implement direct rules

firewalld/direct.sls

@@ -0,0 +1,28 @@
+# == State: firewalld.direct
+
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+
+# == Define: firewalld.direct
+#
+# This defines a configuration for permanent direct chains, 
+# rules and passtthroughs, see firewalld.direct (5) man page.
+
+{%- if firewalld.get('direct', False) %}
+/etc/firewalld/direct.xml:
+  file:
+    - managed
+    - name: /etc/firewalld/direct.xml
+    - user: root
+    - group: root
+    - mode: "0644"
+    - source: salt://firewalld/files/direct.xml
+    - template: jinja
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+      - file: directory_firewalld
+    - listen_in: 
+      - module: service_firewalld # restart service
+    - context:
+        direct: {{ firewalld.direct|json }}
+{%- endif %}

firewalld/files/direct.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<direct>
+  {%- if 'chain' in direct %}
+  {%- for k, v in direct.chain.items() %}
+  <chain ipv="{{v.ipv}}" table="{{v.table}}" chain="{{k}}"/>
+  {%- endfor %}   
+  {%- endif %}
+  {%- if 'rule' in direct %}
+  {%- for k, v in direct.rule.items() %}
+  <rule priority="{{v.priority}}" table="{{v.table}}" ipv="{{v.ipv}}" chain="{{v.chain}}">{{v.args}}</rule>
+  {%- endfor %}   
+  {%- endif %}
+  {%- if 'passthrough' in direct %}
+  {%- for k, v in direct.passthrough.items() %}
+  <passthrough ipv="{{v.ipv}}">{{v.args}}</passthrough>
+  {%- endfor %}   
+  {%- endif %}
+</direct>

firewalld/init.sls

@@ -11,6 +11,7 @@ include:
   - firewalld.ipsets
   - firewalld.services
   - firewalld.zones
+  - firewalld.direct
 
 # iptables service that comes with rhel/centos
 iptables:

pillar.example.sls

@@ -89,3 +89,21 @@ firewalld:
         - comment: vsftpd
           port: 21
           protocol: tcp
+
+  direct:
+    chain:
+      MYCHAIN:
+        ipv: ipv4
+        table: raw
+    rule:
+      INTERNETACCESS:
+        ipv: ipv4
+        table: filter
+        chain: FORWARD
+        priority: "0"
+        args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
+    passthrough:
+      MYPASSTHROUGH:
+        ipv: ipv4
+        args: "-t raw -A MYCHAIN -j DROP"
+