salt
/
firewalld-formula
forked from ExternalMirrors/firewalld-formula
Watch 2
Star 0
Fork 0
Code Releases 2 Activity
Browse Source

Merge pull request #27 from aboe76/improve_service 

update service and zones with more options
tags/v0.6.2
Imran Iqbal 5 years ago
parent
f5c2acbd3a a438f30f50
commit
6a546ca192
No account linked to committer's email address
8 changed files with 181 additions and 83 deletions
Split View Show Diff Stats
  1. +0
    -56
      .kitchen.yml
  2. +4
    -2
      .travis.yml
  3. +3
    -5
      Gemfile
  4. +52
    -9
      firewalld/files/service.xml
  5. +35
    -10
      firewalld/files/zone.xml
  6. +1
    -1
      firewalld/ipsets.sls
  7. +72
    -0
      kitchen.yml
  8. +14
    -0
      pillar.example

+ 0
- 56
.kitchen.yml View File

@@ -1,56 +0,0 @@
---
driver:
name: docker

driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd

platforms:
- name: debian-9
driver_config:
provision_command:
- apt-get install udev net-tools -y
- name: ubuntu-18.04
driver_config:
provision_command:
- apt-get install udev net-tools -y
- name: centos-7
driver_config:
provision_command:
- yum install udev net-tools -y

provisioner:
name: salt_solo
log_level: info
require_chef: false
salt_version: latest
formula: firewalld
salt_copy_filter:
- .kitchen
- .git
pillars-from-files:
firewalld.sls: pillar.example
pillars:
top.sls:
base:
'*':
- firewalld

verifier:
name: inspec
sudo: true
reporter:
- cli
inspec_tests:
- path: test/integration/default

suites:
- name: default
provisioner:
state_top:
base:
'*':
- firewalld

+ 4
- 2
.travis.yml View File

@@ -1,3 +1,6 @@
stages:
- test

sudo: required
cache: bundler
language: ruby
@@ -5,7 +8,7 @@ language: ruby
services:
- docker

before_install:
install:
- bundle install

env:
@@ -16,4 +19,3 @@ env:

script:
- bundle exec kitchen verify ${INSTANCE}


+ 3
- 5
Gemfile View File

@@ -1,7 +1,5 @@
source "https://rubygems.org"

gem "test-kitchen", '>=1.23.2'
gem "kitchen-docker"
gem "kitchen-salt", ">=0.2.5"
gem "kitchen-inspec"

gem "kitchen-docker", ">= 2.9"
gem "kitchen-salt", ">= 0.6.0"
gem "kitchen-inspec", '>= 1.1'

+ 52
- 9
firewalld/files/service.xml View File

@@ -5,25 +5,68 @@
Modify the salt pillar for firewalld instead
-->
<service version="1">
{% if 'short' in service %}<short>{{ service.short }}</short>{%- else %}<short>{{ name }}</short>{%- endif %}
{% if 'description' in service %}<description>{{ service.description }}</description>{%- endif %}
{%- if 'short' in service %}
<short>{{ service.short }}</short>
{%- else %}
<short>{{ name }}</short>
{%- endif %}
{%- if 'description' in service %}
<description>{{ service.description }}</description>
{%- endif %}
{%- if 'ports' in service %}
{%- if 'tcp' in service.ports %}
{%- for v in service.ports.tcp %}
{%- if 'tcp' in service.ports %}
{%- for v in service.ports.tcp %}
<port port="{{ v }}" protocol="tcp" />
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.ports %}
{%- for v in service.ports.udp %}
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.ports %}
{%- for v in service.ports.udp %}
<port port="{{ v }}" protocol="udp" />
{%- endfor %}
{%- endif %}
{%- if 'sctp' in service.ports %}
{%- for v in service.ports.sctp %}
<port port="{{ v }}" protocol="sctp" />
{%- endfor %}
{%- endif %}
{%- if 'dccp' in service.ports %}
{%- for v in service.ports.dccp %}
<port port="{{ v }}" protocol="dccp" />
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'protocols' in service %}
{%- for v in service.protocols %}
<protocol value="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'source_ports' in service %}
{%- if 'tcp' in service.source_ports %}
{%- for v in service.source_ports.tcp %}
<source-port port="{{ v }}" protocol="tcp" />
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.source_ports %}
{%- for v in service.source_ports.udp %}
<source-port port="{{ v }}" protocol="udp" />
{%- endfor %}
{%- endif %}
{%- if 'sctp' in service.source_ports %}
{%- for v in service.source_ports.sctp %}
<source-port port="{{ v }}" protocol="sctp" />
{%- endfor %}
{%- endif %}
{%- if 'dccp' in service.source_ports %}
{%- for v in service.source_ports.dccp %}
<source-port port="{{ v }}" protocol="dccp" />
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'modules' in service %}
{%- for v in service.modules %}
<module name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'destinations' in service %}
{%- if 'ipv4' in service.destinations %}
{%- for v in service.destinations.ipv4 %}

