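## {{ salt['pillar.get']('salt_managed', default='Salt Managed') }}
{#- NPF (NetBSD packet filter) configuration rendered by Salt from the `net`
    map imported from npf/map.jinja: one variable per interface, address and
    port sets, tables, NAT, an optional "log" procedure, one group per LAN
    interface and the default group. Everything comes from pillar except the
    two NAT source ranges under "Translations" (see the note there). #}
{%- from "npf/map.jinja" import net with context %}

{#- Logging is optional: the "log" procedure is only emitted when
    net.log.enabled is set, and npfctl refuses a config that applies a
    procedure which is not defined. The macro therefore checks the same flag
    itself, so every rule can use {{ set_log() }} without repeating the
    condition (it expands to ' apply "log"' or to nothing). #}
{%- set log_enabled = net.log is defined and net.log.enabled %}
{%- macro set_log() %}{%- if log_enabled %} apply "log"{%- endif %}{%- endmacro %}

## Macros ##
{#- One NPF variable per pillar interface key, e.g. $ext = "<device>", so the
    groups and the NAT rules refer to interfaces by key, not device name. #}
{%- for key, value in net.interfaces.items() %}
${{ key }} = "{{ value.id }}"
{%- endfor %}

{#- Collect the local networks as CIDR strings and split the public ports by
    protocol. `~` is used instead of `+` so an integer mask from pillar is
    still rendered as text. #}
{%- set my_net4 = [] -%}
{%- for key, value in net.ipv4_networks.items() -%}
{%- do my_net4.append(value.ip ~ "/" ~ value.mask) -%}
{%- endfor -%}
{%- set my_net6 = [] -%}
{%- for key, value in net.ipv6_networks.items() -%}
{%- do my_net6.append(value.ip ~ "/" ~ value.mask) -%}
{%- endfor -%}
{%- set public_ports_tcp = [] -%}
{%- set public_ports_udp = [] -%}
{%- for key, value in net.public_ports.items() -%}
{%- if value.proto == 'tcp' -%}
{%- do public_ports_tcp.append(value.port) -%}
{%- elif value.proto == 'udp' -%}
{%- do public_ports_udp.append(value.port) -%}
{%- endif -%}
{%- endfor -%}

{#- npfctl rejects an empty set `{ }`, so a variable and the rules that use
    it are only emitted when pillar supplied at least one element.
    lan_sources holds the (family, variable) pairs that actually have
    networks and drives the per-LAN "pass in" rules below. #}
{%- set lan_sources = [] -%}
{%- if my_net4 %}
$mynet4 = { {{ my_net4|join(', ') }} }
{%- do lan_sources.append(('inet4', 'mynet4')) -%}
{%- endif %}
{%- if my_net6 %}
$mynet6 = { {{ my_net6|join(', ') }} }
{%- do lan_sources.append(('inet6', 'mynet6')) -%}
{%- endif %}
{%- if public_ports_tcp %}
$public_ports_tcp = { {{ public_ports_tcp|join(', ') }} }
{%- endif %}
{%- if public_ports_udp %}
$public_ports_udp = { {{ public_ports_udp|join(', ') }} }
{%- endif %}

## Tables ##
{#- Address tables are loaded from files named in pillar (net.tables). #}
{%- if net.tables is defined %}
{%- for key, value in net.tables.items() %}
table <{{ key }}> type ipset file "{{ value.filename }}"
{%- endfor %}
{%- endif %}

## Translations ##
{#- NOTE(review): the two NAT source ranges below are hard-coded, while the
    pillar-driven net.nats entries are only written out as comments. Pillar
    is meant to be the source of truth for this host, so the two should be
    reconciled. Outbound NAT uses the address of the interface keyed "ext",
    which is assumed to exist in net.interfaces. #}
{%- if net.nats is defined %}
{%- for key, value in net.nats.items() %}
#map $ext dynamic {{ value.ip }}/{{ value.mask }} -> inet4({{ net.interfaces.ext.id }})
{%- endfor %}
{%- endif %}
map $ext dynamic 10.99.99.0/24 -> inet4({{ net.interfaces.ext.id }})
map $ext dynamic 192.168.50.0/26 -> inet4({{ net.interfaces.ext.id }})

alg "icmp"

{%- if log_enabled %}
## Procedures ##
procedure "log" {
  log: {{ net.log.interface }}
  normalize: {{ net.log.normalize }}
}
{%- endif %}

## Rules ##
{#- One group per interface whose pillar type is 'lan'. Outbound traffic is
    always allowed; inbound is allowed from the local networks, ICMP and the
    public ports, everything else is blocked (and logged when enabled).
    NPF applies last-match semantics to rules without "final", so the
    trailing "pass ... port $public_ports_*" rules take precedence over the
    earlier "block in all". #}
{%- for key, value in net.interfaces.items() %}
{%- if value.type == 'lan' %}
group "{{ key }}" on ${{ key }} {
  {%- for family in ['inet4', 'inet6'] %}
  pass stateful out final family {{ family }} all
  {%- endfor %}
  {%- for family, source_var in lan_sources %}
  pass stateful in final family {{ family }} from ${{ source_var }} to any
  {%- endfor %}
  block in all{{ set_log() }}
  {#- TODO(review): `from` has no address on the next line; a table
      reference such as `from <TABLE_NAME>` (TABLE_NAME is a placeholder)
      appears to have been lost and must be restored before npfctl will
      load this file. Left as-is so the config fails closed rather than
      silently dropping the block rule. #}
  block in final from{{ set_log() }}
  pass stateful in final family inet4 proto icmp all
  pass stateful in final family inet6 proto ipv6-icmp all
  {%- if public_ports_tcp %}
  pass stateful in family inet4 proto tcp from any to any port $public_ports_tcp
  pass stateful in family inet6 proto tcp from any to any port $public_ports_tcp
  {%- endif %}
  {%- if public_ports_udp %}
  pass stateful in family inet4 proto udp from any to any port $public_ports_udp
  pass stateful in family inet6 proto udp from any to any port $public_ports_udp
  {%- endif %}
}
{%- endif %}
{%- endfor %}

{#- Everything not matched by an interface group is blocked, except on
    interfaces flagged `skip` in pillar, which are passed through unfiltered
    (the later "pass" wins over "block all" under last-match semantics). #}
group default {
  block all{{ set_log() }}
  {%- for key, value in net.interfaces.items() %}
  {%- if value.skip is defined and value.skip %}
  pass on ${{ key }} all
  {%- endif %}
  {%- endfor %}
}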