Saltstack Official IPTables Formula


  1. {% from "iptables/map.jinja" import service with context %}
  2. {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
  3. {%- if grains.os_family == 'Debian' and service.get('provider') == "iptables-restore" %}
  4. {%- set meta_rules = [] %}
  5. {%- for service_name, service in pillar.items() %}
  6. {%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
  7. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
  8. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
  9. {%- set grains_yaml = load_grains_file()|load_yaml %}
  10. {%- set meta_rules = meta_rules + grains_yaml.iptables.rules %}
  11. {%- endif %}
  12. {%- endfor %}
  13. /etc/iptables/rules.v4.tmp:
  14. file.managed:
  15. - source: salt://iptables/files/rules.v4
  16. - template: jinja
  17. - makedirs: True
  18. - defaults:
  19. chains: {{ service.get('chain', {}) }}
  20. meta_rules: {{ meta_rules }}
  21. - require:
  22. - pkg: iptables_packages
  23. - file: /usr/share/netfilter-persistent/plugins.d/15-ip4tables
  24. iptables-restore --test /etc/iptables/rules.v4.tmp:
  25. cmd.run:
  26. - onchanges:
  27. - file: /etc/iptables/rules.v4.tmp
  28. cp -a /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4:
  29. cmd.run:
  30. - onchanges:
  31. - cmd: "iptables-restore --test /etc/iptables/rules.v4.tmp"
  32. - watch_in:
  33. - service: iptables_services
  34. cp -a /etc/iptables/rules.v4 /etc/iptables/rules.v4.tmp:
  35. cmd.run:
  36. - onfail:
  37. - cmd: "iptables-restore --test /etc/iptables/rules.v4.tmp"
  38. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  39. /etc/iptables/rules.v6.tmp:
  40. file.managed:
  41. - source: salt://iptables/files/rules.v6
  42. - template: jinja
  43. - makedirs: True
  44. - defaults:
  45. chains: {{ service.get('chain', {}) }}
  46. meta_rules: {{ meta_rules }}
  47. - require:
  48. - pkg: iptables_packages
  49. - file: /usr/share/netfilter-persistent/plugins.d/25-ip6tables
  50. - watch_in:
  51. - service: iptables_services
  52. ip6tables-restore --test /etc/iptables/rules.v6.tmp:
  53. cmd.run:
  54. - onchanges:
  55. - file: /etc/iptables/rules.v6.tmp
  56. cp -a /etc/iptables/rules.v6.tmp /etc/iptables/rules.v6:
  57. cmd.run:
  58. - onchanges:
  59. - cmd: "ip6tables-restore --test /etc/iptables/rules.v6.tmp"
  60. - watch_in:
  61. - service: iptables_services
  62. cp -a /etc/iptables/rules.v6 /etc/iptables/rules.v6.tmp:
  63. cmd.run:
  64. - onfail:
  65. - cmd: "ip6tables-restore --test /etc/iptables/rules.v6.tmp"
  66. {%- endif %}
  67. {%- else %}
  68. {%- for chain_name, chain in service.get('chain', {}).iteritems() %}
  69. iptables_{{ chain_name }}:
  70. iptables.chain_present:
  71. - family: ipv4
  72. - name: {{ chain_name }}
  73. - table: filter
  74. - require:
  75. - pkg: iptables_packages
  76. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  77. iptables_{{ chain_name }}_ipv6:
  78. iptables.chain_present:
  79. - family: ipv6
  80. - name: {{ chain_name }}
  81. - table: filter
  82. - require:
  83. - pkg: iptables_packages
  84. {%- if chain.policy is defined %}
  85. - require_in:
  86. - iptables: iptables_{{ chain_name }}_ipv6_policy
  87. {%- endif %}
  88. {%- endif %}
  89. {%- if chain.policy is defined %}
  90. iptables_{{ chain_name }}_policy:
  91. iptables.set_policy:
  92. - family: ipv4
  93. - chain: {{ chain_name }}
  94. - policy: {{ chain.policy }}
  95. - table: filter
  96. - require:
  97. - iptables: iptables_{{ chain_name }}
  98. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  99. iptables_{{ chain_name }}_ipv6_policy:
  100. iptables.set_policy:
  101. - family: ipv6
  102. - chain: {{ chain_name }}
  103. - policy: {{ chain.policy }}
  104. - table: filter
  105. - require:
  106. - iptables: iptables_{{ chain_name }}_ipv6
  107. {%- endif %}
  108. {%- endif %}
  109. {%- for service_name, service in pillar.items() %}
  110. {%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
  111. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
  112. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
  113. {%- set grains_yaml = load_grains_file()|load_yaml %}
  114. {%- for rule in grains_yaml.iptables.rules %}
  115. {%- set rule_name = service_name+'_'+loop.index|string %}
  116. {% include "iptables/_rule.sls" %}
  117. {%- endfor %}
  118. {%- endif %}
  119. {%- endfor %}
  120. {%- for rule in chain.get('rules', []) %}
  121. {%- set rule_name = loop.index %}
  122. {% include "iptables/_rule.sls" %}
  123. {%- endfor %}
  124. {%- endfor %}
  125. {%- endif %}
  126. {%- endif %}