From 8d0172f5c7e0e1a2856dbbc0bf149ee8ddfd225a Mon Sep 17 00:00:00 2001 From: Michal Hrusecky Date: Tue, 11 Feb 2020 15:10:45 +0100 Subject: [PATCH] feat(zone.xml): allow more services definition inside zone Now multiple sections ending with `services` can be defined for each in pillar and all of them will get merged into one service block in the zone. The goal is to keep backward compatibility while allowing different services to be defined in different pillars. So basically have various parts of the pillar affecting the firewall without need to define everything centrally. Helpful for the exceptions to the rules. --- firewalld/files/zone.xml | 10 ++++++---- pillar.example | 4 +++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml index 6525d71..dabe00a 100644 --- a/firewalld/files/zone.xml +++ b/firewalld/files/zone.xml @@ -33,11 +33,13 @@ {%- endif %} {%- endfor %} {%- endif %} -{%- if 'services' in zone %} - {%- for v in zone.services %} +{%- for k,val in zone.items() %} + {%- if k.endswith("services") %} + {%- for v in val %} - {%- endfor %} -{%- endif %} + {%- endfor %} + {%- endif %} +{%- endfor %} {%- if 'ports' in zone %} {%- for v in zone.ports %} {%- if 'comment' in v %} diff --git a/pillar.example b/pillar.example index 6d78533..bdb1854 100644 --- a/pillar.example +++ b/pillar.example @@ -107,10 +107,12 @@ firewalld: are accepted. services: - http - - zabbixcustom - https - ssh - salt-minion + # Anything in zone definition ending with services will get merged into services + other_services: + - zabbixcustom protocols: - igmp rich_rules:
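Review bot: The `k.endswith("services")` test in the new outer loop of zone.xml matches every zone key with that suffix, so any pillar merged into the zone can add allowed services under an arbitrary key name, and nothing in the template limits or documents which keys count. Consider narrowing the match to the documented forms, `{%- if k == 'services' or k.endswith('_services') %}`, and adding a template comment saying that all such lists are merged into one block. The lists are also concatenated as-is, so a service named in two lists would be rendered twice and the output order follows `zone.items()`. Building one de-duplicated, sorted list before the inner loop (for example with the `unique` and `sort` filters, if the Jinja version in use provides them) would keep the generated zone file stable and easier to audit. The element emitted inside the inner loop is not visible on this page, so this assumes it is unchanged from the old loop.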