LibertaCasa/salt
LibertaCasa/salt
9
1
Fork 0
Code Issues 5 Pull Requests Releases Activity

Firewall interface mapping logic
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Details

Browse Source 
Detect which interfaces belong to which zones, and configure firewalld
accordingly.
Backend zone is currently only prepared and yet to be tested and
enabled.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
This commit is contained in:
Georg Pfuetzenreuter 2023-01-29 17:27:58 +01:00
parent c8aa6c6157
commit 824baf386b
Signed by: Georg
GPG Key ID: 1ED2F138E7E6FF57
3 changed files with 84 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pillar/global/init.sls
View File

@ -1,3 +1,5 @@
{%- from slspath ~ '/map.jinja' import firewall_interfaces, public, internal, backend %}
include: include:
- role.salt.common - role.salt.common
- role.salt.minion - role.salt.minion
@ -15,10 +17,15 @@ zypper:
firewalld: firewalld:
zones: zones:
internal: internal:
{{ firewall_interfaces(internal) }}
ports: ports:
- comment: node_exporter - comment: node_exporter
port: 9200 port: 9200
protocol: tcp protocol: tcp
{%- if public | length %}
public:
{{ firewall_interfaces(public) }}
{%- endif %}
{%- endif %} {%- endif %}
mine_functions: mine_functions:

6
pillar/global/macros.jinja
View File

@ -18,3 +18,9 @@
- {{ ip }} - {{ ip }}
{%- endfor %} {%- endfor %}
{%- endmacro -%} {%- endmacro -%}
{%- macro firewall_interfaces(interfaces) -%}
{%- if interfaces | length -%}
interfaces: {{ interfaces }}
{%- endif -%}
{%- endmacro -%}

71
pillar/global/map.jinja Normal file
View File

@ -0,0 +1,71 @@
{%- from slspath ~ '/macros.jinja' import firewall_interfaces -%}
{%- set firewall_interfaces = firewall_interfaces -%}
{%- set minion = grains['id'] -%}
{#- START Interface mapping logic -#}
{%- set public = [] -%}
{%- set internal = [] -%}
{%- set backend = [] -%}
{%- set internal6s = ('2a01:4f8:11e:2200') -%}
{%- set backend6s = ('fd29:8e45:f292:ff80') -%}
{#- to-do: get rid of illegal backend4s -#}
{%- set backend4s = ('172.168.100') -%}
{%- set excluded_interfaces = ('lo') -%}
{%- set interfaces = salt.saltutil.runner('mine.get', tgt=minion, fun='network.interfaces', tgt_type='glob') -%}
{%- if minion in interfaces -%}{%- for interface, ifconfig in interfaces[minion].items() -%}
{%- if not interface.startswith(excluded_interfaces) -%}
{%- for inetconf in ifconfig['inet'] -%}
{%- set ip4 = inetconf['address'] -%}
{%- if salt['network.is_private'](ip4) -%}
{%- if not interface in internal -%}
{%- do internal.append(interface) -%}
{%- endif -%}
{%- elif ip4.startswith(backend4s) -%}
{%- if not interface in backend -%}
{%- do backend.append(interface) -%}
{%- endif -%}
{%- else -%}
{%- if not interface in public -%}
{%- do public.append(interface) -%}
{%- endif -%}
{%- endif %}
{%- endfor %}
{%- if 'inet6' in interface -%}
{%- for inet6conf in ifconfig['inet6'] -%}
{%- set ip6 = inet6conf['address'] -%}
{%- if ip6.startswith(internal6s) -%}
{%- if not interface in internal -%}
{%- do internal.append(interface) -%}
{%- endif -%}
{%- elif ip6.startswith(backend6s) -%}
{%- if not interface in backend -%}
{%- do backend.append(interface) -%}
{%- endif -%}
{%- endif -%}
{%- endfor -%}
{%- endif -%}
{%- endif -%}
{%- endfor -%}{%- endif -%}
{#- END Interface mapping logic -#}