Add forwarding to zones #61

Open
wants to merge 6 commits into base: master

Conversation

kees-closed

@kees-closed kees-closed commented May 8, 2024

PR progress checklist (to be filled in by reviewers)

  • Changes to documentation are appropriate (or tick if not required)
  • Changes to tests are appropriate (or tick if not required)
  • Reviews completed

What type of PR is this?

Primary type

  • [build] Changes related to the build system
  • [chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
  • [ci] Changes to the continuous integration configuration
  • [feat] A new feature
  • [fix] A bug fix
  • [perf] A code change that improves performance
  • [refactor] A code change that neither fixes a bug nor adds a feature
  • [revert] A change used to revert a previous commit
  • [style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)

Secondary type

  • [docs] Documentation changes
  • [test] Adding missing or correcting existing tests

Does this PR introduce a BREAKING CHANGE?

No.

Related issues and/or pull requests

Describe the changes you're proposing

At the moment, there is no support for forwarding in zones. By adding <forward/> to a zone file, forwarding is enabled.

Enabling it with firewall-cmd --zone=home --add-forward

# firewall-cmd --info-zone=home
home (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 10.0.0.0/16
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Pillar / config required to test the proposed changes

Here is the proposed config change:

forward: true

Debug log showing how the proposed changes work

          ID: /etc/firewalld/zones/int-routed.xml
    Function: file.managed
      Result: True
     Comment: File /etc/firewalld/zones/int-routed.xml updated
     Started: 16:45:20.416216
    Duration: 52.923 ms
     Changes:
              ----------
              diff:                                       
                  ---                                                                                                  
                  +++                                                                                                  
                  @@ -19,6 +19,7 @@                    
                     <port port="1024-60999" protocol="tcp" />
                     <!-- Allow well-known and ephemeral ports -->                         
                     <port port="1024-60999" protocol="udp" />                                   
                  +  <forward/>                       
                     <rule family="ipv4">
                       <source ipset="mon" />             
                       <service name="node-exporter" />  
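Review bot: the new `forward` pillar key that emits this `+  <forward/>` line has no README or pillar.example entry yet (both documentation checklist items are still unticked), and the effect deserves a sentence there: `<forward/>` allows the host to forward traffic between the interfaces and sources of this zone (the 172.1.1.0/20 sources shown in the zone output), which is a routing change rather than an input-filtering one, so operators should opt in knowingly. Unrelated to the change but visible in the context lines, the `<!-- Allow well-known and ephemeral ports -->` comment sits between the tcp and udp port entries and the range 1024-60999 contains no well-known ports; consider moving and rewording it in a follow-up.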

And the firewalld output matches as well.

# firewall-cmd --info-zone=int-routed
int-routed (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.1.1.0/20
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Documentation checklist

  • Updated the README (e.g. Available states).
  • Updated pillar.example.

Testing checklist

  • Included in Kitchen (i.e. under state_top).
  • Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
  • Updated the relevant test pillar.

Additional context

@kees-closed (Author)

Can someone have a look at this one? The failed tests seem to be unrelated to my changes and have more to do with an unmaintained test pipeline?
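The PR maps a `forward: true` pillar key to a `<forward/>` element in the zone XML and confirms it with `firewall-cmd --info-zone`. The following is an added example, not code from the PR or the formula: it renders that element from a pillar-style dict and parses `--info-zone` output so the declared and live forwarding state can be compared (drift check). The dict layout, the `render_zone`/`parse_info_zone` names and the sample listing are constructed here, modelled on the zones shown in the PR.

```python
"""Added example: render firewalld zone XML with the optional <forward/>
element and check it against `firewall-cmd --info-zone` output."""
import xml.etree.ElementTree as ET

# Constructed pillar snippet; key names are assumptions modelled on `forward: true`.
PILLAR_ZONES = {
    "int-routed": {"target": "default", "sources": ["172.1.1.0/20"], "forward": True},
    "home": {"target": "ACCEPT", "sources": ["10.0.0.0/16"], "forward": True},
}

# Constructed listing, copied from the PR's `--info-zone=home` output.
INFO_ZONE_HOME = """home (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/16
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
"""


def render_zone(zone):
    """Build a <zone> element; <forward/> is a bare boolean element in firewalld's zone format."""
    root = ET.Element("zone")
    if zone.get("target", "default") != "default":  # firewalld omits the attribute for the default target
        root.set("target", zone["target"])
    for src in zone.get("sources", []):
        ET.SubElement(root, "source", address=src)
    if zone.get("forward"):
        ET.SubElement(root, "forward")
    return ET.tostring(root, encoding="unicode")


def parse_info_zone(text):
    """Turn `firewall-cmd --info-zone` output into a {field: value} dict (header line skipped)."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip()
    return fields


def forwarding_matches(zone, info):
    """Drift check: does the pillar's `forward` flag agree with the live `forward: yes/no`?"""
    return bool(zone.get("forward")) == (info.get("forward") == "yes")
```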
