"/>
 <port protocol="tcp" port="8191"/>
 <port protocol="tcp" port="8888"/>
 <masquerade/>
 <forward-port to-port="8000" protocol="tcp" port="443"/>
 <rule family="ipv4">
   <source address="172.18.0.0/16"/>
   <accept/>
 </rule>
 <rule family="ipv4">
   <source address="172.17.0.0/16"/>
   <accept/>
 </rule>
</zone>

Could you provide a sample var for mixing rules with a rule family? I've tried countless iterations without luck. :(

Contents of my corrected template file:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
 <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
 <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
 <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
 <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
 <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
 {% for name,value in subtag.items() %}
{% if name in ['action'] %}
 <{{ value }}/>
{% else %}
 <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
 </rule>
{% endfor %}
</zone>

After spending some time looking at the template file and playing around with it, it turned out there were spacing/indentation issues in the template file and structural issues in my vars file.

I will update my question with the corrected version so the difference can be seen.

Revised template file:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
 <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
 <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
 <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
 <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
 <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
 {% for name,value in subtag.items() %}
{% if name in ['action'] %}
 <{{ value }}/>
{% else %}
 <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
 </rule>
{% endfor %}
</zone>

Revised vars structure:

firewalld_zones: 
 - name: public
   short: "Public"
   description: "Public Zone"
   service:
     - { name: ssh }
     - { name: dhcpv6-client }
   port:
     - { protocol: tcp, port: 8000 }
     - { protocol: tcp, port: 8089 }
     - { protocol: udp, port: 52311 }
     - { protocol: udp, port: 514 }
     - { protocol: tcp, port: 8191 }
     - { protocol: tcp, port: 8888 }
   masquerade: true
   forward-port:
     - { to-port: 8000, protocol: tcp, port: 443 }
   rule:
     - family: ipv4
       source:
         - address: "172.18.0.0/16"
         - action: accept
     - family: ipv4
       source:
         - address: "172.17.0.0/16"
         - action: accept

Output of the compiled file:

# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
 <short>PUBLIC</short>
 <description>Public Zone</description>
 <service name="ssh"/>
 <service name="dhcpv6-client"/>
 <port protocol="tcp" port="8000"/>
 <port protocol="tcp" port="8089"/>
 <port protocol="udp" port="52311"/>
 <port protocol="udp" port="514"/>
 <port protocol="tcp" port="8191"/>
 <port protocol="tcp" port="8888"/>
 <masquerade/>
 <forward-port to-port="8000" protocol="tcp" port="443"/>
 <rule family="ipv4">
   <source address="172.18.0.0/16"/>
   <accept/>
 </rule>
 <rule family="ipv4">
   <source address="172.17.0.0/16"/>
   <accept/>
 </rule>
</zone>

The template is expecting source, but you typed source address. I'm a bit surprised Ansible didn't complain about this, since it's clearly a mistake.

It should look like this:

   rule:
     - {family: ipv4, source: {address: 172.18.0.0/16}, action: accept}
     - {family: ipv4, source: {address: 172.17.0.0/16}, action: accept}
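As an added example (not from the question or the answer, and not firewalld's own tooling), the following Python script takes the vars layout the answer recommends, with source as a mapping and action as a key of the rule, lints it, and renders the zone XML with xml.etree in place of the page's Jinja2 template, so it runs with the standard library only. PUBLIC_ZONE is a constructed copy of the question's public zone in that layout; BROKEN_ZONE keeps the question's original nesting (action inside the source list) so the lint can be seen rejecting it before anything reaches firewall-cmd. Element and attribute names follow the firewalld.zone(5) file format; the mark action, which needs a set attribute, is left out.

```python
# Added example: lint a firewalld_zones entry and render its zone XML (stdlib only).
import xml.etree.ElementTree as ET

# <zone> children that may repeat, with the attributes each one accepts.
REPEATABLE = {
    "interface": {"name"},
    "source": {"address", "mac", "ipset"},
    "service": {"name"},
    "port": {"port", "protocol"},
    "protocol": {"value"},
    "icmp-block": {"name"},
    "forward-port": {"port", "protocol", "to-port", "to-addr"},
    "source-port": {"port", "protocol"},
}
FLAGS = ("masquerade", "icmp-block-inversion")   # empty elements, present or absent
RULE_ACTIONS = ("accept", "reject", "drop")      # 'mark' needs set=, not covered here
RULE_SOURCE_KEYS = {"address", "mac", "ipset", "invert"}
ZONE_KEYS = set(REPEATABLE) | set(FLAGS) | {"name", "short", "description", "target", "rule"}

# Constructed sample: the question's public zone in the layout the answer recommends,
# i.e. source is a mapping and action is a key of the rule itself.
PUBLIC_ZONE = {
    "name": "public",
    "short": "Public",
    "description": "Public Zone",
    "service": [{"name": "ssh"}, {"name": "dhcpv6-client"}],
    "port": [
        {"protocol": "tcp", "port": 8000}, {"protocol": "tcp", "port": 8089},
        {"protocol": "udp", "port": 52311}, {"protocol": "udp", "port": 514},
        {"protocol": "tcp", "port": 8191}, {"protocol": "tcp", "port": 8888},
    ],
    "masquerade": True,
    "forward-port": [{"to-port": 8000, "protocol": "tcp", "port": 443}],
    "rule": [
        {"family": "ipv4", "source": {"address": "172.18.0.0/16"}, "action": "accept"},
        {"family": "ipv4", "source": {"address": "172.17.0.0/16"}, "action": "accept"},
    ],
}
# The layout the question started from: action buried inside the source list.
BROKEN_ZONE = dict(PUBLIC_ZONE, rule=[
    {"family": "ipv4", "source": [{"address": "172.18.0.0/16"}, {"action": "accept"}]},
    {"family": "ipv4", "source": [{"address": "172.17.0.0/16"}, {"action": "accept"}]},
])

def check_zone_vars(zone):
    """Return a list of problems in one firewalld_zones entry (empty if clean)."""
    problems = [f"unknown zone key {k!r}" for k in zone if k not in ZONE_KEYS]
    for tag, allowed in REPEATABLE.items():
        for n, entry in enumerate(zone.get(tag, [])):
            extra = sorted(set(entry) - allowed)
            if extra:
                problems.append(f"{tag}[{n}]: <{tag}> takes no attribute {extra}")
    for n, rule in enumerate(zone.get("rule", [])):
        src = rule.get("source")
        if isinstance(src, dict):
            extra = sorted(set(src) - RULE_SOURCE_KEYS)
            if extra:
                problems.append(f"rule[{n}].source: unexpected key {extra}")
        elif src is not None:
            problems.append(f"rule[{n}].source must be a mapping, got {type(src).__name__}")
        if rule.get("action") not in RULE_ACTIONS:
            problems.append(f"rule[{n}]: action must be one of {RULE_ACTIONS}, "
                            f"got {rule.get('action')!r}")
    return problems

def _attrs(mapping):
    return {k: str(v) for k, v in mapping.items()}   # YAML ints become XML attribute strings

def render_zone(zone):
    """Render one zone as firewalld XML text; raise ValueError if the vars fail the lint."""
    problems = check_zone_vars(zone)
    if problems:
        raise ValueError("; ".join(problems))
    z = ET.Element("zone", {"target": zone["target"]} if "target" in zone else {})
    ET.SubElement(z, "short").text = zone.get("short", zone["name"]).upper()
    if "description" in zone:
        ET.SubElement(z, "description").text = zone["description"]
    for tag in REPEATABLE:
        for entry in zone.get(tag, []):
            ET.SubElement(z, tag, _attrs(entry))
    for tag in FLAGS:
        if zone.get(tag) is True:
            ET.SubElement(z, tag)
    for rule in zone.get("rule", []):
        r = ET.SubElement(z, "rule", {"family": rule["family"]} if "family" in rule else {})
        for tag in ("source", "destination", "service", "port", "protocol",
                    "icmp-block", "icmp-type", "forward-port"):
            if tag in rule:
                ET.SubElement(r, tag, _attrs(rule[tag]))
        if rule.get("masquerade") is True:
            ET.SubElement(r, "masquerade")
        ET.SubElement(r, rule["action"])               # exactly one action per rule
    if hasattr(ET, "indent"):                          # Python 3.9+
        ET.indent(z, space="  ")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(z, encoding="unicode")

def rule_summary(xml_text):
    """Re-read zone XML: (family, source address, action) per rule; action None if not exactly one."""
    out = []
    for r in ET.fromstring(xml_text).iter("rule"):
        actions = [c.tag for c in r if c.tag in RULE_ACTIONS]
        src = r.find("source")
        out.append((r.get("family"), None if src is None else src.get("address"),
                    actions[0] if len(actions) == 1 else None))
    return out

if __name__ == "__main__":
    for problem in check_zone_vars(BROKEN_ZONE):
        print("vars problem:", problem)
    print(render_zone(PUBLIC_ZONE))
```

Run as a script it lists the four problems in the mis-nested layout (each rule's source is a list rather than a mapping, and each rule has no action of its own) and then prints the rendered public zone. The re-read in rule_summary is the check that matters: the question's nested layout happened to yield well-formed XML with one accept per rule, because the template emits `<{{ value }}/>` for any key named action wherever it sits, which is why Ansible never complained; a vars-level lint like this catches the layout mistake itself. On the target host, firewall-cmd --check-config (in firewalld releases that have it) validates the installed files as well.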

Quoted from: https://serverfault.com/questions/1052145