ExternalMirrors
/
iptables-formula
mirror of https://github.com/salt-formulas/salt-formula-iptables
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 6 Wiki Activity
Saltstack Official IPTables Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38 Commits
2 Branches
Tree: 3c703cd9af
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3c703cd9af'
${ noResults }
iptables-formula/iptables/rules.sls

129 lines
3.7KB
Raw Blame History 

  1. {% from "iptables/map.jinja" import service with context %}

  2. {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}

  3. 

  4. {%- if grains.os_family == 'Debian' and service.get('provider') == "iptables-restore" %}

  5. /etc/iptables/rules.v4.tmp:

  6.   file.managed:

  7.     - source: salt://iptables/files/rules.v4

  8.     - template: jinja

  9.     - makedirs: True

  10.     - defaults:

  11.         chains: {{ service.get('chain', {}) }}

  12.     - require:

  13.       - pkg: iptables_packages

  14.       - file: /usr/share/netfilter-persistent/plugins.d/15-ip4tables

  15. iptables-restore --test /etc/iptables/rules.v4.tmp:

  16.   cmd.run:

  17.     - onchanges:

  18.       - file: /etc/iptables/rules.v4.tmp

  19. cp -a /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4:

  20.   cmd.run:

  21.     - onchanges:

  22.       - cmd: "iptables-restore --test /etc/iptables/rules.v4.tmp"

  23.     - watch_in:

  24.       - service: iptables_services

  25. cp -a /etc/iptables/rules.v4 /etc/iptables/rules.v4.tmp:

  26.   cmd.run:

  27.     - onfail:

  28.       - cmd: "iptables-restore --test /etc/iptables/rules.v4.tmp"

  29. 

  30. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}

  31. /etc/iptables/rules.v6.tmp:

  32.   file.managed:

  33.     - source: salt://iptables/files/rules.v6

  34.     - template: jinja

  35.     - makedirs: True

  36.     - defaults:

  37.         chains: {{ service.get('chain', {}) }}

  38.     - require:

  39.       - pkg: iptables_packages

  40.       - file: /usr/share/netfilter-persistent/plugins.d/25-ip6tables

  41.     - watch_in:

  42.       - service: iptables_services

  43. ip6tables-restore --test /etc/iptables/rules.v6.tmp:

  44.   cmd.run:

  45.     - onchanges:

  46.       - file: /etc/iptables/rules.v6.tmp

  47. cp -a /etc/iptables/rules.v6.tmp /etc/iptables/rules.v6:

  48.   cmd.run:

  49.     - onchanges:

  50.       - cmd: "ip6tables-restore --test /etc/iptables/rules.v6.tmp"

  51.     - watch_in:

  52.       - service: iptables_services

  53. cp -a /etc/iptables/rules.v6 /etc/iptables/rules.v6.tmp:

  54.   cmd.run:

  55.     - onfail:

  56.       - cmd: "ip6tables-restore --test /etc/iptables/rules.v6.tmp"

  57. {%- endif %}

  58. {%- else %}

  59. 

  60. {%- for chain_name, chain in service.get('chain', {}).iteritems() %}

  61. 

  62. iptables_{{ chain_name }}:

  63.   iptables.chain_present:

  64.     - family: ipv4

  65.     - name: {{ chain_name }}

  66.     - table: filter

  67.     - require:

  68.       - pkg: iptables_packages

  69. 

  70. {%-   if grains.ipv6|default(False) and service.ipv6|default(True) %}

  71. iptables_{{ chain_name }}_ipv6:

  72.   iptables.chain_present:

  73.     - family: ipv6

  74.     - name: {{ chain_name }}

  75.     - table: filter

  76.     - require:

  77.       - pkg: iptables_packages

  78. {%-     if chain.policy is defined %}

  79.     - require_in:

  80.       - iptables: iptables_{{ chain_name }}_ipv6_policy

  81. {%-     endif  %}

  82. {%-   endif %}

  83. 

  84. {%- if chain.policy is defined %}

  85. iptables_{{ chain_name }}_policy:

  86.   iptables.set_policy:

  87.     - family: ipv4

  88.     - chain: {{ chain_name }}

  89.     - policy: {{ chain.policy }}

  90.     - table: filter

  91.     - require:

  92.       - iptables: iptables_{{ chain_name }}

  93. 

  94. {%-   if grains.ipv6|default(False) and service.ipv6|default(True) %}

  95. iptables_{{ chain_name }}_ipv6_policy:

  96.   iptables.set_policy:

  97.     - family: ipv6

  98.     - chain: {{ chain_name }}

  99.     - policy: {{ chain.policy }}

  100.     - table: filter

  101.     - require:

  102.       - iptables: iptables_{{ chain_name }}_ipv6

  103. {%-   endif %}

  104. {%- endif %}

  105. 

  106. {%- for service_name, service in pillar.items() %}

  107. {%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}

  108. 

  109. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}

  110. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}

  111. {%- set grains_yaml = load_grains_file()|load_yaml %}

  112. 

  113. {%- for rule in grains_yaml.iptables.rules %}

  114. {%- set rule_name = service_name+'_'+loop.index|string %}

  115. {% include "iptables/_rule.sls" %}

  116. {%- endfor %}

  117. 

  118. {%- endif %}

  119. {%- endfor %}

  120. 

  121. {%- for rule in chain.get('rules', []) %}

  122. {%- set rule_name = loop.index %}

  123. {% include "iptables/_rule.sls" %}

  124. {%- endfor %}

  125. 

  126. {%- endfor %}

  127. {%- endif %}

  128. {%- endif %}