
feat: allow rich_rules to be specified as a dict

When specifying rich rules as a dictionary, ipsets and services can be
specified as lists. They will be expanded by the jinja template into
individual rich rules for the parent zone.
tags/v0.10.0
Steven Daniele 4 years ago
parent
commit
cd4cec0089
2 changed files with 52 additions and 2 deletions
  1. +37
    -2
      firewalld/files/zone.xml
  2. +15
    -0
      pillar.example

+ 37
- 2
firewalld/files/zone.xml View File

@@ -83,8 +83,7 @@
{%- endfor %}
{%- endif %}

{%- if 'rich_rules' in zone %}
{%- for rule in zone.rich_rules %}
{%- macro rich_rule(rule) -%}
{%- if 'family' in rule %}
<rule family="{{ rule.family }}">
{%- else %}
@@ -149,6 +148,42 @@
<drop/>
{%- endif %}
</rule>
{%- endmacro %}

{%- if 'rich_rules' in zone %}
{%- if zone.rich_rules is list %}
{%- set rich_rules = zone.rich_rules %}
{%- else %}
{%- set expanded_ipset_rules = [] %}
{%- for name,rule in zone.rich_rules|dictsort %}
{%- if 'ipsets' in rule %}
{%- for ipset in rule.ipsets %}
{%- set tmp_rule = {} %}
{%- set _dummy = tmp_rule.update(rule) %}
{%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
{%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
{%- endfor %}
{%- else %}
{%- set _dummy = expanded_ipset_rules.append(rule) %}
{%- endif %}
{%- endfor %}
{%- set rich_rules = [] %}
{%- for rule in expanded_ipset_rules %}
{%- if 'services' in rule %}
{%- for service in rule.services %}
{%- set tmp_rule = {} %}
{%- set _dummy = tmp_rule.update(rule) %}
{%- set _dummy = tmp_rule.update({'service':service}) %}
{%- set _dummy = rich_rules.append(tmp_rule) %}
{%- endfor %}
{%- else %}
{%- set _dummy = rich_rules.append(rule) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for rule in rich_rules %}
{{ rich_rule(rule) }}
{%- endfor %}
{%- endif %}

</zone>
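Review bot: A dict rule whose `ipsets` or `services` value is an empty list renders nothing, because the inner loops at `{%- for ipset in rule.ipsets %}` and `{%- for service in rule.services %}` never append and the rule is silently dropped from the zone. For a `drop` or `reject` rule that silently widens what the zone admits, and a scalar such as `ipsets: fail2ban-ssh` is iterated character by character instead of being rejected. Falling back to the unexpanded rule would not be a fix, since an `accept` rule left without any selector matches all traffic; better to abort the render, e.g. `{%- if rule.ipsets is string or not rule.ipsets %}{{ raise('rich_rules: ipsets must be a non-empty list') }}{%- endif %}` before each expansion loop (Salt exposes `raise()` to Jinja templates in recent releases — confirm for the targeted version), or at minimum document that an empty list disables the rule. The `name` variable in `{%- for name,rule in zone.rich_rules|dictsort %}` is unused; `dictsort` still earns its place by making the expansion order deterministic, which deserves a comment such as `{#- rule names are discarded; dictsort only fixes the expansion order #}`.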

+ 15
- 0
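--- a/pillar.example
+++ b/pillar.example
@@ -151,6 +151,21 @@ firewalld:
 port: 4444
 protocol: tcp
 
+rich_public:
+short: rich_public
+description: "Example"
+# Rich rules can be specified as a dictionary. All keys from standard rich rules
+# can be used. Special keys "ipsets" and "services", if defined, take precedence.
+# They will be auto-expanded into separate rich rules per value in the list.
+rich_rules:
+ssh-csg:
+accept: true
+ipsets:
+- fail2ban-ssh
+- other-ipset
+services:
+- ssh
+
 direct:
 chain:
 MYCHAIN: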
