Bug 2140880 - missing module in linux-system-roles.firewall to create an ipset [NEEDINFO]
Summary: missing module in linux-system-roles.firewall to create an ipset
Keywords:
Status: ON_QA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rhel-system-roles
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 8.9
Assignee: Rich Megginson
QA Contact: CS System Management SST QE
Jaroslav Klech
URL:
Whiteboard: role:firewall
Depends On:
Blocks: 2229802
Reported: 2022-11-08 02:36 UTC by Takashi Sugimura
Modified: 2023-08-10 14:04 UTC

Fixed In Version: rhel-system-roles-1.22.0-0.20.el8
Doc Type: Enhancement
Doc Text:
User can specify `state: present` or `state: absent` and `permanent: true` with new ipset arguments to configure ipsets for use in zones using the `source` argument

- firewall_lib.py
  - new argument: ipset - name of ipset
  - new argument: ipset_type - type of ipset
  - new argument: ipset_entry - contents of ipset
  - protections against failure in check mode when enabling and disabling ipsets for zones
- new file: tests/tests_ipsets.yml - tests user defined ipsets (create, modify, delete, use)
- tests: unit: new test cases for triggering ipset warnings and errors
- docs: README, firewall_lib DOCUMENTATION for ipset feature

Enhancement: Users can define, modify, and delete ipsets using the system role, which can be added to and removed from zones or be used when defining rich rules.

Reason: IPSets make firewalld configuration much easier to maintain:
- Rich rules defining rules for many IP addresses can be made much smaller
- Allows for semantic grouping of IP addresses

Also, brings the srole closer to being a full solution for managing firewalld configuration.

Result: Users should be able to manage ipsets using the firewall system role using the following arguments:
- `ipset`
- `ipset_type`
- `ipset_entries`
- `short`
- `description`
- `state: present` or `state: absent`
- `permanent: true`

Issue Tracker Tickets (Jira or BZ if any):
- GitHub Issue #106
- BZ 2140880 - https://bugzilla.redhat.com/show_bug.cgi?id=2140880
Clone Of:
Clones: 2229802
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
rmeggins: needinfo? (djez)
rmeggins: needinfo? (vdanek)


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | linux-system-roles firewall issues 106 | 0 | None | open | creating ipset | 2022-11-08 02:58:55 UTC |
| Github | linux-system-roles firewall pull 166 | 0 | None | open | feat: define, modify, and remove ipsets | 2023-08-01 18:30:21 UTC |
| Red Hat Issue Tracker | RHELPLAN-138628 | 0 | None | None | None | 2022-11-08 03:13:50 UTC |

Description Takashi Sugimura 2022-11-08 02:36:56 UTC
Description of problem:

I would like to run a command like "firewall-cmd --new-ipset=foobar --permanent --type=hash:ip" in a playbook rather than using a command module.


Version-Release number of selected component (if applicable):

I believe it doesn't depend on the RHEL version actually, but I set RHEL 8.6 as the latest version.


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

I searched the ansible.posix.firewalld module as well but it doesn't have a feature to create the ipset.

Comment 7 Jeremy Harris 2023-07-14 09:04:29 UTC
Also requested for RHEL 9

Comment 8 Rich Megginson 2023-08-01 18:30:21 UTC
Can someone check out and try the proposed PR https://github.com/linux-system-roles/firewall/pull/166 ?
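
The playbook below is an added example, not part of the bug report or the role's own tests. It shows how the arguments listed in the Doc Text could express the reporter's `firewall-cmd` request and then attach the set to a zone. The zone name, the sample addresses, the `short`/`description` text and the `ipset:` prefix on `source` are assumptions.

```yaml
# Added example: define an ipset and use it as a zone source
# with the firewall system role. Values marked "constructed" are samples.
- name: Manage an ipset with the firewall system role
  hosts: all
  become: true
  vars:
    firewall:
      # Role equivalent of the reporter's command:
      #   firewall-cmd --new-ipset=foobar --permanent --type=hash:ip
      - ipset: foobar
        ipset_type: "hash:ip"
        short: foobar                              # constructed
        description: Constructed sample admin hosts
        ipset_entries:
          - 192.0.2.10                             # constructed (TEST-NET-1)
          - 192.0.2.11                             # constructed (TEST-NET-1)
        state: present
        permanent: true

      # Use the set in a zone through the `source` argument.
      # Assumption: sets are referenced as "ipset:<name>", as in firewalld.
      - zone: internal                             # assumed zone name
        source: "ipset:foobar"
        state: enabled
        permanent: true
  roles:
    - linux-system-roles.firewall
```

Grouping addresses in a named set keeps the zone definition to one source entry, so changing which hosts are trusted is an edit to `ipset_entries` rather than to the zone or its rich rules.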

