
Added support for 'ufw allow from <ip> to any' & ufw defaults

tags/v0.2.0
Mike Campbell 8 роки тому
26d00d8f89
3 змінених файлів з 88 додано та 3 видалено
  1. +12
    -1
      _modules/ufw.py
  2. +42
    -0
      _states/ufw.py
  3. +34
    -2
      ufw/init.sls

+ 12
- 1
_modules/ufw.py

@@ -6,6 +6,17 @@ def is_enabled():
out = __salt__['cmd.run'](cmd, python_shell=True)
return True if out else False

def get_default_incoming():
cmd = 'ufw status verbose | grep "Default:"'
out = __salt__['cmd.run'](cmd, python_shell=True)
policy = re.search('(\w+) \(incoming\)', out).group(1)
return policy

def get_default_outgoing():
cmd = 'ufw status verbose | grep "Default:"'
out = __salt__['cmd.run'](cmd, python_shell=True)
policy = re.search('(\w+) \(outgoing\)', out).group(1)
return policy

def set_enabled(enabled):
cmd = 'ufw --force enable' if enabled else 'ufw disable'
@@ -15,5 +26,5 @@ def set_enabled(enabled):
def add_rule(rule):
cmd = "ufw " + rule
out = __salt__['cmd.run'](cmd)
__salt__['cmd.run']("ufw reload")
# __salt__['cmd.run']("ufw reload") # why reload after adding a rule? :/
return out
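Review bot: `get_default_incoming` and `get_default_outgoing` call `.group(1)` straight on the `re.search` result, so whenever the grep output has no matching line (as far as I recall, `ufw status verbose` prints only the status line while the firewall is inactive, and the `default_*` states only require `pkg: ufw`, not an enabled firewall) the module raises a bare `AttributeError` instead of a message a state can report. Check the match before using it and raise `CommandExecutionError` with the unparsed output (import it from `salt.exceptions` if this module does not already), and write the patterns as raw strings since `'(\w+) \(incoming\)'` relies on unrecognised escapes being passed through. The two functions differ only in the direction word, so one private helper covers both; `set_enabled` continues past the end of the hunk. In the second hunk, the commented-out reload line is better deleted than kept as a `#` line now that the question it asks is settled by the change itself.
```python
def _default_policy(direction):
    """Return the default ufw policy for *direction* ('incoming' or 'outgoing') parsed from `ufw status verbose`."""
    cmd = 'ufw status verbose | grep "Default:"'
    out = __salt__['cmd.run'](cmd, python_shell=True)
    match = re.search(r'(\w+) \(' + direction + r'\)', out)
    if match is None:
        # No "Default:" line (e.g. ufw inactive): fail with the output rather than AttributeError
        raise CommandExecutionError(
            'could not determine default {0} policy from ufw output: {1!r}'.format(direction, out))
    return match.group(1)

def get_default_incoming():
    return _default_policy('incoming')

def get_default_outgoing():
    return _default_policy('outgoing')
```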

+ 42
- 0
_states/ufw.py

@@ -78,6 +78,48 @@ def enabled(name, **kwargs):
return _changed(name, "UFW is enabled", enabled=True)


def default_incoming(name, default):
rule = "default {0} incoming".format(default)
if __opts__['test']:
return _test(name, "{0}: {1}".format(name, rule))

current = __salt__['ufw.get_default_incoming']()

if default != current:
try:
out = __salt__['ufw.add_rule'](rule)
except (CommandExecutionError, CommandNotFoundError) as e:
return _error(name, e.message)

for line in out.split('\n'):
if line.startswith("Default incoming policy changed to"):
return _changed(name, "{0} set to {1}".format(name, default), rule=rule)
return _error(name, line)

return _unchanged(name, "{0} was already set to {1}".format(name, default))


def default_outgoing(name, default):
rule = "default {0} outgoing".format(default)
if __opts__['test']:
return _test(name, "{0}: {1}".format(name, rule))

current = __salt__['ufw.get_default_outgoing']()

if default != current:
try:
out = __salt__['ufw.add_rule'](rule)
except (CommandExecutionError, CommandNotFoundError) as e:
return _error(name, e.message)

for line in out.split('\n'):
if line.startswith("Default outgoing policy changed to"):
return _changed(name, "{0} set to {1}".format(name, default), rule=rule)
return _error(name, line)

return _unchanged(name, "{0} was already set to {1}".format(name, default))


def allowed(name, app=None, interface=None, protocol=None,
from_addr=None, from_port=None, to_addr=None, to_port=None):


+ 34
- 2
ufw/init.sls

@@ -7,11 +7,27 @@ ufw:
- installed
service.running:
- enable: True
ufw:
- enabled

{%- if ufw.get('defaults', {}).get('incoming', False) %}

ufw-default-incoming:
ufw.default_incoming:
- default: {{ufw.get('defaults', {}).get('incoming', 'allow')}}
- require:
- pkg: ufw

{% endif %}

{%- if ufw.get('defaults', {}).get('outgoing', False) %}

ufw-default-outgoing:
ufw.default_outgoing:
- default: {{ufw.get('defaults', {}).get('outgoing', 'deny')}}
- require:
- pkg: ufw

{% endif %}

{%- for service_name, service_details in ufw.get('services', {}).items() %}

{%- for from_addr in service_details.get('from_addr', [None]) %}
@@ -62,6 +78,22 @@ ufw-interface-{{interface}}:

{%- endfor %}

# Open
{%- for from_addr in ufw.get('open', []).items() %}

ufw-open-{{from_addr}}:
ufw.allowed:
- from_addr: {{from_addr}}
- require:
- pkg: ufw

{%- endfor %}

enable-ufw:
ufw.enabled:
- require:
- pkg: ufw

{% else %}
#ufw:
#ufw:
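Review bot: `{%- for from_addr in ufw.get('open', []).items() %}` mixes a list fallback with a mapping call: when `open` is missing the `[]` default has no `.items()` and the render fails, and when `open` is a mapping each `from_addr` is a `(key, value)` tuple rather than an address, so the `ufw-open-…` ids and the `from_addr:` values come out wrong. Pick one shape — `{%- for from_addr in ufw.get('open', []) %}` for a list of addresses, or `.keys()` (or `.items()` with two loop targets) for a mapping keyed by address. Secondary, in the first hunk the inner fallbacks `'allow'` and `'deny'` on the `default:` lines are unreachable because the enclosing `if` already requires the key to be set, and `allow` for incoming reads as the reverse of ufw's own shipped defaults, so dropping them avoids misleading a reader. Since an `open` entry produces a rule with only `from_addr` — `allow from <ip> to any` per the commit title — a one-line comment above the loop saying that the address is admitted on every port, e.g. `# Open: each address listed here is allowed on all ports`, would help whoever maintains the pillar.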
