Support for Advanced Policy Firewall (APF) (#33134)

* Add Support for CSF

* Add Support for APF

* add new apf module to docs

* add blank line to match salt lint rules

* adding deny/remove host functions

* use python instead of bash to find out whether APF is running

* add error handling if iptc is missing

* remove trailing space
This commit is contained in:
Mostafa Hussein 2016-05-16 17:42:26 +03:00 committed by Mike Place
parent 3b50a7b98d
commit d1b114bdae
3 changed files with 157 additions and 0 deletions


@ -20,6 +20,7 @@ Full list of builtin execution modules
aliases
alternatives
apache
apf
aptpkg
archive
artifactory


@ -0,0 +1,6 @@
================
salt.modules.apf
================
.. automodule:: salt.modules.apf
:members:

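--- /dev/null
+++ b/salt/modules/apf.py
@@ -0,0 +1,150 @@
+# -*- coding: utf-8 -*-
+'''
+Support for Advanced Policy Firewall (APF)
+==========================================
+:maintainer: Mostafa Hussein <mostafa.hussein91@gmail.com>
+:maturity: new
+:depends: python-iptables
+:platform: Linux
+'''
+# Import Python Libs
+from __future__ import absolute_import
+try:
+import iptc
+IPTC_IMPORTED = True
+except ImportError:
+IPTC_IMPORTED = False
+# Import Salt Libs
+from salt.exceptions import CommandExecutionError
+import salt.utils
+def __virtual__():
+'''
+Only load if apf exists on the system
+'''
+if salt.utils.which('apf') is None:
+return (False,
+'The apf execution module cannot be loaded: apf unavailable.')
+elif not IPTC_IMPORTED:
+return (False,
+'The apf execution module cannot be loaded: python-iptables is missing.')
+else:
+return True
+def __apf_cmd(cmd):
+'''
+Return the apf location
+'''
+apf_cmd = '{0} {1}'.format(salt.utils.which('apf'), cmd)
+out = __salt__['cmd.run_all'](apf_cmd)
+if out['retcode'] != 0:
+if not out['stderr']:
+msg = out['stdout']
+else:
+msg = out['stderr']
+raise CommandExecutionError(
+'apf failed: {0}'.format(msg)
+)
+return out['stdout']
+def _status_apf():
+'''
+Return True if apf is running otherwise return False
+'''
+status = 0
+table = iptc.Table(iptc.Table.FILTER)
+for chain in table.chains:
+if 'sanity' in chain.name.lower():
+status = 1
+return True if status else False
+def running():
+'''
+Check apf status
+CLI Example:
+.. code-block:: bash
+salt '*' apf.running
+'''
+return True if _status_apf() else False
+def disable():
+'''
+Stop (flush) all firewall rules
+CLI Example:
+.. code-block:: bash
+salt '*' apf.disable
+'''
+if _status_apf():
+return __apf_cmd('-f')
+def enable():
+'''
+Load all firewall rules
+CLI Example:
+.. code-block:: bash
+salt '*' apf.enable
+'''
+if not _status_apf():
+return __apf_cmd('-s')
+def reload():
+'''
+Stop (flush) & reload firewall rules
+CLI Example:
+.. code-block:: bash
+salt '*' apf.reload
+'''
+if not _status_apf():
+return __apf_cmd('-r')
+def refresh():
+'''
+Refresh & resolve dns names in trust rules
+CLI Example:
+.. code-block:: bash
+salt '*' apf.refresh
+'''
+return __apf_cmd('-e')
+def allow(ip, port=None):
+'''
+Add host (IP/FQDN) to allow_hosts.rules and immediately load new rule into firewall
+CLI Example:
+.. code-block:: bash
+salt '*' apf.allow 127.0.0.1
+'''
+if port is None:
+return __apf_cmd('-a {0}'.format(ip))
+def deny(ip):
+'''
+Add host (IP/FQDN) to deny_hosts.rules and immediately load new rule into firewall
+CLI Example:
+.. code-block:: bash
+salt '*' apf.deny 1.2.3.4
+'''
+return __apf_cmd('-d {0}'.format(ip))
+def remove(ip):
+'''
+Remove host from [glob]*_hosts.rules and immediately remove rule from firewall
+CLI Example:
+.. code-block:: bash
+salt '*' apf.remove 1.2.3.4
+'''
+return __apf_cmd('-u {0}'.format(ip))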
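Review bot: The `ip` argument of allow(), deny() and remove() is formatted straight into the command string that __apf_cmd passes to cmd.run_all, with no check that it is an IP address or hostname; whether that string is shell-interpreted depends on cmd.run_all's python_shell default, but either way whatever a caller supplies reaches the apf command line unvalidated. A small allow-list check before the format call limits the argument to address/hostname characters (fence below; it needs `import re` added to the module header alongside the other imports). Separately, allow() accepts `port` but only acts when it is None, so a call with a port silently returns None — either wire the port into the apf invocation or drop the parameter and document that; and reload() runs `-r` only when _status_apf() is False, which looks inverted relative to disable() and is worth confirming. __apf_cmd's docstring says "Return the apf location" but the function runs apf and returns its stdout, raising CommandExecutionError on a non-zero return code; `Run apf with the given arguments and return its stdout; raise CommandExecutionError on non-zero exit` would describe it.
```python
# … unchanged: module header, __virtual__, __apf_cmd, _status_apf, running/disable/enable/reload/refresh …

# constructed: only characters found in IPv4/IPv6 addresses, CIDR prefixes and hostnames
_HOST_RE = re.compile(r'^[A-Za-z0-9._:/-]+$')


def _check_host(host):
    '''
    Reject anything that is not a plausible IP/FQDN before it is formatted
    into the apf command line
    '''
    if not _HOST_RE.match(host):
        raise CommandExecutionError('apf: invalid host {0!r}'.format(host))
    return host


def deny(ip):
    # … unchanged: docstring …
    return __apf_cmd('-d {0}'.format(_check_host(ip)))

# … allow() and remove() wrap ip in _check_host(ip) the same way …
```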