Templating firewalld zones with Ansible - XML or vars issue

Asked by Wipiid, 2021-02-03 09:51:34 +0800 CST


Templating firewalld zones with Ansible - XML manipulation issue. I am a bit confused about the series of rules.

What is in my CORRECTED vars file:

firewalld_zones: 
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - { name: ssh }
      - { name: dhcpv6-client }
    port:
      - { protocol: tcp, port: 8000 }
      - { protocol: tcp, port: 8089 }
      - { protocol: udp, port: 52311 }
      - { protocol: udp, port: 514 }
      - { protocol: tcp, port: 8191 }
      - { protocol: tcp, port: 8888 }
    masquerade: true
    forward-port:
      - { to-port: 8000, protocol: tcp, port: 443 }
    rule:
      - family: ipv4
        source:
          - address: "172.18.0.0/16"
          - action: accept
      - family: ipv4
        source:
          - address: "172.17.0.0/16"
          - action: accept

With the corrected vars and template I get:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8089"/>
  <port protocol="udp" port="52311"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="8191"/>
  <port protocol="tcp" port="8888"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
</zone>

Could you provide an example variable that mixes rule with rule family? I have tried countless iterations without luck. :(

Contents of my corrected template file:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
  {% for name,value in subtag.items() %}
{% if name in ['action'] %}
  <{{ value }}/>
{% else %}
  <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>

Tags: firewalld ansible template firewalld-zone jinja2

2 answers

Answer by Michael Hampton, 2021-02-03T10:14:01+08:00

The template expects "source", but you typed "source address". I am a bit surprised Ansible did not complain about this, since it is clearly an error.

It should look like this:

rule:
  - {family: ipv4, source: {address: 172.18.0.0/16}, action: accept}
  - {family: ipv4, source: {address: 172.17.0.0/16}, action: accept}
Best Answer, by Wipiid, 2021-02-04T11:25:48+08:00

After spending some time looking at the template file and playing with it, I found that there were spacing/indentation problems in the template file as well as structural problems in my vars file.

I will update my question with the corrected versions so that the difference can be seen.

Modified template file:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
  {% for name,value in subtag.items() %}
{% if name in ['action'] %}
  <{{ value }}/>
{% else %}
  <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>


Modified vars structure:

firewalld_zones:
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - { name: ssh }
      - { name: dhcpv6-client }
    port:
      - { protocol: tcp, port: 8000 }
      - { protocol: tcp, port: 8089 }
      - { protocol: udp, port: 52311 }
      - { protocol: udp, port: 514 }
      - { protocol: tcp, port: 8191 }
      - { protocol: tcp, port: 8888 }
    masquerade: true
    forward-port:
      - { to-port: 8000, protocol: tcp, port: 443 }
    rule:
      - family: ipv4
        source:
          - address: "172.18.0.0/16"
          - action: accept
      - family: ipv4
        source:
          - address: "172.17.0.0/16"
          - action: accept


Output of the compiled file:

# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8089"/>
  <port protocol="udp" port="52311"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="8191"/>
  <port protocol="tcp" port="8888"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
</zone>
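The vars-to-XML mapping that the corrected template applies, as an added example that is not code from the question or either answer: a stdlib-only Python rendering of the same rules (repeatable tags become one element per list entry, boolean flags become empty elements, an "action" entry inside a rule's list becomes the action element), followed by a lint pass that flags a rich rule with no action or with no match conditions, which is worth running before the generated file is deployed. The zone dict is constructed from the question's vars file; build_zone and lint_zone are names assumed here, and the template's description/target handling is left out.

```python
import xml.etree.ElementTree as ET  # added example, not the poster's template: stdlib only
# Tag lists copied from the Jinja2 conditions in the question's template.
REPEATABLE = ['interface', 'source', 'service', 'port', 'protocol',
              'icmp-block', 'forward-port', 'source-port']
RULE_TAGS = ['source', 'destination', 'service', 'port', 'icmp-block',
             'icmp-type', 'masquerade', 'forward-port', 'protocol']
PUBLIC_ZONE = {  # constructed from the question's vars file, shortened to two ports
    'name': 'public', 'short': 'Public',
    'service': [{'name': 'ssh'}, {'name': 'dhcpv6-client'}],
    'port': [{'protocol': 'tcp', 'port': 8000}, {'protocol': 'udp', 'port': 514}],
    'masquerade': True,
    'forward-port': [{'to-port': 8000, 'protocol': 'tcp', 'port': 443}],
    'rule': [
        {'family': 'ipv4', 'source': [{'address': '172.18.0.0/16'}, {'action': 'accept'}]},
        {'family': 'ipv4', 'source': [{'address': '172.17.0.0/16'}, {'action': 'accept'}]},
    ],
}

def build_zone(zone):
    """Render one zone dict to firewalld zone XML, applying the template's mapping rules."""
    root = ET.Element('zone')
    ET.SubElement(root, 'short').text = zone.get('short', zone['name']).upper()
    for tag, value in zone.items():
        if tag in REPEATABLE:                  # one element per list entry
            for sub in value:
                ET.SubElement(root, tag, {k: str(v) for k, v in sub.items()})
        elif tag in ('icmp-block-inversion', 'masquerade') and value is True:
            ET.SubElement(root, tag)           # boolean flag -> empty element
    for rule in zone.get('rule', []):
        r = ET.SubElement(root, 'rule', {'family': rule['family']} if 'family' in rule else {})
        for tag in (t for t in rule if t in RULE_TAGS):
            for sub in rule[tag]:
                for name, val in sub.items():
                    if name == 'action':       # {action: accept} -> <accept/>
                        ET.SubElement(r, val)
                    else:
                        ET.SubElement(r, tag, {name: str(val)})
    return ET.tostring(root, encoding='unicode')

def lint_zone(xml_text):
    """Flag rich rules that will not behave the way the vars file suggests."""
    problems = []
    for i, rule in enumerate(ET.fromstring(xml_text).findall('rule')):
        actions = [c.tag for c in rule if c.tag in ('accept', 'reject', 'drop', 'mark')]
        if len(actions) != 1:
            problems.append(f'rule {i}: expected exactly one action, got {actions}')
        if len(rule) == len(actions):
            problems.append(f'rule {i}: no match conditions, so it applies to all traffic')
    return problems
```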
