Refactor ipset format, add backward compatibility

See https://github.com/saltstack-formulas/firewalld-formula/pull/21#pullrequestreview-146958098
2018-08-25 18:27:37 -03:00 · 2018-08-25 18:27:37 -03:00 · d3928d1be0
commit d3928d1be0
parent 7bc3a9cdd4
3 changed files with 51 additions and 9 deletions
--- a/firewalld/defaults.yaml
+++ b/firewalld/defaults.yaml
@ -1,8 +1,17 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 firewalld:
+  enabled: true
  package: firewalld
-  ipsetpackage: ipset
-  backendpackage: nftables
  service: firewalld
  config: /etc/firewalld.conf
+
+  ipset:
+    manage: true
+    pkg: ipset
+
+  backend:
+    manage: true
+    pkg: nftables
+
+  ipsets: {}
--- a/firewalld/ipsets.sls
+++ b/firewalld/ipsets.sls
@ -4,10 +4,41 @@
 #
 {% from "firewalld/map.jinja" import firewalld with context %}

-{%- if salt['pillar.get']('firewalld:ipset') %}
+# Backward compatibility setting and deprecation notices
+{% set ipset_manage = false %}
+{% set ipset_pkg = 'ipset' %}
+{% set ipset_sets = firewalld.ipsets %}
+
+{% if firewalld.ipset is mapping %}
+  {% set ipset_manage = firewalld.ipset.manage %}
+  {% set ipset_pkg = firewalld.ipset.pkg %}
+{% else %}
+### Manage setting (old firewalld:ipset)
+firewalld-ipset-deprecated:
+  test.show_notification:
+    - text: |
+        'firewalld:ipset' format has changed and setting it as boolean is deprecated.
+        Set 'firewalld:ipset:manage' instead.
+        See firewalld/pillar.example for more information
+
+  {% set ipset_manage = firewalld.ipset %}
+{% endif %}
+
+### Package setting (old firewalld:ipsetpackage)
+{% if firewalld.ipsetpackage is defined %}
+firewalld-ipsetpackage-deprecated:
+  test.show_notification:
+    - text: |
+        'firewalld:ipsetpackage' is deprecated. Use 'firewalld:ipset:pkg' instead
+        See firewalld/pillar.example for more information
+
+  {% set ipset_pkg = firewalld.ipsetpackage %}
+{% endif %}
+
+{%- if ipset_manage %}
 package_ipset:
  pkg.installed:
-    - name: {{ firewalld.ipsetpackage }}
+    - name: {{ ipset_pkg }}

 directory_firewalld_ipsets:
  file.directory:            # make sure this is a directory
@ -26,8 +57,8 @@ directory_firewalld_ipsets:
 #
 # This defines a ipset configuration, see firewalld.ipset (5) man page.
 #
-{% for k, v in salt['pillar.get']('firewalld:ipsets', {}).items() %}
-{% set z_name = v.name|default(k) %}
+  {% for k, v in ipset_sets.items() %}
+  {% set z_name = v.name|default(k) %}

 /etc/firewalld/ipsets/{{ z_name }}.xml:
  file.managed:
@ -48,5 +79,5 @@ directory_firewalld_ipsets:
        name: {{ z_name }}
        ipset: {{ v }}

-{% endfor %}
+  {% endfor %}
 {%- endif %}
--- a/pillar.example
+++ b/pillar.example
@ -1,7 +1,10 @@
 # FirewallD pillar examples:
 firewalld:
  enabled: True
-  ipset: True
+  ipset:
+    manage: True
+    pkg: ipset
+
  installbackend: False
  default_zone: public

@ -51,7 +54,6 @@ firewalld:
      entries:
        - 10.0.0.1

-
  zones:
    public:
      short: Public