diff options
author | Sean Whitton <spwhitton@spwhitton.name> | 2021-06-30 11:21:26 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2021-07-06 19:58:31 -0700 |
commit | 957c59641dd76c857f175acc4c33e84bd8dbbde4 (patch) | |
tree | f70a4eb5b0dadfbbde6eea2b833df35c253fc8c5 /src/property/firewalld.lisp | |
parent | 29d7ea56ac1864210fbbea32ee2f4692124665f4 (diff) | |
download | consfigurator-957c59641dd76c857f175acc4c33e84bd8dbbde4.tar.gz |
add FIREWALLD:{POLICY,ZONE} and rename incremental zone properties
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'src/property/firewalld.lisp')
-rw-r--r-- | src/property/firewalld.lisp | 116 |
1 files changed, 73 insertions, 43 deletions
diff --git a/src/property/firewalld.lisp b/src/property/firewalld.lisp index 82e0a40..aad7fb5 100644 --- a/src/property/firewalld.lisp +++ b/src/property/firewalld.lisp @@ -18,29 +18,11 @@ (in-package :consfigurator.property.firewalld) (named-readtables:in-readtable :consfigurator) -;; Setting the whole XML for the zone means that firewall configuration has to -;; be in one place in the consfig, which is awkward when we might want -;; different properties to be able to interact with the firewall depending on -;; whether or not they are applied. So we take the approach of issuing single -;; firewall-cmd(1) commands to set the permanent zone configuration. -;; -;; By contrast, for defining services, it should be fine to set the whole XML. - (defproplist installed :posix () (:desc "firewalld installed") (os:etypecase (debianlike (apt:installed "firewalld")))) -(defproplist %setxml :posix (type name xml) - (installed) - (on-change - (file:exists-with-content #?"/etc/firewalld/${type}/${name}.xml" xml) - (cmd:single "firewall-cmd" "--reload"))) - -(defproplist service :posix (name xml) - (:desc #?"firewalld knows service ${name}") - (%setxml "services" name xml)) - (defprop %firewall-cmd :posix (file warning &rest args) (:apply ;; --add-service will always tell us ALREADY_ENABLED if nothing was @@ -63,20 +45,55 @@ (mrun "firewall-cmd" "--reload")) result)))) + +;;;; Setting contents of XML configuration files + +(defproplist %setxml :posix (type name xml) + (installed) + (on-change + (file:exists-with-content #?"/etc/firewalld/${type}/${name}.xml" xml) + (cmd:single "firewall-cmd" "--reload"))) + +(defproplist service :posix (service xml) + (:desc #?"firewalld knows service ${service}") + (%setxml "services" service xml)) + +(defproplist policy :posix (policy xml) + (:desc #?"firewalld has policy ${policy}") + (%setxml "policies" policy xml)) + +(defproplist zone :posix (zone xml) + "Set the whole XML configuration for zone ZONE. + +In preference to using this property, it is usually best to incrementally +build up the configuration for a zone using properties like +FIREWALLD:ZONE-HAS-SERVICE, FIREWALLD:ZONE-HAS-INTERFACE etc.. Using this +property forces most of your firewall configuration to be in a single place in +your consfig, but it is typically more readable and flexible to have +properties which set up the actual services and interfaces interact with the +firewall configuration themselves, to render the things that those properties +set up appropriately accessible and inaccessible. + +(By contrast, for defining services and policies we take the simpler approach +of just setting the whole XML configuration, using FIREWALLD:SERVICE and +FIREWALLD:POLICY.)" + (:desc #?"firewalld has zone configuration for ${zone}") + (%setxml "zones" zone xml)) + + +;;;; Incremental configuration of zones + (defprop has-zone :posix (zone) + "Ensure that the zone ZONE exists. + +You will not usually need to call this property directly; it is applied by +properties which add services, interfaces etc. to zones." (:desc #?"firewalld zone ${zone} exists") (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" #?"