Merge pull request #27 from aboe76/improve_service

update service and zones with more options
This commit is contained in:
Imran Iqbal 2019-04-06 22:39:30 +01:00 committed by GitHub
commit 6a546ca192
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 182 additions and 84 deletions


@ -1,56 +0,0 @@
---
driver:
name: docker
driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
platforms:
- name: debian-9
driver_config:
provision_command:
- apt-get install udev net-tools -y
- name: ubuntu-18.04
driver_config:
provision_command:
- apt-get install udev net-tools -y
- name: centos-7
driver_config:
provision_command:
- yum install udev net-tools -y
provisioner:
name: salt_solo
log_level: info
require_chef: false
salt_version: latest
formula: firewalld
salt_copy_filter:
- .kitchen
- .git
pillars-from-files:
firewalld.sls: pillar.example
pillars:
top.sls:
base:
'*':
- firewalld
verifier:
name: inspec
sudo: true
reporter:
- cli
inspec_tests:
- path: test/integration/default
suites:
- name: default
provisioner:
state_top:
base:
'*':
- firewalld


@ -1,3 +1,6 @@
stages:
- test
sudo: required sudo: required
cache: bundler cache: bundler
language: ruby language: ruby
@ -5,7 +8,7 @@ language: ruby
services: services:
- docker - docker
before_install: install:
- bundle install - bundle install
env: env:
@ -16,4 +19,3 @@ env:
script: script:
- bundle exec kitchen verify ${INSTANCE} - bundle exec kitchen verify ${INSTANCE}


@ -1,7 +1,5 @@
source "https://rubygems.org" source "https://rubygems.org"
gem "test-kitchen", '>=1.23.2' gem "kitchen-docker", ">= 2.9"
gem "kitchen-docker" gem "kitchen-salt", ">= 0.6.0"
gem "kitchen-salt", ">=0.2.5" gem "kitchen-inspec", '>= 1.1'
gem "kitchen-inspec"
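Review bot: The new pins are lower bounds only (`>= 2.9`, `>= 0.6.0`, `>= 1.1`), so every CI run resolves whatever the newest release happens to be unless a Gemfile.lock is committed alongside; if none is, a pessimistic constraint such as `gem "kitchen-docker", "~> 2.9"` keeps the test toolchain reproducible and turns upgrades into a reviewed change. The three lines also mix `"..."` and `'...'` quoting for the version strings; one style, e.g. `gem "kitchen-inspec", ">= 1.1"`, reads better. Dropping the explicit `test-kitchen` gem presumably relies on it arriving transitively through the kitchen plugins, which is fine but worth a one-line comment so the next reader does not have to check.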


@ -5,25 +5,68 @@
Modify the salt pillar for firewalld instead Modify the salt pillar for firewalld instead
--> -->
<service version="1"> <service version="1">
{% if 'short' in service %}<short>{{ service.short }}</short>{%- else %}<short>{{ name }}</short>{%- endif %} {%- if 'short' in service %}
{% if 'description' in service %}<description>{{ service.description }}</description>{%- endif %} <short>{{ service.short }}</short>
{%- else %}
<short>{{ name }}</short>
{%- endif %}
{%- if 'description' in service %}
<description>{{ service.description }}</description>
{%- endif %}
{%- if 'ports' in service %} {%- if 'ports' in service %}
{%- if 'tcp' in service.ports %} {%- if 'tcp' in service.ports %}
{%- for v in service.ports.tcp %} {%- for v in service.ports.tcp %}
<port port="{{ v }}" protocol="tcp" /> <port port="{{ v }}" protocol="tcp" />
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.ports %}
{%- for v in service.ports.udp %}
<port port="{{ v }}" protocol="udp" />
{%- endfor %}
{%- endif %}
{%- if 'sctp' in service.ports %}
{%- for v in service.ports.sctp %}
<port port="{{ v }}" protocol="sctp" />
{%- endfor %}
{%- endif %}
{%- if 'dccp' in service.ports %}
{%- for v in service.ports.dccp %}
<port port="{{ v }}" protocol="dccp" />
{%- endfor %}
{%- endif %}
{%- endif %}
{%- if 'protocols' in service %}
{%- for v in service.protocols %}
<protocol value="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'udp' in service.ports %} {%- if 'source_ports' in service %}
{%- for v in service.ports.udp %} {%- if 'tcp' in service.source_ports %}
<port port="{{ v }}" protocol="udp" /> {%- for v in service.source_ports.tcp %}
{%- endfor %} <source-port port="{{ v }}" protocol="tcp" />
{%- endfor %}
{%- endif %}
{%- if 'udp' in service.source_ports %}
{%- for v in service.source_ports.udp %}
<source-port port="{{ v }}" protocol="udp" />
{%- endfor %}
{%- endif %}
{%- if 'sctp' in service.source_ports %}
{%- for v in service.source_ports.sctp %}
<source-port port="{{ v }}" protocol="sctp" />
{%- endfor %}
{%- endif %}
{%- if 'dccp' in service.source_ports %}
{%- for v in service.source_ports.dccp %}
<source-port port="{{ v }}" protocol="dccp" />
{%- endfor %}
{%- endif %}
{%- endif %} {%- endif %}
{%- if 'modules' in service %} {%- if 'modules' in service %}
{%- for v in service.modules %} {%- for v in service.modules %}
<module name="{{ v }}" /> <module name="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- endif %}
{%- if 'destinations' in service %} {%- if 'destinations' in service %}
{%- if 'ipv4' in service.destinations %} {%- if 'ipv4' in service.destinations %}
{%- for v in service.destinations.ipv4 %} {%- for v in service.destinations.ipv4 %}
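Review bot: Every value this hunk interpolates into an XML attribute — `<port port="{{ v }}" protocol="tcp" />`, its udp/sctp/dccp and `<source-port>` variants, and `<protocol value="{{ v }}" />` — is written unescaped, so a pillar value containing `"` or `<` yields a malformed service file that firewalld rejects at load, or in the worst case an attribute the author did not intend. Pillar data is operator-controlled, but a stray quote in a port range is an easy mistake; passing each value through Jinja's escape filter, e.g. `<port port="{{ v|e }}" protocol="tcp" />`, keeps the output well-formed regardless. The four near-identical per-protocol blocks under `ports` and again under `source_ports` could be a single loop, `{%- for proto in ['tcp', 'udp', 'sctp', 'dccp'] %}{%- for v in service.ports.get(proto, []) %}`, which is shorter and less likely to drift when a fifth protocol is added. The same unescaped pattern appears in the zone template's new `<source-port>` and `<protocol>` lines. The `<service>` element opens before and closes after this hunk.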


@ -43,7 +43,12 @@
{%- if 'comment' in v %} {%- if 'comment' in v %}
<!-- {{ v.comment }} --> <!-- {{ v.comment }} -->
{%- endif %} {%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}"/> <port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'protocols' in zone %}
{%- for v in zone.protocols %}
<protocol value="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'icmp_blocks' in zone %} {%- if 'icmp_blocks' in zone %}
@ -51,6 +56,9 @@
<icmp-block name="{{ v }}" /> <icmp-block name="{{ v }}" />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'icmp_block_inversion' in zone %}
<icmp-block-inversion name="{{ zone.icmp_blok_inversion }}" />
{%- endif %}
{%- if 'masquerade' in zone %} {%- if 'masquerade' in zone %}
{%- if zone.masquerade %} {%- if zone.masquerade %}
<masquerade/> <masquerade/>
@ -64,6 +72,14 @@
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} /> <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}
{%- if 'source_ports' in zone %}
{%- for v in zone.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'rich_rules' in zone %} {%- if 'rich_rules' in zone %}
{%- for rule in zone.rich_rules %} {%- for rule in zone.rich_rules %}
@ -73,25 +89,28 @@
<rule> <rule>
{%- endif %} {%- endif %}
{%- if 'ipset' in rule %} {%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}"/> <source ipset="{{ rule.ipset.name }}" />
{%- endif %} {%- endif %}
{%- if 'source' in rule %} {%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %}/> <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'destination' in rule %} {%- if 'destination' in rule %}
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %}/> <destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'service' in rule %} {%- if 'service' in rule %}
<service name="{{ rule.service }}"/> <service name="{{ rule.service }}" />
{%- endif %} {%- endif %}
{%- if 'port' in rule %} {%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}"/> <port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %} {%- endif %}
{%- if 'protocol' in rule %} {%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}"/> <protocol value="{{ rule.protocol }}" />
{%- endif %} {%- endif %}
{%- if 'icmp_block' in rule %} {%- if 'icmp_block' in rule %}
<icmp_block name="{{ rule.icmp_block }}"/> <icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %} {%- endif %}
{%- if 'masquerade' in rule %} {%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %} {%- if rule.masquerade %}<masquerade/>{%- endif %}
@ -102,6 +121,12 @@
{%- endif %} {%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} /> <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'log' in rule %} {%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}> <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %} {%- if 'limit' in rule.log %}
@ -116,7 +141,7 @@
<accept/> <accept/>
{%- endif %} {%- endif %}
{%- if 'reject' in rule %} {%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %}/> <reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %} {%- endif %}
{%- if 'drop' in rule %} {%- if 'drop' in rule %}
<drop/> <drop/>
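Review bot: The new `<icmp-block-inversion name="{{ zone.icmp_blok_inversion }}" />` line in the second hunk reads `icmp_blok_inversion`, which does not match the `icmp_block_inversion` key tested on the line above, so whenever the option is actually set the render most likely fails on the undefined attribute (or, with a lenient renderer, emits an empty attribute). In firewalld's zone format this is an empty element with no attributes, so the block should mirror the masquerade handling directly below it: `{%- if 'icmp_block_inversion' in zone %}{%- if zone.icmp_block_inversion %}<icmp-block-inversion/>{%- endif %}{%- endif %}`. In the rich-rule hunk, the new `<source-port>` line copies the `to-port`/`to-addr` conditionals from the forward-port line above it, but a rich-rule source-port takes only `port` and `protocol`, so those should be dropped: `<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}" />`. The `<zone>` element and the `rich_rules` loop both open and close outside these hunks.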


@ -77,7 +77,7 @@ directory_firewalld_ipsets:
- cmd: reload_firewalld # reload firewalld config - cmd: reload_firewalld # reload firewalld config
- context: - context:
name: {{ z_name }} name: {{ z_name }}
ipset: {{ v }} ipset: {{ v|json }}
{% endfor %} {% endfor %}
{%- endif %} {%- endif %}

72
kitchen.yml Normal file

@ -0,0 +1,72 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
driver:
name: docker
driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
pid_one_command: /usr/lib/systemd/systemd
platforms:
- name: centos-7
driver_config:
image: centos:7
provision_command:
- yum install udev net-tools glibc-common -y
- echo "LANG=en_US.UTF-8" >> /etc/locale.conf
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
platform: rhel
- name: debian-9
driver_config:
image: debian:9
provision_command:
- apt-get install udev net-tools locales -y
- echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
- locale-gen en_US.UTF-8
platform: debian
- name: ubuntu-18.04
driver_config:
image: ubuntu:18.04
provision_command:
- apt-get install udev net-tools locales -y
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
- echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
- locale-gen en_US.UTF-8
platform: ubuntu
provisioner:
name: salt_solo
log_level: info
require_chef: false
salt_version: latest
formula: firewalld
salt_copy_filter:
- .kitchen
- .git
pillars_from_files:
firewalld.sls: pillar.example
pillars:
top.sls:
base:
'*':
- firewalld
state_top:
base:
'*':
- firewalld
verifier:
name: inspec
sudo: true
reporter:
- cli
inspec_tests:
- path: test/integration/default
suites:
- name: default
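Review bot: `privileged: true` under `driver_config` hands the test container the host's full capability set and device access; that is the usual price of running systemd as PID 1 under Docker, but nothing in the file says so, and a comment such as `# privileged: needed so systemd can run as PID 1 in the throwaway test container; CI-only` would stop the setting from being copied into a driver config that is not test-only. `run_command` and `pid_one_command` both point at a systemd binary, at different paths; if the installed kitchen-docker honours `pid_one_command`, `run_command` is presumably redundant, and either way the two paths should agree or carry a comment explaining which driver version each serves. The per-platform `provision_command` entries repeat the locale setup three times with small variations; a short comment above `platforms:` noting that the locale steps exist for the inspec run would help the next maintainer keep them in sync.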


@ -28,6 +28,11 @@ firewalld:
- 5252 - 5252
modules: modules:
- some_module_to_load - some_module_to_load
protocols:
- igmp
source_ports:
tcp:
- 21
destinations: destinations:
ipv4: ipv4:
- 224.0.0.251 - 224.0.0.251
@ -89,6 +94,8 @@ firewalld:
- https - https
- ssh - ssh
- salt-minion - salt-minion
protocols:
- igmp
rich_rules: rich_rules:
- family: ipv4 - family: ipv4
source: source:
@ -117,6 +124,13 @@ firewalld:
- comment: vsftpd - comment: vsftpd
port: 21 port: 21
protocol: tcp protocol: tcp
source_ports:
- comment: something
port: 2222
protocol: tcp
- comment: something_else
port: 4444
protocol: tcp
direct: direct:
chain: chain:
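Review bot: The example pillar does not exercise several options this commit adds to the templates — `icmp_block_inversion`, rich-rule `icmp_type` and rich-rule `source_port` — so they have no documented shape and the kitchen run never renders them; one entry for each, next to the new `protocols`/`source_ports` blocks, would close that gap. The new `source_ports` entries would also benefit from a comment such as `# source ports match the client-chosen source port of a packet; they are not a restriction on who may connect`, so readers do not mistake them for an access control. The service-level `source_ports` is a map keyed by protocol (`tcp:` then a list of ports) while the zone-level one is a list of `port`/`protocol` maps; both match their templates, but the asymmetry is worth a one-line comment at each site. The enclosing `firewalld:` map starts and ends outside these hunks.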