firewalld-formula
Add forwarding to zones
PR progress checklist (to be filled in by reviewers)
- [ ] Changes to documentation are appropriate (or tick if not required)
- [ ] Changes to tests are appropriate (or tick if not required)
- [ ] Reviews completed
What type of PR is this?
Primary type
- [ ] [build] Changes related to the build system
- [ ] [chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
- [ ] [ci] Changes to the continuous integration configuration
- [x] [feat] A new feature
- [ ] [fix] A bug fix
- [ ] [perf] A code change that improves performance
- [ ] [refactor] A code change that neither fixes a bug nor adds a feature
- [ ] [revert] A change used to revert a previous commit
- [ ] [style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
Secondary type
- [x] [docs] Documentation changes
- [x] [test] Adding missing or correcting existing tests
Does this PR introduce a BREAKING CHANGE?
No.
Related issues and/or pull requests
Describe the changes you're proposing
At the moment, there is no support for forwarding in zones. By adding <forward/>
to a zone file, forwarding is enabled.
Enabling it with `firewall-cmd --zone=home --add-forward`:

```
# firewall-cmd --info-zone=home
home (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/16
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Pillar / config required to test the proposed changes
Here is the proposed config change: https://github.com/saltstack-formulas/firewalld-formula/blob/c9919881a7b52c78f1fa230f8b918e97b8327fb4/pillar.example#L119
Debug log showing how the proposed changes work
ID: /etc/firewalld/zones/int-routed.xml
Function: file.managed
Result: True
Comment: File /etc/firewalld/zones/int-routed.xml updated
Started: 16:45:20.416216
Duration: 52.923 ms
Changes:
----------
diff:
---
+++
@@ -19,6 +19,7 @@
<port port="1024-60999" protocol="tcp" />
<!-- Allow well-known and ephemeral ports -->
<port port="1024-60999" protocol="udp" />
+ <forward/>
<rule family="ipv4">
<source ipset="mon" />
<service name="node-exporter" />
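Review bot: the hunk emits `<forward/>` for int-routed, but nothing on the page states the pillar default, and the README item in the documentation checklist is still unticked. Document that forwarding stays off unless a zone explicitly requests it, since an enabled `forward` lets traffic pass between the interfaces and sources of that zone (here a `172.1.1.0/20` source with a `default` target), and add an InSpec check that the rendered zone file contains `<forward/>` only for zones that set it, so the "Covered by new/existing tests" item can be ticked.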
And the firewalld output matches as well.
```
# firewall-cmd --info-zone=int-routed
int-routed (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 172.1.1.0/20
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Documentation checklist
- [ ] Updated the README (e.g. Available states).
- [x] Updated pillar.example.
Testing checklist
- [ ] Included in Kitchen (i.e. under state_top).
- [ ] Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
- [x] Updated the relevant test pillar.
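As an added example that is not part of this PR or of firewalld-formula: a small Python check that parses zone XML the way firewalld reads it and reports zones whose rendered `<forward/>` state disagrees with the intended pillar value. The two zone files are constructed from the `--info-zone` output shown above; addresses and ports are illustrative.

```python
# Added example (not the formula's own code): parse firewalld zone XML the way
# firewalld reads it and flag zones whose <forward/> state differs from intent.
import xml.etree.ElementTree as ET

# Constructed zone files mirroring the PR's int-routed and home zones;
# addresses and ports are illustrative, not the project's real files.
ZONES = {
    "int-routed": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <source address="172.1.1.0/20"/>
  <port port="1024-60999" protocol="tcp"/>
  <port port="1024-60999" protocol="udp"/>
  <forward/>
  <rule family="ipv4">
    <source ipset="mon"/>
    <service name="node-exporter"/>
  </rule>
</zone>""",
    "home": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <source address="10.0.0.0/16"/>
</zone>""",
}


def parse_zone(xml_text):
    """Return the forwarding-relevant settings of one zone file."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        # firewalld reports a missing target attribute as 'default'
        "target": root.get("target", "default"),
        # only direct <source> children count; <source ipset> inside a rule does not
        "sources": [s.get("address") for s in root.findall("source")],
        # <forward/> is a bare flag element: present means forwarding is on
        "forward": root.find("forward") is not None,
    }


def audit(zones, intended_forward):
    """Names of zones whose rendered forward flag disagrees with the pillar intent."""
    return sorted(
        name for name, xml_text in zones.items()
        if parse_zone(xml_text)["forward"] != intended_forward.get(name, False)
    )


if __name__ == "__main__":
    print("mismatches:", audit(ZONES, {"int-routed": True}))
```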