From d542d63c40227cca12c2f953149cf5461be4d71e Mon Sep 17 00:00:00 2001
From: kartnico <kartnico@kartzone.info>
Date: Sun, 12 Mar 2023 14:27:34 +0100
Subject: [PATCH] feat(policies): add policies management

---
 firewalld/files/policy.xml | 179 +++++++++++++++++++++++++++++++++++++
 firewalld/init.sls         |   1 +
 firewalld/policies.sls     |  46 ++++++++++
 pillar.example             |  30 +++++++
 4 files changed, 256 insertions(+)
 create mode 100644 firewalld/files/policy.xml
 create mode 100644 firewalld/policies.sls

diff --git a/firewalld/files/policy.xml b/firewalld/files/policy.xml
new file mode 100644
index 0000000..0ae4bab
--- /dev/null
+++ b/firewalld/files/policy.xml
@@ -0,0 +1,179 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  This file is managed/generated by salt.
+  Do not edit this file manually, it will be overwritten!
+  Modify the salt pillar for firewalld instead
+-->
+{%- macro rich_rule(rule) %}
+  <rule{% if 'family' in rule %} family="{{ rule.family }}"{% endif %}{% if 'priority' in rule %} priority="{{ rule.priority }}"{% endif %}>
+  {%- if 'ipset' in rule %}
+    <source ipset="{{ rule.ipset.name }}" />
+  {%- endif %}
+  {%- if 'source' in rule %}
+    <source address="{{ rule.source.address }}" {%- if 'invert' in rule.source %} invert="{{ rule.source.invert }}"{%- endif %} />
+  {%- endif %}
+  {%- if 'destination' in rule %}
+    <destination address="{{ rule.destination.address }}" {%- if 'invert' in rule.destination %} invert="{{ rule.destination.invert }}"{%- endif %} />
+  {%- endif %}
+  {%- if 'service' in rule %}
+    <service name="{{ rule.service }}" />
+  {%- endif %}
+  {%- if 'port' in rule %}
+    <port port="{{ rule.port.portid }}" protocol="{{ rule.port.protocol }}" />
+  {%- endif %}
+  {%- if 'protocol' in rule %}
+    <protocol value="{{ rule.protocol }}" />
+  {%- endif %}
+  {%- if 'icmp_block' in rule %}
+    <icmp-block name="{{ rule.icmp_block }}" />
+  {%- endif %}
+  {%- if 'icmp_type' in rule %}
+    <icmp-type name="{{ rule.icmp_type }}" />
+  {%- endif %}
+  {%- if 'masquerade' in rule %}
+    {%- if rule.masquerade %}<masquerade/>{%- endif %}
+  {%- endif %}
+  {%- if 'forward_port' in rule %}
+    {%- if 'comment' in rule.forward_port %}
+      <!-- {{ rule.forward_port.comment }} -->
+    {%- endif %}
+    <forward-port port="{{ rule.forward_port.portid }}" protocol="{{ rule.forward_port.protocol }}"{%- if 'to_port' in rule.forward_port %} to-port="{{ rule.forward_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.forward_port %} to-addr="{{ rule.forward_port.to_addr }}"{%- endif %} />
+  {%- endif %}
+  {%- if 'source_port' in rule %}
+    {%- if 'comment' in rule.source_port %}
+      <!-- {{ rule.source_port.comment }} -->
+    {%- endif %}
+    <source-port port="{{ rule.source_port.portid }}" protocol="{{ rule.source_port.protocol }}"{%- if 'to_port' in rule.source_port %} to-port="{{ rule.source_port.to_port }}"{%- endif %}{%- if 'to_addr' in rule.source_port %} to-addr="{{ rule.source_port.to_addr }}"{%- endif %} />
+  {%- endif %}
+  {%- if 'log' in rule %}
+    <log{%- if 'prefix' in rule.log %} prefix="{{ rule.log.prefix }}"{%- endif %}{%- if 'level' in rule.log %} level="{{ rule.log.level }}"{%- endif %}>
+    {%- if 'limit' in rule.log %}
+      <limit value="{{ rule.log.limit }}"/>
+    {%- endif %}
+    </log>
+  {%- endif %}
+  {%- if 'audit' in rule %}
+    <audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
+  {%- endif %}
+  {%- if 'accept' in rule %}
