linux-system-roles
diff --git a/‎README.md‎
Lines changed: 8 additions & 0 deletions b/‎README.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎library/firewall_lib.py‎
Lines changed: 56 additions & 3 deletions b/‎library/firewall_lib.py‎
Lines changed: 56 additions & 3 deletions
@@ -384,6 +384,10 @@ Use `source` to add and remove ipsets from a zone
 When creating an ipset, you must also specify `ipset_type`,
 and optionally `short`, `description`, `ipset_entries`
 
+**NOTE**: You cannot mix IPv4, IPv6, and MAC addresses in the same
+`ipset_entries` list. All addresses must be the same IP type.  This is a
+limitation of the underlying firewalld implementation.
+
 Defining an ipset with all optional fields:
 
 ```yaml
@@ -478,6 +482,10 @@ Used with `ipset`
 Entries must be compatible with the ipset type of the `ipset`
 being created or modified.
 
+**NOTE**: You cannot mix IPv4, IPv6, and MAC addresses in the same
+`ipset_entries` list. All addresses must be the same IP type.  This is a
+limitation of the underlying firewalld implementation.
+
 ```yaml
 ipset: customipset
 ipset_entries:
 
@@ -21,6 +21,9 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from __future__ import absolute_import, division, print_function
+import ipaddress
+
+from firewall.functions import check_mac
 
 __metaclass__ = type
 
@@ -343,6 +346,39 @@ def try_set_zone_of_interface(module, _zone, interface):
     return (False, False)
 
 
+# Check that all of the ipset entries are ipv4, ipv6, or mac addresses
+# if not, fail the module
+# if they are, return "ipv4", "ipv6", or "mac"
+def validate_ipset_entries(ipset_entries, module):
+    addr_type = None
+    is_mixed_addr_types = False
+    for entry in ipset_entries:
+        if check_mac(entry):
+            if addr_type is None:
+                addr_type = "mac"
+            elif addr_type != "mac":
+                is_mixed_addr_types = True
+        else:
+            addr = ipaddress.ip_interface(entry)
+            if addr.version == 4:
+                if addr_type is None:
+                    addr_type = "ipv4"
+                elif addr_type != "ipv4":
+                    is_mixed_addr_types = True
+            elif addr.version == 6:
+                if addr_type is None:
+                    addr_type = "ipv6"
+                elif addr_type != "ipv6":
+                    is_mixed_addr_types = True
+            else:
+                module.fail_json(msg="Invalid IP address - " + entry)
+    if is_mixed_addr_types:
+        module.fail_json(
+            msg="Address types cannot be mixed in ipset entries - " + str(ipset_entries)
+        )
+    return addr_type
+
+
 # Above: adapted from firewall-cmd source code
 
 
@@ -613,13 +649,14 @@ def set_service(
                     else:
                         self.module.fail_json(msg="INVALID SERVICE - " + item)
 
-    def _create_ipset(self, ipset, ipset_type):
+    def _create_ipset(self, ipset, ipset_type, ipset_options):
         if not ipset_type:
             self.module.fail_json(msg="ipset_type needed when creating a new ipset")
 
         fw_ipset = None
         fw_ipset_settings = FirewallClientIPSetSettings()
         fw_ipset_settings.setType(ipset_type)
+        fw_ipset_settings.setOptions(ipset_options)
         if not self.module.check_mode:
             self.fw.config().addIPSet(ipset, fw_ipset_settings)
             fw_ipset = self.fw.config().getIPSetByName(ipset)
@@ -628,6 +665,14 @@ def _create_ipset(self, ipset, ipset_type):
         return fw_ipset, fw_ipset_settings
 
     def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
+        addr_type = validate_ipset_entries(ipset_entries, self.module)
+        if addr_type is None and ipset_entries:
+            self.module.fail_json(msg="Invalid IP address - " + str(ipset_entries))
+        ipset_options = {}
+        if addr_type == "ipv6":
+            ipset_options = {
+                "family": "inet6",
+            }
         ipset_exists = ipset in self.fw.config().getIPSetNames()
         fw_ipset = None
         fw_ipset_settings = None
@@ -641,7 +686,9 @@ def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
                     % (ipset, fw_ipset_settings.getType())
                 )
         elif self.state == "present":
-            fw_ipset, fw_ipset_settings = self._create_ipset(ipset, ipset_type)
+            fw_ipset, fw_ipset_settings = self._create_ipset(
+                ipset, ipset_type, ipset_options
+            )
             self.changed = True
             ipset_exists = True
         if self.state == "present":
@@ -1256,6 +1303,12 @@ def set_service(
                     self.change("--zone", self.zone, op + item)
 
     def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
+        addr_type = validate_ipset_entries(ipset_entries, self.module)
+        if addr_type is None and ipset_entries:
+            self.module.fail_json(msg="Invalid IP address - " + str(ipset_entries))
+        ipset_options = []
+        if addr_type == "ipv6":
+            ipset_options = ["--option", "family=inet6"]
         present = self.check_state(["present", "absent"], "ipset")
         known_ipsets = self.cmd("--get-ipsets").split()
         ipset_exists = ipset in known_ipsets
@@ -1280,7 +1333,7 @@ def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
                     self.module.fail_json(
                         msg="ipset_type needed when creating a new ipset"
                     )
-                self.change("--new-ipset", ipset, "--type=%s" % ipset_type)
+                self.change("--new-ipset", ipset, "--type=%s" % ipset_type, *ipset_options)
 
             existing_description = self.cmd("--ipset", ipset, "--get-description")
             if description is not None and description != existing_description: