update firewalld formula for firewalld > 0.6

firewalld/backend.sls

@@ -0,0 +1,11 @@
+# == State: firewalld.backends
+#
+# This state ensures that /etc/firewalld/backends/ exists.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+{%- if salt['pillar.get']('firewalld:installbackend') %}
+package_backend:
+  pkg.installed:
+    - name: {{ firewalld.backendpackage }}
+{%- endif %}

firewalld/defaults.yaml

@@ -3,5 +3,6 @@
 firewalld:
   package: firewalld
   ipsetpackage: ipset
+  backendpackage: nftables
   service: firewalld
   config: /etc/firewalld.conf

firewalld/files/firewalld.conf

@@ -55,3 +55,24 @@ IndividualCalls={{ firewalld.IndividualCalls|default('no') }}
 # Default: off
 LogDenied={{ firewalld.LogDenied|default('off') }}
 {%- endif %}
+
+{%- if firewalld.get('AutomaticHelpers', False) %}
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
+{%- endif %}
+
+{%- if firewalld.get('FirewallBackend', False) %}
+# FirewallBackend
+# Selects the firewall backend implementation.
+# Choices are:
+#	- nftables (default)
+#	- iptables (iptables, ip6tables, ebtables and ipset)
+FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
+{%- endif %}

firewalld/init.sls

@@ -18,6 +18,7 @@ firewalld-unsupported:
 include:
   - firewalld.config
   - firewalld.ipsets
+  - firewalld.backend
   - firewalld.services
   - firewalld.zones
   - firewalld.direct

pillar.example

@@ -2,6 +2,7 @@
 firewalld:
   enabled: True
   ipset: True
+  installbackend: False
   default_zone: public
 
   services: