Model is loosely based on the firewalld API, but altered to provide similar look-and-feel as other OpenLMI models.
Basic concept are shared between the firewalld service and OpenLMI firewalld provider. See firewalld(1) manual page for detailed information about them.
Zone, represented by LMI_FirewalldZone, defines the trust level of the interface used for a connection. There are several pre-defined zones provided by firewalld.
Rule is represented by subclasses of LMI_FirewalldRule. Collection of rules associated to LMI_FirewalldZone via LMI_FirewalldZoneComponent represents the zone setting.
Service, represented by LMI_FirewalldService, can be a list of local ports and destinations and additionally also a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. The service can be used in multiple zones and its instance is shared - modifying LMI_FirewalldService instance will affect all zones where is the service used.
ICMP Types, represented by LMIFirewalldICMPType. The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages.
Runtime configuration is the actual active configuration and is not permanent. After reload/restart of the firewalld service or a system reboot, runtime settings will be gone if they haven’t been also in permanent configuration.
Permanent configuration is stored in config files and will be loaded and become new runtime configuration with every machine boot or service reload/restart.
Direct interface is mainly used by services or applications to add specific firewall rules. The rules are not permanent and need to get applied after receiving the start, restart or reload message from firewalld.
This diagram shows sample configuration where SSH and DHCPv6 services are allowed to pass the firewall.
All the use cases are described using a pseudo language very similar to what the actual LMIShell looks like.
ns.LMI_FirewalldZone.instances()
ns.LMI_HostedFirewalldZone.first_instance({'IsDefault': True}).SettingData
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
service = ns.LMI_FirewalldConfigurationService.first_instance()
service.SetDefaultZone(zone)
ns.LMI_FirewalldService.instances()
service = ns.LMI_FirewalldService.first_instance({'Name': 'Service X'})
for port in service.associators(AssocClass='LMI_FirewalldServicePort', ResultClass='LMI_FirewalldPort'):
protocol = ns.LMI_FirewalldPort.ProtocolValues.ValueName(port.Protocol)
if "-" in port.Port:
print "Port range: %s/%s" % (port.Port, protocol)
else:
print "Port: %s/%s" % (port.Port, protocol)
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
print ns.LMI_FirewalldZone.TargetValues.ValueName(zone.Target) # One of: default, accept, drop, reject
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
result = zone.AddPort(Port="5989", Protocol=zone.AddPort.Protocol.TCP, Mode=zone.AddPort.Mode.Both)
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
for component in zone.references(ResultClass='LMI_FirewalldZoneComponent')
if component.Rule.classname != "LMI_FirewalldPort":
continue
# component.IsPermanent and component.IsCurrent can be used to close
# port immediately or permanently
if component.Rule.Port == "5989":
component.delete()
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
result = zone.AddPort(Port="5988-5989", Protocol=zone.AddPort.Protocol.TCP, Mode=zone.AddPort.Mode.Both)
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
result = zone.AddForwardPort(Port="1234", ToPort="1235", ToAddress="1.2.3.4", Protocol=zone.AddForwardPort.Protocol.TCP, Mode=zone.AddPort.Mode.Both)
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
service = ns.LMI_FirewalldService.first_instance({'Name': 'ssh'})
result = zone.AddService(Service=service, Mode=zone.AddPort.Mode.Both)
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
for component in zone.references(ResultClass='LMI_FirewalldZoneComponent')
if component.Rule.classname != "LMI_FirewalldService":
continue
if component.Rule.Name == "ssh":
component.delete()
service = ns.LMI_FirewalldConfigurationService.first_instance()
result, zone, err = service.CreateZone('Zone X')
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
zone.delete()
zone = ns.LMI_FirewalldZone.first_instance({'Name': 'Zone X'})
device = ns.LMI_IPNetworkConnection({'ElementName', 'eth0'})
service = ns.LMI_FirewalldConfigurationService.first_instance()
service.ApplySettingToIPNetworkConnection(device, zone)
If there are any, they will be documented here.
Important questions and design decisions will be recorded here, together with a timestamp and version of this document, in which they were made.
This decision has been approved on openlmi-devel mailing list <2014-01-30>.