Thank you for taking the time to fill this feature request fully. Without it we may not be able to , and the issue may be closed without resolution.
:person_frowning: Problem Statement
I've recently begun trying to apply this cookbook after coming from the now-defunct firewalld cookbook, and am getting confounded by the application of rules to firewalld zones. I have a rather complicated zone that encompasses a collection of IP ranges and netmasks, for which I want to apply most of my rules. Any standard rule or rich rule I apply using the firewalld_zone resource overwrites any existing rules. And if I use the simpler approach of using the firewall_rule resource, I need to specify the source for each rule, and with many rules and many sources for each one, that gets unwieldy.
❔ Possible Solution
It would be nice to be able to either:
- In the firewall_rule resource, specify a firewalld zone instead of an array of IP addresses/ranges; or
- In the firewalld_zone resource, specify a rule or rich rule that does not overwrite any existing rules for that zone.
Or is there a completely different and better approach to this that I'm missing?
Note that I am not responsible for the firewall_rule-implementation for firewalld, I just added all the firewalld_* resources.
Your assumptions, however, are correct. There is currently no way of adding rules in the firewalld_zone-resource without deleting all the other rules in it. Since the dbus-interface of firewalld has a method called addRichRule that allows adding a rich rule to a zone, it should not be that much work to add this functionality.
I currently do not have that much spare time, so it may take some time for me to do it.
As a workaround, I can only suggest specifying an array of rich rules as the argument to the rules_str-property of the firewalld_zone-resource.
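The workaround in the comment above only holds if every rich rule for the zone is declared in one place, because the resource replaces the zone's rules. As an added example (not code from the cookbook or from either poster), this plain-Ruby helper builds that single validated array; `rich_rule`, `zone_rich_rules`, the sample rules and the zone name in the closing comment are hypothetical, and the commented `firewalld_zone` call assumes `rules_str` takes the array as described above.

```ruby
require 'ipaddr'
# Hypothetical helpers, not part of the firewall cookbook.
PROTOCOLS = %w(tcp udp sctp dccp).freeze
ACTIONS   = %w(accept reject drop).freeze

# Build one firewalld rich rule string; raises ArgumentError on malformed input.
def rich_rule(spec)
  parts = ['rule']
  if spec[:source]
    addr = IPAddr.new(spec[:source]) # raises on a malformed address or prefix
    parts << %(family="#{addr.ipv4? ? 'ipv4' : 'ipv6'}")
    parts << %(source address="#{spec[:source]}")
  end
  if spec[:service]
    name = spec[:service].to_s
    raise ArgumentError, "bad service #{name.inspect}" unless name.match?(/\A[\w.-]+\z/)
    parts << %(service name="#{name}")
  elsif spec[:port]
    port  = Integer(spec[:port])
    proto = spec.fetch(:protocol, 'tcp').to_s
    raise ArgumentError, "bad port #{port}/#{proto}" unless (1..65_535).cover?(port) && PROTOCOLS.include?(proto)
    parts << %(port port="#{port}" protocol="#{proto}")
  else
    raise ArgumentError, 'rule needs :service or :port'
  end
  action = spec.fetch(:action, 'accept').to_s
  raise ArgumentError, "bad action #{action.inspect}" unless ACTIONS.include?(action)
  parts << action
  parts.join(' ')
end

# Expand each spec over its optional :sources; de-duplicate and sort for a stable order.
def zone_rich_rules(specs)
  specs.flat_map do |spec|
    sources = Array(spec[:sources])
    sources = [nil] if sources.empty?
    sources.map { |src| rich_rule(spec.merge(source: src)) }
  end.uniq.sort
end

# Constructed sample rules for one zone.
SAMPLE_RULES = [
  { service: 'ssh' },
  { port: 8443, protocol: 'tcp', sources: ['10.1.0.0/16', '2001:db8::/32'] },
].freeze
puts zone_rich_rules(SAMPLE_RULES)
# In a recipe, the whole array goes into a single declaration (sketch):
#   firewalld_zone('internal') { rules_str zone_rich_rules(SAMPLE_RULES) }
```

Rules without `:sources` carry no source match and so apply to whatever traffic the zone itself already selects.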