VhXWddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlmZddlmZmZedd Zed d Zed d ZgdZdZdZdZdZdZdZedk(reyy))absolute_importdivisionprint_functiona module: iptables_state short_description: Save iptables state into a file or restore it from a file version_added: '1.1.0' author: quidame (@quidame) extends_documentation_fragment: - community.general.attributes - community.general.attributes.flow description: - C(iptables) is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. - This module handles the saving and/or loading of rules. This is the same as the behaviour of the C(iptables-save) and C(iptables-restore) (or C(ip6tables-save) and C(ip6tables-restore) for IPv6) commands which this module uses internally. - Modifying the state of the firewall remotely may lead to loose access to the host in case of mistake in new ruleset. This module embeds a rollback feature to avoid this, by telling the host to restore previous rules if a cookie is still there after a given delay, and all this time telling the controller to try to remove this cookie on the host through a new connection. notes: - The rollback feature is not a module option and depends on task's attributes. To enable it, the module must be played asynchronously, in other words by setting task attributes C(poll) to V(0), and C(async) to a value less or equal to C(ANSIBLE_TIMEOUT). If C(async) is greater, the rollback will still happen if it shall happen, but you will experience a connection timeout instead of more relevant info returned by the module after its failure. attributes: check_mode: support: full diff_mode: support: none action: support: full async: support: full options: counters: description: - Save or restore the values of all packet and byte counters. - When V(true), the module is not idempotent. type: bool default: false ip_version: description: - Which version of the IP protocol this module should apply to. type: str choices: [ipv4, ipv6] default: ipv4 modprobe: description: - Specify the path to the C(modprobe) program internally used by iptables related commands to load kernel modules. - By default, V(/proc/sys/kernel/modprobe) is inspected to determine the executable's path. type: path noflush: description: - For O(state=restored), ignored otherwise. - If V(false), restoring iptables rules from a file flushes (deletes) all previous contents of the respective table(s). If V(true), the previous rules are left untouched (but policies are updated anyway, for all built-in chains). type: bool default: false path: description: - The file the iptables state should be saved to. - The file the iptables state should be restored from. type: path required: true state: description: - Whether the firewall state should be saved (into a file) or restored (from a file). type: str choices: [saved, restored] required: true table: description: - When O(state=restored), restore only the named table even if the input file contains other tables. Fail if the named table is not declared in the file. - When O(state=saved), restrict output to the specified table. If not specified, output includes all active tables. type: str choices: [filter, nat, mangle, raw, security] wait: description: - Wait N seconds for the xtables lock to prevent instant failure in case multiple instances of the program are running concurrently. type: int requirements: [iptables, ip6tables] a # This will apply to all loaded/active IPv4 tables. - name: Save current state of the firewall in system file community.general.iptables_state: state: saved path: /etc/sysconfig/iptables # This will apply only to IPv6 filter table. - name: save current state of the firewall in system file community.general.iptables_state: ip_version: ipv6 table: filter state: saved path: /etc/iptables/rules.v6 # This will load a state from a file, with a rollback in case of access loss - name: restore firewall state from a file community.general.iptables_state: state: restored path: /run/iptables.apply async: "{{ ansible_timeout }}" poll: 0 # This will load new rules by appending them to the current ones - name: restore firewall state from a file community.general.iptables_state: state: restored path: /run/iptables.apply noflush: true async: "{{ ansible_timeout }}" poll: 0 # This will only retrieve information - name: get current state of the firewall community.general.iptables_state: state: saved path: /tmp/iptables check_mode: true changed_when: false register: iptables_state - name: show current state of the firewall ansible.builtin.debug: var: iptables_state.initial_state a applied: description: Whether or not the wanted state has been successfully restored. type: bool returned: always sample: true initial_state: description: The current state of the firewall when module starts. type: list elements: str returned: always sample: [ "# Generated by xtables-save v1.8.2", "*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]", "COMMIT", "# Completed" ] restored: