sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

Support for firewalld zone attribute #206

Closed jpSimkins closed 11 months ago

jpSimkins commented 5 years ago

Description

This adds zone support to firewall_rule for firewalld, as this is a core component of firewalld. This also adds a new recipe named: firewalld...

Ideally, I would have liked to modify the default recipe but this seems a more proper route. I can update PR if it is decided a better route to include this in the default recipe. The issue is that I would have to duplicate every rule and have only_if firewalld checks. To prevent duplicate rules and to omit any confusion, I added the new recipe.

I used String as the value type for the new zones attribute instead of Symbol because zones are easily customizable. I also thought about adding a zones resource but feel that is a bit more than what this cookbook needs.

Issues Resolved

https://github.com/chef-cookbooks/firewall/issues/205

damacus commented 11 months ago

I don't know why this has gone quiet for so long.

This looks like something we do want. Can you rebase the README and add a CHANGELOG entry, please?

TeroPihlaja commented 7 months ago

Any plans to release this change soon?

TeroPihlaja commented 6 months ago

I tried this feature, but I'm getting the following error on redhat 9:

---- Begin output of firewall-cmd --zone=public --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT ----
STDOUT:
STDERR: usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page
--zone is an invalid option with --direct
---- End output of firewall-cmd --zone=public --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT ----
Ran firewall-cmd --zone=public --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT returned 2

I guess --direct should be removed if zone is defined?

jpSimkins commented 6 months ago

Yes, --direct should no longer be used. Pretty sure it has been removed from iptables. I no longer use Chef so didn't check that when I made the requested changes. Given this is already merged, I'll let them remove that.

--direct was used to add/remove chains in runtime.
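As an added example (not the cookbook's own code, and not from this thread's authors), the Ruby below builds the firewall-cmd argument vector for one accept rule and shows why the error above occurs: a zone rule must use firewalld's own rule language, while --direct is a raw iptables passthrough that zones do not apply to, so the two options never belong on the same command line. Function names, the rich-rule shape and the validation limits are assumptions.

```ruby
# Added example, not part of the firewall cookbook: build the firewall-cmd
# argv for one accept rule, choosing between firewalld's zone interface and
# the legacy --direct passthrough. The two are mutually exclusive, which is
# the failure quoted above ("--zone is an invalid option with --direct").
# Names and the rule shape are assumptions.

# Validate the pieces that end up on a command line before composing it.
def check_rule!(port:, protocol:, zone:)
  raise ArgumentError, "bad port #{port.inspect}" unless port.to_s.match?(/\A\d{1,5}\z/) && port.to_i.between?(1, 65_535)
  raise ArgumentError, "bad protocol #{protocol.inspect}" unless %w[tcp udp].include?(protocol)
  raise ArgumentError, "bad zone #{zone.inspect}" if zone && !zone.match?(/\A[A-Za-z0-9_-]+\z/)
end

# Returns the argv for firewall-cmd as an array (no shell interpolation).
#   zone: nil      => legacy direct rule in the INPUT chain (the command the
#                     reporter's run produced, minus the offending --zone)
#   zone: "public" => rich rule bound to that zone; --direct is not emitted
def firewalld_accept_argv(port:, protocol: "tcp", zone: nil, comment: nil, permanent: false)
  check_rule!(port: port, protocol: protocol, zone: zone)
  argv = ["firewall-cmd"]
  argv << "--permanent" if permanent
  if zone
    # Zone path: firewalld rich-rule language. The iptables comment match has
    # no rich-rule equivalent here, so the comment is not carried over.
    rich = %(rule family="ipv4" port port="#{port}" protocol="#{protocol}" accept)
    argv += ["--zone=#{zone}", "--add-rich-rule=#{rich}"]
  else
    # Direct path: raw iptables arguments passed through; zones do not apply.
    argv += %w[--direct --add-rule ipv4 filter INPUT 50 -p] +
            [protocol, "-m", protocol, "-m", "multiport", "--dports", port.to_s]
    argv += ["-m", "comment", "--comment", comment] if comment
    argv += %w[-j ACCEPT]
  end
  argv
end

# Guard a caller can run before executing: both styles on one argv is always wrong.
def direct_and_zone?(argv)
  argv.include?("--direct") && argv.any? { |a| a.start_with?("--zone=") }
end
```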