enhance firewalld modules and states with ipset, zone_absent, service_absent by remijouannet · Pull Request #67790 · saltstack/salt

remijouannet · 2025-03-06T13:07:46Z

enhance firewalld modules and states with ipset, zone_absent, service_absent

What does this PR do?

Add service_absent and service_present, service become an alias to service_present
Add zone_absent and zone_present, present become an alias to zone_present
Add ipset_absent and ipset_present with necessary functions in firewalld module
add option to some functions to skip check in order to speed up executions
Add target option to zone_present

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Docs
Changelog - https://docs.saltproject.io/en/master/topics/development/changelog.html
Tests written/updated

Commits signed with GPG?

No

remijouannet · 2025-03-06T13:11:01Z

states that i've used to test my changes

firewalld:
  pkg.installed

firewalld_service:
  service.running:
    - name: firewalld
    - enable: True

service_http0:
  firewalld.service_present:
    - name: http0
    - ports:
      - 8000/tcp

service_http1:
  firewalld.service_present:
    - name: http1
    - ports:
      - 8000/tcp

service_http2:
  firewalld.service:
    - name: http2
    - ports:
      - 8000/tcp

ipset_adm:
  firewalld.ipset_present:
    - name: adm
    - ipset_type: hash:net
    - entries:
      - 10.0.0.0/24

ipset_svc1:
  firewalld.ipset_present:
    - name: svc1
    - ipset_type: hash:net
    - entries:
      - 10.0.1.0/24

ipset_svc2:
  firewalld.ipset_present:
    - name: svc2
    - ipset_type: hash:net
    - entries:
      - 10.0.2.0/24

ipset_svc3:
  firewalld.ipset_present:
    - name: svc3
    - ipset_type: hash:net
    - entries:
      - 10.0.3.0/24

zone_svc1:
  firewalld.zone_present:
    - name: test1
    - target: DROP
    - interfaces:
      - eth0
    - prune_rich_rules: True
    - rich_rules:
      - rule protocol value="icmp" accept
      - rule service name="ssh" accept
      - rule family="ipv4" source ipset="adm" accept
      - rule family="ipv4" source ipset="svc1" accept
      - rule family="ipv4" source ipset="svc3" service name="http0" accept

test_ipset:
  firewalld.ipset_absent:
    - name: test1

firewalld:
  pkg.installed

firewalld_service:
  service.running:
    - name: firewalld
    - enable: True

zone_svc4:
  firewalld.zone_absent:
    - name: test2

zone_svc1:
  firewalld.zone_absent:
    - name: test1

service_http0:
  firewalld.service_absent:
    - name: http0

service_http1:
  firewalld.service_absent:
    - name: http0

service_http2:
  firewalld.service_absent:
    - name: http0

ipset_adm:
  firewalld.ipset_absent:
    - name: adm

ipset_svc1:
  firewalld.ipset_absent:
    - name: svc1

ipset_svc2:
  firewalld.ipset_absent:
    - name: svc2

ipset_svc3:
  firewalld.ipset_absent:
    - name: svc3

test_ipset:
  firewalld.ipset_absent:
    - name: test1


firewalld:
  pkg.installed

firewalld_service:
  service.running:
    - name: firewalld
    - enable: True

service_http0:
  firewalld.service_present:
    - name: http0
    - ports:
      - 8000/tcp

service_http1:
  firewalld.service_absent:
    - name: http1

service_http2:
  firewalld.service:
    - name: http2
    - ports:
      - 8001/tcp

ipset_adm:
  firewalld.ipset_present:
    - name: adm
    - ipset_type: hash:net
    - entries:
      - 10.0.0.0/24
      - 10.2.0.0/24

ipset_svc1:
  firewalld.ipset_present:
    - name: svc1
    - ipset_type: hash:net
    - entries:
      - 10.0.1.0/24

ipset_svc2:
  firewalld.ipset_absent:
    - name: svc2

ipset_svc3:
  firewalld.ipset_present:
    - name: svc3
    - ipset_type: hash:net
    - entries:
      - 10.0.3.0/24

zone_svc1:
  firewalld.zone_present:
    - name: test2
    - target: DROP
    - interfaces:
      - eth0
    - prune_rich_rules: True
    - rich_rules:
      - rule protocol value="icmp" accept
      - rule service name="ssh" accept
      - rule family="ipv4" source ipset="adm" accept
      - rule family="ipv4" source ipset="svc1" accept
      - rule family="ipv4" source ipset="svc3" service name="http0" accept

twangboy

This will also need a changelog and some tests for the module and the state.

twangboy · 2025-05-14T21:22:05Z

+
+    .. code-block:: bash
+
+        salt '*' firewalld.get_ipsets


firewalld.info_ipset

twangboy · 2025-05-14T21:23:00Z

+
+def get_target(zone):
+    """
+    Get zone's target


Please document the arguments as well.

