1年前 · d542d63c40
--- a/firewalld/files/policy.xml
+++ b/firewalld/files/policy.xml
@@ -0,0 +1,179 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
  This file is managed/generated by salt.
  Do not edit this file manually, it will be overwritten!
  Modify the salt pillar for firewalld instead
 -->
 {%- macro rich_rule(rule) %}
  <rule{% if 'family' in rule %} family="{{ rule.family }}"{% endif %}{% if 'priority' in rule %} priority="{{ rule.priority }}"{% endif %}>
  {%- if 'ipset' in rule %}
    <source ipset="{{ rule.ipset.name }}" />
  {%- endif %}
  {%- if 'source' in rule %}
    <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
  {%- endif %}
  {%- if 'destination' in rule %}
    <destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
  {%- endif %}
  {%- if 'service' in rule %}
    <service name="{{ rule.service }}" />
  {%- endif %}
  {%- if 'port' in rule %}
    <port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
  {%- endif %}
  {%- if 'protocol' in rule %}
    <protocol value="{{ rule.protocol }}" />
  {%- endif %}
  {%- if 'icmp_block' in rule %}
    <icmp-block name="{{ rule.icmp_block }}" />
  {%- endif %}
  {%- if 'icmp_type' in rule %}
    <icmp-type name="{{ rule.icmp_type }}" />
  {%- endif %}
  {%- if 'masquerade' in rule %}
    {%- if rule.masquerade %}<masquerade/>{%- endif %}
  {%- endif %}
  {%- if 'forward_port' in rule %}
    {%- if 'comment' in rule.forward_port %}
      <!-- {{ rule.forward_port.comment }} -->
    {%- endif %}
    <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
  {%- endif %}
  {%- if 'source_port' in rule %}
    {%- if 'comment' in rule.source_port %}
      <!-- {{ rule.source_port.comment }} -->
    {%- endif %}
    <source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
  {%- endif %}
  {%- if 'log' in rule %}
    <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
    {%- if 'limit' in rule.log %}
      <limit value="{{ rule.log.limit }}"/>
    {%- endif %}
    </log>
  {%- endif %}
  {%- if 'audit' in rule %}
    <audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
  {%- endif %}
  {%- if 'accept' in rule %}
    <accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
  {%- endif %}
  {%- if 'reject' in rule %}
    <reject{%- if rule.reject is mapping and 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
  {%- endif %}
  {%- if 'drop' in rule %}
    <drop/>
  {%- endif %}
  </rule>
 {%- endmacro %}
 <policy{%- if 'target' in policy %} target="{{ policy.target }}"{%- endif %}{%- if 'priority' in policy %} priority="{{ policy.priority }}"{%- endif %}>
  {% if 'short' in policy %}<short>{{ policy.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
  {% if 'description' in policy %}<description>{{ policy.description }}</description>{% endif %}
  {% if 'ingress_zone' in policy %}<ingress-zone name="{{ policy.ingress_zone }}" />{% endif %}
  {% if 'egress_zone' in policy %}<egress-zone name="{{ policy.egress_zone }}" />{% endif %}
  
