Templating firewalld zones with ansible - issue with xml manipulation

xml redhat ansible firewalld

With ansible 2.9 on RHEL7.6 I'm trying to configure individual firewalld zones which also includes configuration of rich rules. It all works fine, except when I'm trying to template adding a rich rule in. In the example below, I'm attempting to add a rich rule allowing VRRP traffic.

Ansible task:

    - name: Configure firewalld zones
      template:
        src: zone_template.xml.j2
        dest: /etc/firewalld/zones/{{ item.name }}.xml
      with_items: "{{ firewalld_zones }}"
      notify: reload firewalld
      loop_control:
        label: "{{ item.name }}"

The variable firewalld_zones is defined in my defaults/main.yml as the following:

firewalld_zones:
  - name: public
    short: "Public"
    description: "Public Zone"
    port:
      - { port: 300, protocol: tcp }
      - { port: 300, protocol: udp }
    rule:
      - protocol:
          - value: "vrrp"
          - action: accept

Snippet of my template zone_template.xml.j2:

<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper  }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
{% if subtag in ['action'] %}
    <{% for name,value in subtag.items() %}{{ name }}{% endfor %}/>
{% endif %}
    <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{% endif %}
  </rule>
{% endfor %}
{% endfor %}
</zone>

With this I get :

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <port protocol="tcp" port="300"/>
  <port protocol="udp" port="300"/>
  <rule>
    <protocol value="vrrp"/>
    <protocol action="accept"/>
  </rule>
</zone>

What I'm trying to get is this:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <port protocol="tcp" port="300"/>
  <port protocol="udp" port="300"/>
  <rule>
    <protocol value="vrrp"/>
    <accept/>
  </rule>
</zone>

What do I need to change (template and/or variables) to achieve this?

Thanks! J


Change the part of the template

...
{% for subtag in rule[tag] %}
{% for name,value in subtag.items() %}
{% if name in ['action'] %}
    <{{ value }}/>
{% else %}
    <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>

Related

upgrade CentOS from 6.5 to 7 in an EC2 Instance
Reporting SCEP update and scan
Cannot get interface speed with standard MIB, use highperf mib (-g)
Configuration Management tools failover behaviour
apache 2.4.6 not recognizing header type for css or js with php-fpm
Identify data loss due to logging failure on Exchange 2013 database(s)
Fix Windows Server 2012 R2 system time?
Should I use HW Raid or ZFS as filesystem for Citrix XenServer?
WARNING: pool www seems busy (you may need to increase pm.start_servers, or pm.min/max_spare_servers)
502 Bad Gateway on Nginx
Windows Update showing "Some settings are managed by your organization" on Azure Windows Server 2019 VM
Asterisk ghost calls