authorGeorg Pfuetzenreuter2023-01-29 17:27:58 +0100
committerGeorg Pfuetzenreuter2023-01-29 17:27:58 +0100
commit824baf386b006c289fe2c8ab9453504ec9859b8d (patch)
treefdbebcf6800f1d32205a8ba0c04d3804e500fb43 /pillar/global/map.jinja
parentc8aa6c6157d0eb96d2d1077e1e74720ff31c91c3 (diff)
Firewall interface mapping logic
Detect which interfaces belong to which zones, and configure firewalld accordingly. Backend zone is currently only prepared and yet to be tested and enabled. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Diffstat (limited to 'pillar/global/map.jinja')
-rw-r--r--pillar/global/map.jinja71
1 files changed, 71 insertions, 0 deletions
diff --git a/pillar/global/map.jinja b/pillar/global/map.jinja
new file mode 100644
index 0000000..b5d15dc
--- /dev/null
+++ b/pillar/global/map.jinja
@@ -0,0 +1,71 @@
+{%- from slspath ~ '/macros.jinja' import firewall_interfaces -%}
+{%- set firewall_interfaces = firewall_interfaces -%}
+{%- set minion = grains['id'] -%}
+
+{#- START Interface mapping logic -#}
+
+{%- set public = [] -%}
+{%- set internal = [] -%}
+{%- set backend = [] -%}
+
+{%- set internal6s = ('2a01:4f8:11e:2200') -%}
+{%- set backend6s = ('fd29:8e45:f292:ff80') -%}
+{#- to-do: get rid of illegal backend4s -#}
+{%- set backend4s = ('172.168.100') -%}
+{%- set excluded_interfaces = ('lo') -%}
+{%- set interfaces = salt.saltutil.runner('mine.get', tgt=minion, fun='network.interfaces', tgt_type='glob') -%}
+
+{%- if minion in interfaces -%}{%- for interface, ifconfig in interfaces[minion].items() -%}
+{%- if not interface.startswith(excluded_interfaces) -%}
+
+{%- for inetconf in ifconfig['inet'] -%}
+{%- set ip4 = inetconf['address'] -%}
+
+{%- if salt['network.is_private'](ip4) -%}
+
+{%- if not interface in internal -%}
+{%- do internal.append(interface) -%}
+{%- endif -%}
+
+{%- elif ip4.startswith(backend4s) -%}
+
+{%- if not interface in backend -%}
+{%- do backend.append(interface) -%}
+{%- endif -%}
+
+{%- else -%}
+
+{%- if not interface in public -%}
+{%- do public.append(interface) -%}
+{%- endif -%}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- if 'inet6' in interface -%}
+{%- for inet6conf in ifconfig['inet6'] -%}
+{%- set ip6 = inet6conf['address'] -%}
+
+{%- if ip6.startswith(internal6s) -%}
+
+{%- if not interface in internal -%}
+{%- do internal.append(interface) -%}
+{%- endif -%}
+
+{%- elif ip6.startswith(backend6s) -%}
+
+{%- if not interface in backend -%}
+{%- do backend.append(interface) -%}
+{%- endif -%}
+
+{%- endif -%}
+
+{%- endfor -%}
+{%- endif -%}
+
+{%- endif -%}
+{%- endfor -%}{%- endif -%}
+
+{#- END Interface mapping logic -#}
+
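Review bot: The IPv6 branch guarded by `{%- if 'inet6' in interface -%}` tests the interface *name* string rather than its address table, so it only runs for an interface whose name happens to contain "inet6" and the internal6s/backend6s classification below it is effectively dead code; it should read `{%- if 'inet6' in ifconfig -%}`. In the same way, `{%- for inetconf in ifconfig['inet'] -%}` assumes every non-excluded interface carries an IPv4 list, which an IPv6-only or unconfigured interface will not; `{%- for inetconf in ifconfig.get('inet', []) -%}` keeps the render from failing there (how an undefined key behaves depends on the renderer's undefined handling, so worth confirming against the Salt version in use). Note too that the IPv6 block has no `else`, so an interface holding only a public IPv6 address lands in none of the three lists and inherits whatever firewalld's default zone is — the security-relevant failure mode here is an unzoned interface rather than a mis-zoned one — and since the lists are not mutually exclusive, an interface with both a private and a public IPv4 address is appended to both `internal` and `public`, leaving the effective zone to whichever assignment firewalld applies last. The `'172.168.100'` prefix the to-do flags is outside 172.16.0.0/12, so `network.is_private` will not match it and the `elif` does fire as intended, but it also means those addresses are routable public space and should be replaced before the backend zone is enabled.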