From ae1f2453d3d595edf930d730f6c3c5df88f4d070 Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Sun, 15 Sep 2019 22:01:15 +0200
Subject: [PATCH] add updated firewalld.conf from 0.7.1

---
 firewalld/files/firewalld.conf | 19 +++++++++++++++++++
 pillar.example | 6 ++++++
 2 files changed, 25 insertions(+)

diff --git a/firewalld/files/firewalld.conf b/firewalld/files/firewalld.conf
index 4f8872c..c989717 100644
--- a/firewalld/files/firewalld.conf
+++ b/firewalld/files/firewalld.conf
@@ -76,3 +76,22 @@ AutomaticHelpers={{ firewalld.AutomaticHelpers|default('sytem') }}
 # - iptables (iptables, ip6tables, ebtables and ipset)
 FirewallBackend={{ firewalld.FirewallBackend|default('nftables') }}
 {%- endif %}
+{%- if firewalld.get('FlushAllOnReload', False) %}
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+FlushAllOnReload={{ firewalld.FlushAllOnReload|default('yes') }}
+{%- endif %}
+{%- if firewalld.get('RFC3964_IPv4', False) %}
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+# correspond to IPv4 addresses that should not be routed over the public
+# internet.
+# Defaults to "yes".
+RFC3964_IPv4={{ firewalld.RFC3964_IPv4|default('yes') }}
+{%- endif %}
diff --git a/pillar.example b/pillar.example
index 193f749..0969b97 100644
--- a/pillar.example
+++ b/pillar.example
@@ -1,6 +1,12 @@
 # FirewallD pillar examples:
 firewalld:
 enabled: True
+ IndividualCalls: 'no'
+ LogDenied: 'off'
+ AutomaticHelpers: 'system'
+ FirewallBackend: 'nftables'
+ FlushAllOnReload: 'yes'
+ RFC3964_IPv4: 'yes'
 ipset:
 manage: True
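Review bot: The guard `{%- if firewalld.get('FlushAllOnReload', False) %}` tests the pillar value for truthiness rather than presence, so a pillar that sets `FlushAllOnReload: no` unquoted (a YAML 1.1 boolean, which is how PyYAML reads it) skips the whole block and the option is silently left at firewalld's built-in yes — the one value the added comment tells users to set is the one that only works when quoted as `'no'`, as pillar.example happens to do; the `RFC3964_IPv4` guard further down has the same shape. An unquoted `yes` arrives as boolean true and renders `FlushAllOnReload=True`, which is not one of the yes/no spellings the comment documents, and I cannot tell from here whether firewalld accepts it. Inside the block the key is known to exist and truthy, so the `|default('yes')` never fires; testing presence and normalising the value, `{%- if 'FlushAllOnReload' in firewalld %}` and `FlushAllOnReload={{ 'no' if firewalld.FlushAllOnReload in [False, 'no'] else 'yes' }}`, keeps both spellings working (same for RFC3964_IPv4), and a one-line comment in pillar.example saying these values must be quoted strings would be the cheaper alternative. Unrelated to this change, the context in the hunk header still reads `default('sytem')` for AutomaticHelpers while pillar.example spells it `'system'`.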