Saltstack Official UFW Formula


  1. # -*- coding: utf-8 -*-
  2. # vim: ft=sls
  3. {#- Get the `tplroot` from `tpldir` #}
  4. {%- set tplroot = tpldir.split('/')[0] %}
  5. {%- set sls_package_install = tplroot ~ '.package.install' %}
  6. {%- set sls_enable_service = tplroot ~ '.service.enable' %}
  7. {%- set sls_reload_service = tplroot ~ '.service.reload' %}
  8. {%- from tplroot ~ "/map.jinja" import ufw with context %}
  9. {%- set enabled = ufw.get('enabled', False) %}
  10. include:
  11. - {{ sls_package_install }}
  12. - {{ sls_enable_service }}
  13. - {{ sls_reload_service }}
  14. # Services
  15. {%- for service_name, service_details in ufw.get('services', {}).items() %}
  16. {%- set from_addr_raw = service_details.get('from_addr', [None]) %}
  17. {%- set from_addrs = [from_addr_raw] if from_addr_raw is string else from_addr_raw %}
  18. {%- for from_addr in from_addrs %}
  19. {%- set protocol = service_details.get('protocol', None) %}
  20. {%- set deny = service_details.get('deny', None) %}
  21. {%- set limit = service_details.get('limit', None) %}
  22. {%- set method = 'deny' if deny else ('limit' if limit else 'allow') %}
  23. {%- set from_port = service_details.get('from_port', None) %}
  24. {%- set to_addr = service_details.get('to_addr', None) %}
  25. {%- set to_port = service_details.get('to_port', service_name) %}
  26. {%- set comment = service_details.get('comment', None) %}
  27. ufw-svc-{{ method }}-{{ service_name }}-{{ from_addr }}:
  28. ufw.{{ method }}:
  29. {%- if protocol is not none %}
  30. - protocol: {{ protocol }}
  31. {%- endif %}
  32. {%- if from_addr is not none %}
  33. - from_addr: {{ from_addr }}
  34. {%- endif %}
  35. {%- if from_port is not none %}
  36. - from_port: "{{ from_port }}"
  37. {%- endif %}
  38. {%- if to_addr is not none %}
  39. - to_addr: {{ to_addr }}
  40. {%- endif %}
  41. # Debian Jessie doesn't implement the **comment** directive
  42. # CentOS-6 throws an UTF-8 error
  43. {%- if comment is not none and salt['grains.get']('osfinger') != 'Debian-8' and salt['grains.get']('osfinger') != 'CentOS-6' %}
  44. - comment: '"{{ comment }}"'
  45. {%- endif %}
  46. - to_port: "{{ to_port }}"
  47. {%- if enabled %}
  48. - listen_in:
  49. - cmd: reload-ufw
  50. {%- endif %}
  51. {%- endfor %}
  52. {%- endfor %}