+    <accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
+  {%- endif %}
+  {%- if 'reject' in rule %}
+    <reject{%- if rule.reject is mapping and 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />
+  {%- endif %}
+  {%- if 'drop' in rule %}
+    <drop/>
+  {%- endif %}
+  </rule>
+{%- endmacro %}
+<policy{%- if 'target' in policy %} target="{{ policy.target }}"{%- endif %}{%- if 'priority' in policy %} priority="{{ policy.priority }}"{%- endif %}>
+  {% if 'short' in policy %}<short>{{ policy.short }}</short>{% else %}<short>{{ name }}</short>{% endif %}
+  {% if 'description' in policy %}<description>{{ policy.description }}</description>{% endif %}
+  {% if 'ingress_zone' in policy %}<ingress-zone name="{{ policy.ingress_zone }}" />{% endif %}
+  {% if 'egress_zone' in policy %}<egress-zone name="{{ policy.egress_zone }}" />{% endif %}
+  
+{%- if 'sources' in policy %}
+  {%- for v in policy.sources %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+  <source address="{{ v.source }}" />
+    {%- else %}
+  <source address="{{ v }}" />
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+{%- if 'ipsets' in policy %}
+  {%- for v in policy.ipsets %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+  <source ipset="{{ v.ipset }}" />
+    {%- else %}
+  <source ipset="{{ v }}" />
+    {%- endif %}
+  {%- endfor %}
+{%- endif %}
+{%- for k,val in policy.items() %}
+  {%- if k.endswith("services") %}
+    {%- for v in val %}
+  <service name="{{ v }}" />
+    {%- endfor %}
+  {%- endif %}
+{%- endfor %}
+{%- if 'ports' in policy %}
+  {%- for v in policy.ports %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+    {%- endif %}
+  <port port="{{ v.port }}" protocol="{{ v.protocol }}" />
+  {%- endfor %}
+{%- endif %}
+{%- if 'protocols' in policy %}
+  {%- for v in policy.protocols %}
+  <protocol value="{{ v }}" />
+  {%- endfor %}
+{%- endif %}
+{%- if 'icmp_blocks' in policy %}
+  {%- for v in policy.icmp_blocks %}
+  <icmp-block name="{{ v }}" />
+  {%- endfor %}
+{%- endif %}
+{%- if 'icmp_block_inversion' in policy and policy.icmp_block_inversion %}
+  <icmp-block-inversion />
+{%- endif %}
+{%- if 'masquerade' in policy %}
+  {%- if policy.masquerade %}
+  <masquerade/>
+  {%- endif %}
+{%- endif %}
+{%- if 'forward_ports' in policy %}
+  {%- for v in policy.forward_ports %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+    {%- endif %}
+  <forward-port port="{{ v.portid }}" protocol="{{ v.protocol }}"{%- if 'to_port' in v %} to-port="{{ v.to_port }}"{%- endif %}{%- if 'to_addr' in v %} to-addr="{{ v.to_addr }}"{%- endif %} />
+  {%- endfor %}
+{%- endif %}
+{%- if 'source_ports' in policy %}
+  {%- for v in policy.source_ports %}
+    {%- if 'comment' in v %}
+  <!-- {{ v.comment }} -->
+    {%- endif %}
+  <source-port port="{{ v.port }}" protocol="{{ v.protocol }}" />
+  {%- endfor %}
+{%- endif %}
+{%- if 'rich_rules' in policy %}
+  {%- if policy.rich_rules is list %}
+    {%- set rich_rules = policy.rich_rules %}
+  {%- else %}
+    {%- set expanded_ipset_rules = [] %}
+    {%- for name,rule in policy.rich_rules|dictsort %}
+      {%- if 'ipsets' in rule %}
+        {%- for ipset in rule.ipsets %}
+          {%- set tmp_rule = {} %}
+          {%- set _dummy = tmp_rule.update(rule) %}
+          {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
+          {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
+        {%- endfor %}
+      {%- else %}
+        {%- set _dummy = expanded_ipset_rules.append(rule) %}
