Merge pull request #23 from netmanagers/master

Refactor ipset & backend

.kitchen.yml

@@ -22,22 +22,13 @@ provisioner:
   salt_copy_filter:
     - .kitchen
     - .git
+  pillars-from-files:
+    firewalld.sls: pillar.example
   pillars:
     top.sls:
       base:
         '*':
           - firewalld
-    firewalld.sls:
-      firewalld:
-        enabled: True
-        services:
-          glusterfs:
-            short: glusterfs
-            description: 'GlusterFS network filesystem'
-            ports:
-              tcp:
-                - 24007-24008
-                - 49152-49200
 
 verifier:
   name: inspec

VERSION

@@ -1 +1 @@
-0.2.0
+0.2.1

firewalld/backend.sls

@@ -4,8 +4,34 @@
 #
 {% from "firewalld/map.jinja" import firewalld with context %}
 
-{%- if salt['pillar.get']('firewalld:installbackend') %}
+{% set backend_manage = firewalld.backend.manage %}
+{% set backend_pkg = firewalld.backend.pkg %}
+
+# Backward compatibility setting and deprecation notices
+### Manage setting (old firewalld:installbackend)
+{% if firewalld.installbackend is defined %}
+firewalld-installbackend-deprecated:
+  test.show_notification:
+    - text: |
+        'firewalld:installbackend' is deprecated. Set 'firewalld:backend:manage' instead.
+        See firewalld/pillar.example for more information
+
+  {% set backend_manage = firewalld.installbackend %}
+{% endif %}
+
+### Package setting (old firewalld:backendpackage)
+{% if firewalld.backendpackage is defined %}
+firewalld-backendpackage-deprecated:
+  test.show_notification:
+    - text: |
+        'firewalld:backendpackage' is deprecated. Use 'firewalld:backend:pkg' instead
+        See firewalld/pillar.example for more information
+
+  {% set backend_pkg = firewalld.backendpackage %}
+{% endif %}
+
+{%- if backend_manage %}
 package_backend:
   pkg.installed:
-    - name: {{ firewalld.backendpackage }}
+    - name: {{ backend_pkg }}
 {%- endif %}

firewalld/defaults.yaml

@@ -1,8 +1,17 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 firewalld:
+  enabled: true
   package: firewalld
-  ipsetpackage: ipset
-  backendpackage: nftables
   service: firewalld
   config: /etc/firewalld.conf
+
+  ipset:
+    manage: false
+    pkg: ipset
+
+  backend:
+    manage: false
+    pkg: nftables
+
+  ipsets: {}

firewalld/init.sls

@@ -13,7 +13,7 @@ firewalld-unsupported:
         Firewalld is not supported on {{ grains['osfinger'] }}
         See https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15/#fate-323460
 
-{% elif salt['pillar.get']('firewalld:enabled') %}
+{% elif firewalld.enabled %}
 
 include:
   - firewalld.config

firewalld/ipsets.sls

@@ -4,10 +4,41 @@
 #
 {% from "firewalld/map.jinja" import firewalld with context %}
 
-{%- if salt['pillar.get']('firewalld:ipset') %}
+# Backward compatibility setting and deprecation notices
+{% set ipset_manage = false %}
+{% set ipset_pkg = 'ipset' %}
+{% set ipset_sets = firewalld.ipsets %}
+
+{% if firewalld.ipset is mapping %}
+  {% set ipset_manage = firewalld.ipset.manage %}
+  {% set ipset_pkg = firewalld.ipset.pkg %}
+{% else %}
+### Manage setting (old firewalld:ipset)
+firewalld-ipset-deprecated:
+  test.show_notification:
+    - text: |
+        'firewalld:ipset' format has changed and setting it as boolean is deprecated.
+        Set 'firewalld:ipset:manage' instead.
+        See firewalld/pillar.example for more information
+
+  {% set ipset_manage = firewalld.ipset %}
+{% endif %}
+
+### Package setting (old firewalld:ipsetpackage)
+{% if firewalld.ipsetpackage is defined %}
+firewalld-ipsetpackage-deprecated:
+  test.show_notification:
+    - text: |
+        'firewalld:ipsetpackage' is deprecated. Use 'firewalld:ipset:pkg' instead
+        See firewalld/pillar.example for more information
+
+  {% set ipset_pkg = firewalld.ipsetpackage %}
+{% endif %}
+
+{%- if ipset_manage %}
 package_ipset:
   pkg.installed:
-    - name: {{ firewalld.ipsetpackage }}
+    - name: {{ ipset_pkg }}
 
 directory_firewalld_ipsets:
   file.directory:            # make sure this is a directory
@@ -26,8 +57,8 @@ directory_firewalld_ipsets:
 #
 # This defines a ipset configuration, see firewalld.ipset (5) man page.
 #
-{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
+  {% for k, v in ipset_sets.items() %}
-{% set z_name = v.name|default(k) %}
+  {% set z_name = v.name|default(k) %}
 
 /etc/firewalld/ipsets/{{ z_name }}.xml:
   file.managed:
@@ -48,5 +79,5 @@ directory_firewalld_ipsets:
         name: {{ z_name }}
         ipset: {{ v }}
 
-{% endfor %}
+  {% endfor %}
 {%- endif %}

pillar.example

@@ -1,8 +1,21 @@
 # FirewallD pillar examples:
 firewalld:
   enabled: True
-  ipset: True
+
-  installbackend: False
+  ipset:
+    manage: True
+    pkg: ipset
+
+  # ipset:                          # Deprecated. Support for this format will be removed in future releases
+  # ipsetpackag: ipset              # Deprecated. Will be removed in future releases
+
+  backend:
+    manage: True
+    pkg: nftables
+
+  # installbackend: True            # Deprecated. Will be removed in future releases
+  # backendpackage: nftables        # Deprecated. Will be removed in future releases
+
   default_zone: public
 
   services:
@@ -51,7 +64,6 @@ firewalld:
       entries:
         - 10.0.0.1
 
-
   zones:
     public:
       short: Public

test/integration/default/backend_spec.rb

@@ -0,0 +1,3 @@
+describe package('nftables') do
+  it { should be_installed }
+end

test/integration/default/firewalld_spec.rb

@@ -1,3 +1,18 @@
+describe package('firewalld') do
+  it { should be_installed }
+end
+
 describe service('firewalld') do
+  it { should be_enabled }
   it { should be_running }
 end
+
+describe service('iptables') do
+  it { should_not be_enabled }
+  it { should_not be_running }
+end
+
+describe service('ip6tables') do
+  it { should_not be_enabled }
+  it { should_not be_running }
+end

test/integration/default/ipset_spec.rb

@@ -0,0 +1,3 @@
+describe package('ipset') do
+  it { should be_installed }
+end