twangboy · 2025-05-14T21:23:18Z

+
+def set_target(zone, target, permanent=True):
+    """
+    Set zone's target


These arguments also need to be documented

twangboy · 2025-05-14T21:23:39Z

+
+def get_ipsets(permanent=True):
+    """
+    Print predefined ipsets


permanent needs a docs entry

twangboy · 2025-05-14T21:23:55Z

+
+def info_ipset(ipset):
+    """
+    Print ipset info


document the argument please

twangboy · 2025-05-14T21:24:20Z

+
+def new_ipset(ipset, ipset_type, family=None, options=None, restart=False):
+    """
+    Add a new ipset


document these arguments

twangboy · 2025-05-14T21:25:18Z

+
+def delete_ipset(ipset, permanent=True, restart=True):
+    """
+    Delete an existing ipset


add some docs for these arguments

twangboy · 2025-05-14T21:25:33Z

+
+def add_ipset_entry(ipset, entry):
+    """
+    Add an new entry to the specified ipset.


here as well

twangboy · 2025-05-14T21:25:43Z

+
+def remove_ipset_entry(ipset, entry):
+    """
+    Remove an entry from the specified ipset.


remijouannet · 2026-06-26T13:03:16Z

hello @dwoz, do you need some help for my MR ? i saw you've pushed some change

service_absent

…ent, and target Add changelog/67790.added.md and unit tests for: - firewalld.zone_absent state (exists, absent, test mode) - firewalld.service_absent state (exists, absent) - firewalld.ipset_absent state (exists, absent) - firewalld.ipset_present state (create+entries, idempotent) - firewalld.zone_present with target option (change, idempotent) - firewalld module: get_target, set_target, get_ipsets, new_ipset, delete_ipset, add_ipset_entry, remove_ipset_entry, info_ipset

remijouannet requested a review from a team as a code owner March 6, 2025 13:07

remijouannet temporarily deployed to ci March 6, 2025 13:08 — with GitHub Actions Inactive

remijouannet temporarily deployed to ci March 6, 2025 13:20 — with GitHub Actions Inactive

remijouannet temporarily deployed to ci March 6, 2025 13:27 — with GitHub Actions Inactive

remijouannet temporarily deployed to ci March 6, 2025 13:39 — with GitHub Actions Inactive

remijouannet temporarily deployed to ci March 6, 2025 13:52 — with GitHub Actions Inactive

dmurphy18 added this to the Argon v3008.0 milestone Mar 13, 2025

twangboy requested changes May 14, 2025

View reviewed changes

twangboy added needs-testcase PR needs test cases written, or the issue is about a bug/feature that needs test cases needs-changelog test:full Run the full test suite labels Jul 2, 2025

twangboy temporarily deployed to ci July 2, 2025 15:11 — with GitHub Actions Inactive

twangboy temporarily deployed to ci July 2, 2025 15:12 — with GitHub Actions Inactive

twangboy temporarily deployed to ci July 2, 2025 15:41 — with GitHub Actions Inactive

twangboy modified the milestones: Argon v3008.0, Argon v3008.1 Jun 5, 2026

dwoz removed needs-testcase PR needs test cases written, or the issue is about a bug/feature that needs test cases needs-changelog labels Jun 19, 2026

dwoz had a problem deploying to ci June 19, 2026 10:01 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 10:01 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 10:01 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 10:29 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 10:49 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 10:49 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 10:49 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 10:49 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 11:12 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 11:12 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 11:12 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 11:12 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 11:12 — with GitHub Actions Failure

dwoz had a problem deploying to ci June 19, 2026 12:27 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 12:27 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 12:27 — with GitHub Actions Failure

dwoz temporarily deployed to ci June 19, 2026 12:27 — with GitHub Actions Inactive

dwoz had a problem deploying to ci June 19, 2026 13:09 — with GitHub Actions Failure

remijouannet and others added 4 commits June 28, 2026 14:44

enhance firewalld modules and states with ipset, zone_absent,

dabd8c8

service_absent

add docstring zone_absent

8b36ad4

f

2805c90

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

enhance firewalld modules and states with ipset, zone_absent, service_absent#67790

enhance firewalld modules and states with ipset, zone_absent, service_absent#67790
remijouannet wants to merge 4 commits into
saltstack:masterfrom
remijouannet:firewalld-ipset

remijouannet commented Mar 6, 2025 •

edited by twangboy

Loading

Uh oh!

remijouannet commented Mar 6, 2025

Uh oh!

twangboy left a comment

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

twangboy May 14, 2025

Uh oh!

remijouannet commented Jun 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

remijouannet commented Mar 6, 2025 • edited by twangboy Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What does this PR do?

Merge requirements satisfied?

Commits signed with GPG?

Uh oh!

remijouannet commented Mar 6, 2025

Uh oh!

twangboy left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

remijouannet commented Jun 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

remijouannet commented Mar 6, 2025 •

edited by twangboy

Loading