When specifying rich rules as a dictionary, ipsets and services can be specified as lists. They will be expanded by the jinja template into individual rich rules for the parent zone.
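<?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
{# firewalld zone definition rendered from the `zone` pillar dict (and `name`
   as the fallback short name). The free-text fields short and description
   are XML-escaped so that an `&`, `<` or quote in pillar text cannot produce
   a malformed zone file; every other value is interpolated verbatim and is
   expected to be a plain identifier, address, port or protocol. Pillar
   comment text is emitted inside XML comments, so it must not contain `--`. -#}
<zone{%- if 'target' in zone %} target="{{ zone.target }}"{%- endif %}>
{% if 'short' in zone %}<short>{{ zone.short | e }}</short>{% else %}<short>{{ name | e }}</short>{% endif %}
{% if 'description' in zone %}<description>{{ zone.description | e }}</description>{% endif %}

{#- interfaces: plain list of interface names #}
{%- if 'interfaces' in zone %}
{%- for v in zone.interfaces %}
<interface name="{{ v }}" />
{%- endfor %}
{%- endif %}
{#- sources: each entry is either a bare address string or a dict with
    `source` and an optional `comment` #}
{%- if 'sources' in zone %}
{%- for v in zone.sources %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source address="{{ v.source }}" />
{%- else %}
<source address="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{#- ipsets: each entry is either a bare ipset name or a dict with `ipset`
    and an optional `comment` #}
{%- if 'ipsets' in zone %}
{%- for v in zone.ipsets %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
<source ipset="{{ v.ipset }}" />
{%- else %}
<source ipset="{{ v }}" />
{%- endif %}
{%- endfor %}
{%- endif %}
{#- every zone key whose name ends in "services" (e.g. `services`,
    `web_services`) contributes its list of service names #}
{%- for k,val in zone.items() %}
{%- if k.endswith("services") %}
{%- for v in val %}
<service name="{{ v }}" />
{%- endfor %}
{%- endif %}
{%- endfor %}
{#- ports: list of dicts with `port`, `protocol` and an optional `comment` #}
{%- if 'ports' in zone %}
{%- for v in zone.ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}
{#- protocols: plain list of protocol names #}
{%- if 'protocols' in zone %}
{%- for v in zone.protocols %}
<protocol value="{{ v }}" />
{%- endfor %}
{%- endif %}
{#- icmp_blocks: plain list of ICMP type names #}
{%- if 'icmp_blocks' in zone %}
{%- for v in zone.icmp_blocks %}
<icmp-block name="{{ v }}" />
{%- endfor %}
{%- endif %}
{#- icmp_block_inversion / masquerade: boolean flags, emitted only when truthy #}
{%- if 'icmp_block_inversion' in zone and zone.icmp_block_inversion %}
<icmp-block-inversion />
{%- endif %}
{%- if 'masquerade' in zone %}
{%- if zone.masquerade %}
<masquerade/>
{%- endif %}
{%- endif %}
{#- forward_ports: list of dicts with `portid`, `protocol`, optional
    `to_port`, `to_addr` and `comment` #}
{%- if 'forward_ports' in zone %}
{%- for v in zone.forward_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
{%- endfor %}
{%- endif %}
{#- source_ports: list of dicts with `port`, `protocol` and an optional `comment` #}
{%- if 'source_ports' in zone %}
{%- for v in zone.source_ports %}
{%- if 'comment' in v %}
<!-- {{ v.comment }} -->
{%- endif %}
<source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
{%- endfor %}
{%- endif %}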
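{%- macro rich_rule(rule) -%}
{#- Render one firewalld <rule> element from a single rich-rule dict.
    Every key is optional; each recognised key adds the corresponding child
    element in the order written below. Only the singular keys (`ipset`,
    `service`, ...) are read here: a caller that accepts list-valued
    `ipsets`/`services` has to expand them into one dict per rule first.
    A dict carrying more than one of accept/reject/drop will emit more than
    one action element. -#}
{%- if 'family' in rule %}
<rule family="{{ rule.family }}">
{%- else %}
<rule>
{%- endif %}
{%- if 'ipset' in rule %}
<source ipset="{{ rule.ipset.name }}" />
{%- endif %}
{#- the space before `invert` lives inside the if-tag so that the optional
    attribute is always separated from `address` #}
{%- if 'source' in rule %}
<source address="{{ rule.source.address }}"{%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
{%- endif %}
{%- if 'destination' in rule %}
<destination address="{{ rule.destination.address }}"{%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
{%- endif %}
{%- if 'service' in rule %}
<service name="{{ rule.service }}" />
{%- endif %}
{#- note: rich-rule ports use `portid`, unlike the zone-level `ports` list
    which uses `port` #}
{%- if 'port' in rule %}
<port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
{%- endif %}
{%- if 'protocol' in rule %}
<protocol value="{{ rule.protocol }}" />
{%- endif %}
{%- if 'icmp_block' in rule %}
<icmp-block name="{{ rule.icmp_block }}" />
{%- endif %}
{%- if 'icmp_type' in rule %}
<icmp-type name="{{ rule.icmp_type }}" />
{%- endif %}
{%- if 'masquerade' in rule %}
{%- if rule.masquerade %}<masquerade/>{%- endif %}
{%- endif %}
{%- if 'forward_port' in rule %}
{%- if 'comment' in rule.forward_port %}
<!-- {{ rule.forward_port.comment }} -->
{%- endif %}
<forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
{%- endif %}
{#- NOTE(review): the optional to-port/to-addr attributes below mirror
    forward-port; confirm against the firewalld rich-language reference that
    source-port accepts them before relying on them in pillar #}
{%- if 'source_port' in rule %}
{%- if 'comment' in rule.source_port %}
<!-- {{ rule.source_port.comment }} -->
{%- endif %}
<source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
{%- endif %}
{#- log: dict with optional `prefix`, `level` and `limit` #}
{%- if 'log' in rule %}
<log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
{%- if 'limit' in rule.log %}
<limit value="{{ rule.log.limit }}"/>
{%- endif %}
</log>
{%- endif %}
{#- audit: dict with optional `limit` #}
{%- if 'audit' in rule %}
<audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
{%- endif %}
{#- action: presence of the key is enough; `reject` may carry a `type` #}
{%- if 'accept' in rule %}
<accept/>
{%- endif %}
{%- if 'reject' in rule %}
<reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
{%- endif %}
{%- if 'drop' in rule %}
<drop/>
{%- endif %}
</rule>
{%- endmacro %}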
{%- if 'rich_rules' in zone %}
{#- rich_rules is accepted in two shapes: a ready-made list of rule dicts,
    used as-is, or a name -> rule mapping that is flattened in sorted name
    order. While flattening, a rule carrying an `ipsets` list becomes one
    rule per ipset (stored as `ipset.name`) and a rule carrying a `services`
    list becomes one rule per service (stored as `service`); the two
    expansions combine, so a rule with both lists yields one rule per
    ipset/service pair. The original dict is copied before each expansion. -#}
{%- if zone.rich_rules is list %}
{%- set rich_rules = zone.rich_rules %}
{%- else %}
{%- set rich_rules = [] %}
{%- for _rule_name, base_rule in zone.rich_rules|dictsort %}
{#- step 1: one variant per ipset, or the base rule itself #}
{%- set by_ipset = [] %}
{%- if 'ipsets' in base_rule %}
{%- for ipset_name in base_rule.ipsets %}
{%- set variant = {} %}
{%- set _ignore = variant.update(base_rule) %}
{%- set _ignore = variant.update({'ipset': {'name': ipset_name}}) %}
{%- set _ignore = by_ipset.append(variant) %}
{%- endfor %}
{%- else %}
{%- set _ignore = by_ipset.append(base_rule) %}
{%- endif %}
{#- step 2: one variant per service for each of the step-1 variants #}
{%- for partial in by_ipset %}
{%- if 'services' in partial %}
{%- for service_name in partial.services %}
{%- set variant = {} %}
{%- set _ignore = variant.update(partial) %}
{%- set _ignore = variant.update({'service': service_name}) %}
{%- set _ignore = rich_rules.append(variant) %}
{%- endfor %}
{%- else %}
{%- set _ignore = rich_rules.append(partial) %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endif %}
{%- for rule in rich_rules %}
{{ rich_rule(rule) }}
{%- endfor %}
{%- endif %}

</zone>