MKFILT Overview

The MKFILT module is used to manage filter rules on AIX systems. It allows administrators to activate or deactivate filter rules, control filter logging, and monitor network traffic. The module supports actions such as adding, checking, changing, importing, and exporting filter rules.

The module requires AIX version 7.1 TL3 or higher and Python 3.6 or higher. It ensures that the necessary devices, ipsec_v4 and ipsec_v6, are available before performing any actions.

Main Functions

The MKFILT module includes several main functions: list_rules, add_change_rules, import_rules, export_rules, check_rules, make_devices, and main. Each function plays a specific role in managing filter rules.


list_rules

The list_rules function retrieves the current filter rules for either IPv4 or IPv6. It runs the lsfilt command and parses its output to create a list of filter rules.

def list_rules(module, version):
    """
    Sample lsfilt output:

    1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
    2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5989|both|inbound|no|all packets|0|all|0|||allow port 5989
    3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5988|both|inbound|no|all packets|0|all|0|||allow port 5988
    4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5987|both|inbound|no|all packets|0|all|0|||allow port 5987
    5|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|eq|657|any|0|both|inbound|no|all packets|0|all|0|||allow port 657
    6|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|657|both|inbound|no|all packets|0|all|0|||allow port 657
    """

    vopt = '-v4' if version != 'ipv6' else '-v6'

    cmd = ['lsfilt', vopt, '-O']
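The lsfilt sample in the docstring is the raw material list_rules works from, so the added example below (not code from the mkfilt module) parses that pipe-delimited format into dicts and then audits the result from a defender's point of view, flagging permit rules that accept inbound traffic from any source host without logging. The page does not name the columns; the field names in LSFILT_FIELDS are assumptions, chosen to match the module's parameter names (s_addr, s_mask, d_opr, d_port, direction, interface, description) where one exists. Rules 7 and 8 in the sample are constructed to exercise the cases the audit must not flag.

```python
# Added example (not code from the mkfilt module): parse the output of
# `lsfilt -O` into dicts and audit it for unlogged permit-from-anywhere rules.

# Assumed field order for `lsfilt -O` output. The page shows only sample lines,
# not column names; the names below are assumptions, reusing the module's
# parameter names where one exists.
LSFILT_FIELDS = [
    "id", "action", "s_addr", "s_mask", "d_addr", "d_mask", "source_routing",
    "protocol", "s_opr", "s_port", "d_opr", "d_port", "scope", "direction",
    "logging", "fragment", "tunnel", "interface", "expiration",
    "pattern", "pattern_file", "description",
]

# Constructed sample: the six rules from the list_rules docstring, plus two
# constructed rules (7 and 8) that the audit must leave alone.
SAMPLE_LSFILT_OUTPUT = """\
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5989|both|inbound|no|all packets|0|all|0|||allow port 5989
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5988|both|inbound|no|all packets|0|all|0|||allow port 5988
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5987|both|inbound|no|all packets|0|all|0|||allow port 5987
5|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|eq|657|any|0|both|inbound|no|all packets|0|all|0|||allow port 657
6|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|657|both|inbound|no|all packets|0|all|0|||allow port 657
7|permit|10.0.0.0|255.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|22|both|inbound|yes|all packets|0|en0|0|||constructed: logged ssh from 10/8
8|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|all|any|0|any|0|both|both|yes|all packets|0|all|0|||constructed: log and deny
"""


def parse_lsfilt(output):
    """Turn `lsfilt -O` text into a list of dicts keyed by LSFILT_FIELDS.
    A line with the wrong number of fields is rejected rather than guessed at:
    a misaligned column would silently change what a rule appears to allow."""
    rules = []
    for lineno, line in enumerate(output.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != len(LSFILT_FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(LSFILT_FIELDS), len(fields)))
        rule = dict(zip(LSFILT_FIELDS, fields))
        rule["id"] = int(rule["id"])
        rules.append(rule)
    return rules


def is_any_source(rule):
    """Address 0.0.0.0 with mask 0.0.0.0 matches every source host."""
    return rule["s_addr"] == "0.0.0.0" and rule["s_mask"] == "0.0.0.0"


def audit_rules(rules):
    """Return (id, reason) pairs for permit rules that accept inbound traffic
    from any source host with logging turned off. Such a rule leaves no record
    of who used the opening, which is exactly what an investigator needs later."""
    findings = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        if rule["direction"] not in ("inbound", "both"):
            continue
        if not is_any_source(rule):
            continue
        if rule["logging"] == "no":
            reason = "unlogged permit from any source, %s dport %s %s" % (
                rule["protocol"], rule["d_opr"], rule["d_port"])
            findings.append((rule["id"], reason))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_rules(parse_lsfilt(SAMPLE_LSFILT_OUTPUT)):
        print("rule %d: %s" % (rule_id, reason))
```

Run against the real host, the same functions would take the stdout that list_rules obtains from module.run_command; the strict field-count check is deliberate, since a parser that tolerates short lines is the kind of thing that turns one unexpected pipe in a description into a misread rule.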


add_change_rules

The add_change_rules function adds new filter rules or changes existing ones. It uses the genfilt command to add rules and the chfilt command to change rules.

def add_change_rules(module, params, version):
    """
    Adds a new filter rule or changes an existing one.
    """

    vopt = '-v4' if version == 'ipv4' else '-v6'

    if not params[version]:
        return True
    if 'rules' not in params[version]:
        return True

    # Add or change rules. `results` is the module-level dict that main()
    # declares with `global results`.
    for rule in params[version]['rules']:
        if params['action'] == 'change':
            cmd = ['chfilt']
            if not rule['id']:
                results['msg'] = 'Could not change rule without rule id'
                module.fail_json(**results)
        else:
            cmd = ['genfilt']


import_rules

The import_rules function imports filter rules from an export file using the impfilt command.

def import_rules(module, params):
    """
    Imports filter rules from an export file.
    """

    cmd = ['impfilt', '-f', params['directory']]
    module.run_command(cmd, check_rc=True)
    results['msg'] = "Rules imported successfully."
    results['changed'] = True


export_rules

The export_rules function exports filter rules to an export file using the expfilt command.

def export_rules(module, params):
    """
    Exports filter rules to an export file.
    """
    cmd = ['expfilt', '-f', params['directory']]
    if params['rawexport']:
        cmd += ['-r']
    module.run_command(cmd, check_rc=True)
    results['msg'] = "Rules exported successfully."
    results['changed'] = True


check_rules

The check_rules function checks the syntax of filter rules using the ckfilt command.

def check_rules(module):
    """
    Checks the syntax of filter rules.
    """

    cmd = ['ckfilt']
    ret, stdout, stderr = module.run_command(cmd, check_rc=True)
    results['stdout'] = stdout
    results['stderr'] = stderr


make_devices

The make_devices function ensures that the ipsec_v4 and ipsec_v6 devices are available by running the mkdev command.

def make_devices(module):
    """
    Make sure ipsec_v4 and ipsec_v6 devices are Available.
    """
    for version in ['4', '6']:
        cmd = ['mkdev', '-l', 'ipsec', '-t', version]
        module.run_command(cmd, check_rc=True)


main

The main function is the entry point of the module. It sets up the module parameters, ensures necessary devices are available, and calls the appropriate function based on the specified action (add, change, import, export, check).

def main():
    global results

    operations = ['lt', 'le', 'gt', 'ge', 'eq', 'neq']

    ipcommon = dict(
        type='dict',
        options=dict(
            default=dict(type='str', choices=['permit', 'deny']),
            log=dict(type='bool'),
            force=dict(type='bool', default=False),
            rules=dict(
                type='list', elements='dict',
                options=dict(
                    action=dict(type='str', choices=['permit', 'deny', 'shun_host',
                                                     'shun_port', 'if', 'else', 'endif', 'remove', 'move']),
                    id=dict(type='str'),
                    new_id=dict(type='str'),
                    direction=dict(type='str', choices=['inbound', 'outbound', 'both'], default='both'),
                    s_addr=dict(type='str'),
                    s_mask=dict(type='str'),
                    # ... the remaining rule options follow in the full module
                ),
            ),
        ),
    )

Example Usage

This example demonstrates how to allow SSH activity through interface en0 using the mkfilt module. It configures the IPv4 filter settings: logging is enabled, the default action is deny, and two rules permit inbound SSH requests and outbound SSH replies on en0.

EXAMPLES = r'''
- name: Allow SSH activity through interface en0
  mkfilt:
    ipv4:
      log: true
      default: deny
      rules:
        - action: permit
          direction: inbound
          d_opr: eq
          d_port: 22
          interface: en0
          description: permit SSH requests from any clients
        - action: permit
          direction: outbound
          s_opr: eq
          s_port: 22
          interface: en0
          description: permit SSH answers to any clients

- name: Remove all user-defined and auto-generated filter rules
'''
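To see what the playbook above actually enforces, the added example below (not code from the mkfilt module or the page) evaluates sample packets against the ipv4 section of the SSH task, using the operator names from the operations list in main(). It assumes AIX filter semantics in which rules are tried in order, the first matching rule decides, and the module's default applies when no rule matches; that ordering assumption and the packet fields used (direction, interface, source and destination port) are the example's own choices, limited to the fields the playbook sets.

```python
# Added example (not code from the mkfilt module): first-match evaluation of
# the playbook's ipv4 policy against constructed packets.

OPERATIONS = ["lt", "le", "gt", "ge", "eq", "neq"]  # as listed in main()

# The ipv4 section of the "Allow SSH activity through interface en0" task,
# written as Python dicts instead of YAML.
IPV4_POLICY = {
    "log": True,
    "default": "deny",
    "rules": [
        {"action": "permit", "direction": "inbound", "d_opr": "eq", "d_port": 22,
         "interface": "en0", "description": "permit SSH requests from any clients"},
        {"action": "permit", "direction": "outbound", "s_opr": "eq", "s_port": 22,
         "interface": "en0", "description": "permit SSH answers to any clients"},
    ],
}


def port_matches(opr, want, have):
    """Apply one of the module's port operators. A rule that carries no
    operator places no constraint on that port."""
    if opr is None:
        return True
    if opr not in OPERATIONS:
        raise ValueError("unknown operator %r" % opr)
    return {
        "lt": have < want, "le": have <= want, "gt": have > want,
        "ge": have >= want, "eq": have == want, "neq": have != want,
    }[opr]


def rule_matches(rule, packet):
    """Match on direction, interface and the port tests the rule carries.
    Assumption: a rule with direction 'both' or interface 'all' (the module
    defaults) matches either direction / any interface."""
    if rule.get("direction", "both") not in ("both", packet["direction"]):
        return False
    if rule.get("interface", "all") not in ("all", packet["interface"]):
        return False
    if not port_matches(rule.get("s_opr"), rule.get("s_port"), packet["s_port"]):
        return False
    if not port_matches(rule.get("d_opr"), rule.get("d_port"), packet["d_port"]):
        return False
    return True


def evaluate(policy, packet):
    """Return (decision, rule_index) for the first matching rule, or
    (policy default, None) when nothing matches. Assumed first-match order."""
    for idx, rule in enumerate(policy["rules"]):
        if rule_matches(rule, packet):
            return rule["action"], idx
    return policy["default"], None


def packet(direction, interface, s_port, d_port):
    """Constructed packet summary with only the fields the policy inspects."""
    return {"direction": direction, "interface": interface,
            "s_port": s_port, "d_port": d_port}


if __name__ == "__main__":
    for p in (packet("inbound", "en0", 51000, 22),
              packet("outbound", "en0", 22, 51000),
              packet("inbound", "en0", 51000, 80),
              packet("inbound", "en1", 51000, 22)):
        print(p, "->", evaluate(IPV4_POLICY, p))
```

The last two packets show why the default matters: with default set to deny, a web request to port 80 on en0 and an SSH request arriving on en1 are both dropped, because neither of the two permit rules matches and nothing else is consulted.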


This is an auto-generated document by Swimm 🌊 and has not yet been verified by a human