+      {%- endif %}
+    {%- endfor %}
+    {%- set rich_rules = [] %}
+    {%- for rule in expanded_ipset_rules %}
+      {%- if 'services' in rule %}
+        {%- for service in rule.services %}
+          {%- set tmp_rule = {} %}
+          {%- set _dummy = tmp_rule.update(rule) %}
+          {%- set _dummy = tmp_rule.update({'service':service}) %}
+          {%- set _dummy = rich_rules.append(tmp_rule) %}
+        {%- endfor %}
+      {%- else %}
+        {%- set _dummy = rich_rules.append(rule) %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+  {%- for rule in rich_rules %}
+{{- rich_rule(rule) }}
+  {%- endfor %}
+{%- endif %}
+</policy>
diff --git a/firewalld/init.sls b/firewalld/init.sls
index 8e4aec8..c1bec7c 100644
--- a/firewalld/init.sls
+++ b/firewalld/init.sls
@@ -24,6 +24,7 @@ include:
   - firewalld.backend
   - firewalld.services
   - firewalld.zones
+  - firewalld.policies
   - firewalld.direct
 
 # iptables service that comes with rhel/centos
diff --git a/firewalld/policies.sls b/firewalld/policies.sls
new file mode 100644
index 0000000..b03ed5b
--- /dev/null
+++ b/firewalld/policies.sls
@@ -0,0 +1,46 @@
+# == State: firewalld.policies
+#
+# This state ensures that /etc/firewalld/policies/ exists.
+#
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+directory_firewalld_policies:
+  file.directory:            # make sure this is a directory
+    - name: /etc/firewalld/policies
+    - user: root
+    - group: root
+    - mode: 750
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+    - require_in:
+      - service: service_firewalld
+    - watch_in:
+      - cmd: reload_firewalld # reload firewalld config
+
+# == Define: firewalld.policies
+#
+# This defines a policy configuration, see firewalld.policy (5) man page.
+#
+{% for k, v in salt['pillar.get']('firewalld:policies', {}).items() %}
+{% set z_name = v.name|default(k) %}
+
+/etc/firewalld/policies/{{ z_name }}.xml:
+  file.managed:
+    - name: /etc/firewalld/policies/{{ z_name }}.xml
+    - user: root
+    - group: root
+    - mode: 644
+    - source: salt://firewalld/files/policy.xml
+    - template: jinja
+    - require:
+      - pkg: package_firewalld # make sure package is installed
+      - file: directory_firewalld_policies
+    - require_in:
+      - service: service_firewalld
+    - watch_in:
+      - cmd: reload_firewalld # reload firewalld config
+    - context:
+        name: {{ z_name }}
+        policy: {{ v|json }}
+
+{% endfor %}
diff --git a/pillar.example b/pillar.example
index 87d4690..2ee0aab 100644
--- a/pillar.example
+++ b/pillar.example
@@ -182,6 +182,36 @@ firewalld:
           services:
             - ssh
 
+  policies:
+    myOutputPolicy:
+      short: myOutputPolicy
+      target: DROP
+      ingress-zones: ANY
+      egress-zones: HOST
+      description: >-
+        This example, creates a policy that applies to traffic originating from the host
+        running firewalld and is destined to any zone. Or said differently traffic
+        in the OUTPUT chain.
+      services:
+        - http
+        - https
+        - ssh
+      rich_rules:
+        - family: ipv4
+          destination:
+            address: 8.8.8.8
+          port:
+            portid: 53
+            protocol: udp
+          accept: true
+      ports:
+        - comment: salt-master
+          port: 4505
+          protocol: tcp
+        - comment: salt-master
+          port: 4506
+          protocol: tcp
+
   direct:
     chain:
       MYCHAIN: