From 824baf386b006c289fe2c8ab9453504ec9859b8d Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 29 Jan 2023 17:27:58 +0100 Subject: Firewall interface mapping logic Detect which interfaces belong to which zones, and configure firewalld accordingly. Backend zone is currently only prepared and yet to be tested and enabled. Signed-off-by: Georg Pfuetzenreuter --- pillar/global/init.sls | 7 +++++ pillar/global/macros.jinja | 6 ++++ pillar/global/map.jinja | 71 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 pillar/global/map.jinja diff --git a/pillar/global/init.sls b/pillar/global/init.sls index 74c98ec..41794b5 100644 --- a/pillar/global/init.sls +++ b/pillar/global/init.sls @@ -1,3 +1,5 @@ +{%- from slspath ~ '/map.jinja' import firewall_interfaces, public, internal, backend %} + include: - role.salt.common - role.salt.minion @@ -15,10 +17,15 @@ zypper: firewalld: zones: internal: + {{ firewall_interfaces(internal) }} ports: - comment: node_exporter port: 9200 protocol: tcp + {%- if public | length %} + public: + {{ firewall_interfaces(public) }} + {%- endif %} {%- endif %} mine_functions: diff --git a/pillar/global/macros.jinja b/pillar/global/macros.jinja index d01784a..1d3eade 100644 --- a/pillar/global/macros.jinja +++ b/pillar/global/macros.jinja @@ -18,3 +18,9 @@ - {{ ip }} {%- endfor %} {%- endmacro -%} + +{%- macro firewall_interfaces(interfaces) -%} +{%- if interfaces | length -%} +interfaces: {{ interfaces }} +{%- endif -%} +{%- endmacro -%} diff --git a/pillar/global/map.jinja b/pillar/global/map.jinja new file mode 100644 index 0000000..b5d15dc --- /dev/null +++ b/pillar/global/map.jinja @@ -0,0 +1,71 @@ +{%- from slspath ~ '/macros.jinja' import firewall_interfaces -%} +{%- set firewall_interfaces = firewall_interfaces -%} +{%- set minion = grains['id'] -%} + +{#- START Interface mapping logic -#} + +{%- set public = [] -%} +{%- set internal = [] -%} +{%- set backend = [] -%} + +{%- set internal6s = ('2a01:4f8:11e:2200') -%} +{%- set backend6s = ('fd29:8e45:f292:ff80') -%} +{#- to-do: get rid of illegal backend4s -#} +{%- set backend4s = ('172.168.100') -%} +{%- set excluded_interfaces = ('lo') -%} +{%- set interfaces = salt.saltutil.runner('mine.get', tgt=minion, fun='network.interfaces', tgt_type='glob') -%} + +{%- if minion in interfaces -%}{%- for interface, ifconfig in interfaces[minion].items() -%} +{%- if not interface.startswith(excluded_interfaces) -%} + +{%- for inetconf in ifconfig['inet'] -%} +{%- set ip4 = inetconf['address'] -%} + +{%- if salt['network.is_private'](ip4) -%} + +{%- if not interface in internal -%} +{%- do internal.append(interface) -%} +{%- endif -%} + +{%- elif ip4.startswith(backend4s) -%} + +{%- if not interface in backend -%} +{%- do backend.append(interface) -%} +{%- endif -%} + +{%- else -%} + +{%- if not interface in public -%} +{%- do public.append(interface) -%} +{%- endif -%} + +{%- endif %} + +{%- endfor %} + +{%- if 'inet6' in interface -%} +{%- for inet6conf in ifconfig['inet6'] -%} +{%- set ip6 = inet6conf['address'] -%} + +{%- if ip6.startswith(internal6s) -%} + +{%- if not interface in internal -%} +{%- do internal.append(interface) -%} +{%- endif -%} + +{%- elif ip6.startswith(backend6s) -%} + +{%- if not interface in backend -%} +{%- do backend.append(interface) -%} +{%- endif -%} + +{%- endif -%} + +{%- endfor -%} +{%- endif -%} + +{%- endif -%} +{%- endfor -%}{%- endif -%} + +{#- END Interface mapping logic -#} + -- cgit v1.2.3