Skip to content

Commit

Permalink
Draft: Add support for policy objects
Browse files Browse the repository at this point in the history
  • Loading branch information
qha committed Apr 12, 2022
1 parent 661fa4c commit ef27e24
Show file tree
Hide file tree
Showing 15 changed files with 988 additions and 31 deletions.
81 changes: 77 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
This module manages firewalld, the userland interface that replaces
iptables and ships with RHEL7+. The module manages firewalld itself as
well as providing types and providers for managing firewalld zones,
ports, and rich rules.
policies, ports, and rich rules.

## Compatibility

Expand Down Expand Up @@ -48,6 +48,7 @@ class { 'firewalld': }
* `log_denied`: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one
of `off`, `all`, `multicast`, `unicast`, `broadcast` (default: undef)
* `zones`: A hash of [firewalld zones](#firewalld-zones) to configure
* `policies`: A hash of [firewalld policies](#firewalld-policies) to configure
* `ports`: A hash of [firewalld ports](#firewalld-ports) to configure
* `services`: A hash of [firewalld services](#firewalld-service) to configure
* `rich_rules`: A hash of [firewalld rich rules](#firewalld-rich-rules) to configure
Expand Down Expand Up @@ -78,6 +79,7 @@ changes.
This module supports a number of resource types

* [firewalld_zone](#firewalld-zones)
* [firewalld_policy](#firewalld-policies)
* [firewalld_port](#firewalld-ports)
* [firewalld_service](#firewalld-service)
* [firewalld_ipset](#firewalld-ipsets)
Expand Down Expand Up @@ -146,14 +148,71 @@ firewalld::zones:
includes the default ssh port. If you fail to specify the
appropriate port, rich rule, or service, you will lock yourself out.

### Firewalld policies

Firewalld policies can be managed with the `firewalld_policy` resource type.

_Example in Class_:

```puppet
firewalld_policy { 'anytorestricted':
ensure => present,
target => '%%REJECT%%',
ingress_zones => ['ANY'],
egress_zones => ['restricted'],
purge_rich_rules => true,
purge_services => true,
purge_ports => true,
}
```

_Example in Hiera_:

```yaml
firewalld::policies:
anytorestricted:
ensure: present
target: '%%REJECT%%'
ingress_zones:
- 'ANY'
egress_zones:
- 'restricted'
purge_rich_rules: true
purge_services: true
purge_ports: true
```

#### Parameters (Firewalld policies)

* `target`: Specify the target of the policy.
* `ingress_zones`: An array of ingress zones for this policy.
* `egress_zones`: An array of egress zones for this policy.
* `priority`: A non zero integer specifying the priority of this
policy, policies with negative priorities apply before rules in
zones, policies with positive priorities, after. Defaults to -1.
* `icmp_blocks`: An array of ICMP blocks for the policy
* `masquerade`: If set to `true` or `false` specifies whether or not
to add masquerading to the policy
* `purge_rich_rules`: Optional, and defaulted to false. When true any
configured rich rules found in the policy that do not match what is in
the Puppet catalog will be purged.
* `purge_services`: Optional, and defaulted to false. When true any
configured services found in the policy that do not match what is in
the Puppet catalog will be purged.
* `purge_ports`: Optional, and defaulted to false. When true any
configured ports found in the policy that do not match what is in the
Puppet catalog will be purged.

### Firewalld Rich Rules

Firewalld rich rules are managed using the `firewalld_rich_rule`
resource type

Exactly one of the `zone` or `policy` parameters must be given

firewalld_rich_rules will `autorequire` the firewalld_zone specified
in the `zone` parameter so there is no need to add dependencies for
this
in the `zone` parameter or the firewalld_policy specified in the
`policy` parameter so there is no need to add dependencies for this

_Example in Class_:

Expand Down Expand Up @@ -181,7 +240,9 @@ firewalld::rich_rules:

#### Parameters (Firewalld Rich Rules)

* `zone`: Name of the zone this rich rule belongs to
* `zone`: (Optional) Name of the zone this rich rule belongs to

* `policy`: (Optional) Name of the policy this rich rule belongs to

* `family`: Protocol family, defaults to `ipv4`

Expand Down Expand Up @@ -403,6 +464,8 @@ will produce:
The `firewalld_service` type is used to add or remove both built in
and custom services from zones.

