salt
/
firewalld-formula
forkeado de ExternalMirrors/firewalld-formula
Seguir 2
Destacar 0
Fork 0
Código Lanzamientos 2 Actividad
Explorar el Código

Merge pull request #27 from aboe76/improve_service 

update service and zones with more options
tags/v0.6.2
Imran Iqbal hace 5 años
padre
f5c2acbd3a a438f30f50
commit
6a546ca192
Ninguna cuenta vinculada a la dirección de correo electrónico del committer
Se han modificado 8 ficheros con 181 adiciones y 83 borrados
Unificar vista Mostrar estadísticas de diff
  1. +0
    -56
      .kitchen.yml
  2. +4
    -2
      .travis.yml
  3. +3
    -5
      Gemfile
  4. +52
    -9
      firewalld/files/service.xml
  5. +35
    -10
      firewalld/files/zone.xml
  6. +1
    -1
      firewalld/ipsets.sls
  7. +72
    -0
      kitchen.yml
  8. +14
    -0
      pillar.example

+ 0
- 56
.kitchen.yml Ver fichero

---
driver:
name: docker

driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd

platforms:
- name: debian-9
driver_config:
provision_command:
- apt-get install udev net-tools -y
- name: ubuntu-18.04
driver_config:
provision_command:
- apt-get install udev net-tools -y
- name: centos-7
driver_config:
provision_command:
- yum install udev net-tools -y

provisioner:
name: salt_solo
log_level: info
require_chef: false
salt_version: latest
formula: firewalld
salt_copy_filter:
- .kitchen
- .git
pillars-from-files:
firewalld.sls: pillar.example
pillars:
top.sls:
base:
'*':
- firewalld

verifier:
name: inspec
sudo: true
reporter:
- cli
inspec_tests:
- path: test/integration/default

suites:
- name: default
provisioner:
state_top:
base:
'*':
- firewalld

+ 4
- 2
.travis.yml Ver fichero

stages:
- test

sudo: required sudo: required
cache: bundler cache: bundler
language: ruby language: ruby
services: services:
- docker - docker


before_install:
install:
- bundle install - bundle install


env: env:


script: script:
- bundle exec kitchen verify ${INSTANCE} - bundle exec kitchen verify ${INSTANCE}


+ 3
- 5
Gemfile Ver fichero

source "https://rubygems.org" source "https://rubygems.org"


gem "test-kitchen", '>=1.23.2'
gem "kitchen-docker"
gem "kitchen-salt", ">=0.2.5"
gem "kitchen-inspec"

gem "kitchen-docker", ">= 2.9"
gem "kitchen-salt", ">= 0.6.0"
gem "kitchen-inspec", '>= 1.1'

+ 52
- 9
firewalld/files/service.xml Ver fichero

Modify the salt pillar for firewalld instead Modify the salt pillar for firewalld instead
--> -->
<service version="1"> <service version="1">
{% if 'short' in service %}<short>{{ service.short }}</short>{%- else %}<short>{{ name }}</short>{%- endif %}
{% if 'description' in service %}<description>{{ service.description }}</description>{%- endif %}
{%- if 'short' in service %}
<short>{{ service.short }}</short>
{%- else %}
<short>{{ name }}</short>
{%- endif %}
{%- if 'description' in service %}
<description>{{ service.description }}</description>
{%- endif %}
{%- if 'ports' in service %} {%- if 'ports' in service %}
{%- if 'tcp' in service.ports %}
{%- for v in service.ports.tcp %}
{%- if 'tcp' in service.ports %}
{%- for v in service.ports.tcp %}
<port port="{{ v }}" protocol="tcp" /> <port port="{{ v }}" protocol="tcp" />
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.ports %}
{%- for v in service.ports.udp %}
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.ports %}
{%- for v in service.ports.udp %}
<port port="{{ v }}" protocol="udp" /> <port port="{{ v }}" protocol="udp" />
{%- endfor %}
{%- endif %}
{%- if 'sctp' in service.ports %}
{%- for v in service.ports.sctp %}
<port port="{{ v }}" protocol="sctp" />
{%- endfor %}
{%- endif %}
{%- if 'dccp' in service.ports %}
{%- for v in service.ports.dccp %}
<port port="{{ v }}" protocol="dccp" />
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'protocols' in service %}
{%- for v in service.protocols %}
<protocol value="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'source_ports' in service %}
{%- if 'tcp' in service.source_ports %}
{%- for v in service.source_ports.tcp %}
<source-port port="{{ v }}" protocol="tcp" />
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.source_ports %}
{%- for v in service.source_ports.udp %}
<source-port port="{{ v }}" protocol="udp" />
{%- endfor %}
{%- endif %}
{%- if 'sctp' in service.source_ports %}
{%- for v in service.source_ports.sctp %}
<source-port port="{{ v }}" protocol="sctp" />
{%- endfor %}
{%- endif %}
{%- if 'dccp' in service.source_ports %}
{%- for v in service.source_ports.dccp %}
<source-port port="{{ v }}" protocol="dccp" />
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'modules' in service %} {%- if 'modules' in service %}
{%- for v in service.modules %} {%- for v in service.modules %}
<module name="{{ v }}" /> <module name="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- endif %}
{%- if 'destinations' in service %} {%- if 'destinations' in service %}
{%- if 'ipv4' in service.destinations %} {%- if 'ipv4' in service.destinations %}
{%- for v in service.destinations.ipv4 %} {%- for v in service.destinations.ipv4 %}

+ 35
- 10
firewalld/files/zone.xml Ver fichero

{%- if 'comment' in v %} {%- if 'comment' in v %}
<!-- {{ v.comment }} --> <!-- {{ v.comment }} -->
{%- endif %} {%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}"/>
<port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'protocols' in zone %}
{%- for v in zone.protocols %}
<protocol value="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'icmp_blocks' in zone %} {%- if 'icmp_blocks' in zone %}
<icmp-block name="{{ v }}" /> <icmp-block name="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'icmp_block_inversion' in zone %}
<icmp-block-inversion name="{{ zone.icmp_blok_inversion }}" />
{%- endif %}
{%- if 'masquerade' in zone %} {%- if 'masquerade' in zone %}
{%- if zone.masquerade %} {%- if zone.masquerade %}
<masquerade/> <masquerade/>
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} /> <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'source_ports' in zone %}
{%- for v in zone.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}


{%- if 'rich_rules' in zone %} {%- if 'rich_rules' in zone %}
{%- for rule in zone.rich_rules %} {%- for rule in zone.rich_rules %}
<rule> <rule>
{%- endif %} {%- endif %}
{%- if 'ipset' in rule %} {%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}"/>
<source ipset="{{ rule.ipset.name }}" />
{%- endif %} {%- endif %}
{%- if 'source' in rule %} {%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/>
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'destination' in rule %} {%- if 'destination' in rule %}
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %}/>
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'service' in rule %} {%- if 'service' in rule %}
<service name="{{ rule.service }}"/>
<service name="{{ rule.service }}" />
{%- endif %} {%- endif %}
{%- if 'port' in rule %} {%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}"/>
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %} {%- endif %}
{%- if 'protocol' in rule %} {%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}"/>
<protocol value="{{ rule.protocol }}" />
{%- endif %} {%- endif %}
{%- if 'icmp_block' in rule %} {%- if 'icmp_block' in rule %}
<icmp_block name="{{ rule.icmp_block }}"/>
<icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %} {%- endif %}
{%- if 'masquerade' in rule %} {%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %} {%- if rule.masquerade %}<masquerade/>{%- endif %}
{%- endif %} {%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} /> <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'log' in rule %} {%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}> <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %} {%- if 'limit' in rule.log %}
{%- endif %} {%- endif %}
{%- if 'accept' in rule %} {%- if 'accept' in rule %}
<accept/> <accept/>
{%- endif %}
{%- endif %}
{%- if 'reject' in rule %} {%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %}/>
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'drop' in rule %} {%- if 'drop' in rule %}
<drop/> <drop/>

+ 1
- 1
firewalld/ipsets.sls Ver fichero

- cmd: reload_firewalld # reload firewalld config - cmd: reload_firewalld # reload firewalld config
- context: - context:
name: {{ z_name }} name: {{ z_name }}
ipset: {{ v }}
ipset: {{ v|json }}


{% endfor %} {% endfor %}
{%- endif %} {%- endif %}

+ 72
- 0
kitchen.yml Ver fichero

# -*- coding: utf-8 -*-
# vim: ft=yaml
---
driver:
name: docker

driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
pid_one_command: /usr/lib/systemd/systemd

platforms:
- name: centos-7
driver_config:
image: centos:7
provision_command:
- yum install udev net-tools glibc-common -y
- echo "LANG=en_US.UTF-8" >> /etc/locale.conf
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
platform: rhel

- name: debian-9
driver_config:
image: debian:9
provision_command:
- apt-get install udev net-tools locales -y
- echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
- locale-gen en_US.UTF-8
platform: debian
- name: ubuntu-18.04
driver_config:
image: ubuntu:18.04
provision_command:
- apt-get install udev net-tools locales -y
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
- echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
- locale-gen en_US.UTF-8
platform: ubuntu

provisioner:
name: salt_solo
log_level: info
require_chef: false
salt_version: latest
formula: firewalld
salt_copy_filter:
- .kitchen
- .git
pillars_from_files:
firewalld.sls: pillar.example
pillars:
top.sls:
base:
'*':
- firewalld
state_top:
base:
'*':
- firewalld

verifier:
name: inspec
sudo: true
reporter:
- cli
inspec_tests:
- path: test/integration/default

suites:
- name: default

+ 14
- 0
pillar.example Ver fichero

- 5252 - 5252
modules: modules:
- some_module_to_load - some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations: destinations:
ipv4: ipv4:
- 224.0.0.251 - 224.0.0.251
- https - https
- ssh - ssh
- salt-minion - salt-minion
protocols:
- igmp
rich_rules: rich_rules:
- family: ipv4 - family: ipv4
source: source:
- comment: vsftpd - comment: vsftpd
port: 21 port: 21
protocol: tcp protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp


direct: direct:
chain: chain:

Escribir Vista previa
Cargando…
Cancelar
Guardar