From 2fd70c9f41854b1082be83022c41a065cca4d57a Mon Sep 17 00:00:00 2001
From: Paul Williams <pdw@udel.edu>
Date: Fri, 24 Nov 2017 18:31:17 -0500
Subject: [PATCH] Add support for using ipsets as sources in a zone

I wanted to be able to add an ipset as a source in the zone without using a rich rule.  I believe this change accomplishes that.  Tested and working on CentOS 7 (salt master and minion).
---
 firewalld/files/zone.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml
index b7ede9a..728a56c 100644
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@@ -23,6 +23,16 @@
     {%- endif %}
   {%- endfor %}
 {%- endif %}
+{%- if 'ipsets' in zone %}
+  {%- for v in zone.ipsets %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+  <source ipset="{{ v.ipset }}" />
+    {%- else %}
+  <source ipset="{{ v }}" />
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
 {%- if 'services' in zone %}
   {%- for v in zone.services %}
   <service name="{{ v }}" />