feat(rich-rules): add priority to rich rules

fixes #51
2021-06-18 12:23:06 -04:00 · 2021-06-18 12:23:06 -04:00 · 9c2b41d0f9
parent abbfe162a1
commit 9c2b41d0f9
21 changed files with 140 additions and 6 deletions
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@ -4,12 +4,8 @@
  Do not edit this file manually, it will be overwritten!
  Modify the salt pillar for firewalld instead
 -->
-{%- macro rich_rule(rule) -%}
-  {%- if 'family' in rule %}
-  <rule family="{{ rule.family }}">
-  {%- else %}
-  <rule>
-  {%- endif %}
+{%- macro rich_rule(rule) %}
+  <rule{% if 'family' in rule %} family="{{ rule.family }}"{% endif %}{% if 'priority' in rule %} priority="{{ rule.priority }}"{% endif %}>
  {%- if 'ipset' in rule %}
    <source ipset="{{ rule.ipset.name }}" />
  {%- endif %}
--- a/pillar.example
+++ b/pillar.example
@ -167,6 +167,13 @@ firewalld:
      # can be used. Special keys "ipsets" and "services", if defined, take precedence.
      # They will be auto-expanded into separate rich rules per value in the list.
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+            - other-ipset
+          priority: 15
+          services:
+            - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/controls/zones_spec.rb
+++ b/test/integration/default/controls/zones_spec.rb
@ -63,6 +63,11 @@ control 'zones/rich_public.xml configuration' do
        <zone>
          <short>rich_public</short>
          <description>Example</description>
+          <rule priority="15">
+            <source ipset="other-ipset" />
+            <service name="http" />
+            <accept></accept>
+          </rule>
          <rule>
            <source ipset="fail2ban-ssh" />
            <service name="ssh" />
--- a/test/integration/default/files/_mapdata/amazonlinux-1.yaml
+++ b/test/integration/default/files/_mapdata/amazonlinux-1.yaml
@ -150,6 +150,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/amazonlinux-2.yaml
+++ b/test/integration/default/files/_mapdata/amazonlinux-2.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/arch-base-latest.yaml
+++ b/test/integration/default/files/_mapdata/arch-base-latest.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/centos-7.yaml
+++ b/test/integration/default/files/_mapdata/centos-7.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/centos-8.yaml
+++ b/test/integration/default/files/_mapdata/centos-8.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/debian-10.yaml
+++ b/test/integration/default/files/_mapdata/debian-10.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/debian-9.yaml
+++ b/test/integration/default/files/_mapdata/debian-9.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/fedora-31.yaml
+++ b/test/integration/default/files/_mapdata/fedora-31.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/fedora-32.yaml
+++ b/test/integration/default/files/_mapdata/fedora-32.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/fedora-33.yaml
+++ b/test/integration/default/files/_mapdata/fedora-33.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/fedora-34.yaml
+++ b/test/integration/default/files/_mapdata/fedora-34.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/opensuse-15.yaml
+++ b/test/integration/default/files/_mapdata/opensuse-15.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/opensuse-tumbleweed.yaml
+++ b/test/integration/default/files/_mapdata/opensuse-tumbleweed.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/oraclelinux-7.yaml
+++ b/test/integration/default/files/_mapdata/oraclelinux-7.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/oraclelinux-8.yaml
+++ b/test/integration/default/files/_mapdata/oraclelinux-8.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/ubuntu-16.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-16.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/ubuntu-18.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-18.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets:
--- a/test/integration/default/files/_mapdata/ubuntu-20.yaml
+++ b/test/integration/default/files/_mapdata/ubuntu-20.yaml
@ -157,6 +157,13 @@ values:
    rich_public:
      description: Example
      rich_rules:
+        http-priority:
+          accept: true
+          ipsets:
+          - other-ipset
+          priority: 15
+          services:
+          - http
        ssh-csg:
          accept: true
          ipsets: