saltstack-formulas/firewalld-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
08ab3568f0
firewalld-formula/firewalld/files/zone.xml
Arnaud Patard a2f4f3b36e feat(zone.xml): allow to rate limit 'accept' in rich rules 
The current rich_rule macro is supporting to set if the connection
should be accepted or rejected or dropped but doesn't support setting
rate limiting in the 'accept' case. Add code for that.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>
2021-01-21 11:50:50 +01:00

187 lines
6.5 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
{%- macro rich_rule(rule) -%}
{%- if 'family' in rule %}
<rule family="{{ rule.family }}">
{%- else %}
<rule>
{%- endif %}
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}" />
{%- endif %}
{%- if 'source' in rule %}
<source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %}invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %}
{%- if 'destination' in rule %}
<destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %}invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %}
{%- if 'service' in rule %}
<service name="{{ rule.service }}" />
{%- endif %}
{%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %}
{%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}" />
{%- endif %}
{%- if 'icmp_block' in rule %}
<icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %}
{%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %}
{%- endif %}
{%- if 'forward_port' in rule %}
{%- if 'comment' in rule.forward_port %}
<!-- {{ rule.forward_port.comment }} -->
{%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %}
<limit value="{{ rule.log.limit }}"/>
{%- endif %}
</log>
{%- endif %}
{%- if 'audit' in rule %}
<audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
{%- endif %}
{%- if 'accept' in rule %}
<accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
{%- endif %}
{%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %}
{%- if 'drop' in rule %}
<drop/>
{%- endif %}
</rule>
{%- endmacro %}
<zone{%- if 'target' in zone %} target="{{ zone.target }}"{%- endif %}>
{% if 'short' in zone %}<short>{{ zone.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
{% if 'description' in zone %}<description>{{ zone.description }}</description>{% endif %}
{%- if 'interfaces' in zone %}
{%- for v in zone.interfaces %}
<interface name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'sources' in zone %}
{%- for v in zone.sources %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source address="{{ v.source }}" />
{%- else %}
<source address="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{%- if 'ipsets' in zone %}
{%- for v in zone.ipsets %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source ipset="{{ v.ipset }}" />
{%- else %}
<source ipset="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for k,val in zone.items() %}
{%- if k.endswith("services") %}
{%- for v in val %}
<service name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- if 'ports' in zone %}
{%- for v in zone.ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'protocols' in zone %}
{%- for v in zone.protocols %}
<protocol value="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_blocks' in zone %}
{%- for v in zone.icmp_blocks %}
<icmp-block name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_block_inversion' in zone and zone.icmp_block_inversion %}
<icmp-block-inversion />
{%- endif %}
{%- if 'masquerade' in zone %}
{%- if zone.masquerade %}
<masquerade/>
{%- endif %}
{%- endif %}
{%- if 'forward_ports' in zone %}
{%- for v in zone.forward_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %}
{%- endif %}
{%- if 'source_ports' in zone %}
{%- for v in zone.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'rich_rules' in zone %}
{%- if zone.rich_rules is list %}
{%- set rich_rules = zone.rich_rules %}
{%- else %}
{%- set expanded_ipset_rules = [] %}
{%- for name,rule in zone.rich_rules|dictsort %}
{%- if 'ipsets' in rule %}
{%- for ipset in rule.ipsets %}
{%- set tmp_rule = {} %}
{%- set _dummy = tmp_rule.update(rule) %}
{%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
{%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
{%- endfor %}
{%- else %}
{%- set _dummy = expanded_ipset_rules.append(rule) %}
{%- endif %}
{%- endfor %}
{%- set rich_rules = [] %}
{%- for rule in expanded_ipset_rules %}
{%- if 'services' in rule %}
{%- for service in rule.services %}
{%- set tmp_rule = {} %}
{%- set _dummy = tmp_rule.update(rule) %}
{%- set _dummy = tmp_rule.update({'service':service}) %}
{%- set _dummy = rich_rules.append(tmp_rule) %}
{%- endfor %}
{%- else %}
{%- set _dummy = rich_rules.append(rule) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for rule in rich_rules %}
{{- rich_rule(rule) }}
{%- endfor %}
{%- endif %}
</zone>
Reference in New Issue View Git Blame Copy Permalink