
rules.sls 1.9KB

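  {#- rules.sls: renders the iptables states for every chain in the `service`
    map (iptables/map.jinja): chain_present, an optional set_policy, rules
    contributed by other formulas through <service>/meta/iptables.yml, and the
    chain's own pillar rules. Each rule is rendered by iptables/_rule.sls. -#}
{% from "iptables/map.jinja" import service with context %}

{#- .items() rather than .iteritems(): the latter exists only on Python 2 and
    makes this state fail to render on Python 3 minions (Salt >= 3001);
    .items() gives the same key/value pairs on both. #}
{%- for chain_name, chain in service.get('chain', {}).items() %}

iptables_{{ chain_name }}:
  iptables.chain_present:
  - family: ipv4
  - name: {{ chain_name }}
  - table: filter
  - require:
    - pkg: iptables_packages

{#- The ip6tables counterpart is only managed when the minion reports ipv6 and
    the pillar does not opt out (service.ipv6 defaults to True). When this block
    is skipped nothing in this file touches ip6tables, so a DROP policy set
    below applies to IPv4 only and the IPv6 chain keeps whatever policy the
    host already has -- make sure that is covered elsewhere if the intent is to
    close the host. #}
{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}

iptables_{{ chain_name }}_ipv6:
  iptables.chain_present:
  - family: ipv6
  - name: {{ chain_name }}
  - table: filter
  - require:
    - pkg: iptables_packages
{%- if chain.policy is defined %}
  - require_in:
    - iptables: iptables_{{ chain_name }}_ipv6_policy
{%- endif %}
{%- endif %}

{#- Default policy of the chain (chain.policy is rendered verbatim, e.g.
    ACCEPT or DROP); ordered after the chain exists. #}
{%- if chain.policy is defined %}

iptables_{{ chain_name }}_policy:
  iptables.set_policy:
  - family: ipv4
  - chain: {{ chain_name }}
  - policy: {{ chain.policy }}
  - table: filter
  - require:
    - iptables: iptables_{{ chain_name }}
{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}

iptables_{{ chain_name }}_ipv6_policy:
  iptables.set_policy:
  - family: ipv6
  - chain: {{ chain_name }}
  - policy: {{ chain.policy }}
  - table: filter
  - require:
    - iptables: iptables_{{ chain_name }}_ipv6
{%- endif %}
{%- endif %}

{#- Rules contributed by other formulas: every top-level pillar key whose
    _support.iptables.enabled is true gets <key>/meta/iptables.yml included
    from the file roots and parsed with load_yaml. The `is mapping` guard
    skips scalar or list pillar keys, which previously aborted rendering
    with "object has no attribute 'get'".
    NOTE(review): this loop is nested in the chain loop and so runs once per
    chain; whether the IDs built in _rule.sls from rule_name are also keyed
    on chain_name cannot be seen from this file -- verify before adding a
    second chain. The loop variable is deliberately still called `service`
    because _rule.sls may rely on that name referring to the pillar entry. #}
{%- for service_name, service in pillar.items() %}
{%- if service is mapping and service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
{%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
{%- set grains_yaml = load_grains_file()|load_yaml %}
{%- for rule in grains_yaml.iptables.rules %}
{%- set rule_name = service_name+'_'+loop.index|string %}
{% include "iptables/_rule.sls" %}
{%- endfor %}
{%- endif %}
{%- endfor %}

{#- Rules listed directly under the chain in pillar; rule_name is the
    1-based position within the chain's rule list. #}
{%- for rule in chain.get('rules', []) %}
{%- set rule_name = loop.index %}
{% include "iptables/_rule.sls" %}
{%- endfor %}
{%- endfor %}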