feat(zone.xml): allow to rate limit 'accept' in rich rules

The current rich_rule macro is supporting to set if the connection should be accepted or rejected or dropped but doesn't support setting rate limiting in the 'accept' case. Add code for that. Signed-off-by: Arnaud Patard <apatard@hupstream.com>
saltstack-formulas · Jan 21, 2021 · a2f4f3b · a2f4f3b
1 parent 4d797fc
commit a2f4f3b
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/firewalld/files/zone.xml b/firewalld/files/zone.xml
@@ -60,7 +60,7 @@
     <audit>{%- if 'limit' in rule.audit %} <limit value="{{ rule.audit.limit }}"/>{%- endif %}</audit>
   {%- endif %}
   {%- if 'accept' in rule %}
-    <accept/>
+    <accept>{%- if rule.accept is mapping and 'limit' in rule.accept %} <limit value="{{ rule.accept.limit }}"/>{%- endif %}</accept>
   {%- endif %}
   {%- if 'reject' in rule %}
     <reject{%- if 'type' in rule.reject %} type="{{ rule.reject.type }}"{%- endif %} />

diff --git a/test/integration/default/controls/zones_spec.rb b/test/integration/default/controls/zones_spec.rb
@@ -31,7 +31,7 @@
           <source-port port="4444" protocol="tcp" />
           <rule family="ipv4">
             <source address="8.8.8.8/24" />
-            <accept/>
+            <accept></accept>
           </rule>
           <rule family="ipv4">
             <source ipset="fail2ban-ssh" />
@@ -59,12 +59,12 @@
           <rule>
             <source ipset="fail2ban-ssh" />
             <service name="ssh" />
-            <accept/>
+            <accept></accept>
           </rule>
           <rule>
             <source ipset="other-ipset" />
             <service name="ssh" />
-            <accept/>
+            <accept></accept>
           </rule>
         </zone>
       ZONE_XML