Problem with Firewalld Rich Rules


Marcello Percoco

Dec 4, 2020, 9:25:30 AM
to Salt-users

Hi, I have a problem trying to set firewalld rich rules with SaltStack.

Salt 3002 on CentOS 8.

I need to deploy some rules like this:
firewall-cmd --zone=public --permanent --add-rich-rule="rule family=\"ipv4\" destination address=\"10.208.108.212\" forward-port port=\"80\" protocol=\"tcp\" to-port=\"8089\""

So I prepared grains to have the data I need:

fwd_rules:
  rule1:
    ports:
      http:
        fromport: 80
        toport: 8089
      https:
        fromport: 443
        toport: 4089
    ips:
      - 10.208.108.200
      - 10.208.108.201

And wrote a state (I've omitted iterations):

{{ ip }}-{{ port['fromport'] }}-{{ port['toport'] }}:
  firewalld.present:
    - name: public
    - prune_services: False
      rich_rules:
        - family: ipv4
          destination:
            address: {{ ip }}
          forward-port:
            port: {{ port['fromport'] }}
            protocol: tcp
            to-port: {{ port['toport'] }}

But I receive an error:

2020-12-04 13:17:03,860 [salt.loaded.int.module.cmdmod:851 ][ERROR   ][47193] retcode: 122
2020-12-04 13:17:03,860 [salt.state       :321 ][ERROR   ][47193] Error: firewall-cmd failed: Error: INVALID_RULE: unknown element OrderedDict([(family,
2020-12-04 13:17:05,160 [salt.loaded.int.module.cmdmod:845 ][ERROR   ][47193] Command '['/usr/bin/firewall-cmd', '--zone=public', '--add-rich-rule=OrderedDict([(family, ipv4), (destination, OrderedDict([(address, 10.208.4.5)])), (forward-port, OrderedDict([(port, 443), (protocol, tcp), (to-port, 5089)]))])', '--permanent']' failed with return code: 122

What am I doing wrong?

Thanks


Vaarlion

Dec 7, 2020, 2:09:11 AM
to Salt-users
Without testing, I would say that your syntax is off.
Firstly, you are missing a '-' in front of `rich_rules`.
Then, because Salt Jinja is ... not very Jinja, I have never seen a list of hashes like you did.
I haven't found an example for rich_rules, but if I had to guess I would look for single-line config.
      - rich_rules:
        - '"ipv4" destination address="10.208.108.212" forward-port port="80" protocol="tcp" to-port="8089"'
        - 'Some other rules'

Give it a try ;)

Marcello Percoco

Dec 9, 2020, 2:33:17 AM
to Salt-users
Interesting.

Every example I've found was only with family: "ipv4", so I thought that every subsequent piece of the rule should be another piece of dictionary.

Soon I will try with your hint.

Thanks

Marcello Percoco

Dec 9, 2020, 3:10:34 AM
to Salt-users
Finally I did it.

Thanks Vaarlion for the hint; the examples I've found pointed me in the wrong direction. The correct way is:

{% for rule,data in salt['grains.get']('fwd_rules').items() %}

{% for type,port in data['ports'].items() %}

{% for ip in data['ips'] %}


{{ ip }}-{{ port['fromport'] }}-{{ port['toport'] }}:
  firewalld.present:
    - name: public
    - prune_services: False
      rich_rules:
        - rule family="ipv4" destination address="{{ ip }}" forward-port port="{{ port['fromport'] }}" protocol="tcp" to-port="{{ port['toport'] }}"

{% endfor %}
{% endfor %}
{% endfor %}

Which surely could be optimized.
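One way to do that optimization: collapse the per-(ip, port) states into a single firewalld.present call for zone public that carries every rule built from the fwd_rules grain. This is an added example, not code from the thread; it assumes the grain layout shown earlier, Salt's default Jinja `do` extension, and an arbitrary state ID `public-forward-rules`.

```yaml
{#- Added example: one firewalld.present state for zone public carrying
    every forward rule built from the fwd_rules grain, instead of one
    state per (ip, port). Assumes the grain layout shown in the thread
    and Salt's default Jinja `do` extension; the state ID
    public-forward-rules is an arbitrary name. -#}
{%- set rich_rules = [] %}
{%- for rule, data in salt['grains.get']('fwd_rules', {}).items() %}
{%-   for type, port in data['ports'].items() %}
{%-     for ip in data['ips'] %}
{#-       Each rich rule is a single firewall-cmd-syntax string, not a
          nested mapping (a mapping is what produced the OrderedDict
          error above). -#}
{%-       do rich_rules.append(
            'rule family="ipv4" destination address="' ~ ip ~
            '" forward-port port="' ~ port['fromport'] ~
            '" protocol="tcp" to-port="' ~ port['toport'] ~ '"') %}
{%-     endfor %}
{%-   endfor %}
{%- endfor %}

public-forward-rules:
  firewalld.present:
    - name: public
    - prune_services: False
    - rich_rules:
{%- for r in rich_rules %}
      - {{ r }}
{%- endfor %}
```

Like the original per-rule states, this only adds rules; a forward rule removed from the grain is not removed from the zone unless pruning is explicitly requested.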

Vaarlion

Dec 9, 2020, 5:44:03 AM
to Salt-users
Glad it worked.
You might want to add some doc on this. I have no idea where the Salt doc is stored, but I would guess in a git somewhere.
If you can't, I'll try to think about it when I have some time.

Marcello Percoco

Dec 9, 2020, 5:47:03 AM
to Salt-users
Surely I can't directly add it; I think the correct way is to open a documentation issue on the SaltStack GitHub.

Phipps, Thomas

Dec 9, 2020, 11:15:40 AM
to salt-...@googlegroups.com
Welcome to open source. Yes, you can directly add it.

Or at least you can create a Pull Request to have the changes reviewed and then pulled in.

And the location for the documentation is in the code for the software. For the firewalld state module that would be https://github.com/saltstack/salt/blob/master/salt/states/firewalld.py

You may want to read the following.