description: The state the module restored, whenever it is finally applied or not. type: list elements: str returned: always sample: [ "# Generated by xtables-save v1.8.2", "*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]", "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", "-A INPUT -m conntrack --ctstate INVALID -j DROP", "-A INPUT -i lo -j ACCEPT", "-A INPUT -p icmp -j ACCEPT", "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT", "COMMIT", "# Completed" ] saved: description: The iptables state the module saved. type: list elements: str returned: always sample: [ "# Generated by xtables-save v1.8.2", "*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]", "COMMIT", "# Completed" ] tables: description: - The iptables on the system before the module has run, separated by table. - If the option O(table) is used, only this table is included. type: dict contains: table: description: Policies and rules for all chains of the named table. type: list elements: str sample: |- { "filter": [ ":INPUT ACCEPT", ":FORWARD ACCEPT", ":OUTPUT ACCEPT", "-A INPUT -i lo -j ACCEPT", "-A INPUT -p icmp -j ACCEPT", "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT", "-A INPUT -j REJECT --reject-with icmp-host-prohibited" ], "nat": [ ":PREROUTING ACCEPT", ":INPUT ACCEPT", ":OUTPUT ACCEPT", ":POSTROUTING ACCEPT" ] } returned: always N) AnsibleModule)to_bytes to_nativeiptables ip6tables)ipv4ipv6z iptables-savezip6tables-saveziptables-restorezip6tables-restore)filtermanglenatrawsecurityct|d5}|j}dddjDcgc] }|dk7s | c}S#1swY-xYwcc}w)zD Read a file and store its content in a variable as a list. rN)openread splitlines)b_pathftextts t/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/iptables_state.py read_statersP fc avvx( 4!AGA 44 4sA  AA Ac tj\}}tj|d5}|j dj dj |dddtjj|svtjj|}t|d}|rEtjj|s&tjs tj|d }nt!j"||sd }|r)tjs t%j&|||S|S#1swYxYw#t$r0}tjd|dt|| Yd}~d}~wwxYw#t$r>}t|d} tjd | dt|| Yd}~|Sd}~wwxYw) zL Write given contents to the given path, and return changed status. w{0}  Nsurrogate_or_stricterrorszError creating z: )msg initial_stateTzError saving state into )tempfilemkstemposfdopenwriteformatjoinpathexistsdirnamermodule check_modemakedirs Exception fail_jsonfilecmpcmpshutilcopyfile) rlineschangedtmpfdtmpfiler b_destdirdestdirerrr.s r write_staterA s~ %%'NE7 5# 2! tyy/012 77>>& !GGOOF+ I.CD RWW^^I6v?P?P ) I&  [[& )v(( % OOGV , N7N;22 )  3:IcNK"'!)) ) %V,ABD   8tjjE| }#|D]t}t+|}$|$jd$|gtj3|$\}}}d?|vr|}#|d/k7sFd3j1|$}tj!|#||||||d @ vtjFrtIjJ\}%}&tjL|%dA5}'|'jOdBjQdCj1|dddtSjT|&|r|}(n}(n| \tdD| zd'(}) tjj|)rtjV|)ntYjZdEKtj3|\}}}d?|vrtj!|||||||d @ tj3|d4\}}}t=|}(t?dCj1|(}*|(||fvr,|*j]D]\}+},|+|vrd} n||+|,k7sd} n| tjFrtjC| ||||(dFt_|D]R}!tjj rtYjZd<8tjC| ||||(dFTtj3"d4\}}}tjV tj3|d4\}}}t?|}-dG|dH|dI}.tj!||-k7|.||||(d Jy#1swY=xYw)KNr.T)typerequiredstrsavedrestored)richoicesrj)r rrrr)rirnboolF)ridefault)rir r )rirnrpint) r.staterLnoflushrUmodprobe ip_versionwait_timeout_backrwrx) argument_specrequired_togethersupports_check_modeC)LANG LC_MESSAGESrrrLrsrUrtrurv?z-Lz-nz--testz --countersz--tablez--waitz%sr"r#zmodprobe %s not found)r%zmodprobe %s not a filezmodprobe %s not readablezmodprobe %s not executablez --modproberzSource %s not foundzSource %s not a filezSource %s not readable rCrEr zTable z to restore not defined in z.Unable to initialize firewall from NULL state.)r;cmdrdr&rlz --noflushr]zSource z is not suitable for input to z1Another app is currently holding the xtables lock) r%rrOstdoutstderrrdr&rmappliedrr r!z %s.starterg{Gz?)r;rrdr&rmrz&Failed to confirm state restored from z after z6s. Firewall has been rolled back to its initial state.)r;r%rrdr&rmr)0rr_r1run_command_environ_updaterX get_bin_pathIPTABLESSAVERESTOREr)umaskrbextendrr.r/r5isfileaccessR_OKX_OKrGinsertrr-rHTABLESlenrrRr[rgrA exit_jsonbasenamer2r'r(r*r+r,r6r7removetimesleepitemsrange)/r.rrrLrsrUrtrurvrwrx bin_iptablesbin_iptables_savebin_iptables_restorer; COMMANDARGS INITCOMMAND INITIALIZER TESTCOMMAND FALLBACKCMD b_modprobe SAVECOMMANDrstate_to_restorerrOrrrr& tables_before initref_state MAINCOMMANDb_backrN BACKCOMMAND error_msg testcommandr<r=rrestored_state b_starter tables_after table_name table_contenttables_rollbackr%s/ rmainris 6D1EGZ+@4PE+YZfe4vu5v&0@&Q5!u%F#   ! !!F()-#3(GF% == D MM' "E MM' "EmmI&G}}Z(H}}Z(H|,J == D}}Z(H MM' "E&&x ';TBL++D,ww~~f%   !7$!>  ?yy)   !9D!@  A%f-hh{#!--kD-IR } J  t19 006{a'519FFM7;;' 5!;'t ((; C{#Kq(#?CRWWEUEUVjEklI;' Iq>*%11+>VV >& HI 7((;'C   $+)  *!))+w YYuc " >a GGGNN499]#;< = > ;;w '*N-N   !5>STI77>>),IIi( 4  &11+>VV >& H   $+)   &11+1MVV08(>)BCLm];;)5););)=  %J .Z(M9  })) '#  *x  77>>& ! JJqM  '#   "--kD-IRIIf!--kD-IR+F3OBFx Q  /1  #} > >s 0g..g8__main__) __future__rrrri __metaclass__ DOCUMENTATIONEXAMPLESRETURNrVr)rr'r6r8ansible.module_utils.basicr+ansible.module_utils.common.text.convertersrrr_rrrrrrArRr[rgr__name__rSrrsA@ O b, \U p  4K            85#L, 0`F  zFrS