Templating firewalld zones with ansible - issue with xml manipulation
With ansible 2.9 on RHEL7.6 I'm trying to configure individual firewalld zones which also includes configuration of rich rules. It all works fine, except when I'm trying to template adding a rich rule in. In the example below, I'm attempting to add a rich rule allowing VRRP traffic.
Ansible task:
- name: Configure firewalld zones
template:
src: zone_template.xml.j2
dest: /etc/firewalld/zones/{{ item.name }}.xml
with_items: "{{ firewalld_zones }}"
notify: reload firewalld
loop_control:
label: "{{ item.name }}"
The variable firewalld_zones
is defined in my defaults/main.yml as the following:
firewalld_zones:
- name: public
short: "Public"
description: "Public Zone"
port:
- { port: 300, protocol: tcp }
- { port: 300, protocol: udp }
rule:
- protocol:
- value: "vrrp"
- action: accept
Snippet of my template zone_template.xml.j2
:
<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
<short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
<description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
<{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
<{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
<rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
{% if subtag in ['action'] %}
<{% for name,value in subtag.items() %}{{ name }}{% endfor %}/>
{% endif %}
<{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{% endif %}
</rule>
{% endfor %}
{% endfor %}
</zone>
With this I get :
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>PUBLIC</short>
<description>Public Zone</description>
<port protocol="tcp" port="300"/>
<port protocol="udp" port="300"/>
<rule>
<protocol value="vrrp"/>
<protocol action="accept"/>
</rule>
</zone>
What I'm trying to get is this:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>PUBLIC</short>
<description>Public Zone</description>
<port protocol="tcp" port="300"/>
<port protocol="udp" port="300"/>
<rule>
<protocol value="vrrp"/>
<accept/>
</rule>
</zone>
What do I need to change (template and/or variables) to achieve this?
Thanks! J
Change the part of the template
...
{% for subtag in rule[tag] %}
{% for name,value in subtag.items() %}
{% if name in ['action'] %}
<{{ value }}/>
{% else %}
<{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
</rule>
{% endfor %}
</zone>