MKFILT Overview
MKFILT Overview
The MKFILT module is used to manage filter rules on AIX systems. It allows administrators to activate or deactivate filter rules, control filter logging, and monitor network traffic. The module supports actions such as adding, checking, changing, importing, and exporting filter rules.
The module requires AIX version 7.1
TL3
3.6
ipsec_v4
ipsec_v6
Main Functions
The MKFILT module includes several main functions: list_rules, add_change_rules, import_rules, export_rules, check_rules, make_devices and main.
list_rules
list_rules
The list_rules function lists the IPv4 or IPv6 filter rules by running lsfilt.
def list_rules(module, version):
    """
    List the IPv4 or IPv6 filter rules with lsfilt.

    Sample lsfilt output:
    1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all
    packets|0|all|0|||Default Rule
    2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5989|both|inbound|no|all
    packets|0|all|0|||allow port 5989
    3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5988|both|inbound|no|all
    packets|0|all|0|||allow port 5988
    4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|5987|both|inbound|no|all
    packets|0|all|0|||allow port 5987
    5|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|eq|657|any|0|both|inbound|no|all
    packets|0|all|0|||allow port 657
    6|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|657|both|inbound|no|all
    packets|0|all|0|||allow port 657
    """
    # Any value other than 'ipv6' selects the IPv4 table here, whereas
    # add_change_rules selects IPv6 for anything other than 'ipv4'; the two
    # fallbacks disagree for an unexpected version string.
    vopt = '-v4' if version != 'ipv6' else '-v6'
    # NOTE(review): only the start of list_rules is shown on this page; the
    # lsfilt invocation and the parsing of its output are not visible here.
    cmd = ['lsfilt', vopt, '-O']
add_change_rules
add_change_rules
The add_change_rules function adds a rule with genfilt or changes an existing rule with chfilt.
def add_change_rules(module, params, version):
    """
    Adds a new filter rule or changes an existing one.

    Selects chfilt when params['action'] is 'change' (each rule must then
    carry an id) and genfilt otherwise. Returns True without doing anything
    when the per-version parameters or their 'rules' entry are absent.
    Failure messages are written to the module-level results dict that
    main() declares global.
    """
    vopt = '-v4' if version == 'ipv4' else '-v6'
    if not params[version]:
        return True
    if 'rules' not in params[version]:
        return True
    # Add or change rules
    for rule in params[version]['rules']:
        if params['action'] == 'change':
            cmd = ['chfilt']
            # chfilt can only modify a rule identified by id; fail before
            # any command is run when it is missing.
            if not rule['id']:
                results['msg'] = 'Could not change rule without rule id'
                module.fail_json(**results)
        else:
            cmd = ['genfilt']
    # NOTE(review): the loop body continues beyond this page; how cmd and
    # vopt are completed and executed is not visible here.
import_rules
import_rules
The import_rules function imports filter rules with impfilt.
def import_rules(module, params):
    """
    Import filter rules from the export file named by params['directory'].

    The path is passed to impfilt as one element of an argument list, and
    the command runs with check_rc=True, so a non-zero exit aborts the
    module through run_command's own error handling. On success the
    module-level results dict (declared global in main) is marked changed
    with a success message.
    """
    export_file = params['directory']
    module.run_command(['impfilt', '-f', export_file], check_rc=True)
    results.update(msg="Rules imported successfully.", changed=True)
export_rules
export_rules
The export_rules function exports filter rules with expfilt.
def export_rules(module, params):
    """
    Export the filter rules to the export file named by params['directory'].

    When params['rawexport'] is truthy, expfilt's -r option is appended.
    The path is passed as one element of an argument list and the command
    runs with check_rc=True, so a non-zero exit aborts the module. On
    success the module-level results dict (declared global in main) is
    marked changed with a success message.
    """
    raw_export = params['rawexport']
    extra = ['-r'] if raw_export else []
    cmd = ['expfilt', '-f', params['directory']] + extra
    module.run_command(cmd, check_rc=True)
    results.update(msg="Rules exported successfully.", changed=True)
check_rules
check_rules
The check_rules function checks the syntax of filter rules with ckfilt.
def check_rules(module):
    """
    Check the syntax of the filter rules with ckfilt.

    ckfilt runs with check_rc=True, so a non-zero exit aborts the module;
    otherwise its stdout and stderr are stored in the module-level results
    dict (declared global in main) for the caller to report.
    """
    _rc, out, err = module.run_command(['ckfilt'], check_rc=True)
    results.update(stdout=out, stderr=err)
make_devices
make_devices
The make_devices function makes sure the ipsec_v4 and ipsec_v6 devices are Available by running mkdev.
def make_devices(module):
    """
    Make sure the ipsec_v4 and ipsec_v6 devices are Available.

    Runs mkdev once per IP version, IPv4 first, with check_rc=True, so a
    failing mkdev aborts the module through run_command's error handling.
    """
    base_cmd = ['mkdev', '-l', 'ipsec', '-t']
    for ip_version in ('4', '6'):
        module.run_command(base_cmd + [ip_version], check_rc=True)
main
The main
def main():
global results
operations = ['lt', 'le', 'gt', 'ge', 'eq', 'neq']
ipcommon = dict(
type='dict',
options=dict(
default=dict(type='str', choices=['permit', 'deny']),
log=dict(type='bool'),
force=dict(type='bool', default=False),
rules=dict(
type='list', elements='dict',
options=dict(
action=dict(type='str', choices=['permit', 'deny', 'shun_host',
'shun_port', 'if', 'else', 'endif', 'remove', 'move']),
id=dict(type='str'),
new_id=dict(type='str'),
direction=dict(type='str', choices=['inbound', 'outbound', 'both'], default='both'),
s_addr=dict(type='str'),
s_mask=dict(type='str'),
Example Usage
This example demonstrates how to use the mkfilt module to allow SSH activity through interface en0 for IPv4.
EXAMPLES = r'''
- name: Allow SSH activity through interface en0
mkfilt:
ipv4:
log: true
default: deny
rules:
- action: permit
direction: inbound
d_opr: eq
d_port: 22
interface: en0
description: permit SSH requests from any clients
- action: permit
direction: outbound
s_opr: eq
s_port: 22
interface: en0
description: permit SSH answers to any clients
- name: Remove all user-defined and auto-generated filter rules
This is an auto-generated