|
- # == State: firewalld.ipsets
- #
- # This state ensures that /etc/firewalld/ipsets/ exists.
- #
- {% from "./map.jinja" import firewalld with context %}
-
- # Backward compatibility setting and deprecation notices
- {% set ipset_manage = false %}
- {% set ipset_pkg = 'ipset' %}
- {% set ipset_sets = firewalld.ipsets %}
-
- {% if firewalld.ipset is mapping %}
- {% set ipset_manage = firewalld.ipset.manage %}
- {% set ipset_pkg = firewalld.ipset.pkg %}
- {% else %}
- ### Manage setting (old firewalld:ipset)
- firewalld-ipset-deprecated:
- test.show_notification:
- - text: |
- 'firewalld:ipset' format has changed and setting it as boolean is deprecated.
- Set 'firewalld:ipset:manage' instead.
- See firewalld/pillar.example for more information
-
- {% set ipset_manage = firewalld.ipset %}
- {% endif %}
-
- ### Package setting (old firewalld:ipsetpackage)
- {% if firewalld.ipsetpackage is defined %}
- firewalld-ipsetpackage-deprecated:
- test.show_notification:
- - text: |
- 'firewalld:ipsetpackage' is deprecated. Use 'firewalld:ipset:pkg' instead
- See firewalld/pillar.example for more information
-
- {% set ipset_pkg = firewalld.ipsetpackage %}
- {% endif %}
-
- {%- if ipset_manage %}
- package_ipset:
- pkg.installed:
- - name: {{ ipset_pkg }}
-
- directory_firewalld_ipsets:
- file.directory: # make sure this is a directory
- - name: /etc/firewalld/ipsets
- - user: root
- - group: root
- - mode: 750
- - require:
- - pkg: package_firewalld # make sure package is installed
- - require_in:
- - service: service_firewalld
- - watch_in:
- - cmd: reload_firewalld # reload firewalld config
-
- # == Define: firewalld.ipsets
- #
- # This defines a ipset configuration, see firewalld.ipset (5) man page.
- #
- {% for k, v in ipset_sets.items() %}
- {% set z_name = v.name|default(k) %}
-
- /etc/firewalld/ipsets/{{ z_name }}.xml:
- file.managed:
- - name: /etc/firewalld/ipsets/{{ z_name }}.xml
- - user: root
- - group: root
- - mode: 644
- - source: salt://firewalld/files/ipset.xml
- - template: jinja
- - require:
- - pkg: package_firewalld # make sure package is installed
- - file: directory_firewalld_ipsets
- - require_in:
- - service: service_firewalld
- - watch_in:
- - cmd: reload_firewalld # reload firewalld config
- - context:
- name: {{ z_name }}
- ipset: {{ v|json }}
-
- {% endfor %}
- {%- endif %}
|