feat(state): allow deny rules to not be forced to the top

_states/ufw.py

 
 
 def deny(name, app=None, interface=None, protocol=None,
-         from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None):
+         from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None, force_first=True):
 
-    return _add_rule('insert 1 deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment)
+    if force_first is False:
+        return _add_rule('deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment)
+    else:
+        return _add_rule('insert 1 deny', name, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment)
 
 
 def limit(name, app=None, interface=None, protocol=None,

docs/README.rst

      applications:
        - OpenSSH
 
+Allow generic traffic on ens7, and allow 1 ip to access port 22 and explicitly block all others:
+
+.. code-block::
+
+   ufw:
+     interfaces:
+       ens7:
+     services:
+       22:
+         protocol: tcp
+         to_port: 22
+         from_addr:
+           - 192.168.1.1
+       22/deny:
+         protocol: tcp
+         to_port: 22
+         deny: true
+         force_first: false
+
 Testing
 -------
 

pillar.example

       protocol: tcp
       comment: Netbios
 
-    # Deny from a specific port, by number.
+    # Deny from a specific port, by number, but don't force
+    # the rule as the first rule in the ufw state
     140:
       protocol: tcp
       deny: true
+      force_first: false
 
     # Deny everything from a specific ip address
     '*':

test/salt/pillar/default.sls

     '443':
       protocol: tcp
       comment: Allow HTTPS
+    '1000':
+      protocol: tcp
+      deny: true
+      force_first: false
+      comment: Deny 1000 not as first

ufw/config/applications.sls

   {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}
 
   {%- for from_addr in from_addrs %}
-    {%- set deny    = app_details.get('deny', None) %}
-    {%- set limit   = app_details.get('limit', None) %}
-    {%- set method  = 'deny' if deny else ('limit' if limit else 'allow') %}
-    {%- set to_addr = app_details.get('to_addr', None) %}
-    {%- set comment = app_details.get('comment', None) %}
+    {%- set deny        = app_details.get('deny', None) %}
+    {%- set force_first = app_details.get('force_first', None) %}
+    {%- set limit       = app_details.get('limit', None) %}
+    {%- set method      = 'deny' if deny else ('limit' if limit else 'allow') %}
+    {%- set to_addr     = app_details.get('to_addr', None) %}
+    {%- set comment     = app_details.get('comment', None) %}
 
 {%- if from_addr is not none %}
 ufw-app-{{ method }}-{{ app_name }}-{{ from_addr }}:
 {%- endif %}
   ufw.{{ method }}:
     - app: '"{{ app_name }}"'
+    {%- if force_first is not none %}
+    - force_first: {{ force_first }}
+    {%- endif %}
     {%- if from_addr is not none %}
     - from_addr: {{ from_addr }}
     {%- endif %}

ufw/config/services.sls

   {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}
 
   {%- for from_addr in from_addrs %}
-    {%- set protocol  = service_details.get('protocol', None) %}
-    {%- set deny      = service_details.get('deny', None) %}
-    {%- set limit     = service_details.get('limit', None) %}
-    {%- set method    = 'deny' if deny else ('limit' if limit else 'allow') %}
-    {%- set from_port = service_details.get('from_port', None) %}
-    {%- set to_addr   = service_details.get('to_addr', None) %}
-    {%- set to_port   = service_details.get('to_port', service_name) %}
-    {%- set comment   = service_details.get('comment', None) %}
+    {%- set protocol    = service_details.get('protocol', None) %}
+    {%- set deny        = service_details.get('deny', None) %}
+    {%- set force_first = service_details.get('force_first', None) %}
+    {%- set limit       = service_details.get('limit', None) %}
+    {%- set method      = 'deny' if deny else ('limit' if limit else 'allow') %}
+    {%- set from_port   = service_details.get('from_port', None) %}
+    {%- set to_addr     = service_details.get('to_addr', None) %}
+    {%- set to_port     = service_details.get('to_port', service_name) %}
+    {%- set comment     = service_details.get('comment', None) %}
 
 ufw-svc-{{ method }}-{{ service_name }}-{{ from_addr }}:
   ufw.{{ method }}:
     {%- if protocol is not none %}
     - protocol: {{ protocol }}
     {%- endif %}
+    {%- if force_first is not none %}
+    - force_first: {{ force_first }}
+    {%- endif %}
     {%- if from_addr is not none %}
     - from_addr: {{ from_addr }}
     {%- endif %}