
fucken firewall

master
Sean Johnson 1 year ago
parent
commit
7e882b106b
  1. 86
      _modules/nodemeta.py
  2. 24
      fwrules/init.sls
  3. 1
      fwrules/templates/firewall.nft.j2
  4. 16
      fwrules/templates/fwrules.service.j2

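--- a/_modules/nodemeta.py
+++ b/_modules/nodemeta.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python
+from __future__ import absolute_import, print_function, unicode_literals
+import logging
+import platform
+import re
+import socket
+_regex = re.compile(r"""
+^ # beginning of string
+(?P<app>[a-z_-]+) # matches the app name
+- # separator between app name and node num
+n(?P<node>\d{2,}) # match node num w/o leading `n`
+\. # next domain part
+(?P<datacenter> # capture region + datacenter num
+(?P<region>[a-z]{3}) # nested capture region only
+\d?) # capture optional datacenter num
+\. # next domain part
+(?P<domain>.+) # capture remaining chunk of domain
+$ # end of string
+""", re.VERBOSE)
+_VALID_SOURCES = ["hostname", "nodename", "fqdn"]
+log = logging.getLogger(__name__)
+def __virtual__():
+""" Checks if the system's hostname can be matched by this module.
+"""
+cfg = _get_config()
+hostname = _get_hostname(cfg)
+results = _regex.findall(hostname)
+if results is not None and len(results) > 0:
+return __virtualname__
+return False, "from_node_name grain generator refuses to load: hostname format mismatch"
+def _get_config(opts=None):
+if opts is None:
+opts = __opts__
+cfg = opts.get("from_node_name", {})
+cfg = {
+"source": "nodename",
+}
+log.debug("from_node_name configuration: %s", cfg)
+return cfg
+def _get_hostname(cfg):
+switch = {
+"hostname": lambda: socket.gethostname(),
+"fqdn": lambda: socket.getfqdn(),
+"nodename": lambda: platform.uname()[1],
+}
+fetcher = switch.get(cfg.get("source", "nodename").lower())
+return fetcher()
+def _grains_from_name(cfg):
+""" Parses out name to variables
+"""
+hostname = _get_hostname(cfg)
+rematch = _regex.search(hostname)
+return {
+"app": rematch.group("app"),
+"node": rematch.group("node"),
+"datacenter": rematch.group("datacenter"),
+"region": rematch.group("region"),
+"parent_domain": rematch.group("domain"),
+}
+def current_node():
+cfg = _get_config()
+return _grains_from_name(cfg)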
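Review bot: `_get_config` reads `opts.get("from_node_name", {})` and then immediately overwrites `cfg` with the literal `{"source": "nodename"}`, so the minion config can never choose a source and `_VALID_SOURCES` is never consulted; the intended shape looks like `cfg = {"source": "nodename"}` followed by `cfg.update(opts.get("from_node_name", {}))`, plus a check that `cfg["source"].lower()` is in `_VALID_SOURCES`, because `_get_hostname` otherwise calls `fetcher()` on `None` for any unknown value. `__virtual__` returns `__virtualname__`, which is not defined anywhere visible in this new file, so the load-time check would raise `NameError` on a matching hostname unless that name is injected by the loader. `_regex.findall` is used only as a truthiness test; `_regex.search(hostname) is not None` expresses the same check and mirrors `_grains_from_name`. Everything here is derived from the minion's own hostname, so consumers of the `current_node` values should treat them as minion-asserted rather than master-verified when they feed targeting or firewall policy.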

24
fwrules/init.sls

@ -51,12 +51,24 @@ nftables firewall table: @@ -51,12 +51,24 @@ nftables firewall table:
- backup: minion
- check_cmd: /usr/sbin/nft -c -f
{{ "nft"|which }} -f /etc/firewall/firewall.nft:
cmd.run:
- onchanges:
/lib/systemd/system/fwrules.service:
file.managed:
- source: salt://fwrules/templates/fwrules.service.j2
- mode: "0750"
- user: root
- group: root
- template: jinja
- require:
- file: /etc/firewall/firewall.nft
- file: /etc/firewall/chains.nft
- file: /etc/firewall/sets.nft
cron.present:
{% if ("nft"|which) is not none %}
{{ "nft"|which }} -f /etc/firewall/firewall.nft:
cron.absent:
- user: root
- special: "@reboot"
{% endif %}
None -f /etc/firewall/firewall.nft:
cron.absent:
- user: root
- special: "@reboot"
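Review bot: The `/lib/systemd/system/fwrules.service` state only writes the unit file; no `service.enabled`/`service.running` for `fwrules` and no `daemon-reload` on change is visible in this hunk, so unless that lives elsewhere in the file the new unit is never activated at boot while the `@reboot` cron entries that the `cron.absent` states here retire were the only thing loading the rules. `- mode: "0750"` is unusual for a unit file — systemd reads units as root and they are conventionally `0644`; the execute bit grants nothing here. The `None -f /etc/firewall/firewall.nft` state id appears to clean up a cron entry created when `"nft"|which` rendered as `None`; a one-line comment above it, e.g. `# retire the entry a failed 'nft'|which lookup once created`, would keep the next reader from deleting it as a typo. The surrounding state block starts outside this hunk.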

1
fwrules/templates/firewall.nft.j2

@ -4,7 +4,6 @@ @@ -4,7 +4,6 @@
#!/usr/sbin/nft -f
flush table inet firewall
table inet firewall {
include "/etc/firewall/sets.nft";
include "/etc/firewall/chains.nft";

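--- a/fwrules/templates/fwrules.service.j2
+++ b/fwrules/templates/fwrules.service.j2
@@ -0,0 +1,16 @@
+[Unit]
+Description=Lifecycle management for system firewall fules.
+DefaultDependencies=no
+Wants=network-pre.target systemd-modules-load.service local-fs.target
+Before=network-pre.target shutdown.target
+After=systemd-modules-load.service local-fs.target
+Conflicts=shutdown.target
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{ "nft"|which }} -f /etc/firewall/firewall.nft
+ExecStop={{ "nft"|which }} flush table inet firewall
+[Install]
+WantedBy=multi-user.target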
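Review bot: `ExecStart={{ "nft"|which }} -f …` renders to `ExecStart=None -f …` when `nft` is not on PATH at render time — the `None -f /etc/firewall/firewall.nft` cron id being cleaned up in `fwrules/init.sls` suggests this has already happened once — and a unit whose ExecStart fails at boot leaves the host with no firewall rules at all. Hard-coding `ExecStart=/usr/sbin/nft -f /etc/firewall/firewall.nft` (the path the shebang in `firewall.nft.j2` already assumes) or failing the render when the lookup is `none` closes that gap; the same applies to `ExecStop`. Consider adding `ExecReload={{ "nft"|which }} -f /etc/firewall/firewall.nft` so rule changes can be applied with `systemctl reload fwrules` instead of a stop/flush/start cycle that briefly opens the host. `Description=` has a typo: `fules` should be `rules`.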