d3928d1be0
See https://github.com/saltstack-formulas/firewalld-formula/pull/21#pullrequestreview-146958098
84 lines
2.3 KiB
Plaintext
84 lines
2.3 KiB
Plaintext
# == State: firewalld.ipsets
|
|
#
|
|
# This state ensures that /etc/firewalld/ipsets/ exists.
|
|
#
|
|
{% from "firewalld/map.jinja" import firewalld with context %}
|
|
|
|
# Backward compatibility setting and deprecation notices
|
|
{% set ipset_manage = false %}
|
|
{% set ipset_pkg = 'ipset' %}
|
|
{% set ipset_sets = firewalld.ipsets %}
|
|
|
|
{% if firewalld.ipset is mapping %}
|
|
{% set ipset_manage = firewalld.ipset.manage %}
|
|
{% set ipset_pkg = firewalld.ipset.pkg %}
|
|
{% else %}
|
|
### Manage setting (old firewalld:ipset)
|
|
firewalld-ipset-deprecated:
|
|
test.show_notification:
|
|
- text: |
|
|
'firewalld:ipset' format has changed and setting it as boolean is deprecated.
|
|
Set 'firewalld:ipset:manage' instead.
|
|
See firewalld/pillar.example for more information
|
|
|
|
{% set ipset_manage = firewalld.ipset %}
|
|
{% endif %}
|
|
|
|
### Package setting (old firewalld:ipsetpackage)
|
|
{% if firewalld.ipsetpackage is defined %}
|
|
firewalld-ipsetpackage-deprecated:
|
|
test.show_notification:
|
|
- text: |
|
|
'firewalld:ipsetpackage' is deprecated. Use 'firewalld:ipset:pkg' instead
|
|
See firewalld/pillar.example for more information
|
|
|
|
{% set ipset_pkg = firewalld.ipsetpackage %}
|
|
{% endif %}
|
|
|
|
{%- if ipset_manage %}
|
|
package_ipset:
|
|
pkg.installed:
|
|
- name: {{ ipset_pkg }}
|
|
|
|
directory_firewalld_ipsets:
|
|
file.directory: # make sure this is a directory
|
|
- name: /etc/firewalld/ipsets
|
|
- user: root
|
|
- group: root
|
|
- mode: 750
|
|
- require:
|
|
- pkg: package_firewalld # make sure package is installed
|
|
- require_in:
|
|
- service: service_firewalld
|
|
- watch_in:
|
|
- cmd: reload_firewalld # reload firewalld config
|
|
|
|
# == Define: firewalld.ipsets
|
|
#
|
|
# This defines a ipset configuration, see firewalld.ipset (5) man page.
|
|
#
|
|
{% for k, v in ipset_sets.items() %}
|
|
{% set z_name = v.name|default(k) %}
|
|
|
|
/etc/firewalld/ipsets/{{ z_name }}.xml:
|
|
file.managed:
|
|
- name: /etc/firewalld/ipsets/{{ z_name }}.xml
|
|
- user: root
|
|
- group: root
|
|
- mode: 644
|
|
- source: salt://firewalld/files/ipset.xml
|
|
- template: jinja
|
|
- require:
|
|
- pkg: package_firewalld # make sure package is installed
|
|
- file: directory_firewalld_ipsets
|
|
- require_in:
|
|
- service: service_firewalld
|
|
- watch_in:
|
|
- cmd: reload_firewalld # reload firewalld config
|
|
- context:
|
|
name: {{ z_name }}
|
|
ipset: {{ v }}
|
|
|
|
{% endfor %}
|
|
{%- endif %}
|