From bcd47361caca803cc47c0d1eeef30a2adae3016a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 25 Aug 2018 18:13:06 -0300 Subject: [PATCH 1/5] Refactor .kitchen.yml to use pillar.example as pillar --- .kitchen.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 3e0768d..883cbd1 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -22,22 +22,13 @@ provisioner: salt_copy_filter: - .kitchen - .git + pillars-from-files: + firewalld.sls: pillar.example pillars: top.sls: base: '*': - firewalld - firewalld.sls: - firewalld: - enabled: True - services: - glusterfs: - short: glusterfs - description: 'GlusterFS network filesystem' - ports: - tcp: - - 24007-24008 - - 49152-49200 verifier: name: inspec From 7bc3a9cdd44640b90a1ba18275e34853ff9ae3bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 25 Aug 2018 18:20:27 -0300 Subject: [PATCH 2/5] Use mapped data instead of pillar.get data --- firewalld/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/firewalld/init.sls b/firewalld/init.sls index 23477e7..61327a3 100644 --- a/firewalld/init.sls +++ b/firewalld/init.sls @@ -13,7 +13,7 @@ firewalld-unsupported: Firewalld is not supported on {{ grains['osfinger'] }} See https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15/#fate-323460 -{% elif salt['pillar.get']('firewalld:enabled') %} +{% elif firewalld.enabled %} include: - firewalld.config From d3928d1be0a915134f873c6ecea333ce23034dd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 25 Aug 2018 18:27:37 -0300 Subject: [PATCH 3/5] Refactor ipset format, add backward compatibility See https://github.com/saltstack-formulas/firewalld-formula/pull/21#pullrequestreview-146958098 --- firewalld/defaults.yaml | 13 +++++++++++-- firewalld/ipsets.sls | 41 ++++++++++++++++++++++++++++++++++++----- pillar.example | 6 ++++-- 3 files changed, 51 insertions(+), 9 deletions(-) 
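Review bot: The new condition `{% elif firewalld.enabled %}` in firewalld/init.sls reads the merged map instead of pillar alone, so what happens on a minion with no `firewalld:enabled` pillar now depends on the formula defaults. Patch 3/5 adds `enabled: true` to firewalld/defaults.yaml, which turns the formula from opt-in to opt-out; before, a missing key was falsy and this branch was skipped. If that is intended, say so next to the condition and in pillar.example, for example `{# enabled defaults to true in defaults.yaml; set firewalld:enabled: False in pillar to opt out #}`; otherwise keep the default at `false`. The import of `firewalld` from map.jinja and the other branches of this `if` are outside the hunk, so the effect of the remaining branch cannot be judged from here.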
diff --git a/firewalld/defaults.yaml b/firewalld/defaults.yaml index 3dfe739..73b7e7f 100644 --- a/firewalld/defaults.yaml +++ b/firewalld/defaults.yaml @@ -1,8 +1,17 @@ # -*- coding: utf-8 -*- # vim: ft=yaml firewalld: + enabled: true package: firewalld - ipsetpackage: ipset - backendpackage: nftables service: firewalld config: /etc/firewalld.conf + + ipset: + manage: true + pkg: ipset + + backend: + manage: true + pkg: nftables + + ipsets: {} diff --git a/firewalld/ipsets.sls b/firewalld/ipsets.sls index 1fba144..f16622d 100644 --- a/firewalld/ipsets.sls +++ b/firewalld/ipsets.sls @@ -4,10 +4,41 @@ # {% from "firewalld/map.jinja" import firewalld with context %} -{%- if salt['pillar.get']('firewalld:ipset') %} +# Backward compatibility setting and deprecation notices +{% set ipset_manage = false %} +{% set ipset_pkg = 'ipset' %} +{% set ipset_sets = firewalld.ipsets %} + +{% if firewalld.ipset is mapping %} + {% set ipset_manage = firewalld.ipset.manage %} + {% set ipset_pkg = firewalld.ipset.pkg %} +{% else %} +### Manage setting (old firewalld:ipset) +firewalld-ipset-deprecated: + test.show_notification: + - text: | + 'firewalld:ipset' format has changed and setting it as boolean is deprecated. + Set 'firewalld:ipset:manage' instead. + See firewalld/pillar.example for more information + + {% set ipset_manage = firewalld.ipset %} +{% endif %} + +### Package setting (old firewalld:ipsetpackage) +{% if firewalld.ipsetpackage is defined %} +firewalld-ipsetpackage-deprecated: + test.show_notification: + - text: | + 'firewalld:ipsetpackage' is deprecated. Use 'firewalld:ipset:pkg' instead + See firewalld/pillar.example for more information + + {% set ipset_pkg = firewalld.ipsetpackage %} +{% endif %} + +{%- if ipset_manage %} package_ipset: pkg.installed: - - name: {{ firewalld.ipsetpackage }} + - name: {{ ipset_pkg }} directory_firewalld_ipsets: file.directory: # make sure this is a directory 
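Review bot: The compatibility block in firewalld/ipsets.sls lets the deprecated key win without saying so: `{% set ipset_pkg = firewalld.ipsetpackage %}` runs after the new-format assignment, so a stale `firewalld:ipsetpackage` left in pillar overrides an explicit `firewalld:ipset:pkg` and decides which package `pkg.installed` pulls in. The same ordering appears in firewalld/backend.sls in patch 4/5 for `installbackend` and `backendpackage`. State the precedence in the notification text or in a comment such as `# legacy keys override firewalld:ipset:* when both are set`, or apply the legacy value only when the new key is unset. In the mapping branch, `firewalld.ipset.manage` and `firewalld.ipset.pkg` are read without a fallback; if the merge in map.jinja (not shown) is not recursive, a pillar that sets only one of them leaves the other undefined, and `ipset_manage` then evaluates false without any message.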
@@ -26,8 +57,8 @@ directory_firewalld_ipsets: # # This defines a ipset configuration, see firewalld.ipset (5) man page. # -{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %} -{% set z_name = v.name|default(k) %} + {% for k, v in ipset_sets.items() %} + {% set z_name = v.name|default(k) %} /etc/firewalld/ipsets/{{ z_name }}.xml: file.managed: @@ -48,5 +79,5 @@ directory_firewalld_ipsets: name: {{ z_name }} ipset: {{ v }} -{% endfor %} + {% endfor %} {%- endif %} diff --git a/pillar.example b/pillar.example index 9979838..2abd4db 100644 --- a/pillar.example +++ b/pillar.example @@ -1,7 +1,10 @@ # FirewallD pillar examples: firewalld: enabled: True - ipset: True + ipset: + manage: True + pkg: ipset + installbackend: False default_zone: public @@ -51,7 +54,6 @@ firewalld: entries: - 10.0.0.1 - zones: public: short: Public From 15a48462f078f89707ea26c00639af770c6d7aea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 25 Aug 2018 19:00:11 -0300 Subject: [PATCH 4/5] Refactor backend format, add backward compatibility, simple pkg testing See https://github.com/saltstack-formulas/firewalld-formula/pull/21#pullrequestreview-146958098 --- firewalld/backend.sls | 30 ++++++++++++++++++++-- firewalld/defaults.yaml | 4 +-- pillar.example | 3 ++- test/integration/default/backend_spec.rb | 3 +++ test/integration/default/firewalld_spec.rb | 15 +++++++++++ test/integration/default/ipset_spec.rb | 3 +++ 6 files changed, 53 insertions(+), 5 deletions(-) create mode 100644 test/integration/default/backend_spec.rb create mode 100644 test/integration/default/ipset_spec.rb diff --git a/firewalld/backend.sls b/firewalld/backend.sls index 7190c89..9b9e37f 100644 --- a/firewalld/backend.sls +++ b/firewalld/backend.sls 
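Review bot: `z_name` in firewalld/ipsets.sls still goes straight from pillar data into the managed path `/etc/firewalld/ipsets/{{ z_name }}.xml`, and the rewritten loop over `ipset_sets.items()` keeps it unchecked. Pillar is normally operator-controlled, but where it is fed from an external pillar source a name containing `/` would make `file.managed` write outside the ipsets directory. Wrapping the state in `{% if '/' not in z_name %}` … `{% endif %}` right after the `set` line closes that, together with a comment such as `# z_name comes from pillar and becomes a file name; it must not contain '/'`. The body of the loop lies between this hunk and the next one and is only partly visible here.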
@@ -4,8 +4,34 @@ # {% from "firewalld/map.jinja" import firewalld with context %} -{%- if salt['pillar.get']('firewalld:installbackend') %} +{% set backend_manage = firewalld.backend.manage %} +{% set backend_pkg = firewalld.backend.pkg %} + +# Backward compatibility setting and deprecation notices +### Manage setting (old firewalld:installbackend) +{% if firewalld.installbackend is defined %} +firewalld-installbackend-deprecated: + test.show_notification: + - text: | + 'firewalld:installbackend' is deprecated. Set 'firewalld:backend:manage' instead. + See firewalld/pillar.example for more information + + {% set backend_manage = firewalld.installbackend %} +{% endif %} + +### Package setting (old firewalld:backendpackage) +{% if firewalld.backendpackage is defined %} +firewalld-backendpackage-deprecated: + test.show_notification: + - text: | + 'firewalld:backendpackage' is deprecated. Use 'firewalld:backend:pkg' instead + See firewalld/pillar.example for more information + + {% set backend_pkg = firewalld.backendpackage %} +{% endif %} + +{%- if backend_manage %} package_backend: pkg.installed: - - name: {{ firewalld.backendpackage }} + - name: {{ backend_pkg }} {%- endif %} diff --git a/firewalld/defaults.yaml b/firewalld/defaults.yaml index 73b7e7f..1334058 100644 --- a/firewalld/defaults.yaml +++ b/firewalld/defaults.yaml @@ -7,11 +7,11 @@ firewalld: config: /etc/firewalld.conf ipset: - manage: true + manage: false pkg: ipset backend: - manage: true + manage: false pkg: nftables ipsets: {} diff --git a/pillar.example b/pillar.example index 2abd4db..779e933 100644 --- a/pillar.example +++ b/pillar.example @@ -5,7 +5,8 @@ firewalld: manage: True pkg: ipset - installbackend: False + installbackend: True + backendpackage: nftables default_zone: public services: diff --git a/test/integration/default/backend_spec.rb b/test/integration/default/backend_spec.rb new file mode 100644 index 0000000..f27673a --- /dev/null +++ b/test/integration/default/backend_spec.rb 
@@ -0,0 +1,3 @@ +describe package('nftables') do + it { should be_installed } +end diff --git a/test/integration/default/firewalld_spec.rb b/test/integration/default/firewalld_spec.rb index 07d3a60..ef81e55 100644 --- a/test/integration/default/firewalld_spec.rb +++ b/test/integration/default/firewalld_spec.rb @@ -1,3 +1,18 @@ +describe package('firewalld') do + it { should be_installed } +end + describe service('firewalld') do + it { should be_enabled } it { should be_running } end + +describe service('iptables') do + it { should_not be_enabled } + it { should_not be_running } +end + +describe service('ip6tables') do + it { should_not be_enabled } + it { should_not be_running } +end diff --git a/test/integration/default/ipset_spec.rb b/test/integration/default/ipset_spec.rb new file mode 100644 index 0000000..3a45f32 --- /dev/null +++ b/test/integration/default/ipset_spec.rb @@ -0,0 +1,3 @@ +describe package('ipset') do + it { should be_installed } +end From 951050008d865ec1adb3808ca2bbaa3d340d4b2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 25 Aug 2018 19:05:21 -0300 Subject: [PATCH 5/5] Update pillar.example --- VERSION | 2 +- pillar.example | 13 +++++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/VERSION b/VERSION index 0ea3a94..0c62199 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.2.0 +0.2.1 diff --git a/pillar.example b/pillar.example index 779e933..90aba75 100644 --- a/pillar.example +++ b/pillar.example 
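Review bot: The specs added under test/integration/default assert only package presence and service state, so a render that leaves firewalld running with the wrong or an empty configuration still passes. Since patch 1/5 makes pillar.example the test pillar, firewalld_spec.rb can check what that pillar sets, for example `its('default_zone') { should eq 'public' }` inside a `describe firewalld do` … `end` block. The suite also never exercises the deprecated-key branches added to ipsets.sls and backend.sls, because after patch 5/5 the pillar carries only the new format; a second kitchen suite with a legacy-format pillar would cover them.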
@@ -1,12 +1,21 @@ # FirewallD pillar examples: firewalld: enabled: True + ipset: manage: True pkg: ipset - installbackend: True - backendpackage: nftables + # ipset: # Deprecated. Support for this format will be removed in future releases + # ipsetpackag: ipset # Deprecated. Will be removed in future releases + + backend: + manage: True + pkg: nftables + + # installbackend: True # Deprecated. Will be removed in future releases + # backendpackage: nftables # Deprecated. Will be removed in future releases + default_zone: public services:
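Review bot: The commented legacy example in pillar.example misspells the key as `ipsetpackag`; ipsets.sls tests `firewalld.ipsetpackage is defined`, so anyone who uncomments the line as written sets a key the formula never reads. The line above it, `# ipset:`, shows no value although the old format was a boolean. Suggested lines: `# ipset: True # Deprecated. Support for this format will be removed in future releases` and `# ipsetpackage: ipset # Deprecated. Will be removed in future releases`. It is also worth a comment that uncommenting the legacy `ipset:` line next to the new `ipset:` mapping creates a duplicate key, which most YAML loaders resolve silently in favour of the last one, and .kitchen.yml now loads this file as the test pillar.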