Allow rich_rules to be specified as a dictionary

Sxderp · Sxderp · commit 2fb0b9a2e6b3 · 2020-03-30T08:40:59.000-04:00
When specifying rich rules as a dictionary ipsets and services can be
specified as lists. They will be expanded out by the jinja template into
individual rich rules for the parent zone.
diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml
@@ -83,8 +83,7 @@
   {%- endfor %}
 {%- endif %}
 
-{%- if 'rich_rules' in zone %}
-  {%- for rule in zone.rich_rules %}
+{%- macro rich_rule(rule) -%}
   {%- if 'family' in rule %}
   <rule family="{{ rule.family }}">
   {%- else %}
@@ -149,6 +148,42 @@
     <drop/>
   {%- endif %}    
   </rule>
+{%- endmacro %}
+
+{%- if 'rich_rules' in zone %}
+  {%- if zone.rich_rules is list %}
+    {%- set rich_rules = zone.rich_rules %}
+  {%- else %}
+    {%- set expanded_ipset_rules = [] %}
+    {%- for name,rule in zone.rich_rules|dictsort %}
+      {%- if 'ipsets' in rule %}
+        {%- for ipset in rule.ipsets %}
+          {%- set tmp_rule = {} %}
+          {%- set _dummy = tmp_rule.update(rule) %}
+          {%- set _dummy = tmp_rule.update({'ipset':{'name':ipset}}) %}
+          {%- set _dummy = expanded_ipset_rules.append(tmp_rule) %}
+        {%- endfor %}
+      {%- else %}
+        {%- set _dummy = expanded_ipset_rules.append(rule) %}
+      {%- endif %}
+    {%- endfor %}
+    {%- set rich_rules = [] %}
+    {%- for rule in expanded_ipset_rules %}
+      {%- if 'services' in rule %}
+        {%- for service in rule.services %}
+          {%- set tmp_rule = {} %}
+          {%- set _dummy = tmp_rule.update(rule) %}
+          {%- set _dummy = tmp_rule.update({'service':service}) %}
+          {%- set _dummy = rich_rules.append(tmp_rule) %}
+        {%- endfor %}
+      {%- else %}
+        {%- set _dummy = rich_rules.append(rule) %}
+      {%- endif %}
+    {%- endfor %}
+  {%- endif %}
+  {%- for rule in rich_rules %}
+{{ rich_rule(rule) }}
   {%- endfor %}
 {%- endif %}
+
 </zone>
diff --git a/pillar.example b/pillar.example
@@ -151,6 +151,21 @@ firewalld:
           port: 4444
           protocol: tcp
 
+    rich_public:
+      short: rich_public
+      description: "Example"
+      # Rich rules can be specified as a dictionary. All keys from standard rich rules
+      # are applicable. Special keys "ipsets" and "services", if defined, take precedence.
+      # They will be auto-expanded into separate rich rules per value in the list.
+      rich_rules:
+        ssh-csg:
+          accept: true
+          ipsets:
+            - fail2ban-ssh
+            - other-ipset
+          services:
+            - ssh
+
   direct:
     chain:
       MYCHAIN:
