add ipset support for firewalld

VERSION

@@ -1 +1 @@
-0.1.0
+0.2.0

firewalld/defaults.yaml

@@ -2,5 +2,6 @@
 # vim: ft=yaml
 firewalld:
   package: firewalld
+  ipsetpackage: ipset
   service: firewalld
   config: /etc/firewalld.conf

firewalld/files/ipset.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ipset{%- if 'type' in ipset %} type="{{ ipset.type }}" {%- endif %}>
+{%- if 'short' in ipset %}
+  <short>{{ ipset.short }}</short>
+{%- endif %}
+{%- if 'description' in ipset %}
+  <description>{{ ipset.description }}</description>
+{%- endif %}
+{%- if 'options' in ipset %}
+{%- if 'maxelem' in ipset.options %}
+{%- for v in ipset.options.maxelem %}
+  <option name="maxelem" value="{{ v }}"/>
+    {%- endfor %}
+{%- endif %}
+{%- if 'timeout' in ipset.options %}
+{%- for v in ipset.options.timeout %}
+  <option name="timeout" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- if 'hashsize' in ipset.options %}
+{%- for v in ipset.options.hashsize %}
+  <option name="hashsize" value="{{ v }}"/>
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- if 'entries' in ipset %}
+{%- for v in ipset.entries %}
+  <entry>{{ v }}</entry>
+{%- endfor %}
+{%- endif %}
+</ipset>

firewalld/files/zone.xml

@@ -52,6 +52,9 @@
   {%- else %}
   <rule>
   {%- endif %}    
+  {%- if 'ipset' in rule %}
+    <source ipset="{{ rule.ipset.name }}"/>
+  {%- endif %}
   {%- if 'source' in rule %}
     <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
   {%- endif %}    

firewalld/init.sls

@@ -8,6 +8,7 @@
 {% if salt['pillar.get']('firewalld:enabled') %}
 include:
   - firewalld.config
+  - firewalld.ipsets
   - firewalld.services
   - firewalld.zones
 

firewalld/ipsets.sls

@@ -0,0 +1,48 @@
+# == State: firewalld.ipsets
+#
+# This state ensures that /etc/firewalld/ipsets/ exists.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+{%- if salt['pillar.get']('firewalld:ipset') %}
+package_ipset:
+  pkg.installed:
+    - name: {{ firewalld.ipsetpackage }}
+
+directory_firewalld_ipsets:
+  file.directory:            # make sure this is a directory
+    - name: /etc/firewalld/ipsets
+    - user: root
+    - group: root
+    - mode: 750
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+    - listen_in:
+      - module: service_firewalld # restart service
+
+# == Define: firewalld.ipsets
+#
+# This defines a ipset configuration, see firewalld.ipset (5) man page.
+#
+{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
+{% set z_name = v.name|default(k) %}
+
+/etc/firewalld/ipsets/{{ z_name }}.xml:
+  file.managed:
+    - name: /etc/firewalld/ipsets/{{ z_name }}.xml
+    - user: root
+    - group: root
+    - mode: 644
+    - source: salt://firewalld/files/ipset.xml
+    - template: jinja
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+      - file: directory_firewalld_ipsets
+    - listen_in: 
+      - module: service_firewalld   # restart service
+    - context:
+        name: {{ z_name }}
+        ipset: {{ v }}
+
+{% endfor %}
+{%- endif %}

pillar.example.sls

@@ -1,31 +1,91 @@
-# CentOS7 FirewallD firewall
+# FirewallD pillar examples:
 firewalld:
   enabled: True
+  ipset: True
   default_zone: public
+
   services:
     sshcustom:
       short: sshcustom
       description: SSH on port 3232 and 5252. Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
       ports:
-        tcp: 
+        tcp:
           - 3232
           - 5252
-      modules: 
+      modules:
         - some_module_to_load
       destinations:
-        ipv4: 
+        ipv4:
           - 224.0.0.251
           - 224.0.0.252
-        ipv6: 
+        ipv6:
           - ff02::fb
           - ff02::fc
+
+    zabbixcustom:
+      short: Zabbixcustom
+      description: "zabbix custom rule"
+      ports:
+        tcp:
+          - "10051"
+    salt-minion:
+      short: salt-minion
+      description: "salt-minion"
+      ports:
+        tcp:
+          - "8000"
+
+  ipsets:
+    fail2ban-ssh:
+      short: fail2ban-ssh
+      description: fail2ban-ssh ipset
+      type: 'hash:ip'
+      options:
+        maxelem:
+          - 65536
+        timeout:
+          - 300
+        hashsize:
+          - 1024
+      entries:
+        - 10.0.0.1
+
+
   zones:
     public:
       short: Public
       description: "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
       services:
         - http
+        - zabbixcustom
         - https
         - ssh
-        - dhcpv6-client
-
+        - salt-minion
+      rich_rules:
+        - family: ipv4
+          source:
+              address: 8.8.8.8/24
+          accept: true
+        - family: ipv4
+          ipset:
+            name: fail2ban-ssh
+          reject:
+            type: icmp-port-unreachable
+      ports:
+{% if grains['id'] == 'salt.example.com' %}
+        - comment: salt-master
+          port: 4505
+          protocol: tcp
+        - comment: salt-python
+          port: 4506
+          protocol: tcp
+{% endif %}
+        - comment: zabbix-agent
+          port: 10050
+          protocol: tcp
+        - comment: bacula-client
+          port: 9102
+          protocol: tcp
+        - comment: vsftpd
+          port: 21
+          protocol: tcp