adding ability to assign hostgroup to single minion - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641

files/firewall/hostgroups.local.yaml

@@ -20,6 +20,7 @@ firewall:
       ips:
         delete:
         insert:
+          - 10.10.10.10
     minion:
       ips:
         delete:

salt/firewall/init.sls

@@ -1,7 +1,6 @@
 # Firewall Magic for the grid
 {% from 'firewall/map.jinja' import hostgroups with context %}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context %}
-{% set role = grains.id.split('_') | last %}
 
 # Quick Fix for Docker being difficult
 iptables_fix_docker:
@@ -85,8 +84,8 @@ enable_docker_user_established:
     - match: conntrack
     - ctstate: 'RELATED,ESTABLISHED'
 
-{% for chain, hg in assigned_hostgroups.role[role].chain.items() %}
+{% for chain, hg in assigned_hostgroups.chain.items() %}
-  {% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %}
+  {% for hostgroup, portgroups in assigned_hostgroups.chain[chain].hostgroups.items() %}
     {% for action in ['insert', 'delete' ] %}
       {% if hostgroups[hostgroup].ips[action] %}
         {% for ip in hostgroups[hostgroup].ips[action] %}

salt/firewall/map.jinja

@@ -1,7 +1,31 @@
+{% set role = grains.id.split('_') | last %}
+
+{% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
+{% set default_portgroups = default_portgroups.firewall.aliases.ports %}
+{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
+{% set local_portgroups = local_portgroups.firewall.aliases.ports %}
+{% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
+{% set defined_portgroups = portgroups %}
+
 {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %}
 {% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %}
 {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %}
 
+{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}
+{% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %}
+  {% set translated_pillar_assigned_hostgroups = {} %}
+  {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %}
+    {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %}
+      {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %}
+      {% for pillar_portgroup in pillar_portgroups.portgroups %}
+        {% set pillar_portgroup = pillar_portgroup.split('.') | last %}
+        {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %}
+      {% endfor %}
+    {% endfor %}
+  {% endfor %}
+{% endif %}
+
 {% import_yaml 'firewall/assigned_hostgroups.map.yaml' as default_assigned_hostgroups %}
 {% import_yaml 'firewall/assigned_hostgroups.local.map.yaml' as local_assigned_hostgroups %}
-{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups, default_assigned_hostgroups, merge_lists=True, in_place=False) %}
+{% set assigned_hostgroups = salt['defaults.merge'](local_assigned_hostgroups.role[role], default_assigned_hostgroups.role[role], merge_lists=True, in_place=False) %}
+{% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %}