This introduces a "purge_zones" toggle which, if enabled, ensures
zones not managed using the firewalld pillar get deleted.
Useful to enforce that only Salt managed zones exist and to clean
up pre-Salt data.
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
```bash
[213] SaltStack recommends using cmd.run together with onchanges, rather than cmd.wait
firewalld/init.sls:53
cmd.wait:
```
Usually fix:
* `cmd.wait` + `watch`
To:
* `cmd.run` + `onchanges`
But this code doesn't use that construction, so leaving as-is.
The current rich_rule macro supports setting whether the connection
should be accepted, rejected or dropped, but doesn't support setting
rate limiting in the 'accept' case. Add code for that.
Signed-off-by: Arnaud Patard <apatard@hupstream.com>
While the default maps are mostly empty this sets the groundwork for
distribution specific defaults. The layout is based on the formula
template.
BREAKING CHANGE: `map.jinja` has been upgraded from using `pillar.get`
to `config.get`.
If the formula was run on a system that reported an os_family that
wasn't one of "Debian", "RedHat", "Arch", "Suse", then the map.jinja
template would fail to render with "'NoneType' is not iterable".
This occurs because grains.filter_by will return None when it fails to
match the grain to the input dictionary. The value is then blindly
passed into a dict.update(), which causes the failure.
In this patch we ensure that the default values, as defined in
defaults.yaml, are always applied when grain matching fails.
When specifying rich rules as a dictionary, ipsets and services can be
specified as lists. They will be expanded out by the jinja template into
individual rich rules for the parent zone.
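The fan-out described above, together with the rate-limited 'accept' from the rich_rule change, as an added Python example that is not the formula's own Jinja macro; the dictionary keys (`family`, `ipset`, `service`, `action`, `limit`) are assumptions, since the formula's real pillar keys are not shown here.

```python
"""Expand a dictionary-style rich rule into individual firewalld rich rules.

Added example, not the formula's own rich_rule macro. It mirrors the commit
messages: list-valued ipsets/services fan out into one rule each, and an
optional rate limit is attached to the 'accept' action. The dictionary keys
used here are assumptions; the formula's real pillar keys are not on the page.
"""
from itertools import product

ACTIONS = ("accept", "reject", "drop")


def _as_list(value):
    """Return a scalar as a one-element list; a list unchanged; None as [None]."""
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def expand_rich_rule(rule):
    """Return one rich rule string per (ipset, service) combination.

    Assumed keys: family ('ipv4'/'ipv6', optional), ipset (name or list,
    optional), service (name or list, optional), action ('accept', 'reject'
    or 'drop'; default 'accept'), limit (e.g. '10/m', accept only).
    """
    action = rule.get("action", "accept")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    limit = rule.get("limit")
    if limit and action != "accept":
        # As in the commit, the limit is only wired up for 'accept'.
        raise ValueError("limit is only attached to 'accept' in this example")
    rules = []
    for ipset, service in product(_as_list(rule.get("ipset")),
                                  _as_list(rule.get("service"))):
        parts = ["rule"]
        if rule.get("family"):
            parts.append(f'family="{rule["family"]}"')
        if ipset:
            parts.append(f'source ipset="{ipset}"')
        if service:
            parts.append(f'service name="{service}"')
        parts.append(action)
        if limit:
            parts.append(f'limit value="{limit}"')
        rules.append(" ".join(parts))
    return rules
```

Feeding two ipsets and two services produces four rules, one per combination, each carrying the same limit clause.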
Now multiple sections ending with `services` can be defined for each in pillar,
and all of them will get merged into one service block in the zone. The goal is
to keep backward compatibility while allowing different services to be defined
in different pillars. So basically, have various parts of the pillar affect
the firewall without the need to define everything centrally. Helpful for the
exceptions to the rules.
```bash
firewalld-formula$ yamllint -s .
./pillar.example
2:1 warning missing document start "---" (document-start)
3:12 warning truthy value should be one of [false, true] (truthy)
12:13 warning truthy value should be one of [false, true] (truthy)
15:89 error line too long (108 > 88 characters) (line-length)
19:13 warning truthy value should be one of [false, true] (truthy)
30:89 error line too long (363 > 88 characters) (line-length)
96:89 error line too long (170 > 88 characters) (line-length)
108:15 error wrong indentation: expected 12 but found 14 (indentation)
115:13 error empty value in block mapping (empty-values)
116:2 error syntax error: found character '%' that cannot start any token
152:89 error line too long (112 > 88 characters) (line-length)
./firewalld/defaults.yaml
3:1 warning missing document start "---" (document-start)
```
```bash
Examining firewalld/map.jinja of type state
[209] Jinja comment should have spaces before and after: {# comment #}
firewalld/map.jinja:4
{## Start with defaults from defaults.yaml ##}
[209] Jinja comment should have spaces before and after: {# comment #}
firewalld/map.jinja:7
{##
[201] Trailing whitespace
firewalld/map.jinja:16
}, grain='os_family', merge=salt['pillar.get']('firewalld:lookup'))
[209] Jinja comment should have spaces before and after: {# comment #}
firewalld/map.jinja:19
{## Merge the flavor_map to the default settings ##}
[209] Jinja comment should have spaces before and after: {# comment #}
firewalld/map.jinja:22
{## Merge in salt:lookup pillar ##}
```
Firewalld does not parse the name attribute.
Log message:
```
firewalld[1999]: ERROR: Failed to load zone file 'public.xml':
PARSE_ERROR: icmp-block-inversion: Unexpected attribute name
```
I wanted to be able to add an ipset as a source in the zone without using a rich rule. I believe this change accomplishes that. Tested and working on CentOS 7 (salt master and minion).