From 824baf386b006c289fe2c8ab9453504ec9859b8d Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 29 Jan 2023 17:27:58 +0100
Subject: Firewall interface mapping logic

Detect which interfaces belong to which zones, and configure firewalld
accordingly.
Backend zone is currently only prepared and yet to be tested and
enabled.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/global/init.sls     |  7 +++++
 pillar/global/macros.jinja |  6 ++++
 pillar/global/map.jinja    | 71 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 pillar/global/map.jinja

diff --git a/pillar/global/init.sls b/pillar/global/init.sls
index 74c98ec..41794b5 100644
--- a/pillar/global/init.sls
+++ b/pillar/global/init.sls
@@ -1,3 +1,5 @@
+{%- from slspath ~ '/map.jinja' import firewall_interfaces, public, internal, backend %}
+
 include:
   - role.salt.common
   - role.salt.minion
@@ -15,10 +17,15 @@ zypper:
 firewalld:
   zones:
     internal:
+      {{ firewall_interfaces(internal) }}
       ports:
         - comment: node_exporter
           port: 9200
           protocol: tcp
+    {%- if public | length %}
+    public:
+      {{ firewall_interfaces(public) }}
+    {%- endif %}
 {%- endif %}
 
 mine_functions:
diff --git a/pillar/global/macros.jinja b/pillar/global/macros.jinja
index d01784a..1d3eade 100644
--- a/pillar/global/macros.jinja
+++ b/pillar/global/macros.jinja
@@ -18,3 +18,9 @@
 - {{ ip }}
 {%- endfor %}
 {%- endmacro -%}
+
+{%- macro firewall_interfaces(interfaces) -%}
+{%- if interfaces | length -%}
+interfaces: {{ interfaces }}
+{%- endif -%}
+{%- endmacro -%}
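Review bot: `interfaces: {{ interfaces }}` emits Python's list repr (`['eth0', 'eth1']`) and relies on YAML happening to read it as a flow sequence of single-quoted strings; serialising explicitly with `interfaces: {{ interfaces | json }}` (or `| yaml`) makes the intent clear and survives names containing quotes or YAML indicators. The macro also deserves a one-line comment above it stating that it renders nothing when the list is empty, because the caller in init.sls depends on that to keep the zone valid: `{#- Render an `interfaces:` flow list for a firewalld zone; emits nothing for an empty list so the caller's mapping stays valid -#}`.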
diff --git a/pillar/global/map.jinja b/pillar/global/map.jinja
new file mode 100644
index 0000000..b5d15dc
--- /dev/null
+++ b/pillar/global/map.jinja
@@ -0,0 +1,71 @@
+{%- from slspath ~ '/macros.jinja' import firewall_interfaces -%}
+{%- set firewall_interfaces = firewall_interfaces -%}
+{%- set minion = grains['id'] -%}
+
+{#- START Interface mapping logic -#}
+
+{%- set public = [] -%}
+{%- set internal = [] -%}
+{%- set backend = [] -%}
+
+{%- set internal6s = ('2a01:4f8:11e:2200') -%}
+{%- set backend6s = ('fd29:8e45:f292:ff80') -%}
+{#- to-do: get rid of illegal backend4s -#}
+{%- set backend4s = ('172.168.100') -%}
+{%- set excluded_interfaces = ('lo') -%}
+{%- set interfaces = salt.saltutil.runner('mine.get', tgt=minion, fun='network.interfaces', tgt_type='glob') -%}
+
+{%- if minion in interfaces -%}{%- for interface, ifconfig in interfaces[minion].items() -%}
+{%- if not interface.startswith(excluded_interfaces) -%}
+
+{%- for inetconf in ifconfig['inet'] -%}
+{%- set ip4 = inetconf['address'] -%}
+
+{%- if salt['network.is_private'](ip4) -%}
+
+{%- if not interface in internal -%}
+{%- do internal.append(interface) -%}
+{%- endif -%}
+
+{%- elif ip4.startswith(backend4s) -%}
+
+{%- if not interface in backend -%}
+{%- do backend.append(interface) -%}
+{%- endif -%}
+
+{%- else -%}
+
+{%- if not interface in public -%}
+{%- do public.append(interface) -%}
+{%- endif -%}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- if 'inet6' in interface -%}
+{%- for inet6conf in ifconfig['inet6'] -%}
+{%- set ip6 = inet6conf['address'] -%}
+
+{%- if ip6.startswith(internal6s) -%}
+
+{%- if not interface in internal -%}
+{%- do internal.append(interface) -%}
+{%- endif -%}
+
+{%- elif ip6.startswith(backend6s) -%}
+
+{%- if not interface in backend -%}
+{%- do backend.append(interface) -%}
+{%- endif -%}
+
+{%- endif -%}
+
+{%- endfor -%}
+{%- endif -%}
+
+{%- endif -%}
+{%- endfor -%}{%- endif -%}
+
+{#- END Interface mapping logic -#}
+
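Review bot: The IPv6 classification never runs: at `{%- if 'inet6' in interface -%}` the variable `interface` is the interface name yielded by `.items()`, so this is a substring test on e.g. 'eth0' and is always false; it should read `{%- if 'inet6' in ifconfig -%}`. With that branch dead, an interface whose only address lies in internal6s or backend6s gets no zone at all and is left to firewalld's default zone, a silent policy change rather than an error. The IPv4 loop has the opposite problem: `ifconfig['inet']` is indexed unguarded, so an interface with no IPv4 address aborts pillar rendering if network.interfaces omits the key (TODO confirm against the mine data), and `{%- for inetconf in ifconfig.get('inet', []) -%}` is the safer form. Also note the three lists are not kept disjoint: an interface carrying both a private and a public IPv4 (network.is_private presumably maps to ipaddress' is_private, which also covers 169.254/16 link-local) is appended to both internal and public, and since firewalld binds an interface to a single zone the effective zone then depends on apply order; decide the precedence explicitly and stop checking further addresses once an interface has been classified.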