преди 3 години · 6a9d4ccabb
--- a/_states/ufw.py
+++ b/_states/ufw.py
@@ -192,9 +192,12 @@ def default_outgoing(name, default):


 def deny(name, app=None, interface=None, protocol=None,
         from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None):
         from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None, force_first=True):

    return _add_rule('insert 1 deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment)
    if force_first is False:
        return _add_rule('deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment)
    else:
        return _add_rule('insert 1 deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment)


 def limit(name, app=None, interface=None, protocol=None,
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -151,6 +151,25 @@ Allow an application defined at /etc/ufw/applications.d/:
     applications:
       - OpenSSH

 Allow generic traffic on ens7, and allow 1 ip to access port 22 and explicitly block all others:

 .. code-block::

   ufw:
     interfaces:
       ens7:
     services:
       22:
         protocol: tcp
         to_port: 22
         from_addr:
           - 192.168.1.1
       22/deny:
         protocol: tcp
         to_port: 22
         deny: true
         force_first: false

 Testing
 -------

--- a/pillar.example
+++ b/pillar.example
@@ -61,10 +61,12 @@ ufw:
      protocol: tcp
      comment: Netbios

    # Deny from a specific port, by number.
    # Deny from a specific port, by number, but don't force
    # the rule as the first rule in the ufw state
    140:
      protocol: tcp
      deny: true
      force_first: false

    # Deny everything from a specific ip address
    '*':
--- a/test/salt/pillar/default.sls
+++ b/test/salt/pillar/default.sls
@@ -34,3 +34,8 @@ ufw:
    '443':
      protocol: tcp
      comment: Allow HTTPS
    '1000':
      protocol: tcp
      deny: true
      force_first: false
      comment: Deny 1000 not as first
--- a/ufw/config/applications.sls
+++ b/ufw/config/applications.sls
@@ -22,11 +22,12 @@ include:
  {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}

  {%- for from_addr in from_addrs %}
    {%- set deny    = app_details.get('deny', None) %}
    {%- set limit   = app_details.get('limit', None) %}
    {%- set method  = 'deny' if deny else ('limit' if limit else 'allow') %}
    {%- set to_addr = app_details.get('to_addr', None) %}
    {%- set comment = app_details.get('comment', None) %}
    {%- set deny        = app_details.get('deny', None) %}
    {%- set force_first = app_details.get('force_first', None) %}
    {%- set limit       = app_details.get('limit', None) %}
    {%- set method      = 'deny' if deny else ('limit' if limit else 'allow') %}
    {%- set to_addr     = app_details.get('to_addr', None) %}
    {%- set comment     = app_details.get('comment', None) %}

 {%- if from_addr is not none %}
 ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}:
@@ -35,6 +36,9 @@ ufw-app-{{ method }}-{{ app_name }}:
 {%- endif %}
  ufw.{{ method }}:
    - app: '"{{ app_name }}"'
    {%- if force_first is not none %}
    - force_first: {{ force_first }}
    {%- endif %}
    {%- if from_addr is not none %}
    - from_addr: {{ from_addr }}
    {%- endif %}
--- a/ufw/config/services.sls
+++ b/ufw/config/services.sls
@@ -22,20 +22,24 @@ include:
  {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}

  {%- for from_addr in from_addrs %}
    {%- set protocol  = service_details.get('protocol', None) %}
    {%- set deny      = service_details.get('deny', None) %}
    {%- set limit     = service_details.get('limit', None) %}
    {%- set method    = 'deny' if deny else ('limit' if limit else 'allow') %}
    {%- set from_port = service_details.get('from_port', None) %}
    {%- set to_addr   = service_details.get('to_addr', None) %}
    {%- set to_port   = service_details.get('to_port', service_name) %}
    {%- set comment   = service_details.get('comment', None) %}
    {%- set protocol    = service_details.get('protocol', None) %}
    {%- set deny        = service_details.get('deny', None) %}
    {%- set force_first = service_details.get('force_first', None) %}
    {%- set limit       = service_details.get('limit', None) %}
    {%- set method      = 'deny' if deny else ('limit' if limit else 'allow') %}
    {%- set from_port   = service_details.get('from_port', None) %}
    {%- set to_addr     = service_details.get('to_addr', None) %}
    {%- set to_port     = service_details.get('to_port', service_name) %}
    {%- set comment     = service_details.get('comment', None) %}

 ufw-svc-{{ method }}-{{ service_name }}-{{ from_addr }}:
  ufw.{{ method }}:
    {%- if protocol is not none %}
    - protocol: {{ protocol }}
    {%- endif %}
    {%- if force_first is not none %}
    - force_first: {{ force_first }}
    {%- endif %}
    {%- if from_addr is not none %}
    - from_addr: {{ from_addr }}
    {%- endif %}