Allow rich_rules to be specified as a dictionary #40
Conversation
Sxderp
force-pushed
the
pr-add-dictionary-rich-rules2
branch
from
2fb0b9a to
cb75fc3
Compare
|
Rebased and pushed. Added |
When specifying rich rules as a dictionary ipsets and services can be specified as lists. They will be expanded out by the jinja template into individual rich rules for the parent zone.
Sxderp
force-pushed
the
pr-add-dictionary-rich-rules2
branch
from
cb75fc3 to
cd4cec0
Compare
|
@Sxderp Thanks for the contribution. To make this easier to review, I'd like to add some tests for this. To begin with, for the pillar/config you've shared, can you show how this would be rendered in the XML file? It would also be helpful if you give an example of the existing list method, showing the pillar and the rendered XML. We can then take those and add them to the test pillar, as well as use InSpec to confirm the rendered XML contains the changes we're expecting. Are you OK with doing this? |
|
I'll provide the XML files. Give me a day or two. |
|
@Sxderp Thanks, please take your time. I don't need the entire files, just the specific sections related to |
|
With the following pillar (slightly expanded from above, to include the list) I get the below xmls: firewalld:
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh
type: 'hash:ip'
entries:
- 10.0.0.1
other-ipset:
short: other-ipset
description: other-ipset
type: 'hash:ip'
entries:
- 10.0.0.2
zones:
rich_public:
short: rich_public
description: "Example"
rich_rules:
ssh-rr:
accept: true
ipsets:
- fail2ban-ssh
- other-ipset
services:
- ssh
- http
rich_list_public:
short: rich_list_public
description: "Example"
rich_rules:
- accept: true
ipset:
name: fail2ban-ssh
service: https
- accept: true
ipset:
name: other-ipset
service: httpsrich_public.xml <?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
<zone>
<short>rich_public</short>
<description>Example</description>
<rule>
<source ipset="fail2ban-ssh" />
<service name="ssh" />
<accept/>
</rule>
<rule>
<source ipset="fail2ban-ssh" />
<service name="http" />
<accept/>
</rule>
<rule>
<source ipset="other-ipset" />
<service name="ssh" />
<accept/>
</rule>
<rule>
<source ipset="other-ipset" />
<service name="http" />
<accept/>
</rule>
</zone>rich_list_public.xml <?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
<zone>
<short>rich_list_public</short>
<description>Example</description>
<rule>
<source ipset="fail2ban-ssh" />
<service name="https" />
<accept/>
</rule>
<rule>
<source ipset="other-ipset" />
<service name="https" />
<accept/>
</rule>
</zone> |
|
@Sxderp Great, can you also do the same for the original list method? That will make it much easier to write the tests. |
|
Git makes that simple enough. Seems my patch adds some spacing to the resulting zone file. If necessary I think that can be fixed. firewalld:
enabled: true
ipset:
manage: true
pkg: ipset
ipsets:
fail2ban-ssh:
short: fail2ban-ssh
description: fail2ban-ssh
type: 'hash:ip'
entries:
- 10.0.0.1
other-ipset:
short: other-ipset
description: other-ipset
type: 'hash:ip'
entries:
- 10.0.0.2
zones:
rich_list_public_old:
short: rich_list_public_old
description: "Example"
rich_rules:
- accept: true
ipset:
name: fail2ban-ssh
service: https
- accept: true
ipset:
name: other-ipset
service: httpsrich_list_public_old.xml <?xml version="1.0" encoding="utf-8"?>
<!--
This file is managed/generated by salt.
Do not edit this file manually, it will be overwritten!
Modify the salt pillar for firewalld instead
-->
<zone>
<short>rich_list_public_old</short>
<description>Example</description>
<rule>
<source ipset="fail2ban-ssh" />
<service name="https" />
<accept/>
</rule>
<rule>
<source ipset="other-ipset" />
<service name="https" />
<accept/>
</rule>
</zone> |
|
@Sxderp Thanks, I'll look into these soon to figure out some tests to add here. |
|
@Sxderp Got the tests written up and tested locally. Also made the whitespacing fix. Let me just run it in Travis now: If that works out, I'll push it on top of your commit and we can discuss it further. |
|
@Sxderp So it worked, the
|
|
@Sxderp Actually, I've just gone ahead and added the two good commits here, so we can link to it in the review tools available in this PR itself. Please feel free to comment, if there's an issue, we can always remove/adjust the commits. |
|
@Sxderp OK, so the tests have helped uncover an issue with trailing whitespaces:
So this has helped uncover that there are a number of lines with trailing whitespaces in the |
|
OK, that all worked: https://travis-ci.org/github/myii/firewalld-formula/builds/669810643. Force pushing the changes back here. |
myii
force-pushed
the
pr-add-dictionary-rich-rules2
branch
from
d29b5b5 to
c69fd6b
Compare
From my limited knowledge of the testing framework looks good. But I'll defer to you.
Sure. The only reason the macro was near the bottom was it took fewer changes for me to implement what I wanted. Moving to the top is fine.
Interesting. I have my VIM highlight trailing spaces in bright red. Surprised I didn't see anything. Although, if they were there previously doesn't this cause the "False-Positive" issue; same as adding line breaks? |
I had the same issue with Vim! I was surprised so I went back to the current
The difference here is that the trailing whitespace should never have been there in the first place (an error that should be fixed). If the original template had resulted in blank lines, then I would have wanted to maintain that instead with the tests, to avoid false-positives. So are you OK with this being merged with the additions, @Sxderp? |
Yes. Good to go. |
|
Thanks for providing this new feature, @Sxderp -- merged. |
|
🎉 This PR is included in version 0.10.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
When specifying rich rules as a dictionary ipsets and services can be
specified as lists. They will be expanded out by the jinja template into
individual rich rules for the parent zone.
PR progress checklist (to be filled in by reviewers)
What type of PR is this?
Primary type
[build]Changes related to the build system[chore]Changes to the build process or auxiliary tools and libraries such as documentation generation[ci]Changes to the continuous integration configuration[feat]A new feature[fix]A bug fix[perf]A code change that improves performance[refactor]A code change that neither fixes a bug nor adds a feature[revert]A change used to revert a previous commit[style]Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)Secondary type
[docs]Documentation changes[test]Adding missing or correcting existing testsDoes this PR introduce a
BREAKING CHANGE?No.
Related issues and/or pull requests
Similar to #39
Describe the changes you're proposing
No functionality is broken. If rich rules are specified as a list then all
the processing is ignore and the list is directly passed into the template,
as before.
This PR is similar to #39 . But it includes added functionality. The ability
for services and ipsets to be expanded, which allows for zone-like
configuration.
The goal of this PR was to allow extending rich rules between different
pillar files. Since lists are not merged (by default) between pillar files,
you are required to list all rich rules in a single file. By using a dictionary
we can properly extend the rules.
Use of the special keys "ipsets" and "services" was added for my
environment in particular, allowing for grouping of services and ipsets
similar to zones. I figured it might get enough traction to warrant
inclusion upstream.
Pillar / config required to test the proposed changes
Debug log showing how the proposed changes work
Documentation checklist
README(e.g.Available states).pillar.example.Testing checklist
state_top).Additional context