update service and zones with more options

update kitchen travis fix ipsets.sls
2019-04-05 21:04:30 +02:00 · 2019-04-05 21:04:30 +02:00 · 18fc482853
commit 18fc482853
parent f5c2acbd3a
8 changed files with 173 additions and 74 deletions
--- a/.kitchen.yml
+++ b/.kitchen.yml
@ -1,56 +0,0 @@
---
-driver:
-  name: docker
-
-driver_config:
-  use_sudo: false
-  privileged: true
-  provision_command: mkdir -p /run/sshd
-  run_command: /lib/systemd/systemd
-
-platforms:
-  - name: debian-9
-    driver_config:
-      provision_command:
-        - apt-get install udev net-tools -y
-  - name: ubuntu-18.04
-    driver_config:
-      provision_command:
-        - apt-get install udev net-tools -y
-  - name: centos-7
-    driver_config:
-      provision_command:
-        - yum install udev net-tools -y
-
-provisioner:
-  name: salt_solo
-  log_level: info
-  require_chef: false
-  salt_version: latest
-  formula: firewalld
-  salt_copy_filter:
-    - .kitchen
-    - .git
-  pillars-from-files:
-    firewalld.sls: pillar.example
-  pillars:
-    top.sls:
-      base:
-        '*':
-          - firewalld
-
-verifier:
-  name: inspec
-  sudo: true
-  reporter:
-    - cli
-  inspec_tests:
-    - path: test/integration/default
-
-suites:
-  - name: default
-    provisioner:
-      state_top:
-        base:
-          '*':
-            - firewalld
--- a/.travis.yml
+++ b/.travis.yml
@ -1,3 +1,6 @@
+stages:
+  - test
+
 sudo: required
 cache: bundler
 language: ruby
@ -5,7 +8,7 @@ language: ruby
 services:
  - docker

-before_install:
+install:
  - bundle install

 env:
@ -16,4 +19,3 @@ env:

 script:
  - bundle exec kitchen verify ${INSTANCE}
-
--- a/5
+++ b/5
@ -1,7 +1,6 @@
 source "https://rubygems.org"

+gem "kitchen-docker", ">= 2.9"
+gem "kitchen-salt", ">=0.6.0"
 gem "test-kitchen", '>=1.23.2'
-gem "kitchen-docker"
-gem "kitchen-salt", ">=0.2.5"
 gem "kitchen-inspec"
-
--- a/firewalld/files/service.xml
+++ b/firewalld/files/service.xml
@ -5,25 +5,68 @@
  Modify the salt pillar for firewalld instead
 -->
 <service version="1">
-  {% if 'short' in service %}<short>{{ service.short }}</short>{%- else %}<short>{{ name }}</short>{%- endif %}
-  {% if 'description' in service %}<description>{{ service.description }}</description>{%- endif %}
-{%- if 'ports' in service %}
-{%- if 'tcp' in service.ports %}
-  {%- for v in service.ports.tcp %}
-  <port port="{{ v }}" protocol="tcp" />
-  {%- endfor %}   
+{%- if 'short' in service %}
+  <short>{{ service.short }}</short>
+{%- else %}
+  <short>{{ name }}</short>
 {%- endif %}
-{%- if 'udp' in service.ports %}
-  {%- for v in service.ports.udp %}
+{%- if 'description' in service %}
+  <description>{{ service.description }}</description>
+{%- endif %}
+{%- if 'ports' in service %}
+  {%- if 'tcp' in service.ports %}
+    {%- for v in service.ports.tcp %}
+  <port port="{{ v }}" protocol="tcp" />
+    {%- endfor %}   
+  {%- endif %}
+  {%- if 'udp' in service.ports %}
+    {%- for v in service.ports.udp %}
  <port port="{{ v }}" protocol="udp" />
+    {%- endfor %}
+  {%- endif %}
+  {%- if 'sctp' in service.ports %}
+    {%- for v in service.ports.sctp %}
+  <port port="{{ v }}" protocol="sctp" />
+    {%- endfor %}
+  {%- endif %}
+  {%- if 'dccp' in service.ports %}
+    {%- for v in service.ports.dccp %}
+  <port port="{{ v }}" protocol="dccp" />
+    {%- endfor %}
+  {%- endif %}
+{%- endif %}
+{%- if 'protocols' in service %}
+  {%- for v in service.protocols %}
+  <protocol value="{{ v }}" />
  {%- endfor %}
 {%- endif %}
+{%- if 'source_ports' in service %}
+  {%- if 'tcp' in service.source_ports %}
+    {%- for v in service.source_ports.tcp %}
+  <source-port port="{{ v }}" protocol="tcp" />
+    {%- endfor %}   
+  {%- endif %}
+  {%- if 'udp' in service.source_ports %}
+    {%- for v in service.source_ports.udp %}
+  <source-port port="{{ v }}" protocol="udp" />
+    {%- endfor %}
+  {%- endif %}
+  {%- if 'sctp' in service.source_ports %}
+    {%- for v in service.source_ports.sctp %}
+  <source-port port="{{ v }}" protocol="sctp" />
+    {%- endfor %}
+  {%- endif %}
+  {%- if 'dccp' in service.source_ports %}
+    {%- for v in service.source_ports.dccp %}
+  <source-port port="{{ v }}" protocol="dccp" />
+    {%- endfor %}
+  {%- endif %}
+{%- endif %}
 {%- if 'modules' in service %}
  {%- for v in service.modules %}
  <module name="{{ v }}" />
  {%- endfor %}
 {%- endif %}
-{%- endif %}
 {%- if 'destinations' in service %}
  {%- if 'ipv4' in service.destinations %}
    {%- for v in service.destinations.ipv4 %}
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@ -46,11 +46,19 @@
  <port port="{{ v.port }}" protocol="{{ v.protocol }}"/>
  {%- endfor %}
 {%- endif %}
+{%- if 'protocols' in zone %}
+  {%- for v in zone.protocols %}
+  <protocol value="{{ v }}" />
+  {%- endfor %}
+{%- endif %}
 {%- if 'icmp_blocks' in zone %}
  {%- for v in zone.icmp_blocks %}
  <icmp-block name="{{ v }}" />
  {%- endfor %}
 {%- endif %}
+{%- if 'icmp_block_inversion' in zone %}
+  <icmp-block-inversion name="{{ zone.icmp_blok_inversion }}" />
+{%- endif %}
 {%- if 'masquerade' in zone %}
  {%- if zone.masquerade %}
  <masquerade/>
@ -64,6 +72,14 @@
  <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
  {%- endfor %}
 {%- endif %}
+{%- if 'source_ports' in zone %}
+  {%- for v in zone.source_ports %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+    {%- endif %}
+  <source-port port="{{ v.port }}" protocol="{{ v.protocol }}"/>
+  {%- endfor %}
+{%- endif %}

