- <?xml version="1.0" encoding="utf-8"?>
- <!--
- This file is managed/generated by salt.
- Do not edit this file manually, it will be overwritten!
- Modify the salt pillar for firewalld instead
- -->
- {%- macro rich_rule(rule) %}
- <rule{% if 'family' in rule %} family="{{ rule.family }}"{% endif %}{% if 'priority' in rule %} priority="{{ rule.priority }}"{% endif %}>
- {%- if 'ipset' in rule %}
- <source ipset="{{ rule.ipset.name }}" />
- {%- endif %}
- {%- if 'source' in rule %}
- <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
- {%- endif %}
- {%- if 'destination' in rule %}
- <destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
- {%- endif %}
- {%- if 'service' in rule %}
- <service name="{{ rule.service }}" />
- {%- endif %}
- {%- if 'port' in rule %}
- <port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
- {%- endif %}
- {%- if 'protocol' in rule %}
- <protocol value="{{ rule.protocol }}" />
- {%- endif %}
- {%- if 'icmp_block' in rule %}
- <icmp-block name="{{ rule.icmp_block }}" />
- {%- endif %}
- {%- if 'icmp_type' in rule %}
- <icmp-type name="{{ rule.icmp_type }}" />
- {%- endif %}
- {%- if 'masquerade' in rule %}
- {%- if rule.masquerade %}<masquerade/>{%- endif %}
- {%- endif %}
- {%- if 'forward_port' in rule %}
- {%- if 'comment' in rule.forward_port %}
- <!-- {{ rule.forward_port.comment }} -->
- {%- endif %}
- <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
- {%- endif %}
- {%- if 'source_port' in rule %}
- {%- if 'comment' in rule.source_port %}
- <!-- {{ rule.source_port.comment }} -->
- {%- endif %}
- <source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
- {%- endif %}
- {%- if 'log' in rule %}
- <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
- {%- if 'limit' in rule.log %}
- <limit value="{{ rule.log.limit }}"/>
- {%- endif %}
- </log>
- {%- endif %}
- {%- if 'audit' in rule %}
- <audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
- {%- endif %}
- {%- if 'accept' in rule %}
- <accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
- {%- endif %}
- {%- if 'reject' in rule %}
- <reject{%- if rule.reject is mapping and 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
- {%- endif %}
- {%- if 'drop' in rule %}
- <drop/>
- {%- endif %}
- </rule>
- {%- endmacro %}
- <policy{%- if 'target' in policy %} target="{{ policy.target }}"{%- endif %}{%- if 'priority' in policy %} priority="{{ policy.priority }}"{%- endif %}>
- {% if 'short' in policy %}<short>{{ policy.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
- {% if 'description' in policy %}<description>{{ policy.description }}</description>{% endif %}
- {% if 'ingress_zone' in policy %}<ingress-zone name="{{ policy.ingress_zone }}" />{% endif %}
- {% if 'egress_zone' in policy %}<egress-zone name="{{ policy.egress_zone }}" />{% endif %}
-
- {%- if 'sources' in policy %}
- {%- for v in policy.sources %}
- {%- if 'comment' in v %}
- <!-- {{ v.comment }} -->
- <source address="{{ v.source }}" />
- {%- else %}
- <source address="{{ v }}" />
- {%- endif %}
- {%- endfor %}
- {%- endif %}
- {%- if 'ipsets' in policy %}
- {%- for v in policy.ipsets %}
- {%- if 'comment' in v %}
- <!-- {{ v.comment }} -->
- <source ipset="{{ v.ipset }}" />
- {%- else %}
- <source ipset="{{ v }}" />
- {%- endif %}
- {%- endfor %}
- {%- endif %}
- {%- for k,val in policy.items() %}
- {%- if k.endswith("services") %}
- {%- for v in val %}
- <service name="{{ v }}" />
- {%- endfor %}
- {%- endif %}
- {%- endfor %}
- {%- if 'ports' in policy %}
- {%- for v in policy.ports %}
- {%- if 'comment' in v %}
- <!-- {{ v.comment }} -->
- {%- endif %}
- <port port="{{ v.port }}" protocol="{{ v.protocol }}" />
- {%- endfor %}
- {%- endif %}
- {%- if 'protocols' in policy %}
- {%- for v in policy.protocols %}
- <protocol value="{{ v }}" />
- {%- endfor %}
- {%- endif %}
- {%- if 'icmp_blocks' in policy %}
- {%- for v in policy.icmp_blocks %}
- <icmp-block name="{{ v }}" />
- {%- endfor %}
- {%- endif %}
- {%- if 'icmp_block_inversion' in policy and policy.icmp_block_inversion %}
- <icmp-block-inversion />
- {%- endif %}
- {%- if 'masquerade' in policy %}
- {%- if policy.masquerade %}
- <masquerade/>
- {%- endif %}
- {%- endif %}
- {%- if 'forward_ports' in policy %}
- {%- for v in policy.forward_ports %}
- {%- if 'comment' in v %}
- <!-- {{ v.comment }} -->
- {%- endif %}
- <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
- {%- endfor %}
- {%- endif %}
- {%- if 'source_ports' in policy %}
- {%- for v in policy.source_ports %}
- {%- if 'comment' in v %}
- <!-- {{ v.comment }} -->
- {%- endif %}
- <source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
- {%- endfor %}
- {%- endif %}
- {%- if 'rich_rules' in policy %}
- {%- if policy.rich_rules is list %}
- {%- set rich_rules = policy.rich_rules %}
- {%- else %}
- {%- set expanded_ipset_rules = [] %}
- {%- for name,rule in policy.rich_rules|dictsort %}
- {%- if 'ipsets' in rule %}
- {%- for ipset in rule.ipsets %}
- {%- set tmp_rule = {} %}
- {%- set _dummy = tmp_rule.update(rule) %}
- {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
- {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
- {%- endfor %}
- {%- else %}
- {%- set _dummy = expanded_ipset_rules.append(rule) %}
- {%- endif %}
- {%- endfor %}
- {%- set rich_rules = [] %}
- {%- for rule in expanded_ipset_rules %}
- {%- if 'services' in rule %}
- {%- for service in rule.services %}
- {%- set tmp_rule = {} %}
- {%- set _dummy = tmp_rule.update(rule) %}
- {%- set _dummy = tmp_rule.update({'service':service}) %}
- {%- set _dummy = rich_rules.append(tmp_rule) %}
- {%- endfor %}
- {%- else %}
- {%- set _dummy = rich_rules.append(rule) %}
- {%- endif %}
- {%- endfor %}
- {%- endif %}
- {%- for rule in rich_rules %}
- {{- rich_rule(rule) }}
- {%- endfor %}
- {%- endif %}
- </policy>