Saltstack Official IPTables Formula


  1. {% from "iptables/map.jinja" import service with context %}
  2. {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
  3. {%- if 'iptables-restore' in service.providers and service.get('provider') == "iptables-restore" %}
  4. {%- set meta_rules = [] %}
  5. {%- for service_name, meta_service in pillar.items() %}
  6. {%- if meta_service is mapping %}
  7. {%- if meta_service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
  8. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
  9. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
  10. {%- set grains_yaml = load_grains_file()|load_yaml %}
  11. {%- set meta_rules = meta_rules + grains_yaml.iptables.rules %}
  12. {%- endif %}
  13. {%- endif %}
  14. {%- endfor %}
  15. /etc/iptables/rules.v4.tmp:
  16. file.managed:
  17. - source: salt://iptables/files/rules.v4
  18. - template: jinja
  19. - makedirs: True
  20. - defaults:
  21. chains: {{ service.get('chain', {}) }}
  22. meta_rules: {{ meta_rules }}
  23. - require:
  24. - pkg: iptables_packages
  25. - file: /usr/share/netfilter-persistent/plugins.d/15-ip4tables
  26. iptables-restore --test /etc/iptables/rules.v4.tmp:
  27. cmd.run:
  28. - onchanges:
  29. - file: /etc/iptables/rules.v4.tmp
  30. cp -a /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4:
  31. cmd.run:
  32. - onchanges:
  33. - cmd: "iptables-restore --test /etc/iptables/rules.v4.tmp"
  34. - watch_in:
  35. - service: iptables_services
  36. cp -a /etc/iptables/rules.v4 /etc/iptables/rules.v4.tmp:
  37. cmd.run:
  38. - onfail:
  39. - cmd: "iptables-restore --test /etc/iptables/rules.v4.tmp"
  40. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  41. /etc/iptables/rules.v6.tmp:
  42. file.managed:
  43. - source: salt://iptables/files/rules.v6
  44. - template: jinja
  45. - makedirs: True
  46. - defaults:
  47. chains: {{ service.get('chain', {}) }}
  48. meta_rules: {{ meta_rules }}
  49. - require:
  50. - pkg: iptables_packages
  51. - file: /usr/share/netfilter-persistent/plugins.d/25-ip6tables
  52. - watch_in:
  53. - service: iptables_services
  54. ip6tables-restore --test /etc/iptables/rules.v6.tmp:
  55. cmd.run:
  56. - onchanges:
  57. - file: /etc/iptables/rules.v6.tmp
  58. cp -a /etc/iptables/rules.v6.tmp /etc/iptables/rules.v6:
  59. cmd.run:
  60. - onchanges:
  61. - cmd: "ip6tables-restore --test /etc/iptables/rules.v6.tmp"
  62. - watch_in:
  63. - service: iptables_services
  64. cp -a /etc/iptables/rules.v6 /etc/iptables/rules.v6.tmp:
  65. cmd.run:
  66. - onfail:
  67. - cmd: "ip6tables-restore --test /etc/iptables/rules.v6.tmp"
  68. {%- endif %}
  69. {%- else %}
  70. {%- for chain_name, chain in service.get('chain', {}).iteritems() %}
  71. iptables_{{ chain_name }}:
  72. iptables.chain_present:
  73. - family: ipv4
  74. - name: {{ chain_name }}
  75. - table: filter
  76. - require:
  77. - pkg: iptables_packages
  78. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  79. iptables_{{ chain_name }}_ipv6:
  80. iptables.chain_present:
  81. - family: ipv6
  82. - name: {{ chain_name }}
  83. - table: filter
  84. - require:
  85. - pkg: iptables_packages
  86. {%- if chain.policy is defined %}
  87. - require_in:
  88. - iptables: iptables_{{ chain_name }}_ipv6_policy
  89. {%- endif %}
  90. {%- endif %}
  91. {%- if chain.policy is defined %}
  92. iptables_{{ chain_name }}_policy:
  93. iptables.set_policy:
  94. - family: ipv4
  95. - chain: {{ chain_name }}
  96. - policy: {{ chain.policy }}
  97. - table: filter
  98. - require:
  99. - iptables: iptables_{{ chain_name }}
  100. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  101. iptables_{{ chain_name }}_ipv6_policy:
  102. iptables.set_policy:
  103. - family: ipv6
  104. - chain: {{ chain_name }}
  105. - policy: {{ chain.policy }}
  106. - table: filter
  107. - require:
  108. - iptables: iptables_{{ chain_name }}_ipv6
  109. {%- endif %}
  110. {%- endif %}
  111. {%- for service_name, service in pillar.items() %}
  112. {%- if service is mapping %}
  113. {%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
  114. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
  115. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
  116. {%- set grains_yaml = load_grains_file()|load_yaml %}
  117. {%- if grains_yaml is iterable %}
  118. {%- if grains_yaml.get('iptables',{}).rules is defined %}
  119. {%- for rule in grains_yaml.iptables.rules %}
  120. {%- set rule_name = service_name+'_'+loop.index|string %}
  121. {% include "iptables/_rule.sls" %}
  122. {%- endfor %}
  123. {%- endif %}
  124. {%- endif %}
  125. {%- endif %}
  126. {%- endif %}
  127. {%- endfor %}
  128. {%- for rule in chain.get('rules', []) %}
  129. {%- set rule_name = loop.index %}
  130. {% include "iptables/_rule.sls" %}
  131. {%- endfor %}
  132. {%- endfor %}
  133. {%- endif %}
  134. {%- endif %}