 {%- if 'rich_rules' in zone %}
  {%- for rule in zone.rich_rules %}
@ -91,7 +107,10 @@
    <protocol value="{{ rule.protocol }}"/>
  {%- endif %}    
  {%- if 'icmp_block' in rule %}
-    <icmp_block name="{{ rule.icmp_block }}"/>
+    <icmp-block name="{{ rule.icmp_block }}"/>
+  {%- endif %}    
+  {%- if 'icmp_type' in rule %}
+    <icmp-type name="{{ rule.icmp_type }}"/>
  {%- endif %}    
  {%- if 'masquerade' in rule %}
    {%- if rule.masquerade %}<masquerade/>{%- endif %}
@ -102,6 +121,12 @@
    {%- endif %}
    <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
  {%- endif %}    
+  {%- if 'source_port' in rule %}
+    {%- if 'comment' in rule.source_port %}
+      <!-- {{ rule.source_port.comment }} -->
+    {%- endif %}
+    <source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
+  {%- endif %}    
  {%- if 'log' in rule %}
    <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
    {%- if 'limit' in rule.log %}
@ -114,7 +139,7 @@
  {%- endif %}    
  {%- if 'accept' in rule %}
    <accept/>
-  {%- endif %}    
+  {%- endif %}
  {%- if 'reject' in rule %}
    <reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %}/>
  {%- endif %}    
--- a/firewalld/ipsets.sls
+++ b/firewalld/ipsets.sls
@ -77,7 +77,7 @@ directory_firewalld_ipsets:
      - cmd: reload_firewalld # reload firewalld config
    - context:
        name: {{ z_name }}
-        ipset: {{ v }}
+        ipset: {{ v|json }}

  {% endfor %}
 {%- endif %}
--- a/kitchen.yml
+++ b/kitchen.yml
@ -0,0 +1,72 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+driver:
+  name: docker
+
+driver_config:
+  use_sudo: false
+  privileged: true
+  provision_command: mkdir -p /run/sshd
+  run_command: /lib/systemd/systemd
+  pid_one_command: /usr/lib/systemd/systemd
+
+platforms:
+  - name: centos-7
+    driver_config:
+      image: centos:7
+      provision_command:
+        - yum install udev net-tools glibc-common -y
+        - echo "LANG=en_US.UTF-8" >> /etc/locale.conf
+        - localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+      platform: rhel
+
+  - name: debian-9
+    driver_config:
+      image: debian:9
+      provision_command:
+        - apt-get install udev net-tools locales -y
+        - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+        - locale-gen en_US.UTF-8
+      platform: debian
+  - name: ubuntu-18.04
+    driver_config:
+      image: ubuntu:18.04
+      provision_command:
+        - apt-get install udev net-tools locales -y
+        - localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+        - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+        - locale-gen en_US.UTF-8
+      platform: ubuntu
+
+provisioner:
+  name: salt_solo
+  log_level: info
+  require_chef: false
+  salt_version: latest
+  formula: firewalld
+  salt_copy_filter:
+    - .kitchen
+    - .git
+  pillars_from_files:
+    firewalld.sls: pillar.example
+  pillars:
+    top.sls:
+      base:
+        '*':
+          - firewalld
+  state_top:
+    base:
+      '*':
+        - firewalld
+
+verifier:
+  name: inspec
+  sudo: true
+  reporter:
+    - cli
+  inspec_tests:
+    - path: test/integration/default
+
+suites:
+  - name: default
--- a/pillar.example
+++ b/pillar.example
@ -28,6 +28,11 @@ firewalld:
          - 5252
      modules:
        - some_module_to_load
+      protocols:
+        - igmp
+      source_ports:
+        tcp:
+          - 21
      destinations:
        ipv4:
          - 224.0.0.251
@ -89,6 +94,8 @@ firewalld:
        - https
        - ssh
        - salt-minion
+      protocols:
+        - igmp
      rich_rules:
        - family: ipv4
          source:
@ -117,6 +124,13 @@ firewalld:
        - comment: vsftpd
          port: 21
          protocol: tcp
+      source_ports:
+        - comment: something
+          port: 2222
+          protocol: tcp
+        - comment: something_else
+          port: 4444
+          protocol: tcp

  direct:
    chain: