salt
/
iptables-formula
forkattu lähteestä ExternalMirrors/iptables-formula
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Julkaisut 6 Activity
Saltstack Official IPTables Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
63 Commitit
2 Branchit
Puu: 8188337922
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '8188337922'
${ noResults }
iptables-formula/iptables/rules.sls

118 lines
3.3KB
Raaka Blame Historia 

  1. {% from "iptables/map.jinja" import service with context %}

  2. {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}

  3. 

  4. {%- set chains = service.get('chain', {}).keys() %}

  5. {%- for chain_name, chain in service.get('chain', {}).items() %}

  6. 

  7. {%- set tables = [] %}

  8. {%- for rule in chain.get('rules', []) %}

  9. {%-   set table = rule.get('table', 'filter') %}

  10. {%-   if table not in tables %}

  11. {%-     do tables.append(table) %}

  12. {%-   endif %}

  13. {%- endfor %}

  14. {%- if chain.policy is defined %}

  15. {%-   if chain.policy is string %}

  16. {%-     if 'filter' not in tables %}

  17. {%-       do tables.append('filter') %}

  18. {%-     endif %}

  19. {%-   else %}

  20. {%-     for policy in chain.policy %}

  21. {%-       if policy.table not in tables %}

  22. {%-         do tables.append(policy.table) %}

  23. {%-       endif %}

  24. {%-     endfor %}

  25. {%-   endif %}

  26. {%- endif %}

  27. 

  28. {%- for table in tables %}

  29. iptables_{{ table }}_{{ chain_name }}:

  30.   iptables.chain_present:

  31.     - family: ipv4

  32.     - name: {{ chain_name }}

  33.     - table: {{ table }}

  34.     - require:

  35.       - pkg: iptables_packages

  36. 

  37. {%-   if grains.ipv6|default(False) and service.ipv6|default(True) %}

  38. iptables_{{ table }}_{{ chain_name }}_ipv6:

  39.   iptables.chain_present:

  40.     - family: ipv6

  41.     - name: {{ chain_name }}

  42.     - table: {{ table }}

  43.     - require:

  44.       - pkg: iptables_packages

  45. {%-     if chain.policy is defined %}

  46. {%-       if chain.policy is string %}

  47.     - require_in:

  48.       - iptables: iptables_filter_{{ chain_name }}_ipv6_policy

  49. {%-       else %}

  50. {%-         if table in chain.policy %}

  51.     - require_in:

  52.       - iptables: iptables_filter_{{ chain_name }}_ipv6_policy

  53. {%-         endif  %}

  54. {%-       endif  %}

  55. {%-     endif  %}

  56. {%-   endif %}

  57. {%- endfor %}

  58. 

  59. {%- if chain.policy is defined %}

  60. 

  61. {%-   if chain.policy is string %}

  62. {%-     set map = [{'table':'filter', 'policy':chain.policy}] %}

  63. {%-   else %}

  64. {%-     set map = chain.policy %}

  65. {%-   endif %}

  66. 

  67. {%-   for policy in map %}

  68. iptables_{{ policy.table }}_{{ chain_name }}_policy:

  69.   iptables.set_policy:

  70.     - family: ipv4

  71.     - chain: {{ chain_name }}

  72.     - policy: {{ policy.policy }}

  73.     - table: {{ policy.table }}

  74.     - require:

  75.       - iptables: iptables_{{ policy.table }}_{{ chain_name }}

  76. 

  77. {%-     if grains.ipv6|default(False) and service.ipv6|default(True) %}

  78. iptables_{{ policy.table }}_{{ chain_name }}_ipv6_policy:

  79.   iptables.set_policy:

  80.     - family: ipv6

  81.     - chain: {{ chain_name }}

  82.     - policy: {{ policy.policy }}

  83.     - table: {{ policy.table }}

  84.     - require:

  85.       - iptables: iptables_{{ policy.table }}_{{ chain_name }}_ipv6

  86. {%-     endif %}

  87. {%-   endfor %}

  88. {%- endif %}

  89. 

  90. {%- for service_name, service in pillar.items() %}

  91. {%- if service is mapping %}

  92. {%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}

  93. 

  94. {%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}

  95. {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}

  96. {%- set grains_yaml = load_grains_file()|load_yaml %}

  97. 

  98. {%- if grains_yaml is iterable %}

  99. {%-   if grains_yaml.get('iptables',{}).rules is defined %}

  100. {%-     for rule in grains_yaml.iptables.rules %}

  101. {%-       set rule_name = service_name+'_'+loop.index|string %}

  102. {% include "iptables/_rule.sls" %}

  103. {%-     endfor %}

  104. {%-   endif %}

  105. {%- endif %}

  106. 

  107. {%- endif %}

  108. {%- endif %}

  109. {%- endfor %}

  110. 

  111. {%- for rule in chain.get('rules', []) %}

  112. {%- set rule_name = loop.index %}

  113. {% include "iptables/_rule.sls" %}

  114. {%- endfor %}

  115. 

  116. {%- endfor %}

  117. {%- endif %}