From 18fc482853272f4e1de4a36924b8e0ceb23a2335 Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Fri, 5 Apr 2019 21:04:30 +0200 Subject: [PATCH 1/4] update service and zones with more options update kitchen travis fix ipsets.sls --- .kitchen.yml | 56 ----------------------------- .travis.yml | 6 ++-- Gemfile | 5 ++- firewalld/files/service.xml | 63 ++++++++++++++++++++++++++------ firewalld/files/zone.xml | 29 +++++++++++++-- firewalld/ipsets.sls | 2 +- kitchen.yml | 72 +++++++++++++++++++++++++++++++++++++ pillar.example | 14 ++++++++ 8 files changed, 173 insertions(+), 74 deletions(-) delete mode 100644 .kitchen.yml create mode 100644 kitchen.yml diff --git a/.kitchen.yml b/.kitchen.yml deleted file mode 100644 index ea6d358..0000000 --- a/.kitchen.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- -driver: - name: docker - -driver_config: - use_sudo: false - privileged: true - provision_command: mkdir -p /run/sshd - run_command: /lib/systemd/systemd - -platforms: - - name: debian-9 - driver_config: - provision_command: - - apt-get install udev net-tools -y - - name: ubuntu-18.04 - driver_config: - provision_command: - - apt-get install udev net-tools -y - - name: centos-7 - driver_config: - provision_command: - - yum install udev net-tools -y - -provisioner: - name: salt_solo - log_level: info - require_chef: false - salt_version: latest - formula: firewalld - salt_copy_filter: - - .kitchen - - .git - pillars-from-files: - firewalld.sls: pillar.example - pillars: - top.sls: - base: - '*': - - firewalld - -verifier: - name: inspec - sudo: true - reporter: - - cli - inspec_tests: - - path: test/integration/default - -suites: - - name: default - provisioner: - state_top: - base: - '*': - - firewalld diff --git a/.travis.yml b/.travis.yml index dde9c8f..09b0205 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,3 +1,6 @@ +stages: + - test + sudo: required cache: bundler language: ruby 
@@ -5,7 +8,7 @@ language: ruby
 services:
 - docker
-before_install:
+install:
 - bundle install
 env:
@@ -16,4 +19,3 @@ env:
 script:
 - bundle exec kitchen verify ${INSTANCE}
-
diff --git a/Gemfile b/Gemfile
index d177b65..85aad72 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,6 @@
 source "https://rubygems.org"
+gem "kitchen-docker", ">= 2.9"
+gem "kitchen-salt", ">=0.6.0"
 gem "test-kitchen", '>=1.23.2'
-gem "kitchen-docker"
-gem "kitchen-salt", ">=0.2.5"
 gem "kitchen-inspec"
-
diff --git a/firewalld/files/service.xml b/firewalld/files/service.xml
index 7f82938..7d92f35 100644
--- a/firewalld/files/service.xml
+++ b/firewalld/files/service.xml
@@ -5,25 +5,68 @@ Modify the salt pillar for firewalld instead --> - {% if 'short' in service %}{{ service.short }}{%- else %}{{ name }}{%- endif %} - {% if 'description' in service %}{{ service.description }}{%- endif %} -{%- if 'ports' in service %} -{%- if 'tcp' in service.ports %} - {%- for v in service.ports.tcp %} - - {%- endfor %} +{%- if 'short' in service %} + {{ service.short }} +{%- else %} + {{ name }} {%- endif %} -{%- if 'udp' in service.ports %} - {%- for v in service.ports.udp %} +{%- if 'description' in service %} + {{ service.description }} +{%- endif %} +{%- if 'ports' in service %} + {%- if 'tcp' in service.ports %} + {%- for v in service.ports.tcp %} + + {%- endfor %} + {%- endif %} + {%- if 'udp' in service.ports %} + {%- for v in service.ports.udp %} + {%- endfor %} + {%- endif %} + {%- if 'sctp' in service.ports %} + {%- for v in service.ports.sctp %} + + {%- endfor %} + {%- endif %} + {%- if 'dccp' in service.ports %} + {%- for v in service.ports.dccp %} + + {%- endfor %} + {%- endif %} +{%- endif %} +{%- if 'protocols' in service %} + {%- for v in service.protocols %} + {%- endfor %} {%- endif %} +{%- if 'source_ports' in service %} + {%- if 'tcp' in service.source_ports %} + {%- for v in service.source_ports.tcp %} + + {%- endfor %} + {%- endif %} + {%- if 'udp' in service.source_ports %} + {%- for v in service.source_ports.udp %} + + {%- endfor %} + {%- endif %} + {%- if 'sctp' in service.source_ports %} + {%- for v in service.source_ports.sctp %} + + {%- endfor %} + {%- endif %} + {%- if 'dccp' in service.source_ports %} + {%- for v in service.source_ports.dccp %} + + {%- endfor %} + {%- endif %} +{%- endif %} {%- if 'modules' in service %} {%- for v in service.modules %} {%- endfor %} {%- endif %} -{%- endif %} {%- if 'destinations' in service %} {%- if 'ipv4' in service.destinations %} {%- for v in service.destinations.ipv4 %} diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml index 728a56c..9095200 100644 
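Review bot: `{{ service.short }}`, `{{ service.description }}` and the `{{ name }}` fallback are interpolated into the XML unescaped, so a pillar value containing `&` or `<` yields a service file that does not parse and firewalld rejects it on reload. Since these values come straight from pillar, apply Jinja's escape filter, `{{ service.short|e }}` and `{{ service.description|e }}`, which covers the XML metacharacters. The element markup is stripped in this extraction, so the tags around the new `protocols`, `source_ports`, `sctp` and `dccp` loops cannot be reviewed here, and the template head above line 5 is outside the hunk.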
--- a/firewalld/files/zone.xml +++ b/firewalld/files/zone.xml @@ -46,11 +46,19 @@ {%- endfor %} {%- endif %} +{%- if 'protocols' in zone %} + {%- for v in zone.protocols %} + + {%- endfor %} +{%- endif %} {%- if 'icmp_blocks' in zone %} {%- for v in zone.icmp_blocks %} {%- endfor %} {%- endif %} +{%- if 'icmp_block_inversion' in zone %} + +{%- endif %} {%- if 'masquerade' in zone %} {%- if zone.masquerade %} @@ -64,6 +72,14 @@ {%- endfor %} {%- endif %} +{%- if 'source_ports' in zone %} + {%- for v in zone.source_ports %} + {%- if 'comment' in v %} + + {%- endif %} + + {%- endfor %} +{%- endif %} {%- if 'rich_rules' in zone %} {%- for rule in zone.rich_rules %} @@ -91,7 +107,10 @@ {%- endif %} {%- if 'icmp_block' in rule %} - + + {%- endif %} + {%- if 'icmp_type' in rule %} + {%- endif %} {%- if 'masquerade' in rule %} {%- if rule.masquerade %}{%- endif %} @@ -102,6 +121,12 @@ {%- endif %} {%- endif %} + {%- if 'source_port' in rule %} + {%- if 'comment' in rule.source_port %} + + {%- endif %} + + {%- endif %} {%- if 'log' in rule %} {%- if 'limit' in rule.log %} @@ -114,7 +139,7 @@ {%- endif %} {%- if 'accept' in rule %} - {%- endif %} + {%- endif %} {%- if 'reject' in rule %} {%- endif %} diff --git a/firewalld/ipsets.sls b/firewalld/ipsets.sls index f16622d..3fbcc66 100644 --- a/firewalld/ipsets.sls +++ b/firewalld/ipsets.sls @@ -77,7 +77,7 @@ directory_firewalld_ipsets: - cmd: reload_firewalld # reload firewalld config - context: name: {{ z_name }} - ipset: {{ v }} + ipset: {{ v|json }} {% endfor %} {%- endif %} diff --git a/kitchen.yml b/kitchen.yml new file mode 100644 index 0000000..40f2e7a --- /dev/null +++ b/kitchen.yml 
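Review bot: In the first hunk, `{%- if 'icmp_block_inversion' in zone %}` emits the inversion element whenever the key exists, so `icmp_block_inversion: false` in pillar still turns inversion on; the adjacent `masquerade` block tests the value with `{%- if zone.masquerade %}` and this one should do the same: `{%- if 'icmp_block_inversion' in zone and zone.icmp_block_inversion %}`. Because inversion turns the zone's icmp-blocks list from a deny-list into an allow-list, an accidental enable changes which ICMP types reach the host. The element markup is stripped in this extraction, so the exact tag emitted inside the block is inferred from the key name.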
@@ -0,0 +1,72 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+driver:
+ name: docker
+
+driver_config:
+ use_sudo: false
+ privileged: true
+ provision_command: mkdir -p /run/sshd
+ run_command: /lib/systemd/systemd
+ pid_one_command: /usr/lib/systemd/systemd
+
+platforms:
+ - name: centos-7
+ driver_config:
+ image: centos:7
+ provision_command:
+ - yum install udev net-tools glibc-common -y
+ - echo "LANG=en_US.UTF-8" >> /etc/locale.conf
+ - localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ platform: rhel
+
+ - name: debian-9
+ driver_config:
+ image: debian:9
+ provision_command:
+ - apt-get install udev net-tools locales -y
+ - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+ - locale-gen en_US.UTF-8
+ platform: debian
+ - name: ubuntu-18.04
+ driver_config:
+ image: ubuntu:18.04
+ provision_command:
+ - apt-get install udev net-tools locales -y
+ - localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ - echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
+ - locale-gen en_US.UTF-8
+ platform: ubuntu
+
+provisioner:
+ name: salt_solo
+ log_level: info
+ require_chef: false
+ salt_version: latest
+ formula: firewalld
+ salt_copy_filter:
+ - .kitchen
+ - .git
+ pillars_from_files:
+ firewalld.sls: pillar.example
+ pillars:
+ top.sls:
+ base:
+ '*':
+ - firewalld
+ state_top:
+ base:
+ '*':
+ - firewalld
+
+verifier:
+ name: inspec
+ sudo: true
+ reporter:
+ - cli
+ inspec_tests:
+ - path: test/integration/default
+
+suites:
+ - name: default
diff --git a/pillar.example b/pillar.example
index 6035fe3..193f749 100644
--- a/pillar.example
+++ b/pillar.example
@@ -28,6 +28,11 @@ firewalld:
 - 5252
 modules:
 - some_module_to_load
+ protocols:
+ - igmp
+ source_ports:
+ tcp:
+ - 21
 destinations:
 ipv4:
 - 224.0.0.251
@@ -89,6 +94,8 @@ firewalld:
 - https
 - ssh
 - salt-minion
+ protocols:
+ - igmp
 rich_rules:
 - family: ipv4
 source:
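Review bot: The provisioner key is spelled `pillars_from_files` here while the deleted .kitchen.yml used `pillars-from-files`; if the kitchen-salt release resolved by the Gemfile (`>=0.6.0`) only recognises the hyphenated spelling, pillar.example is silently ignored and the default suite converges the firewalld formula with no pillar data, so the InSpec checks stop exercising the zone and service templates this series changes. Please verify the key against the kitchen-salt version actually installed, or keep `pillars-from-files:`. Separately, `salt_version: latest` ties every CI run to whatever Salt release is current, so a red build cannot be attributed to the formula; pinning a release makes the suite reproducible.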
@@ -117,6 +124,13 @@ firewalld: - comment: vsftpd port: 21 protocol: tcp + source_ports: + - comment: something + port: 2222 + protocol: tcp + - comment: something_else + port: 4444 + protocol: tcp direct: chain: From 87ecf4eea4dbd44ba82ce8b55ec80598acc7943c Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Sat, 6 Apr 2019 21:58:48 +0200 Subject: [PATCH 2/4] update gems --- Gemfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 85aad72..0494c89 100644 --- a/Gemfile +++ b/Gemfile @@ -1,6 +1,5 @@ source "https://rubygems.org" gem "kitchen-docker", ">= 2.9" -gem "kitchen-salt", ">=0.6.0" -gem "test-kitchen", '>=1.23.2' -gem "kitchen-inspec" +gem "kitchen-salt", ">= 0.6.0" +gem "test-kitchen", '>= 1.1' From 9522826dcb5a6487a6813130d3211ac584910b4b Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Sat, 6 Apr 2019 22:03:15 +0200 Subject: [PATCH 3/4] update gems --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 0494c89..e95eb27 100644 --- a/Gemfile +++ b/Gemfile @@ -2,4 +2,4 @@ source "https://rubygems.org" gem "kitchen-docker", ">= 2.9" gem "kitchen-salt", ">= 0.6.0" -gem "test-kitchen", '>= 1.1' +gem "kitchen-inspec", '>= 1.1' From a438f30f50a6f74895fd601bcd415fb6d1705b1b Mon Sep 17 00:00:00 2001 From: Niels Abspoel Date: Sat, 6 Apr 2019 23:26:48 +0200 Subject: [PATCH 4/4] fix spacing in closing tags --- firewalld/files/zone.xml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml index 9095200..ca96e47 100644 --- a/firewalld/files/zone.xml +++ b/firewalld/files/zone.xml @@ -43,7 +43,7 @@ {%- if 'comment' in v %} {%- endif %} - + {%- endfor %} {%- endif %} {%- if 'protocols' in zone %} @@ -77,7 +77,7 @@ {%- if 'comment' in v %} {%- endif %} - + {%- endfor %} {%- endif %} 
@@ -89,28 +89,28 @@ {%- endif %} {%- if 'ipset' in rule %} - + {%- endif %} {%- if 'source' in rule %} - + {%- endif %} {%- if 'destination' in rule %} - + {%- endif %} {%- if 'service' in rule %} - + {%- endif %} {%- if 'port' in rule %} - + {%- endif %} {%- if 'protocol' in rule %} - + {%- endif %} {%- if 'icmp_block' in rule %} - + {%- endif %} {%- if 'icmp_type' in rule %} - + {%- endif %} {%- if 'masquerade' in rule %} {%- if rule.masquerade %}{%- endif %} @@ -141,7 +141,7 @@ {%- endif %} {%- if 'reject' in rule %} - + {%- endif %} {%- if 'drop' in rule %}