Extend firewall stage to set the default zone

Extend the firewall stage to allow setting the default firewall zone. Modify the stage unit test accordingly. Signed-off-by: Tomas Hozza <thozza@redhat.com>
2022-02-28 16:39:34 +01:00 · 2022-02-28 16:39:34 +01:00 · e71a91f5d0
commit e71a91f5d0
parent 3eb91401cf
4 changed files with 21 additions and 5 deletions
--- a/stages/org.osbuild.firewall
+++ b/stages/org.osbuild.firewall
@ -59,6 +59,10 @@ SCHEMA = """
      "type": "string",
      "description": "Service name (from /{lib,etc}/firewalld/services/*.xml)"
    }
+  },
+  "default_zone": {
+    "description": "Set default zone for connections and interfaces where no zone has been selected.",
+    "type": "string"
  }
 }
 """
@ -72,7 +76,14 @@ def main(tree, options):
    enabled_services = options.get("enabled_services", [])
    disabled_services = options.get("disabled_services", [])

+    default_zone = options.get("default_zone", "")
+
    # firewall-offline-cmd does not implement --root option so we must chroot it
+    if default_zone:
+        subprocess.run(["chroot", tree, "firewall-offline-cmd", f"--set-default-zone={default_zone}"], check=True)
+
+    # The options below are "lokkit" compatibility options and can not be used
+    # with other options.
    subprocess.run(["chroot",
                    tree,
                    "firewall-offline-cmd"] +