feat: allow rich_rules to be specified as a dict

When specifying rich rules as a dictionary ipsets and services can be specified as lists. They will be expanded out by the jinja template into individual rich rules for the parent zone.
2020-03-26 08:36:02 -04:00 · 2020-03-26 08:36:02 -04:00 · cd4cec0089
commit cd4cec0089
parent cf21ccab97
2 changed files with 52 additions and 2 deletions
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@ -83,8 +83,7 @@
  {%- endfor %}
 {%- endif %}

-{%- if 'rich_rules' in zone %}
-  {%- for rule in zone.rich_rules %}
+{%- macro rich_rule(rule) -%}
  {%- if 'family' in rule %}
  <rule family="{{ rule.family }}">
  {%- else %}
@ -149,6 +148,42 @@
    <drop/>
  {%- endif %}    
  </rule>
+{%- endmacro %}
+
+{%- if 'rich_rules' in zone %}
+  {%- if zone.rich_rules is list %}
+    {%- set rich_rules = zone.rich_rules %}
+  {%- else %}
+    {%- set expanded_ipset_rules = [] %}
+    {%- for name,rule in zone.rich_rules|dictsort %}
+      {%- if 'ipsets' in rule %}
+        {%- for ipset in rule.ipsets %}
+          {%- set tmp_rule = {} %}
+          {%- set _dummy = tmp_rule.update(rule) %}
+          {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
+          {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
+        {%- endfor %}
+      {%- else %}
+        {%- set _dummy = expanded_ipset_rules.append(rule) %}
+      {%- endif %}
+    {%- endfor %}
+    {%- set rich_rules = [] %}
+    {%- for rule in expanded_ipset_rules %}
+      {%- if 'services' in rule %}
+        {%- for service in rule.services %}
+          {%- set tmp_rule = {} %}
+          {%- set _dummy = tmp_rule.update(rule) %}
+          {%- set _dummy = tmp_rule.update({'service':service}) %}
+          {%- set _dummy = rich_rules.append(tmp_rule) %}
+        {%- endfor %}
+      {%- else %}
+        {%- set _dummy = rich_rules.append(rule) %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+  {%- for rule in rich_rules %}
+{{ rich_rule(rule) }}
  {%- endfor %}
 {%- endif %}
+
 </zone>
--- a/pillar.example
+++ b/pillar.example
@ -151,6 +151,21 @@ firewalld:
          port: 4444
          protocol: tcp

+    rich_public:
+      short: rich_public
+      description: "Example"
+      # Rich rules can be specified as a dictionary. All keys from standard rich rules
+      # can be used. Special keys "ipsets" and "services", if defined, take precedence.
+      # They will be auto-expanded into separate rich rules per value in the list.
+      rich_rules:
+        ssh-csg:
+          accept: true
+          ipsets:
+            - fail2ban-ssh
+            - other-ipset
+          services:
+            - ssh
+
  direct:
    chain:
      MYCHAIN: