  1. <?xml version="1.0" encoding="utf-8"?>
  2. <!--
  3. This file is managed/generated by salt.
  4. Do not edit this file manually, it will be overwritten!
  5. Modify the salt pillar for firewalld instead
  6. -->
  7. {%- macro rich_rule(rule) %}
  8. <rule{% if 'family' in rule %} family="{{ rule.family }}"{% endif %}{% if 'priority' in rule %} priority="{{ rule.priority }}"{% endif %}>
  9. {%- if 'ipset' in rule %}
  10. <source ipset="{{ rule.ipset.name }}" />
  11. {%- endif %}
  12. {%- if 'source' in rule %}
  13. <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
  14. {%- endif %}
  15. {%- if 'destination' in rule %}
  16. <destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
  17. {%- endif %}
  18. {%- if 'service' in rule %}
  19. <service name="{{ rule.service }}" />
  20. {%- endif %}
  21. {%- if 'port' in rule %}
  22. <port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
  23. {%- endif %}
  24. {%- if 'protocol' in rule %}
  25. <protocol value="{{ rule.protocol }}" />
  26. {%- endif %}
  27. {%- if 'icmp_block' in rule %}
  28. <icmp-block name="{{ rule.icmp_block }}" />
  29. {%- endif %}
  30. {%- if 'icmp_type' in rule %}
  31. <icmp-type name="{{ rule.icmp_type }}" />
  32. {%- endif %}
  33. {%- if 'masquerade' in rule %}
  34. {%- if rule.masquerade %}<masquerade/>{%- endif %}
  35. {%- endif %}
  36. {%- if 'forward_port' in rule %}
  37. {%- if 'comment' in rule.forward_port %}
  38. <!-- {{ rule.forward_port.comment }} -->
  39. {%- endif %}
  40. <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
  41. {%- endif %}
  42. {%- if 'source_port' in rule %}
  43. {%- if 'comment' in rule.source_port %}
  44. <!-- {{ rule.source_port.comment }} -->
  45. {%- endif %}
  46. <source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
  47. {%- endif %}
  48. {%- if 'log' in rule %}
  49. <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
  50. {%- if 'limit' in rule.log %}
  51. <limit value="{{ rule.log.limit }}"/>
  52. {%- endif %}
  53. </log>
  54. {%- endif %}
  55. {%- if 'audit' in rule %}
  56. <audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
  57. {%- endif %}
  58. {%- if 'accept' in rule %}
  59. <accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
  60. {%- endif %}
  61. {%- if 'reject' in rule %}
  62. <reject{%- if rule.reject is mapping and 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
  63. {%- endif %}
  64. {%- if 'drop' in rule %}
  65. <drop/>
  66. {%- endif %}
  67. </rule>
  68. {%- endmacro %}
  69. <policy{%- if 'target' in policy %} target="{{ policy.target }}"{%- endif %}{%- if 'priority' in policy %} priority="{{ policy.priority }}"{%- endif %}>
  70. {% if 'short' in policy %}<short>{{ policy.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
  71. {% if 'description' in policy %}<description>{{ policy.description }}</description>{% endif %}
  72. {% if 'ingress_zone' in policy %}<ingress-zone name="{{ policy.ingress_zone }}" />{% endif %}
  73. {% if 'egress_zone' in policy %}<egress-zone name="{{ policy.egress_zone }}" />{% endif %}
  74. {%- if 'sources' in policy %}
  75. {%- for v in policy.sources %}
  76. {%- if 'comment' in v %}
  77. <!-- {{ v.comment }} -->
  78. <source address="{{ v.source }}" />
  79. {%- else %}
  80. <source address="{{ v }}" />
  81. {%- endif %}
  82. {%- endfor %}
  83. {%- endif %}
  84. {%- if 'ipsets' in policy %}
  85. {%- for v in policy.ipsets %}
  86. {%- if 'comment' in v %}
  87. <!-- {{ v.comment }} -->
  88. <source ipset="{{ v.ipset }}" />
  89. {%- else %}
  90. <source ipset="{{ v }}" />
  91. {%- endif %}
  92. {%- endfor %}
  93. {%- endif %}
  94. {%- for k,val in policy.items() %}
  95. {%- if k.endswith("services") %}
  96. {%- for v in val %}
  97. <service name="{{ v }}" />
  98. {%- endfor %}
  99. {%- endif %}
  100. {%- endfor %}
  101. {%- if 'ports' in policy %}
  102. {%- for v in policy.ports %}
  103. {%- if 'comment' in v %}
  104. <!-- {{ v.comment }} -->
  105. {%- endif %}
  106. <port port="{{ v.port }}" protocol="{{ v.protocol }}" />
  107. {%- endfor %}
  108. {%- endif %}
  109. {%- if 'protocols' in policy %}
  110. {%- for v in policy.protocols %}
  111. <protocol value="{{ v }}" />
  112. {%- endfor %}
  113. {%- endif %}
  114. {%- if 'icmp_blocks' in policy %}
  115. {%- for v in policy.icmp_blocks %}
  116. <icmp-block name="{{ v }}" />
  117. {%- endfor %}
  118. {%- endif %}
  119. {%- if 'icmp_block_inversion' in policy and policy.icmp_block_inversion %}
  120. <icmp-block-inversion />
  121. {%- endif %}
  122. {%- if 'masquerade' in policy %}
  123. {%- if policy.masquerade %}
  124. <masquerade/>
  125. {%- endif %}
  126. {%- endif %}
  127. {%- if 'forward_ports' in policy %}
  128. {%- for v in policy.forward_ports %}
  129. {%- if 'comment' in v %}
  130. <!-- {{ v.comment }} -->
  131. {%- endif %}
  132. <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
  133. {%- endfor %}
  134. {%- endif %}
  135. {%- if 'source_ports' in policy %}
  136. {%- for v in policy.source_ports %}
  137. {%- if 'comment' in v %}
  138. <!-- {{ v.comment }} -->
  139. {%- endif %}
  140. <source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
  141. {%- endfor %}
  142. {%- endif %}
  143. {%- if 'rich_rules' in policy %}
  144. {%- if policy.rich_rules is list %}
  145. {%- set rich_rules = policy.rich_rules %}
  146. {%- else %}
  147. {%- set expanded_ipset_rules = [] %}
  148. {%- for name,rule in policy.rich_rules|dictsort %}
  149. {%- if 'ipsets' in rule %}
  150. {%- for ipset in rule.ipsets %}
  151. {%- set tmp_rule = {} %}
  152. {%- set _dummy = tmp_rule.update(rule) %}
  153. {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
  154. {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
  155. {%- endfor %}
  156. {%- else %}
  157. {%- set _dummy = expanded_ipset_rules.append(rule) %}
  158. {%- endif %}
  159. {%- endfor %}
  160. {%- set rich_rules = [] %}
  161. {%- for rule in expanded_ipset_rules %}
  162. {%- if 'services' in rule %}
  163. {%- for service in rule.services %}
  164. {%- set tmp_rule = {} %}
  165. {%- set _dummy = tmp_rule.update(rule) %}
  166. {%- set _dummy = tmp_rule.update({'service':service}) %}
  167. {%- set _dummy = rich_rules.append(tmp_rule) %}
  168. {%- endfor %}
  169. {%- else %}
  170. {%- set _dummy = rich_rules.append(rule) %}
  171. {%- endif %}
  172. {%- endfor %}
  173. {%- endif %}
  174. {%- for rule in rich_rules %}
  175. {{- rich_rule(rule) }}
  176. {%- endfor %}
  177. {%- endif %}
  178. </policy>