saltstack-formulas/firewalld-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #7 from hoonetorg/directrules

Browse Source 
implement direct rules
This commit is contained in:
Niels Abspoel 2016-09-13 23:35:31 +02:00 committed by GitHub
commit b78b3a3a2b
4 changed files with 65 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
firewalld/direct.sls Normal file
View File

@ -0,0 +1,28 @@
# == State: firewalld.direct
{% from "firewalld/map.jinja" import firewalld with context %}
# == Define: firewalld.direct
#
# This defines a configuration for permanent direct chains,
# rules and passtthroughs, see firewalld.direct (5) man page.
{%- if firewalld.get('direct', False) %}
/etc/firewalld/direct.xml:
file:
- managed
- name: /etc/firewalld/direct.xml
- user: root
- group: root
- mode: "0644"
- source: salt://firewalld/files/direct.xml
- template: jinja
- require:
- pkg: package_firewalld # make sure package is installed
- file: directory_firewalld
- listen_in:
- module: service_firewalld # restart service
- context:
direct: {{ firewalld.direct|json }}
{%- endif %}

18
firewalld/files/direct.xml Normal file
View File

@ -0,0 +1,18 @@
<?xml version="1.0" encoding="utf-8"?>
<direct>
{%- if 'chain' in direct %}
{%- for k, v in direct.chain.items() %}
<chain ipv="{{v.ipv}}" table="{{v.table}}" chain="{{k}}"/>
{%- endfor %}
{%- endif %}
{%- if 'rule' in direct %}
{%- for k, v in direct.rule.items() %}
<rule priority="{{v.priority}}" table="{{v.table}}" ipv="{{v.ipv}}" chain="{{v.chain}}">{{v.args}}</rule>
{%- endfor %}
{%- endif %}
{%- if 'passthrough' in direct %}
{%- for k, v in direct.passthrough.items() %}
<passthrough ipv="{{v.ipv}}">{{v.args}}</passthrough>
{%- endfor %}
{%- endif %}
</direct>

1
firewalld/init.sls
View File

@ -11,6 +11,7 @@ include:
- firewalld.ipsets - firewalld.ipsets
- firewalld.services - firewalld.services
- firewalld.zones - firewalld.zones
- firewalld.direct
# iptables service that comes with rhel/centos # iptables service that comes with rhel/centos
iptables: iptables:

18
pillar.example.sls
View File

@ -89,3 +89,21 @@ firewalld:
- comment: vsftpd - comment: vsftpd
port: 21 port: 21
protocol: tcp protocol: tcp
direct:
chain:
MYCHAIN:
ipv: ipv4
table: raw
rule:
INTERNETACCESS:
ipv: ipv4
table: filter
chain: FORWARD
priority: "0"
args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
passthrough:
MYPASSTHROUGH:
ipv: ipv4
args: "-t raw -A MYCHAIN -j DROP"