Bug 2140880

Summary: missing module in linux-system-roles.firewall to create an ipset
Product: Red Hat Enterprise Linux 8
Reporter: Takashi Sugimura <tsugimur>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: ON_QA
QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
Severity: medium
Docs Contact: Jaroslav Klech <jklech>
Priority: unspecified
Version: 8.6
CC: briasmit, bsmit, djez, jeharris, jharuda, jklech, myllynen, spetrosi, vdanek, vpunj
Target Milestone: rc
Keywords: Triaged
Target Release: 8.9
Flags: rmeggins: needinfo? (djez), rmeggins: needinfo? (vdanek)
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:firewall
Fixed In Version: rhel-system-roles-1.22.0-0.20.el8
Doc Type: Enhancement
Doc Text:
User can specify `state: present` or `state: absent` and `permanent: true` with new ipset arguments to configure ipsets for use in zones using the `source` argument

- firewall_lib.py
  - new argument: ipset - name of ipset
  - new argument: ipset_type - type of ipset
  - new argument: ipset_entry - contents of ipset
  - protections against failure in check mode when enabling and disabling ipsets for zones
- new file: tests/tests_ipsets.yml - tests user defined ipsets (create, modify, delete, use)
- tests: unit: new test cases for triggering ipset warnings and errors
- docs: README, firewall_lib DOCUMENTATION for ipset feature

Enhancement: Users can define, modify, and delete ipsets using the system role, which can be added to and removed from zones or be used when defining rich rules.

Reason: IPSets make firewalld configuration much easier to maintain:
- Rich rules defining rules for many IP addresses can be made much smaller
- Allows for semantic grouping of IP addresses

Also, brings the srole closer to being a full solution for managing firewalld configuration.

Result: Users should be able to manage ipsets using the firewall system role using the following arguments:
- `ipset`
- `ipset_type`
- `ipset_entries`
- `short`
- `description`
- `state: present` or `state: absent`
- `permanent: true`

Issue Tracker Tickets (Jira or BZ if any):
GitHub Issue #106
BZ 2140880 - https://bugzilla.redhat.com/show_bug.cgi?id=2140880
Clone Of:
: 2229802
Type: Bug
Bug Blocks: 2229802

Description Takashi Sugimura 2022-11-08 02:36:56 UTC
Description of problem:

I would like to run a command like "firewall-cmd --new-ipset=foobar --permanent --type=hash:ip" in a playbook rather than using a command module.


Version-Release number of selected component (if applicable):

I believe it doesn't depend on the RHEL version actually, but I set RHEL 8.6 as the latest version.


Additional info:

I searched the ansible.posix.firewalld module as well but it doesn't have a feature to create the ipset.
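The request above, written with the ipset arguments listed in the Doc Text, as an added example that is not taken from this bug or from the role's own documentation. The ipset name and type come from the reporter's `firewall-cmd` line; the host group, the entry addresses (documentation ranges), the `short`/`description` strings and the `internal` zone are constructed for illustration.

```yaml
---
# Added example: manage an ipset through the firewall system role instead of
# calling "firewall-cmd --new-ipset=foobar --permanent --type=hash:ip"
# from a command task.
- name: Define an ipset and allow it as a zone source
  hosts: all                      # assumption: adjust to your inventory
  vars:
    firewall:
      # Create (or update) the permanent ipset definition.
      - ipset: foobar             # name from the reporter's command
        ipset_type: "hash:ip"     # type from the reporter's command
        ipset_entries:            # constructed sample entries (RFC 5737)
          - 192.0.2.10
          - 192.0.2.11
          - 198.51.100.25
        short: Trusted admin hosts            # constructed
        description: Hosts allowed to reach internal services  # constructed
        state: present
        permanent: true

      # Use the ipset as a source for a zone. The "ipset:" prefix is
      # firewalld's syntax for referring to an ipset as a zone source.
      - zone: internal            # assumption: any existing zone works
        source:
          - "ipset:foobar"
        state: enabled
        permanent: true
  roles:
    - rhel-system-roles.firewall
```

Changing the first entry to `state: absent` removes the ipset definition; detach it from any zone first so no zone is left referencing a set that no longer exists.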

Comment 7 Jeremy Harris 2023-07-14 09:04:29 UTC
Also requested for RHEL 9

Comment 8 Rich Megginson 2023-08-01 18:30:21 UTC
Can someone check out and try the proposed PR https://github.com/linux-system-roles/firewall/pull/166 ?