 {%- if 'sources' in policy %}
  {%- for v in policy.sources %}
    {%- if 'comment' in v %}
  <!-- {{ v.comment }} -->
  <source address="{{ v.source }}" />
    {%- else %}
  <source address="{{ v }}" />
    {%- endif %}
  {%- endfor %}
 {%- endif %}
 {%- if 'ipsets' in policy %}
  {%- for v in policy.ipsets %}
    {%- if 'comment' in v %}
  <!-- {{ v.comment }} -->
  <source ipset="{{ v.ipset }}" />
    {%- else %}
  <source ipset="{{ v }}" />
    {%- endif %}
  {%- endfor %}
 {%- endif %}
 {%- for k,val in policy.items() %}
  {%- if k.endswith("services") %}
    {%- for v in val %}
  <service name="{{ v }}" />
    {%- endfor %}
  {%- endif %}
 {%- endfor %}
 {%- if 'ports' in policy %}
  {%- for v in policy.ports %}
    {%- if 'comment' in v %}
  <!-- {{ v.comment }} -->
    {%- endif %}
  <port port="{{ v.port }}" protocol="{{ v.protocol }}" />
  {%- endfor %}
 {%- endif %}
 {%- if 'protocols' in policy %}
  {%- for v in policy.protocols %}
  <protocol value="{{ v }}" />
  {%- endfor %}
 {%- endif %}
 {%- if 'icmp_blocks' in policy %}
  {%- for v in policy.icmp_blocks %}
  <icmp-block name="{{ v }}" />
  {%- endfor %}
 {%- endif %}
 {%- if 'icmp_block_inversion' in policy and policy.icmp_block_inversion %}
  <icmp-block-inversion />
 {%- endif %}
 {%- if 'masquerade' in policy %}
  {%- if policy.masquerade %}
  <masquerade/>
  {%- endif %}
 {%- endif %}
 {%- if 'forward_ports' in policy %}
  {%- for v in policy.forward_ports %}
    {%- if 'comment' in v %}
  <!-- {{ v.comment }} -->
    {%- endif %}
  <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
  {%- endfor %}
 {%- endif %}
 {%- if 'source_ports' in policy %}
  {%- for v in policy.source_ports %}
    {%- if 'comment' in v %}
  <!-- {{ v.comment }} -->
    {%- endif %}
  <source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
  {%- endfor %}
 {%- endif %}
 {%- if 'rich_rules' in policy %}
  {%- if policy.rich_rules is list %}
    {%- set rich_rules = policy.rich_rules %}
  {%- else %}
    {%- set expanded_ipset_rules = [] %}
    {%- for name,rule in policy.rich_rules|dictsort %}
      {%- if 'ipsets' in rule %}
        {%- for ipset in rule.ipsets %}
          {%- set tmp_rule = {} %}
          {%- set _dummy = tmp_rule.update(rule) %}
          {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
          {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
        {%- endfor %}
      {%- else %}
        {%- set _dummy = expanded_ipset_rules.append(rule) %}
      {%- endif %}
    {%- endfor %}
    {%- set rich_rules = [] %}
    {%- for rule in expanded_ipset_rules %}
      {%- if 'services' in rule %}
        {%- for service in rule.services %}
          {%- set tmp_rule = {} %}
          {%- set _dummy = tmp_rule.update(rule) %}
          {%- set _dummy = tmp_rule.update({'service':service}) %}
          {%- set _dummy = rich_rules.append(tmp_rule) %}
        {%- endfor %}
      {%- else %}
        {%- set _dummy = rich_rules.append(rule) %}
      {%- endif %}
    {%- endfor %}
  {%- endif %}
  {%- for rule in rich_rules %}
 {{- rich_rule(rule) }}
  {%- endfor %}
 {%- endif %}
 </policy>
--- a/firewalld/init.sls
+++ b/firewalld/init.sls
@@ -24,6 +24,7 @@ include:
  - firewalld.backend
  - firewalld.services
  - firewalld.zones
  - firewalld.policies
  - firewalld.direct

 # iptables service that comes with rhel/centos
--- a/firewalld/policies.sls
+++ b/firewalld/policies.sls
@@ -0,0 +1,46 @@
 # == State: firewalld.policies
 #
 # This state ensures that /etc/firewalld/policies/ exists.
 #
 {% from "firewalld/map.jinja" import firewalld with context %}

 directory_firewalld_policies:
  file.directory:            # make sure this is a directory
    - name: /etc/firewalld/policies
    - user: root
    - group: root
    - mode: 750
    - require:
      - pkg: package_firewalld # make sure package is installed
    - require_in:
      - service: service_firewalld
    - watch_in:
      - cmd: reload_firewalld # reload firewalld config

 # == Define: firewalld.policies
 #
 # This defines a policy configuration, see firewalld.policy (5) man page.
 #
 {% for k, v in salt['pillar.get']('firewalld:policies', {}).items() %}
 {% set z_name = v.name|default(k) %}

 /etc/firewalld/policies/{{ z_name }}.xml:
  file.managed:
    - name: /etc/firewalld/policies/{{ z_name }}.xml
    - user: root
    - group: root
    - mode: 644
    - source: salt://firewalld/files/policy.xml
    - template: jinja
    - require:
      - pkg: package_firewalld # make sure package is installed
      - file: directory_firewalld_policies
    - require_in:
      - service: service_firewalld
    - watch_in:
      - cmd: reload_firewalld # reload firewalld config
    - context:
        name: {{ z_name }}
        policy: {{ v|json }}

 {% endfor %}
--- a/pillar.example
+++ b/pillar.example
@@ -182,6 +182,36 @@ firewalld:
          services:
            - ssh

  policies:
    myOutputPolicy:
      short: myOutputPolicy
      target: DROP
      ingress-zones: ANY
      egress-zones: HOST
      description: >-
        This example, creates a policy that applies to traffic originating from the host
        running firewalld and is destined to any zone. Or said differently traffic
        in the OUTPUT chain.
      services:
        - http
        - https
        - ssh
      rich_rules:
        - family: ipv4
          destination:
            address: 8.8.8.8
          port:
            portid: 53
            protocol: udp
          accept: true
      ports:
        - comment: salt-master
          port: 4505
          protocol: tcp
        - comment: salt-master
          port: 4506
          protocol: tcp

  direct:
    chain:
      MYCHAIN: