Vh>^<ddlmZmZmZeZdZdZdZddl Z ddl m Z m Z ddl mZmZmZmZmZddlmZdd lmZmZ ddlZd ZdZgd Zd dgZdZ dZ!ddZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)e*dk(re)yy#e$rZe j:Zd ZYdZ[RdZ[wwxYw))absolute_importdivisionprint_functiona module: firewall short_description: Manage Hetzner's dedicated server firewall author: - Felix Fontein (@felixfontein) description: - Manage Hetzner's dedicated server firewall. - Note that idempotency check for TCP flags simply compares strings and does not try to interpret the rules. This might change in the future. requirements: - ipaddress seealso: - name: Firewall documentation description: Hetzner's documentation on the stateless firewall for dedicated servers. link: https://docs.hetzner.com/robot/dedicated-server/firewall/ - module: community.hrobot.firewall_info description: Retrieve information on firewall configuration. extends_documentation_fragment: - community.hrobot.robot - community.hrobot.attributes - community.hrobot.attributes.actiongroup_robot attributes: action_group: version_added: 1.6.0 check_mode: support: full diff_mode: support: full idempotent: support: full options: server_ip: description: - The server's main IP address. - Exactly one of O(server_ip) and O(server_number) must be specified. - Note that Hetzner deprecated identifying the server's firewall by the server's main IP. Using this option can thus stop working at any time in the future. Use O(server_number) instead. type: str server_number: description: - The server's number. - Exactly one of O(server_ip) and O(server_number) must be specified. type: int version_added: 1.8.0 filter_ipv6: description: - Whether to filter IPv6 traffic as well. - IPv4 traffic is always filtered, IPv6 traffic filtering needs to be explicitly enabled. type: bool version_added: 1.8.0 port: description: - Switch port of firewall. type: str choices: [main, kvm] default: main state: description: - Status of the firewall. - Firewall is active if state is V(present), and disabled if state is V(absent). type: str default: present choices: [present, absent] allowlist_hos: description: - Whether Hetzner services have access. type: bool aliases: - whitelist_hos rules: description: - Firewall rules. type: dict suboptions: input: description: - Input firewall rules. type: list elements: dict suboptions: name: description: - Name of the firewall rule. - Note that Hetzner restricts the characters that can be used for rule names. At the moment, only letters C(a-z), C(A-Z), space, and the symbols C(.), C(-), C(+), C(_), and C(@) are allowed. type: str ip_version: description: - Internet protocol version. - Leave away to filter both protocols. Note that in that case, none of O(rules.input[].dst_ip), O(rules.input[].src_ip), or O(rules.input[].protocol) can be specified. type: str dst_ip: description: - Destination IP address or subnet address. - CIDR notation. type: str dst_port: description: - Destination port or port range. type: str src_ip: description: - Source IP address or subnet address. - CIDR notation. type: str src_port: description: - Source port or port range. type: str protocol: description: - Protocol above IP layer. type: str tcp_flags: description: - TCP flags or logical combination of flags. - Flags supported by Hetzner are V(syn), V(fin), V(rst), V(psh) and V(urg). - They can be combined with V(|) (logical or) and V(&) (logical and). - See L(the documentation,https://wiki.hetzner.de/index.php/Robot_Firewall/en#Parameter) for more information. type: str action: description: - Action if rule matches. required: true type: str choices: [accept, discard] output: description: - Output firewall rules. type: list elements: dict version_added: 1.8.0 suboptions: name: description: - Name of the firewall rule. - Note that Hetzner restricts the characters that can be used for rule names. At the moment, only letters C(a-z), C(A-Z), space, and the symbols C(.), C(-), C(+), C(_), and C(@) are allowed. type: str ip_version: description: - Internet protocol version. - Leave away to filter both protocols. Note that in that case, none of O(rules.output[].dst_ip), O(rules.output[].src_ip), or O(rules.output[].protocol) can be specified. type: str dst_ip: description: - Destination IP address or subnet address. - CIDR notation. type: str dst_port: description: - Destination port or port range. type: str src_ip: description: - Source IP address or subnet address. - CIDR notation. type: str src_port: description: - Source port or port range. type: str protocol: description: - Protocol above IP layer. type: str tcp_flags: description: - TCP flags or logical combination of flags. - Flags supported by Hetzner are V(syn), V(fin), V(rst), V(psh) and V(urg). - They can be combined with V(|) (logical or) and V(&) (logical and). - See L(the documentation,https://wiki.hetzner.de/index.php/Robot_Firewall/en#Parameter) for more information. type: str action: description: - Action if rule matches. required: true type: str choices: [accept, discard] update_timeout: description: - Timeout to use when configuring the firewall. - Note that the API call returns before the firewall has been successfully set up. type: int default: 30 wait_for_configured: description: - Whether to wait until the firewall has been successfully configured before determining what to do, and before returning from the module. - The API returns status C(in progress) when the firewall is currently being configured. If this happens, the module will try again until the status changes to C(active) or C(disabled). - Please note that there is a request limit. If you have to do multiple updates, it can be better to disable waiting, and regularly use M(community.hrobot.firewall_info) to query status. type: bool default: true wait_delay: description: - Delay to wait (in seconds) before checking again whether the firewall has been configured. type: int default: 10 timeout: description: - Timeout (in seconds) for waiting for firewall to be configured. type: int default: 180 a --- - name: Configure firewall for server with main IP 1.2.3.4 community.hrobot.firewall: hetzner_user: foo hetzner_password: bar server_ip: 1.2.3.4 state: present filter_ipv6: true allowlist_hos: true rules: input: - name: Allow ICMP protocol # This is needed so you can ping your server ip_version: ipv4 protocol: icmp action: accept # Note that it is not possible to disable ICMP for IPv6 # (https://robot.hetzner.com/doc/webservice/en.html#post-firewall-server-id) - name: Allow responses to incoming TCP connections protocol: tcp dst_port: '32768-65535' tcp_flags: ack action: accept - name: Allow restricted access from some known IPv4 addresses # Allow everything to ports 20-23 from 4.3.2.1/24 (IPv4 only) ip_version: ipv4 src_ip: 4.3.2.1/24 dst_port: '20-23' action: accept - name: Allow everything to port 443 dst_port: '443' action: accept - name: Drop everything else action: discard output: - name: Accept everything action: accept register: result - ansible.builtin.debug: msg: "{{ result }}" a[ firewall: description: - The firewall configuration. type: dict returned: success contains: port: description: - Switch port of firewall. - V(main) or V(kvm). type: str sample: main server_ip: description: - Server's main IP address. type: str sample: 1.2.3.4 server_number: description: - Hetzner's internal server number. type: int sample: 12345 status: description: - Status of the firewall. - V(active) or V(disabled). - Will be V(in process) if the firewall is currently updated, and O(wait_for_configured) is set to V(false) or O(timeout) to a too small value. type: str sample: active allowlist_hos: description: - Whether Hetzner services have access. type: bool sample: true version_added: 1.2.0 whitelist_hos: description: - Whether Hetzner services have access. - Old name of return value V(allowlist_hos), will be removed eventually. type: bool sample: true rules: description: - Firewall rules. type: dict contains: input: description: - Input firewall rules. type: list elements: dict contains: name: description: - Name of the firewall rule. type: str sample: Allow HTTP access to server ip_version: description: - Internet protocol version. - No value means the rule applies both to IPv4 and IPv6. type: str sample: ipv4 dst_ip: description: - Destination IP address or subnet address. - CIDR notation. type: str sample: 1.2.3.4/32 dst_port: description: - Destination port or port range. type: str sample: "443" src_ip: description: - Source IP address or subnet address. - CIDR notation. type: str sample: src_port: description: - Source port or port range. type: str sample: protocol: description: - Protocol above IP layer. type: str sample: tcp tcp_flags: description: - TCP flags or logical combination of flags. type: str sample: action: description: - Action if rule matches. - V(accept) or V(discard). type: str sample: accept choices: - accept - discard output: description: - Output firewall rules. type: list elements: dict contains: name: description: - Name of the firewall rule. type: str sample: Allow HTTP access to server ip_version: description: - Internet protocol version. - No value means the rule applies both to IPv4 and IPv6. type: str sample: dst_ip: description: - Destination IP address or subnet address. - CIDR notation. type: str sample: 1.2.3.4/32 dst_port: description: - Destination port or port range. type: str sample: "443" src_ip: description: - Source IP address or subnet address. - CIDR notation. type: str sample: src_port: description: - Source port or port range. type: str sample: protocol: description: - Protocol above IP layer. type: str sample: tcp tcp_flags: description: - TCP flags or logical combination of flags. type: str sample: action: description: - Action if rule matches. - V(accept) or V(discard). type: str sample: accept choices: - accept - discard N) AnsibleModulemissing_required_lib)ROBOT_DEFAULT_ARGUMENT_SPECBASE_URLfetch_url_jsonfetch_url_json_with_retriesCheckDoneTimeoutException) urlencode) to_nativeto_textTF name ip_versiondst_ipdst_portsrc_ipsrc_portprotocol tcp_flagsactioninputoutputc^t}|jD]\}}||vs |||<|SN)dictitems) dictionaryfieldsresultkvs m/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/hrobot/plugins/modules/firewall.py restrict_dictr&s< VF  "1 ;F1I Mct|gd}t|d<tD]<}|dj|xsgDcgc]}t|tc}|d|<>|Scc}w)N)portstatus filter_ipv6 whitelist_hosrules)r&rRULESgetRULE_OPTION_NAMES)configr"rulesetrules r%restrict_firewall_configr4st 6#U VFfF7O w++G4:$  $ 1 2$ w  M $ sA#cd|j|}|||<d}||xs|}| ||k7}|r|||<|S)NF)r/)beforeafterparamsr param_namebvchangedpvs r%updater=sL D BE$KG  "d #B ~( E$K Nr'c|||Sd|vr|jd\}}n|d}}ttjt |j }|dk(r|j dk(rdnd}|dz|zS)N/ipv432128)splitr ipaddress ip_addressr compressedlower)iprrangeip_addrs r% normalize_iprLs~ zZ'  byHHSM EE ,,WR[9DDEG {"((*f4% S=5  r'c|d|}|d|}|d|}t|t|k7}t|D]\}} t| d| d| d<t| d| d| d<|t|kr6||} t| d| d| d<t| d| d| d<| | k7rd}|j| |S)Nr-rrrT)len enumeraterLappend) r6r7r8r2 before_rules after_rules params_rulesr;nor3 before_rules r% update_rulesrVs'?7+L.)K'?7+L,3|#44Gl+ !D%d8nd<6HIX%d8nd<6HIX L! !&r*K$0X1F T`Ha$bK !$0X1F T`Ha$bK !d"4  ! Nr'c t|d|D]6\}}|jD]\}}| ||dj|||< 8y)Nr-zrules[{0}][{1}][{2}])rOrformat)rrulenamerir3r#r$s r% encode_ruler[ s_U7^H56J4JJL JDAq}HI-44Xq!DE JJr'c:t}tD]}g||< |Sr)rr.)r-r2s r%create_default_rules_objectr]s& FEg Lr'cP|j}|jdd|d<|S)Nr,F allowlist_hos)copyr/)firewall_results r% fix_namingrbs-%**,O'6':':?E'ROO$ r'c|dddk7S)Nfirewallr* in process)r"errors r%firewall_configuredrh!s * h '< 77r'c" ttdtdtddddgtdtdddd gtdd g td ttd d ttdtdtdtdtdtdtdtdtddddg tdgdgdgtd d ttdtdtdtdtdtdtdtdtddddg tdgdgdgtddtddtddtdd }|jtt|d}ts |j t dt|jd dk(rd!nd"|jd#<|jd$i|jd$<tD]3}|jd$j|"g|jd$|<5|jd%xs|jd&}d'jt|}|jd(r3 t||t|jd)|jd*+\}}n-t!||\}}t||s|j d.-d/}|jd$s t#|d$<t%|} t| } d0} | t| | |jd1z} | t| | |jd2z} | t| | |jd#z} | t| | |jd d3z} t#| d$<|jd#d!k(r&tD]} | t'| | |j| z} d} d}| r=|j(s0d'jt|}d4d5i}t| }t+|d1j-|d1<t+|d j-|d <|d$=tD]} t/|| | t!||d6|jd7t1||8\}}|jd(r?t||s3 t||t|jd)|jd*d9\}}|d/}|jd$s t#|d$<|d#}|d:k7r t%|} d0} | r^t|}| j9D]\}}|d$k7s | |||<|||d#<t|d$<tD]} | d$| |d$| <|j;| tt=| t=| ;t=<y#t$r}|j d,-Yd}~d}~wwxYw#t$r4}|j2|j4}}|j7d,Yd}~6d}~wwxYw)=Nstr)typeintmainkvm)rkdefaultchoicesboolpresentabsentr,)rkaliasesrlistTacceptdiscard)rkrequiredrprr)rrr)rkelementsoptions required_by)rr)rkrz)rkro ) server_ip server_numberr)r+stater_r-update_timeoutwait_for_configured wait_delaytimeout) argument_specsupports_check_moderE)msg exceptionractivedisabledr*r-rrz{0}/firewall/{1}rrr)check_done_callbackcheck_done_delaycheck_done_timeoutz4Timeout while waiting for firewall to be configured.)rz>Firewall configuration cannot be read as it is not configured.rdFr+r)r_z Content-typez!application/x-www-form-urlencodedPOSTr)methodrdataheaders)rrr skip_firstre)r6r7)r;diffrd)rr=rr HAS_IPADDRESS fail_jsonrIPADDRESS_IMP_ERRr8r.r/rXr r rhr r r]r4rV check_moderjrHr[r r"rgwarnr exit_jsonrb)rmodulechain server_idurlr"rgdummy full_beforer6r7r;r2construct_resultconstruct_statusrre full_afterr#r$s r%rmrm%sLE"& ufvuo Ff%y9h:OP0ABFVTu%U+'5)'5)5)E*)?TU > ~|nXdWef hVfdu%U+'5)'5)5)E*)?TU ? ~|nXdWef h)  03 fd;UB/%-E#MH45 # F 1+>J[\,2==+AY+NhU_FMM( }}W%!# g/ == ! % %e , 4,.FMM' "5 )/ k*LfmmO.LI  # #Hi 8C }}*+ Y7$7!'|!<#)==#; MFE'vs3 "651   !a  b$K ??7 #:< G %k 2F LEG vfeV]]MBBG vfeV]]F;;G vfeV]]H==G vfeV]]O_UUG02E'N }}X(* KG |FE6=='J JG Kv(( '')<!#FGE{!$}"56<<>] #D$9 : @ @ B_ M .G gu - .&  MM"234   ==. /8KFTY8Z T ;(;%+]]<%@'-}}Y'?# ! J' ~~g&"="?Jw %h/ | +,Z8E$ +& KKM )DAqG| %a 1  )  '#3Jx "f 7 CG+0>'+BJw  ( C  f%U# J' c) Y   !W  X X Yn- T !!'' RSS Ts01W-&2X- X6XX Y)YY__main__r)+ __future__rrrrk __metaclass__ DOCUMENTATIONEXAMPLESRETURN tracebackansible.module_utils.basicrr?ansible_collections.community.hrobot.plugins.module_utils.robotrr r r r +ansible.module_utils.six.moves.urllib.parser +ansible.module_utils.common.text.convertersrrrErr ImportErrorexc format_excr0r.r&r4r=rLrVr[r]rbrhrm__name__rfr'r%rsA@ Q f* Xd LJBJM  (  !$J 8[| zFC, ,,.MsA99B>BB