From a2f4f3b36e3295311128673f33f90c93de24288d Mon Sep 17 00:00:00 2001
From: Arnaud Patard
Date: Wed, 13 Jan 2021 14:59:29 +0100
Subject: [PATCH 1/2] feat(zone.xml): allow to rate limit 'accept' in rich rules

The current rich_rule macro is supporting to set if the connection should be accepted or rejected or dropped but doesn't support setting rate limiting in the 'accept' case. Add code for that.

Signed-off-by: Arnaud Patard
---
 firewalld/files/zone.xml | 2 +-
 test/integration/default/controls/zones_spec.rb | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml
index c730b1c..8a58e6a 100644
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@@ -60,7 +60,7 @@
 {%- if 'limit' in rule.audit %} {%- endif %} {%- endif %} {%- if 'accept' in rule %} - + {%- if rule.accept is mapping and 'limit' in rule.accept %} {%- endif %} {%- endif %} {%- if 'reject' in rule %}
diff --git a/test/integration/default/controls/zones_spec.rb b/test/integration/default/controls/zones_spec.rb
index 82382ba..eee6953 100644
--- a/test/integration/default/controls/zones_spec.rb
+++ b/test/integration/default/controls/zones_spec.rb
@@ -31,7 +31,7 @@ control 'zones/public.xml configuration' do
-
+
@@ -59,12 +59,12 @@ control 'zones/rich_public.xml configuration' do
-
+
-
+
 ZONE_XML

From f25852637a7aeb8608b4618b952407b59b0dbf7e Mon Sep 17 00:00:00 2001
From: Arnaud Patard
Date: Thu, 21 Jan 2021 11:39:55 +0100
Subject: [PATCH 2/2] feat(pillar.example,test/): add example and test for richrule ratelimit

Document and test the accept rate limiting of the rich rule.
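Review bot: The new `{%- if rule.accept is mapping and 'limit' in rule.accept %}` branch in zone.xml passes `rule.accept.limit` through to the zone file without checking its shape, so a pillar value that is not in the `<count>/<s|m|h|d>` form firewalld expects for a rich-rule limit (for example `3/min`) is only rejected by firewalld when it parses the generated XML, which from experience can leave the whole zone unloaded rather than just this rule — the element that emits the value is not visible in this extract, so treat that as something to confirm. Since the value originates in pillar and is interpolated verbatim, a guard in the template would fail the highstate early instead: `{%- if not (rule.accept.limit | string) is match('^[0-9]+/[smhd]$') %}{{ raise('rich rule accept limit must be <count>/<s|m|h|d>: ' ~ rule.accept.limit) }}{%- endif %}` placed right after the new `if`, using Salt's Jinja `match` test and `raise()` if the targeted Salt versions provide them. A short comment above the branch, `{# accept may be a bare flag or a mapping with an optional firewalld limit "N/(s|m|h|d)" #}`, would also document why the `is mapping` check is there. The enclosing rich_rule macro begins and ends outside this hunk.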
Signed-off-by: Arnaud Patard
---
 pillar.example | 8 ++++++++
 test/integration/default/controls/zones_spec.rb | 7 +++++++
 .../integration/default/files/_mapdata/amazonlinux-2.yaml | 7 +++++++
 .../default/files/_mapdata/arch-base-latest.yaml | 7 +++++++
 test/integration/default/files/_mapdata/centos-7.yaml | 7 +++++++
 test/integration/default/files/_mapdata/centos-8.yaml | 7 +++++++
 test/integration/default/files/_mapdata/debian-10.yaml | 7 +++++++
 test/integration/default/files/_mapdata/debian-9.yaml | 7 +++++++
 test/integration/default/files/_mapdata/fedora-31.yaml | 7 +++++++
 test/integration/default/files/_mapdata/fedora-32.yaml | 7 +++++++
 test/integration/default/files/_mapdata/opensuse-15.yaml | 7 +++++++
 test/integration/default/files/_mapdata/ubuntu-16.yaml | 7 +++++++
 test/integration/default/files/_mapdata/ubuntu-18.yaml | 7 +++++++
 test/integration/default/files/_mapdata/ubuntu-20.yaml | 7 +++++++
 14 files changed, 99 insertions(+)

diff --git a/pillar.example b/pillar.example
index e68b767..0735832 100644
--- a/pillar.example
+++ b/pillar.example
@@ -126,6 +126,14 @@ firewalld:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
+
 ports:
 # {%- if grains['id'] == 'salt.example.com' %}
 - comment: salt-master
diff --git a/test/integration/default/controls/zones_spec.rb b/test/integration/default/controls/zones_spec.rb
index eee6953..b1b6cbf 100644
--- a/test/integration/default/controls/zones_spec.rb
+++ b/test/integration/default/controls/zones_spec.rb
@@ -37,6 +37,13 @@ control 'zones/public.xml configuration' do
+
+
+
+
+
+
+
 ZONE_XML
 end
diff --git a/test/integration/default/files/_mapdata/amazonlinux-2.yaml b/test/integration/default/files/_mapdata/amazonlinux-2.yaml
index 818cb7e..dcaeff6 100644
--- a/test/integration/default/files/_mapdata/amazonlinux-2.yaml
+++ b/test/integration/default/files/_mapdata/amazonlinux-2.yaml
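Review bot: The new pillar.example entry shows `limit: "3/m"` under `accept:` but says nothing about what values are allowed, and because the template interpolates this string into the zone XML verbatim, a reader copying the example has no hint that only firewalld's `<count>/<s|m|h|d>` rate form works and that anything else is rejected at firewalld reload time rather than by Salt. A comment on the `- accept:` line would close that gap: `# accept may be a bare flag or a mapping; limit is passed to firewalld unchanged as "<count>/<s|m|h|d>"`. It is also worth stating next to it that the limit only bounds how often this rich rule matches — packets over the limit fall through to the rest of the zone — so a reader does not take `3/m` for a hard cap on http connections. The zones_spec.rb hunk's expected XML lines are not legible in this extract, so I cannot confirm they cover the limit element.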
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/arch-base-latest.yaml b/test/integration/default/files/_mapdata/arch-base-latest.yaml
index 254c382..223d80c 100644
--- a/test/integration/default/files/_mapdata/arch-base-latest.yaml
+++ b/test/integration/default/files/_mapdata/arch-base-latest.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/centos-7.yaml b/test/integration/default/files/_mapdata/centos-7.yaml
index e77e920..55add4f 100644
--- a/test/integration/default/files/_mapdata/centos-7.yaml
+++ b/test/integration/default/files/_mapdata/centos-7.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/centos-8.yaml b/test/integration/default/files/_mapdata/centos-8.yaml
index 994f917..5d4969a 100644
--- a/test/integration/default/files/_mapdata/centos-8.yaml
+++ b/test/integration/default/files/_mapdata/centos-8.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/debian-10.yaml b/test/integration/default/files/_mapdata/debian-10.yaml
index 9d3473e..9d89fcc 100644
--- a/test/integration/default/files/_mapdata/debian-10.yaml
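Review bot: In every one of these mapdata fixtures the new rate-limited `accept` rich rule for `service: http` sits in a zone whose `services:` list, visible in the context lines directly below the insertion, already contains `http`, so the `3/m` limit does not bound http traffic at all: a firewalld rich-rule limit only stops that rule from matching once the rate is exceeded, and the plain service entry then accepts the packet regardless of the order firewalld evaluates the two in. As a regression fixture this still exercises the template, but as the example it mirrors it demonstrates a limit that has no effect, and a reader may deploy it believing http is capped. I would either rate-limit a service that is not also opened under `services:` in the same zone, or keep it and add `# note: http is also in services: below, so this limit only affects log volume, not acceptance` on the `- accept:` line of the pillar this data is rendered from. If `_mapdata` is produced by the formula's generation script rather than edited by hand, regenerate it from the updated pillar so the fixtures stay byte-identical to the rendered map.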
+++ b/test/integration/default/files/_mapdata/debian-10.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/debian-9.yaml b/test/integration/default/files/_mapdata/debian-9.yaml
index 92713d7..19a8e64 100644
--- a/test/integration/default/files/_mapdata/debian-9.yaml
+++ b/test/integration/default/files/_mapdata/debian-9.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/fedora-31.yaml b/test/integration/default/files/_mapdata/fedora-31.yaml
index 6e2d197..7838855 100644
--- a/test/integration/default/files/_mapdata/fedora-31.yaml
+++ b/test/integration/default/files/_mapdata/fedora-31.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/fedora-32.yaml b/test/integration/default/files/_mapdata/fedora-32.yaml
index b1738ec..ca4c18b 100644
--- a/test/integration/default/files/_mapdata/fedora-32.yaml
+++ b/test/integration/default/files/_mapdata/fedora-32.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/opensuse-15.yaml b/test/integration/default/files/_mapdata/opensuse-15.yaml
index 012fcaf..ac9a402 100644
--- a/test/integration/default/files/_mapdata/opensuse-15.yaml
+++ b/test/integration/default/files/_mapdata/opensuse-15.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/ubuntu-16.yaml b/test/integration/default/files/_mapdata/ubuntu-16.yaml
index 4f8fcd0..fbeedc9 100644
--- a/test/integration/default/files/_mapdata/ubuntu-16.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-16.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/ubuntu-18.yaml b/test/integration/default/files/_mapdata/ubuntu-18.yaml
index b7f93f9..dac5c61 100644
--- a/test/integration/default/files/_mapdata/ubuntu-18.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-18.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https
diff --git a/test/integration/default/files/_mapdata/ubuntu-20.yaml b/test/integration/default/files/_mapdata/ubuntu-20.yaml
index 9e037e3..5d56702 100644
--- a/test/integration/default/files/_mapdata/ubuntu-20.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-20.yaml
@@ -134,6 +134,13 @@ values:
 name: fail2ban-ssh
 reject:
 type: icmp-port-unreachable
+ - accept:
+ limit: "3/m"
+ log:
+ level: warning
+ limit: "3/m"
+ prefix: "http fw limit 3/m"
+ service: http
 services:
 - http
 - https