(#47) Made purge parameters for the 99_simp zone toggle-able (#48)

* (#47) Made purge parameters for the 99_simp zone toggle-able Fixes #47 * Updated the metadata and CHANGELOG * Fixed metadata.json to the correct updated version * updated REFERENCE.md * Fixed CHANGELOG entry
simp · Jan 18, 2024 · 6836cea · 6836cea
1 parent 9e0a731
commit 6836cea
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 27 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,6 @@
+* Thu Jan 18 2024 Mike Riddle <[email protected]> - 0.10.0
+- Made the 99_simp zone purge parameters toggle-able
+
 * Thu Nov 30 2023 Sean Peterson <[email protected]> - 0.9.0
 - Add $simp_zone_masquerade parameter
 

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -62,6 +62,9 @@ The following parameters are available in the `simp_firewalld` class:
 * [`tidy_dirs`](#-simp_firewalld--tidy_dirs)
 * [`tidy_prefix`](#-simp_firewalld--tidy_prefix)
 * [`tidy_minutes`](#-simp_firewalld--tidy_minutes)
+* [`simp_zone_purge_rich_rules`](#-simp_firewalld--simp_zone_purge_rich_rules)
+* [`simp_zone_purge_services`](#-simp_firewalld--simp_zone_purge_services)
+* [`simp_zone_purge_ports`](#-simp_firewalld--simp_zone_purge_ports)
 * [`simp_zone_interfaces`](#-simp_firewalld--simp_zone_interfaces)
 * [`simp_zone_target`](#-simp_firewalld--simp_zone_target)
 * [`simp_zone_masquerade`](#-simp_firewalld--simp_zone_masquerade)
@@ -158,10 +161,10 @@ Default value:
 
 ```puppet
 [
-                                                                                 '/etc/firewalld/icmptypes',
-                                                                                 '/etc/firewalld/ipsets',
-                                                                                 '/etc/firewalld/services',
-                                                                               ]
+                                                                                      '/etc/firewalld/icmptypes',
+                                                                                      '/etc/firewalld/ipsets',
+                                                                                      '/etc/firewalld/services',
+                                                                                    ]
 ```
 
 ##### <a name="-simp_firewalld--tidy_prefix"></a>`tidy_prefix`
@@ -181,6 +184,30 @@ purposes of tidying.
 
 Default value: `10`
 
+##### <a name="-simp_firewalld--simp_zone_purge_rich_rules"></a>`simp_zone_purge_rich_rules`
+
+Data type: `Boolean`
+
+If true, any unmanaged rich rules will be removed from the zone
+
+Default value: `true`
+
+##### <a name="-simp_firewalld--simp_zone_purge_services"></a>`simp_zone_purge_services`
+
+Data type: `Boolean`
+
+If true, any unmanaged services will be removed from the zone
+
+Default value: `true`
+
+##### <a name="-simp_firewalld--simp_zone_purge_ports"></a>`simp_zone_purge_ports`
+
+Data type: `Boolean`
+
+If true, any unmanaged ports will be removed from the zone
+
+Default value: `true`
+
 ##### <a name="-simp_firewalld--simp_zone_interfaces"></a>`simp_zone_interfaces`
 
 Data type: `Array[Optional[String[1]]]`

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -70,6 +70,15 @@
 #   Number of **minutes** to consider a configuration file 'stale' for the
 #   purposes of tidying.
 #
+# @param simp_zone_purge_rich_rules
+#   If true, any unmanaged rich rules will be removed from the zone
+#
+# @param simp_zone_purge_services
+#   If true, any unmanaged services will be removed from the zone
+#
+# @param simp_zone_purge_ports
+#   If true, any unmanaged ports will be removed from the zone
+#
 # @param simp_zone_interfaces
 #   The network interfaces to which the underlying 99_simp zone should apply
 #
@@ -82,27 +91,30 @@
 # @param package_ensure
 #   The 'ensure' value for package resources
 class simp_firewalld (
-  Hash                                                 $rules,               # data in module
-  Enum['iptables','nftables']                          $firewall_backend,    # data in module
-  Boolean                                              $enable               = 'firewalld' in pick($facts['simplib__firewalls'], 'none'),
-  Boolean                                              $complete_reload      = false,
-  Boolean                                              $lockdown             = true,
-  String[1]                                            $default_zone         = '99_simp',
-  Enum['off', 'all','unicast','broadcast','multicast'] $log_denied           = 'unicast',
-  Boolean                                              $enable_tidy          = true,
+  Hash                                                 $rules,                     # data in module
+  Enum['iptables','nftables']                          $firewall_backend,          # data in module
+  Boolean                                              $enable                     = 'firewalld' in pick($facts['simplib__firewalls'], 'none'),
+  Boolean                                              $complete_reload            = false,
+  Boolean                                              $lockdown                   = true,
+  String[1]                                            $default_zone               = '99_simp',
+  Enum['off', 'all','unicast','broadcast','multicast'] $log_denied                 = 'unicast',
+  Boolean                                              $enable_tidy                = true,
   # lint:ignore:2sp_soft_tabs
-  Array[Stdlib::Absolutepath]                          $tidy_dirs            = [
-                                                                                 '/etc/firewalld/icmptypes',
-                                                                                 '/etc/firewalld/ipsets',
-                                                                                 '/etc/firewalld/services',
-                                                                               ],
+  Array[Stdlib::Absolutepath]                          $tidy_dirs                  = [
+                                                                                      '/etc/firewalld/icmptypes',
+                                                                                      '/etc/firewalld/ipsets',
+                                                                                      '/etc/firewalld/services',
+                                                                                    ],
   # lint:endignore
-  String[1]                                            $tidy_prefix          = 'simp_',
-  Integer[1]                                           $tidy_minutes         = 10,
-  Array[Optional[String[1]]]                           $simp_zone_interfaces = [],
-  Enum['default', 'ACCEPT', 'REJECT', 'DROP']          $simp_zone_target     = 'DROP',
-  Boolean                                              $simp_zone_masquerade = false,
-  String[1]                                            $package_ensure       = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
+  String[1]                                            $tidy_prefix                = 'simp_',
+  Integer[1]                                           $tidy_minutes               = 10,
+  Boolean                                              $simp_zone_purge_rich_rules = true,
+  Boolean                                              $simp_zone_purge_services   = true,
+  Boolean                                              $simp_zone_purge_ports      = true,
+  Array[Optional[String[1]]]                           $simp_zone_interfaces       = [],
+  Enum['default', 'ACCEPT', 'REJECT', 'DROP']          $simp_zone_target           = 'DROP',
+  Boolean                                              $simp_zone_masquerade       = false,
+  String[1]                                            $package_ensure             = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
 ) {
   if $enable {
     Exec { path => '/usr/bin:/bin' }
@@ -135,9 +147,9 @@
 
     firewalld_zone { '99_simp':
       ensure           => 'present',
-      purge_rich_rules => true,
-      purge_services   => true,
-      purge_ports      => true,
+      purge_rich_rules => $simp_zone_purge_rich_rules,
+      purge_services   => $simp_zone_purge_services,
+      purge_ports      => $simp_zone_purge_ports,
       interfaces       => $simp_zone_interfaces,
       target           => $simp_zone_target,
       masquerade       => $simp_zone_masquerade,

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "simp-simp_firewalld",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "author": "SIMP Team",
   "summary": "SIMP-oriented firewalld management",
   "license": "Apache-2.0",