add webscale changes

_states/ufw.py

 def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port):
     cmd = [method]
     if app is not None:
-        cmd.append(app)
+      cmd.append("from")
+      if from_addr is not None:
+        cmd.append(from_addr)
+      else:
+        cmd.append("any")
+
+      cmd.append("to")
+      if to_addr is not None:
+        cmd.append(to_addr)
+      else:
+        cmd.append("any")
+
+      cmd.append("app")
+      cmd.append(app)
     elif interface is not None:
     	cmd.append("in")
     	cmd.append("on")

pillar.example

 
   enabled: True
 
+  settings:
+    ipv6: True
+    default_input_policy: 'DROP'
+    default_output_policy: 'ACCEPT'
+    default_forward_policy: 'DROP'
+    default_application_policy: 'SKIP'
+    manage_builtins: False
+    ipt_sysctl: '/etc/ufw/sysctl.conf'
+    ipt_modules:
+      - nf_conntrack_ftp
+      - nf_nat_ftp
+      - nf_conntrack_netbios_ns
+
+  sysctl:
+    forwarding: 1
+    rp_filter: 1
+    accept_source_route: 0
+    accept_redirects: 0
+    icmp_echo_ignore_broadcasts: 1
+    icmp_ignore_bogus_error_responses: 1
+    icmp_echo_ignore_all: 0
+    log_martians: 0
+    tcp_syncookies: 0
+    tcp_sack: 1
+    ipv6_autoconf: 1
+    use_tempaddr: 1
+
   services:
 
     # Allow 80/tcp (http) traffic from only two remote addresses.
 
   # Allow an application defined at /etc/ufw/applications.d/
   applications:
-    - OpenSSH
+    OpenSSH:
+      enabled: True
 
   # Allow all traffic in on the specified interface
   interfaces:
-    - eth1
+    - eth1

ufw/init.sls

 # UFW management module
 {%- set ufw = pillar.get('ufw', {}) %}
 {%- if ufw.get('enabled', False) %}
+{% set default_template = ufw.get('default_template', 'salt://ufw/templates/default.jinja') -%}
+{% set sysctl_template = ufw.get('sysctl_template', 'salt://ufw/templates/sysctl.jinja') -%}
 
 ufw:
-  pkg:
-    - installed
+  pkg.installed:
+    - name: ufw
   service.running:
     - enable: True
+    - watch:
+      - file: /etc/default/ufw
+      - file: /etc/ufw/sysctl.conf
+
+/etc/default/ufw:
+  file.managed:
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+    - source: {{ default_template }}
+
+/etc/ufw/sysctl.conf:
+  file.managed:
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+    - source: {{ sysctl_template }}
 
   {%- if ufw.get('defaults', {}).get('incoming', False) %}
 
   {%- endfor %}
 
   # Applications
-  {%- for app_name in ufw.get('applications', []) %}
-
+  {%- for app_name, app_details in ufw.get('applications', {}).items() %}
+    
+    {%- for from_addr in app_details.get('from_addr', [None]) %}
+      {%- set to_addr = app_details.get('to_addr', None) %}
+
+{%- if from_addr != None%}
+ufw-app-{{app_name}}-{{from_addr}}:
+{%- else %}
 ufw-app-{{app_name}}:
+{%- endif %}
   ufw.allowed:
-    - app: {{app_name}}
+    - app: '"{{app_name}}"'
+    {%- if from_addr != None %}
+    - from_addr: {{from_addr}}
+    {%- endif %}
+    {%- if to_addr != None %}
+    - to_addr: {{to_addr}}
+    {%- endif %}
     - require:
       - pkg: ufw
 
+    {%- endfor %}
   {%- endfor %}
   
   # Interfaces
     - require:
       - pkg: ufw
 
+disable-logging:
+  cmd.run:
+    - name: ufw logging off
+    - unless: "grep 'LOGLEVEL=off' /etc/ufw/ufw.conf"
+
+
 {% else %}
   #ufw:
     #ufw:

ufw/python.sls

+python-ufw:
+  pkg.installed:
+    - name: python-ufw

ufw/templates/default.jinja

+{% set ufw_cfg = pillar.get('ufw', {}) -%}
+{% set settings_cfg = ufw_cfg.get('settings', {}) -%}
+{% set ipv6 = "yes" if settings_cfg.get('ipv6', True) else "no" -%}
+{% set default_input_policy = settings_cfg.get('default_input_policy', 'DROP') -%}
+{% set default_output_policy = settings_cfg.get('default_output_policy', 'ACCEPT') -%}
+{% set default_forward_policy = settings_cfg.get('default_forward_policy', 'DROP') -%}
+{% set default_application_policy = settings_cfg.get('default_application_policy', 'SKIP') -%}
+{% set manage_builtins = "yes" if settings_cfg.get('manage_builtins', False) else "no" -%}
+{% set ipt_sysctl = settings_cfg.get('ipt_sysctl', '/etc/ufw/sysctl.conf') -%}
+{% set ipt_modules = settings_cfg.get('ipt_modules', ['nf_conntrack_ftp', 'nf_nat_ftp', 'nf_conntrack_netbios_ns'])|join(" ") -%}
+
+# /etc/default/ufw
+#
+# File managed by Salt. Do not edit manually.
+
+# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
+# accepted). You will need to 'disable' and then 'enable' the firewall for
+# the changes to take affect.
+IPV6={{ ipv6 }}
+
+# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
+# you change this you will most likely want to adjust your rules.
+DEFAULT_INPUT_POLICY="{{ default_input_policy }}"
+
+# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
+# you change this you will most likely want to adjust your rules.
+DEFAULT_OUTPUT_POLICY="{{ default_output_policy }}"
+
+# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
+# if you change this you will most likely want to adjust your rules
+DEFAULT_FORWARD_POLICY="{{ default_forward_policy }}"
+
+# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
+# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
+# details
+DEFAULT_APPLICATION_POLICY="{{ default_application_policy }}"
+
+# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
+# manage the built-in chains too. Warning: setting this to 'yes' will break
+# non-ufw managed firewall rules
+MANAGE_BUILTINS={{ manage_builtins }}
+
+#
+# IPT backend
+#
+# only enable if using iptables backend
+IPT_SYSCTL={{ ipt_sysctl }}
+
+# Extra connection tracking modules to load. Complete list can be found in
+# net/netfilter/Kconfig of your kernel source. Some common modules:
+# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
+# nf_conntrack_netbios_ns: NetBIOS (samba) client support
+# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
+# nf_conntrack_ftp, nf_nat_ftp: active FTP support
+# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
+IPT_MODULES="{{ ipt_modules }}"

ufw/templates/sysctl.jinja

+{% set ufw_cfg = pillar.get('ufw', {}) -%}
+{% set sysctl_cfg = ufw_cfg.get('sysctl', {}) -%}
+{% set forwarding = sysctl_cfg.get('forwarding', 0) -%}
+{% set rp_filter = sysctl_cfg.get('rp_filter', 1) -%}
+{% set accept_source_route = sysctl_cfg.get('accept_source_route', 0) -%}
+{% set accept_redirects = sysctl_cfg.get('accept_redirects', 0) -%}
+{% set icmp_echo_ignore_broadcasts = sysctl_cfg.get('icmp_echo_ignore_broadcasts', 1) -%}
+{% set icmp_ignore_bogus_error_responses = sysctl_cfg.get('icmp_ignore_bogus_error_responses', 1) -%}
+{% set icmp_echo_ignore_all = sysctl_cfg.get('icmp_echo_ignore_all', 0) -%}
+{% set log_martians = sysctl_cfg.get('log_martians', 0) -%}
+{% set tcp_syncookies = sysctl_cfg.get('tcp_syncookies', 0) -%}
+{% set tcp_sack = sysctl_cfg.get('tcp_sack', 1) -%}
+{% set ipv6_autoconf = sysctl_cfg.get('ipv6_autoconf', 1) -%}
+{% set use_tempaddr = sysctl_cfg.get('use_tempaddr', 1) -%}
+# File managed by Salt. Do not edit manually.
+#
+# Configuration file for setting network variables. Please note these settings
+# override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please
+# adjust IPT_SYSCTL in /etc/default/ufw.
+#
+
+# Uncomment this to allow this host to route packets between interfaces
+net/ipv4/ip_forward={{ forwarding }}
+net/ipv6/conf/default/forwarding={{ forwarding }}
+net/ipv6/conf/all/forwarding={{ forwarding }}
+
+# Turn on Source Address Verification in all interfaces to prevent some
+# spoofing attacks
+net/ipv4/conf/default/rp_filter={{ rp_filter }}
+net/ipv4/conf/all/rp_filter={{ rp_filter }}
+
+# Do not accept IP source route packets (we are not a router)
+net/ipv4/conf/default/accept_source_route={{ accept_source_route }}
+net/ipv4/conf/all/accept_source_route={{ accept_source_route }}
+net/ipv6/conf/default/accept_source_route={{ accept_source_route }}
+net/ipv6/conf/all/accept_source_route={{ accept_source_route }}
+
+# Disable ICMP redirects. ICMP redirects are rarely used but can be used in
+# MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
+# traffic to those sites.
+net/ipv4/conf/default/accept_redirects={{ accept_redirects }}
+net/ipv4/conf/all/accept_redirects={{ accept_redirects }}
+net/ipv6/conf/default/accept_redirects={{ accept_redirects }}
+net/ipv6/conf/all/accept_redirects={{ accept_redirects }}
+
+# Ignore bogus ICMP errors
+net/ipv4/icmp_echo_ignore_broadcasts={{ icmp_echo_ignore_broadcasts }}
+net/ipv4/icmp_ignore_bogus_error_responses={{ icmp_ignore_bogus_error_responses }}
+net/ipv4/icmp_echo_ignore_all={{ icmp_echo_ignore_all }}
+
+# Don't log Martian Packets (impossible packets)
+net/ipv4/conf/default/log_martians={{ log_martians }}
+net/ipv4/conf/all/log_martians={{ log_martians }}
+
+# Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling
+# (http://lkml.org/lkml/2008/2/5/167)
+net/ipv4/tcp_syncookies={{ tcp_syncookies }}
+
+#net/ipv4/tcp_fin_timeout=30
+#net/ipv4/tcp_keepalive_intvl=1800
+
+# normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or
+# earlier pf firewall, should set this to 0
+net/ipv4/tcp_sack={{ tcp_sack }}
+
+# Uncomment this to turn off ipv6 autoconfiguration
+net/ipv6/conf/default/autoconf={{ ipv6_autoconf }}
+net/ipv6/conf/all/autoconf={{ ipv6_autoconf }}
+
+# Uncomment this to enable ipv6 privacy addressing
+net/ipv6/conf/default/use_tempaddr={{ use_tempaddr }}
+net/ipv6/conf/all/use_tempaddr={{ use_tempaddr }}