Exactly one of the `zone` or `policy` parameters must be given.

firewalld_service will `autorequire` the firewalld_zone specified in
the `zone` parameter and the firewalld::custom_service specified in
the `service` parameter, so there is no need to add dependencies for
Expand Down Expand Up @@ -445,6 +508,10 @@ firewalld::services:
defaults to parameter `default_service_zone` of class `firewalld` if
specified.

* `policy`: Name of the policy in which you want to manage the
service. Make sure to set `zone` to `unset` if you use this and have
specified `default_service_zone` for class `firewalld`.

* `ensure`: Whether to add (`present`) or remove the service
(`absent`), defaults to `present`.

Expand Down Expand Up @@ -488,6 +555,8 @@ options of an ipset you must delete the existing ipset first.
Firewalld ports can be managed with the `firewalld_port` resource
type.

Exactly one of the `zone` or `policy` parameters must be given.

firewalld_port will `autorequire` the firewalld_zone specified in the
`zone` parameter so there is no need to add dependencies for this

Expand Down Expand Up @@ -518,6 +587,10 @@ firewalld::ports:
* `zone`: Name of the zone this port belongs to, defaults to parameter
`default_port_zone` of class `firewalld` if specified.

* `policy`: Name of the policy this port belongs to. Make sure to set
`zone` to `unset` if you use this and have specified
`default_port_zone` for class `firewalld`.

* `port`: The port to manage, defaults to the resource name.

* `protocol`: The protocol this port uses, e.g. `tcp` or `udp`,
Expand Down
11 changes: 8 additions & 3 deletions lib/puppet/provider/firewalld.rb
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ def check_running_state

def self.check_running_state
debug("Executing --state command - current value #{@state}")
ret = execute_firewall_cmd(['--state'], nil, false, false, false)
ret = execute_firewall_cmd(['--state'], nil, nil, false, false, false)
ret.exitstatus.zero?
rescue Puppet::MissingCommand
# This exception is caught in case the module is being run before
Expand All @@ -43,7 +43,7 @@ def self.check_running_state
end

# v3.0.0
def self.execute_firewall_cmd(args, zone = nil, perm = true, failonfail = true, check_online = true)
def self.execute_firewall_cmd(args, zone = nil, policy = nil, perm = true, failonfail = true, check_online = true)
if check_online && !online?
shell_cmd = 'firewall-offline-cmd'
perm = false
Expand All @@ -53,6 +53,7 @@ def self.execute_firewall_cmd(args, zone = nil, perm = true, failonfail = true,
cmd_args = []
cmd_args << '--permanent' if perm
cmd_args << ['--zone', zone] unless zone.nil?
cmd_args << ['--policy', policy] unless policy.nil?

# Add the arguments to our command string, removing any quotes, the command
# provider will sort the quotes out.
Expand All @@ -74,7 +75,11 @@ def self.execute_firewall_cmd(args, zone = nil, perm = true, failonfail = true,
end

def execute_firewall_cmd(args, zone = @resource[:zone], perm = true, failonfail = true)
self.class.execute_firewall_cmd(args, zone, perm, failonfail)
self.class.execute_firewall_cmd(args, zone, nil, perm, failonfail)
end

def execute_firewall_cmd_policy(args, policy = @resource[:policy], perm = true, failonfail = true)
self.class.execute_firewall_cmd(args, nil, policy, perm, failonfail)
end

# Arguments should be parsed as separate array entities, but quoted arg
Expand Down
Loading

0 comments on commit ef27e24

Please sign in to comment.