firewalld-formula/firewalld/files/zone.xml
Michal Hrusecky 8d0172f5c7
feat(zone.xml): allow more services definition inside zone
Now multiple pillar keys ending with `services` can be defined for each zone,
and all of them get merged into one block of service entries in the zone file.
The goal is to keep backward compatibility while allowing different services to
be defined in different pillars, so that various parts of the pillar can affect
the firewall without everything having to be defined centrally. This is helpful
for exceptions to the rules.
2020-02-11 15:29:11 +01:00


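<?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
{#-
  Renders one firewalld zone file from the `zone` pillar dict; `name` (the
  zone name) is used as the fallback <short>. Every key is optional and a
  section is emitted only when its key is present.

  Keys read from `zone`:
    target, short, description
    interfaces[]        -> <interface name=.../>
    sources[]           -> <source address=.../>; an item is either a plain
                           string or a dict {source, comment}
    ipsets[]            -> <source ipset=.../>; plain string or {ipset, comment}
    *services[]         -> <service name=.../>; EVERY key whose name ends in
                           "services" (services, web_services, ...) is merged
                           into the one list of service entries, so several
                           pillars can each contribute services to a zone
    ports[]             -> <port port=.. protocol=../>  (keys: port, protocol, comment?)
    protocols[], icmp_blocks[], icmp_block_inversion, masquerade
    forward_ports[]     -> <forward-port .../>        (keys: portid, protocol, to_port?, to_addr?, comment?)
    source_ports[]      -> <source-port .../>         (keys: port, protocol, comment?)
    rich_rules[]        -> <rule>...</rule>, see the rich-rule section below

  Note the inconsistency in key names: `ports` and `source_ports` entries use
  `port`, while `forward_ports` and the rich-rule port/forward_port/source_port
  entries use `portid`.

  Values are interpolated verbatim (no escaping). A value containing `"`, `<`
  or `&`, or a comment containing `--`, yields XML that is not well-formed and
  the zone file should be expected to be rejected. Pillar data is therefore
  trusted input here; validate it before it reaches this template.
#}
<zone{%- if 'target' in zone %} target="{{ zone.target }}"{%- endif %}>
{% if 'short' in zone %}<short>{{ zone.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
{% if 'description' in zone %}<description>{{ zone.description }}</description>{% endif %}
{%- if 'interfaces' in zone %}
{%- for v in zone.interfaces %}
<interface name="{{ v }}" />
{%- endfor %}
{%- endif %}
{#-
  sources/ipsets: the `'comment' in v` test distinguishes the dict form from
  the plain-string form. For a plain string this is a substring test, so a
  source string that happens to contain "comment" would be mis-detected
  as a dict (v.source lookup) -- keep that in mind when naming ipsets.
#}
{%- if 'sources' in zone %}
{%- for v in zone.sources %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source address="{{ v.source }}" />
{%- else %}
<source address="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{%- if 'ipsets' in zone %}
{%- for v in zone.ipsets %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source ipset="{{ v.ipset }}" />
{%- else %}
<source ipset="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{#-
  Services: iterate over all zone keys and merge every list stored under a
  key ending in "services". Order follows the dict iteration order of the
  rendered pillar; each value is expected to be a list of service names.
#}
{%- for k,val in zone.items() %}
{%- if k.endswith("services") %}
{%- for v in val %}
<service name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- if 'ports' in zone %}
{%- for v in zone.ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{%- if 'protocols' in zone %}
{%- for v in zone.protocols %}
<protocol value="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_blocks' in zone %}
{%- for v in zone.icmp_blocks %}
<icmp-block name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- if 'icmp_block_inversion' in zone and zone.icmp_block_inversion %}
<icmp-block-inversion />
{%- endif %}
{%- if 'masquerade' in zone %}
{%- if zone.masquerade %}
<masquerade/>
{%- endif %}
{%- endif %}
{%- if 'forward_ports' in zone %}
{%- for v in zone.forward_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %}
{%- endif %}
{%- if 'source_ports' in zone %}
{%- for v in zone.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{#-
  Rich rules: each entry of rich_rules is a dict; every recognised key adds
  one child element to the <rule>. Keys read: family, ipset{name},
  source{address, invert?}, destination{address, invert?}, service,
  port{portid, protocol}, protocol, icmp_block, icmp_type, masquerade,
  forward_port{portid, protocol, to_port?, to_addr?, comment?},
  source_port{portid, protocol, to_port?, to_addr?, comment?},
  log{prefix?, level?, limit?}, audit{limit?}, accept, reject{type?}, drop.
  accept/reject/drop are detected by key presence only; their values are
  not read. Nothing here checks that exactly one action is given.
#}
{%- if 'rich_rules' in zone %}
{%- for rule in zone.rich_rules %}
{%- if 'family' in rule %}
<rule family="{{ rule.family }}">
{%- else %}
<rule>
{%- endif %}
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}" />
{%- endif %}
{%- if 'source' in rule %}
{#- the space before `invert` must sit inside the if: `{%-` strips the whitespace before it, so a space outside the if was removed and the two attributes ran together #}
<source address="{{ rule.source.address }}"{%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %}
{%- if 'destination' in rule %}
{#- same attribute-separation fix as for <source> above #}
<destination address="{{ rule.destination.address }}"{%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %}
{%- if 'service' in rule %}
<service name="{{ rule.service }}" />
{%- endif %}
{%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %}
{%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}" />
{%- endif %}
{%- if 'icmp_block' in rule %}
<icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %}
{%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %}
{%- endif %}
{%- if 'forward_port' in rule %}
{%- if 'comment' in rule.forward_port %}
<!-- {{ rule.forward_port.comment }} -->
{%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
{#- NOTE(review): to-port/to-addr mirror the forward-port form; confirm they are meaningful on <source-port> before relying on them #}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %}
<limit value="{{ rule.log.limit }}"/>
{%- endif %}
</log>
{%- endif %}
{%- if 'audit' in rule %}
<audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
{%- endif %}
{%- if 'accept' in rule %}
<accept/>
{%- endif %}
{%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %}
{%- if 'drop' in rule %}
<drop/>
{%- endif %}
</rule>
{%- endfor %}
{%- endif %}
</zone>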