
  1. {% from "iptables/map.jinja" import service with context %}
  2. {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
  3. {%- set chains = service.get('chain', {}).keys() %}
  4. {%- for chain_name, chain in service.get('chain', {}).iteritems() %}
  5. iptables_{{ chain_name }}:
  6. iptables.chain_present:
  7. - family: ipv4
  8. - name: {{ chain_name }}
  9. - table: filter
  10. - require:
  11. - pkg: iptables_packages
  12. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  13. iptables_{{ chain_name }}_ipv6:
  14. iptables.chain_present:
  15. - family: ipv6
  16. - name: {{ chain_name }}
  17. - table: filter
  18. - require:
  19. - pkg: iptables_packages
  20. {%- if chain.policy is defined %}
  21. - require_in:
  22. - iptables: iptables_{{ chain_name }}_ipv6_policy
  23. {%- endif %}
  24. {%- endif %}
  25. {%- if chain.policy is defined %}
  26. iptables_{{ chain_name }}_policy:
  27. iptables.set_policy:
  28. - family: ipv4
  29. - chain: {{ chain_name }}
  30. - policy: {{ chain.policy }}
  31. - table: filter
  32. - require:
  33. - iptables: iptables_{{ chain_name }}
  34. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  35. iptables_{{ chain_name }}_ipv6_policy:
  36. iptables.set_policy:
  37. - family: ipv6
  38. - chain: {{ chain_name }}
  39. - policy: {{ chain.policy }}
  40. - table: filter
  41. - require:
  42. - iptables: iptables_{{ chain_name }}_ipv6
  43. {%- endif %}
  44. {%- endif %}
  45. {%- for service_name, service in pillar.items() %}
  46. {%- if service is mapping %}
  47. {%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}
  48. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
  49. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
  50. {%- set grains_yaml = load_grains_file()|load_yaml %}
  51. {%- if grains_yaml is iterable %}
  52. {%- if grains_yaml.get('iptables',{}).rules is defined %}
  53. {%- for rule in grains_yaml.iptables.rules %}
  54. {%- set rule_name = service_name+'_'+loop.index|string %}
  55. {% include "iptables/_rule.sls" %}
  56. {%- endfor %}
  57. {%- endif %}
  58. {%- endif %}
  59. {%- endif %}
  60. {%- endif %}
  61. {%- endfor %}
  62. {%- for rule in chain.get('rules', []) %}
  63. {%- set rule_name = loop.index %}
  64. {% include "iptables/_rule.sls" %}
  65. {%- endfor %}
  66. {%- endfor %}
  67. {%- endif %}