Merge pull request #30 from netmanagers/master

Minor update, to use `defaults.yaml`, `map.jinja`, etc.

Author: aboe76

.gitignore

@@ -1,5 +1,103 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# PyInstaller
+#  Usually these files are written by a python script from a packager
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
 .kitchen
-tests/build/
-*.swp
-*.pyc
+.kitchen.local.yml
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# pyenv
+.python-version
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# dotenv
+.env
+
+# virtualenv
+.venv
+venv/
+ENV/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
 .ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/

CHANGELOG.rst

@@ -1,10 +1,14 @@
 iptables formula
 ================
 
-0.1 (2014-05-01)
+0.3.0 (2018-12-28)
 
-- Initial version with support just for iptables
+- Update formula to use defaults.yml and map.jinja
 
-0.1.1 (2018-12-27)
+0.2.0 (2018-12-27)
 
 - Update kitchen testing
+
+0.1.0 (2014-05-01)
+
+- Initial version with support just for iptables

README.md

@@ -6,25 +6,29 @@ Thanks to the nature of Pillars it is possible to write global and local setting
 
 Pull requests are welcome for other platforms (or other improvements ofcourse!)
 
-.. image:: https://travis-ci.org/saltstack-formulas/iptables-formula.svg?branch=master
+![Build Status](https://travis-ci.org/saltstack-formulas/iptables-formula.svg?branch=master "Travis-CI testing status")
 
 Usage
 =====
 
 All the configuration for the firewall is done via the pillar (see the pillar.example file).
 
 Enable globally:
+
 `pillars/firewall.sls`
-```
+
+```yaml
 firewall:
   enabled: True
   install: True  
   strict: True
 ```
 
 Allow SSH:
+
 `pillars/firewall/ssh.sls`
-```
+
+```yaml
 firewall:
   services:
     ssh:
@@ -35,7 +39,8 @@ firewall:
 ```
 
 Apply rules to specific interface:
-```
+
+```yaml
 firewall:
   services:
     ssh:
@@ -45,7 +50,9 @@ firewall:
 ```
 
 Apply rules for multiple protocols:
-```
+
+
+```yaml
 firewall:
   services:
     ssh:
@@ -56,7 +63,7 @@ firewall:
 
 Allow an entire class such as your internal network:
 
-```
+```yaml
   whitelist:
     networks:
       ips_allow:
@@ -66,6 +73,7 @@ Allow an entire class such as your internal network:
 Salt combines both and effectively enables your firewall and applies the rules.
 
 Notes:
+
  * Setting install to True will install `iptables` and `iptables-persistent` for you
  * Strict mode means: Deny **everything** except explicitly allowed (use with care!)
  * block_nomatch: With non-strict mode adds in a "REJECT" rule below the accept rules, otherwise other traffic to that service is still allowed. Can be defined per-service or globally, defaults to False.
@@ -78,7 +86,8 @@ Using iptables.service
 Salt can't merge pillars, so you can only define `firewall:services` in once place. With the firewall.service state and stateconf, you can define pillars for different services and include and extend the iptables.service state with the `parent` parameter to enable a default firewall configuration with special rules for different services.
 
 `pillars/otherservice.sls`
-```
+
+```yaml
 otherservice:
   firewall:
     services:
@@ -89,7 +98,8 @@ otherservice:
 ```
 
 `states/otherservice.sls`
-```
+
+```yaml
 #!stateconf yaml . jinja
 
 include:
@@ -106,7 +116,7 @@ Using iptables.nat
 
 You can use nat for interface.
 
-```
+```yaml
   #Support nat
   # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -d 10.20.0.2 -j MASQUERADE
 

iptables/defaults.yaml

@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+firewall:
+  enabled: false
+  install: false
+  strict: false
+  block_nomatch: false
+  pkgs:
+    - iptables

iptables/init.sls

@@ -1,14 +1,14 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
 # Firewall management module
-{%- if salt['pillar.get']('firewall:enabled') %}
-  {% set firewall = salt['pillar.get']('firewall', {}) %}
-  {% set install = firewall.get('install', False) %}
-  {% set strict_mode = firewall.get('strict', False) %}
-  {% set global_block_nomatch = firewall.get('block_nomatch', False) %}
-  {% set packages = salt['grains.filter_by']({
-    'Debian': ['iptables', 'iptables-persistent'],
-    'RedHat': ['iptables'],
-    'default': 'Debian'}) %}
+{% from "iptables/map.jinja" import firewall with context %}
+{% set install = firewall.install %}
+{% set strict_mode = firewall.strict %}
+{% set global_block_nomatch = firewall.block_nomatch %}
+{% set packages = firewall.pkgs %}
 
+{%- if firewall.enabled %}
     {%- if install %}
       # Install required packages for firewalling
       iptables_packages:
@@ -165,4 +165,9 @@
     {%- endfor %}
   {%- endfor %}
 
+{% else %} # Firewall is disabled by default
+firewall_disabled:
+  test.show_notification:
+    - name: Firewall is disabled by default
+    - text: firewall:enabled is False
 {%- endif %}

iptables/map.jinja

@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{% import_yaml 'iptables/defaults.yaml' as defaults %}
+{% import_yaml 'iptables/osfamilymap.yaml' as osfamilymap %}
+
+{% set firewall = salt['grains.filter_by'](
+    defaults,
+    merge = salt['grains.filter_by'](
+        osfamilymap,
+        grain='os_family',
+        merge = salt['pillar.get']('firewall', {})
+    ),
+    base='firewall')
+%}

iptables/osfamilymap.yaml

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+Debian:
+  pkgs:
+    - iptables
+    - iptables-persistent