feat: add IPv6 ipset support

Feature: Add support for IPv6 addresses to ipsets.  You can now specify IPv6 addresses
when using `ipset` in the `ipset_entries` list when using `hash:ip` or `hash:net`.

Reason: Users need to be able to specify IPv6 addresses in `ipset` definitions.

Result: Users can specify IPv6 addresses in `ipset` definitions.

NOTE: You cannot mix IPv4, IPv6, and MAC addresses in the same `ipset_entries` list.
This is a limitation of the underlying firewalld implementation.

Signed-off-by: Rich Megginson <[email protected]>

Author: richm

.sanity-ansible-ignore-2.18.txt

@@ -0,0 +1,2 @@
+plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
+plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license

.sanity-ansible-ignore-2.19.txt

@@ -0,0 +1,2 @@
+plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
+plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license

README.md

@@ -384,6 +384,10 @@ Use `source` to add and remove ipsets from a zone
 When creating an ipset, you must also specify `ipset_type`,
 and optionally `short`, `description`, `ipset_entries`
 
+**NOTE**: You cannot mix IPv4, IPv6, and MAC addresses in the same
+`ipset_entries` list. All addresses must be the same IP type.  This is a
+limitation of the underlying firewalld implementation.
+
 Defining an ipset with all optional fields:
 
 ```yaml
@@ -478,6 +482,10 @@ Used with `ipset`
 Entries must be compatible with the ipset type of the `ipset`
 being created or modified.
 
+**NOTE**: You cannot mix IPv4, IPv6, and MAC addresses in the same
+`ipset_entries` list. All addresses must be the same IP type.  This is a
+limitation of the underlying firewalld implementation.
+
 ```yaml
 ipset: customipset
 ipset_entries:

library/firewall_lib.py

@@ -20,7 +20,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from __future__ import absolute_import, division, print_function
+from __future__ import absolute_import, division, print_function, unicode_literals
 
 __metaclass__ = type
 
@@ -283,6 +283,24 @@
 import re
 import os
 
+try:
+    import ipaddress
+
+    HAS_IPADDRESS = True
+except ImportError:
+    HAS_IPADDRESS = False
+
+try:
+    from firewall.functions import check_mac
+
+    HAS_CHECK_MAC = True
+except ImportError:
+    HAS_CHECK_MAC = False
+
+    def check_mac(mac):
+        return False
+
+
 try:
     import firewall.config
 
@@ -343,6 +361,42 @@ def try_set_zone_of_interface(module, _zone, interface):
     return (False, False)
 
 
+# Check that all of the ipset entries are ipv4, ipv6, or mac addresses
+# if not, fail the module
+# if they are, return "ipv4", "ipv6", or "mac"
+def validate_ipset_entries(ipset_entries, module):
+    addr_type = None
+    is_mixed_addr_types = False
+    for entry in ipset_entries:
+        if check_mac(entry):
+            if addr_type is None:
+                addr_type = "mac"
+            elif addr_type != "mac":
+                is_mixed_addr_types = True
+        else:
+            if HAS_IPADDRESS:
+                addr = ipaddress.ip_interface(entry)
+            else:
+                module.fail_json(msg="No IP address library found")
+            if addr.version == 4:
+                if addr_type is None:
+                    addr_type = "ipv4"
+                elif addr_type != "ipv4":
+                    is_mixed_addr_types = True
+            elif addr.version == 6:
+                if addr_type is None:
+                    addr_type = "ipv6"
+                elif addr_type != "ipv6":
+                    is_mixed_addr_types = True
+            else:
+                module.fail_json(msg="Invalid IP address - " + entry)
+    if is_mixed_addr_types:
+        module.fail_json(
+            msg="Address types cannot be mixed in ipset entries - " + str(ipset_entries)
+        )
+    return addr_type
+
+
 # Above: adapted from firewall-cmd source code
 
 
@@ -613,13 +667,14 @@ def set_service(
                     else:
                         self.module.fail_json(msg="INVALID SERVICE - " + item)
 
-    def _create_ipset(self, ipset, ipset_type):
+    def _create_ipset(self, ipset, ipset_type, ipset_options):
         if not ipset_type:
             self.module.fail_json(msg="ipset_type needed when creating a new ipset")
 
         fw_ipset = None
         fw_ipset_settings = FirewallClientIPSetSettings()
         fw_ipset_settings.setType(ipset_type)
+        fw_ipset_settings.setOptions(ipset_options)
         if not self.module.check_mode:
             self.fw.config().addIPSet(ipset, fw_ipset_settings)
             fw_ipset = self.fw.config().getIPSetByName(ipset)
@@ -628,6 +683,14 @@ def _create_ipset(self, ipset, ipset_type):
         return fw_ipset, fw_ipset_settings
 
     def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
+        addr_type = validate_ipset_entries(ipset_entries, self.module)
+        if addr_type is None and ipset_entries:
+            self.module.fail_json(msg="Invalid IP address - " + str(ipset_entries))
+        ipset_options = {}
+        if addr_type == "ipv6":
+            ipset_options = {
+                "family": "inet6",
+            }
         ipset_exists = ipset in self.fw.config().getIPSetNames()
         fw_ipset = None
         fw_ipset_settings = None
@@ -641,7 +704,9 @@ def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
                     % (ipset, fw_ipset_settings.getType())
                 )
         elif self.state == "present":
-            fw_ipset, fw_ipset_settings = self._create_ipset(ipset, ipset_type)
+            fw_ipset, fw_ipset_settings = self._create_ipset(
+                ipset, ipset_type, ipset_options
+            )
             self.changed = True
             ipset_exists = True
         if self.state == "present":
@@ -1256,6 +1321,12 @@ def set_service(
                     self.change("--zone", self.zone, op + item)
 
     def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
+        addr_type = validate_ipset_entries(ipset_entries, self.module)
+        if addr_type is None and ipset_entries:
+            self.module.fail_json(msg="Invalid IP address - " + str(ipset_entries))
+        ipset_options = []
+        if addr_type == "ipv6":
+            ipset_options = ["--option", "family=inet6"]
         present = self.check_state(["present", "absent"], "ipset")
         known_ipsets = self.cmd("--get-ipsets").split()
         ipset_exists = ipset in known_ipsets
@@ -1280,7 +1351,9 @@ def set_ipset(self, ipset, description, short, ipset_type, ipset_entries):
                     self.module.fail_json(
                         msg="ipset_type needed when creating a new ipset"
                     )
-                self.change("--new-ipset", ipset, "--type=%s" % ipset_type)
+                self.change(
+                    "--new-ipset", ipset, "--type=%s" % ipset_type, *ipset_options
+                )
 
             existing_description = self.cmd("--ipset", ipset, "--get-description")
             if description is not None and description != existing_description:
@@ -1635,6 +1708,10 @@ def get_forward_port(module):
 def parse_forward_port(module, item):
     type_string = "forward_port"
 
+    _port = None
+    _protocol = None
+    _to_port = None
+    _to_addr = None
     if isinstance(item, dict):
         if "port" not in item:
             module.fail_json(

pytest_extra_requirements.txt

@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: MIT
 
 # Write extra requirements for running pytest here:
+firewall
 # If you need ansible then uncomment the following line:
 -ransible_pytest_extra_requirements.txt
 # If you need mock then uncomment the following line: