feat(firewalld.conf): support configuration of AllowZoneDrifting

Close #44.

Configuration description taken from:

* https://firewalld.org/documentation/man-pages/firewalld.conf.html
This commit is contained in:
Imran Iqbal 2020-10-24 07:08:04 +01:00
parent d32059bd2b
commit 0ff53ffb27
No known key found for this signature in database
GPG Key ID: 6D8629439D2B7819
3 changed files with 17 additions and 0 deletions


@ -95,3 +95,18 @@ FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
# Defaults to "yes". # Defaults to "yes".
RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }} RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
{%- endif %} {%- endif %}
{%- if firewalld.get('AllowZoneDrifting', False) %}
# AllowZoneDrifting
# Older versions of firewalld had undocumented behavior known as "zone
# drifting". This allowed packets to ingress multiple zones - this is a
# violation of zone based firewalls. However, some users rely on this behavior
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
# desire such behavior. It's disabled by default for security reasons. Note: If
# "yes" packets will only drift from source based zones to interface based
# zones (including the default zone). Packets never drift from interface based
# zones to other interfaces based zones (including the default zone). Valid
# values; "yes", "no".
# Defaults to "no".
AllowZoneDrifting={{ firewalld.AllowZoneDrifting|default('no') }}
{%- endif %}
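Review bot: The rendered value on the `AllowZoneDrifting=` line is not constrained to the two strings firewalld accepts, and the `|default('no')` there is dead code, because the `{%- if firewalld.get('AllowZoneDrifting', False) %}` guard above it already skips the line unless the key is set to a truthy value. The same pattern appears to be used for the neighbouring keys, so this is consistent, but the guard makes the behaviour depend on YAML quoting: an unquoted `yes` or `no` in pillar is parsed as a boolean, so `no` silently drops the line (harmless, firewalld's own default is "no") while `yes` would presumably render as `AllowZoneDrifting=True`, which the page's own comment says is not a valid value — worth confirming against firewalld's parser. Since this key relaxes zone isolation, I would either normalise the value, `AllowZoneDrifting={{ 'yes' if firewalld.AllowZoneDrifting in [True, 'yes'] else 'no' }}`, or at least state in the pillar example that the value must be quoted, as the `AllowZoneDrifting: 'no'` line in the second section already does. The test YAML dump in the third section is cut off at the end of this view.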


@ -10,6 +10,7 @@ firewalld:
FirewallBackend: 'nftables' FirewallBackend: 'nftables'
FlushAllOnReload: 'yes' FlushAllOnReload: 'yes'
RFC3964_IPv4: 'yes' RFC3964_IPv4: 'yes'
AllowZoneDrifting: 'no'
ipset: ipset:
manage: true manage: true


@ -5,6 +5,7 @@ control 'firewalld `map.jinja` YAML dump' do
yaml_dump = "---\n" yaml_dump = "---\n"
yaml_dump += <<~YAML_DUMP.chomp yaml_dump += <<~YAML_DUMP.chomp
AllowZoneDrifting: 'no'
AutomaticHelpers: system AutomaticHelpers: system
FirewallBackend: nftables FirewallBackend: nftables
FlushAllOnReload: 'yes' FlushAllOnReload: 'yes'