--zone=${zone}" "--get-target"))) (:apply (mrun "firewall-cmd" "--permanent" #?"--new-zone=${zone}")) (:unapply (mrun "firewall-cmd" "--permanent" #?"--delete-zone=${zone}"))) -(defproplist default-zone :posix (zone) - (:desc #?"firewalld default zone is ${zone}") - (installed) - (has-zone zone) - (%firewall-cmd "firewalld.conf" "ZONE_ALREADY_SET" - #?"--set-default-zone=${zone}")) - (defproplist zone-target :posix (zone target) (:desc #?"firewalld zone ${zone} has target ${target}") (:check (string= target @@ -87,20 +104,6 @@ (%firewall-cmd #?"zones/${zone}.xml" nil "--permanent" #?"--zone=${zone}" #?"--set-target=${target}")) -(defproplist has-service :posix (zone service) - (:desc #?"firewalld zone ${zone} has service ${service}") - (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" - #?"--zone=${zone}" #?"--query-service=${service}"))) - (with-unapply - (installed) - (has-zone zone) - (%firewall-cmd #?"zones/${zone}.xml" "ALREADY_ENABLED" - "--permanent" #?"--zone=${zone}" - #?"--add-service=${service}") - :unapply (%firewall-cmd #?"zones/${zone}.xml" "NOT_ENABLED" - "--permanent" #?"--zone=${zone}" - #?"--remove-service=${service}"))) - (defprop %default-route-zoned :posix (zone) (:apply (if-let ((default-route-interface @@ -136,7 +139,7 @@ only FIREWALLD:DEFAULT-ZONE." (has-zone zone) (%default-route-zoned zone))) -(defproplist has-interface :posix (zone interface) +(defproplist zone-has-interface :posix (zone interface) (:desc #?"firewalld zone ${zone} has interface ${interface}") (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" #?"--zone=${zone}" @@ -151,7 +154,21 @@ only FIREWALLD:DEFAULT-ZONE." "--permanent" #?"--zone=${zone}" #?"--remove-interface=${interface}"))) -(defproplist masquerade :posix (zone) +(defproplist zone-has-service :posix (zone service) + (:desc #?"firewalld zone ${zone} has service ${service}") + (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" + #?"--zone=${zone}" #?"--query-service=${service}"))) + (with-unapply + (installed) + (has-zone zone) + (%firewall-cmd #?"zones/${zone}.xml" "ALREADY_ENABLED" + "--permanent" #?"--zone=${zone}" + #?"--add-service=${service}") + :unapply (%firewall-cmd #?"zones/${zone}.xml" "NOT_ENABLED" + "--permanent" #?"--zone=${zone}" + #?"--remove-service=${service}"))) + +(defproplist zone-masquerade :posix (zone) (:desc #?"firewalld zone ${zone} has masquerade") (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" #?"--zone=${zone}" "--query-masquerade"))) @@ -165,7 +182,7 @@ only FIREWALLD:DEFAULT-ZONE." "--permanent" #?"--zone=${zone}" "--remove-masquerade"))) -(defproplist rich-rule :posix (zone rule) +(defproplist zone-rich-rule :posix (zone rule) (:desc #?"firewalld zone ${zone} has rich rule \"${rule}\"") (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" #?"--zone=${zone}" @@ -181,7 +198,10 @@ only FIREWALLD:DEFAULT-ZONE." "--permanent" #?"--zone=${zone}" (strcat "--remove-rich-rule=" (escape-sh-token rule))))) -(defpropspec direct-rule :posix (&rest rule-args) +;; Note that direct rules will be deprecated as of firewalld 1.0.0, as +;; policies and rich rules should be able to cover all uses of direct rules. +;; <https://firewalld.org/2021/06/the-upcoming-1-0-0> +(defpropspec zone-direct-rule :posix (&rest rule-args) (:desc #?"firewalld has direct rule \"@{rule-args}\"") (:check (zerop (mrun :for-exit "firewall-cmd" "--permanent" "--direct" "--query-rule" rule-args))) @@ -192,3 +212,13 @@ only FIREWALLD:DEFAULT-ZONE." :unapply (%firewall-cmd "direct.xml" "NOT_ENABLED" "--permanent" "--direct" "--remove-rule" ,@rule-args))) + + +;;;; Daemon configuration + +(defproplist default-zone :posix (zone) + (:desc #?"firewalld default zone is ${zone}") + (installed) + (has-zone zone) + (%firewall-cmd "firewalld.conf" "ZONE_ALREADY_SET" + #?"--set-default-zone=${zone}")) |