+ 35
- 10
firewalld/files/zone.xml View File

@@ -43,7 +43,12 @@
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}"/>
<port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'protocols' in zone %}
{%- for v in zone.protocols %}
<protocol value="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_blocks' in zone %}
@@ -51,6 +56,9 @@
<icmp-block name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_block_inversion' in zone %}
<icmp-block-inversion name="{{ zone.icmp_blok_inversion }}" />
{%- endif %}
{%- if 'masquerade' in zone %}
{%- if zone.masquerade %}
<masquerade/>
@@ -64,6 +72,14 @@
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %}
{%- endif %}
{%- if 'source_ports' in zone %}
{%- for v in zone.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}

{%- if 'rich_rules' in zone %}
{%- for rule in zone.rich_rules %}
@@ -73,25 +89,28 @@
<rule>
{%- endif %}
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}"/>
<source ipset="{{ rule.ipset.name }}" />
{%- endif %}
{%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %}
{%- if 'destination' in rule %}
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %}/>
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %}
{%- if 'service' in rule %}
<service name="{{ rule.service }}"/>
<service name="{{ rule.service }}" />
{%- endif %}
{%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}"/>
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %}
{%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}"/>
<protocol value="{{ rule.protocol }}" />
{%- endif %}
{%- if 'icmp_block' in rule %}
<icmp_block name="{{ rule.icmp_block }}"/>
<icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %}
{%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %}
@@ -102,6 +121,12 @@
{%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %}
@@ -114,9 +139,9 @@
{%- endif %}
{%- if 'accept' in rule %}
<accept/>
{%- endif %}
{%- endif %}
{%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %}/>
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %}
{%- if 'drop' in rule %}
<drop/>

+ 1
- 1
firewalld/ipsets.sls View File

@@ -77,7 +77,7 @@ directory_firewalld_ipsets:
- cmd: reload_firewalld # reload firewalld config
- context:
name: {{ z_name }}
ipset: {{ v }}
ipset: {{ v|json }}

{% endfor %}
{%- endif %}

+ 72
- 0
kitchen.yml View File

@@ -0,0 +1,72 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
driver:
name: docker

driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
pid_one_command: /usr/lib/systemd/systemd

platforms:
- name: centos-7
driver_config:
image: centos:7
provision_command:
- yum install udev net-tools glibc-common -y
- echo "LANG=en_US.UTF-8" >> /etc/locale.conf
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
platform: rhel

- name: debian-9
driver_config:
image: debian:9
provision_command:
- apt-get install udev net-tools locales -y
- echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
- locale-gen en_US.UTF-8
platform: debian
- name: ubuntu-18.04
driver_config:
image: ubuntu:18.04
provision_command:
- apt-get install udev net-tools locales -y
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
- echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
- locale-gen en_US.UTF-8
platform: ubuntu

provisioner:
name: salt_solo
log_level: info
require_chef: false
salt_version: latest
formula: firewalld
salt_copy_filter:
- .kitchen
- .git
pillars_from_files:
firewalld.sls: pillar.example
pillars:
top.sls:
base:
'*':
- firewalld
state_top:
base:
'*':
- firewalld

verifier:
name: inspec
sudo: true
reporter:
- cli
inspec_tests:
- path: test/integration/default

suites:
- name: default

+ 14
- 0
pillar.example View File

@@ -28,6 +28,11 @@ firewalld:
- 5252
modules:
- some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations:
ipv4:
- 224.0.0.251
@@ -89,6 +94,8 @@ firewalld:
- https
- ssh
- salt-minion
protocols:
- igmp
rich_rules:
- family: ipv4
source:
@@ -117,6 +124,13 @@ firewalld:
- comment: vsftpd
port: 21
protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp

direct:
chain:

Write Preview
Loading…
Cancel
Save