Browse Source

Merge d542d63c40 into 0cbeada0ab

pull/56/merge
kartnico 4 months ago
parent
commit
d6bf64f6c4
No account linked to committer's email address
4 changed files with 256 additions and 0 deletions
  1. +179
    -0
      firewalld/files/policy.xml
  2. +1
    -0
      firewalld/init.sls
  3. +46
    -0
      firewalld/policies.sls
  4. +30
    -0
      pillar.example

+ 179
- 0
firewalld/files/policy.xml View File

@@ -0,0 +1,179 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
{%- macro rich_rule(rule) %}
<rule{% if 'family' in rule %} family="{{ rule.family }}"{% endif %}{% if 'priority' in rule %} priority="{{ rule.priority }}"{% endif %}>
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}" />
{%- endif %}
{%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %}
{%- if 'destination' in rule %}
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %}
{%- if 'service' in rule %}
<service name="{{ rule.service }}" />
{%- endif %}
{%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %}
{%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}" />
{%- endif %}
{%- if 'icmp_block' in rule %}
<icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %}
{%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %}
{%- endif %}
{%- if 'forward_port' in rule %}
{%- if 'comment' in rule.forward_port %}
<!-- {{ rule.forward_port.comment }} -->
{%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %}
<limit value="{{ rule.log.limit }}"/>
{%- endif %}
</log>
{%- endif %}
{%- if 'audit' in rule %}
<audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
{%- endif %}
{%- if 'accept' in rule %}
<accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
{%- endif %}
{%- if 'reject' in rule %}
<reject{%- if rule.reject is mapping and 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %}
{%- if 'drop' in rule %}
<drop/>
{%- endif %}
</rule>
{%- endmacro %}
<policy{%- if 'target' in policy %} target="{{ policy.target }}"{%- endif %}{%- if 'priority' in policy %} priority="{{ policy.priority }}"{%- endif %}>
{% if 'short' in policy %}<short>{{ policy.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
{% if 'description' in policy %}<description>{{ policy.description }}</description>{% endif %}
{% if 'ingress_zone' in policy %}<ingress-zone name="{{ policy.ingress_zone }}" />{% endif %}
{% if 'egress_zone' in policy %}<egress-zone name="{{ policy.egress_zone }}" />{% endif %}
{%- if 'sources' in policy %}
{%- for v in policy.sources %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source address="{{ v.source }}" />
{%- else %}
<source address="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{%- if 'ipsets' in policy %}
{%- for v in policy.ipsets %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source ipset="{{ v.ipset }}" />
{%- else %}
<source ipset="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for k,val in policy.items() %}
{%- if k.endswith("services") %}
{%- for v in val %}
<service name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- if 'ports' in policy %}
{%- for v in policy.ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'protocols' in policy %}
{%- for v in policy.protocols %}
<protocol value="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_blocks' in policy %}
{%- for v in policy.icmp_blocks %}
<icmp-block name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_block_inversion' in policy and policy.icmp_block_inversion %}
<icmp-block-inversion />
{%- endif %}
{%- if 'masquerade' in policy %}
{%- if policy.masquerade %}
<masquerade/>
{%- endif %}
{%- endif %}
{%- if 'forward_ports' in policy %}
{%- for v in policy.forward_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %}
{%- endif %}
{%- if 'source_ports' in policy %}
{%- for v in policy.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'rich_rules' in policy %}
{%- if policy.rich_rules is list %}
{%- set rich_rules = policy.rich_rules %}
{%- else %}
{%- set expanded_ipset_rules = [] %}
{%- for name,rule in policy.rich_rules|dictsort %}
{%- if 'ipsets' in rule %}
{%- for ipset in rule.ipsets %}
{%- set tmp_rule = {} %}
{%- set _dummy = tmp_rule.update(rule) %}
{%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
{%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
{%- endfor %}
{%- else %}
{%- set _dummy = expanded_ipset_rules.append(rule) %}
{%- endif %}
{%- endfor %}
{%- set rich_rules = [] %}
{%- for rule in expanded_ipset_rules %}
{%- if 'services' in rule %}
{%- for service in rule.services %}
{%- set tmp_rule = {} %}
{%- set _dummy = tmp_rule.update(rule) %}
{%- set _dummy = tmp_rule.update({'service':service}) %}
{%- set _dummy = rich_rules.append(tmp_rule) %}
{%- endfor %}
{%- else %}
{%- set _dummy = rich_rules.append(rule) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for rule in rich_rules %}
{{- rich_rule(rule) }}
{%- endfor %}
{%- endif %}
</policy>

+ 1
- 0
firewalld/init.sls View File

@@ -24,6 +24,7 @@ include:
- firewalld.backend
- firewalld.services
- firewalld.zones
- firewalld.policies
- firewalld.direct

# iptables service that comes with rhel/centos

+ 46
- 0
firewalld/policies.sls View File

@@ -0,0 +1,46 @@
# == State: firewalld.policies
#
# This state ensures that /etc/firewalld/policies/ exists.
#
{% from "firewalld/map.jinja" import firewalld with context %}

directory_firewalld_policies:
file.directory: # make sure this is a directory
- name: /etc/firewalld/policies
- user: root
- group: root
- mode: 750
- require:
- pkg: package_firewalld # make sure package is installed
- require_in:
- service: service_firewalld
- watch_in:
- cmd: reload_firewalld # reload firewalld config

# == Define: firewalld.policies
#
# This defines a policy configuration, see firewalld.policy (5) man page.
#
{% for k, v in salt['pillar.get']('firewalld:policies', {}).items() %}
{% set z_name = v.name|default(k) %}

/etc/firewalld/policies/{{ z_name }}.xml:
file.managed:
- name: /etc/firewalld/policies/{{ z_name }}.xml
- user: root
- group: root
- mode: 644
- source: salt://firewalld/files/policy.xml
- template: jinja
- require:
- pkg: package_firewalld # make sure package is installed
- file: directory_firewalld_policies
- require_in:
- service: service_firewalld
- watch_in:
- cmd: reload_firewalld # reload firewalld config
- context:
name: {{ z_name }}
policy: {{ v|json }}

{% endfor %}

+ 30
- 0
pillar.example View File

@@ -182,6 +182,36 @@ firewalld:
services:
- ssh

policies:
myOutputPolicy:
short: myOutputPolicy
target: DROP
ingress-zones: ANY
egress-zones: HOST
description: >-
This example, creates a policy that applies to traffic originating from the host
running firewalld and is destined to any zone. Or said differently traffic
in the OUTPUT chain.
services:
- http
- https
- ssh
rich_rules:
- family: ipv4
destination:
address: 8.8.8.8
port:
portid: 53
protocol: udp
accept: true
ports:
- comment: salt-master
port: 4505
protocol: tcp
- comment: salt-master
port: 4506
protocol: tcp

direct:
chain:
MYCHAIN:

Loading…
Cancel
Save