diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml
index dabe00a..39bdfd7 100644
--- a/firewalld/files/zone.xml
+++ b/firewalld/files/zone.xml
@@ -83,8 +83,7 @@
 {%- endfor %}
 {%- endif %}
-{%- if 'rich_rules' in zone %}
- {%- for rule in zone.rich_rules %}
+{%- macro rich_rule(rule) -%}
 {%- if 'family' in rule %}
 {%- else %}
@@ -149,6 +148,42 @@
 {%- endif %}
+{%- endmacro %}
+
+{%- if 'rich_rules' in zone %}
+ {%- if zone.rich_rules is list %}
+ {%- set rich_rules = zone.rich_rules %}
+ {%- else %}
+ {%- set expanded_ipset_rules = [] %}
+ {%- for name,rule in zone.rich_rules|dictsort %}
+ {%- if 'ipsets' in rule %}
+ {%- for ipset in rule.ipsets %}
+ {%- set tmp_rule = {} %}
+ {%- set _dummy = tmp_rule.update(rule) %}
+ {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
+ {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
+ {%- endfor %}
+ {%- else %}
+ {%- set _dummy = expanded_ipset_rules.append(rule) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- set rich_rules = [] %}
+ {%- for rule in expanded_ipset_rules %}
+ {%- if 'services' in rule %}
+ {%- for service in rule.services %}
+ {%- set tmp_rule = {} %}
+ {%- set _dummy = tmp_rule.update(rule) %}
+ {%- set _dummy = tmp_rule.update({'service':service}) %}
+ {%- set _dummy = rich_rules.append(tmp_rule) %}
+ {%- endfor %}
+ {%- else %}
+ {%- set _dummy = rich_rules.append(rule) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+ {%- for rule in rich_rules %}
+{{ rich_rule(rule) }}
 {%- endfor %}
 {%- endif %}
+
diff --git a/pillar.example b/pillar.example
index bdb1854..3f64319 100644
--- a/pillar.example
+++ b/pillar.example
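Review bot: `{%- if zone.rich_rules is list %}` in the second hunk depends on a `list` test that is not among Jinja2's built-in tests, so it renders only where the engine registers one (Salt presumably does, unverified here) and aborts the render elsewhere; the built-in `mapping` test makes the branch portable, `{%- if zone.rich_rules is mapping %}` with the two branches swapped. The dict form also needs a comment, because a rule carrying both `ipsets` and `services` goes through both expansion passes and yields one rich rule per (ipset, service) pair, and the `tmp_rule.update(...)` calls overwrite any `ipset` or `service` key already present on the rule; e.g. `{#- dict form: each ipsets entry, then each services entry, becomes its own rule (cartesian product); they override a plain ipset/service key -#}` above the `expanded_ipset_rules` loop. The `name` variable from `dictsort` is used only to fix the order in which rules are emitted, which belongs in the same comment. The matching comment added to pillar.example states the precedence but not the per-pair expansion. The macro body between the two hunks is outside view.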
@@ -151,6 +151,21 @@ firewalld:
 port: 4444
 protocol: tcp
+ rich_public:
+ short: rich_public
+ description: "Example"
+ # Rich rules can be specified as a dictionary. All keys from standard rich rules
+ # can be used. Special keys "ipsets" and "services", if defined, take precedence.
+ # They will be auto-expanded into separate rich rules per value in the list.
+ rich_rules:
+ ssh-csg:
+ accept: true
+ ipsets:
+ - fail2ban-ssh
+ - other-ipset
+ services:
+ - ssh
+
 direct:
 chain: MYCHAIN: