===============================================
Example Salt state – custom firewall for space
===============================================

The configurations in this document offer an end-to-end example of a
variety of Salt topics. They show how Salt can be used to customize the
environment-wide firewall script on bonders that are members of a space.
The list of bonders in the space must be maintained manually.

Configuring Salt states
------------------------

There is a single firewall configuration file for the whole
SD-WAN environment. This file is downloaded as
``/etc/bonding/nftables/filter-input-99-trusted-networks.nft`` to all bonders, aggregators, and
PWAN-routers, and is stored at
``/etc/bondingadmin/salt-config/states/node/filter-input-99-trusted-networks.nft`` on management
servers. However, the file need not be copied verbatim from the
management server to nodes—it can be structured to include data that
changes for each node. We use this capability to issue the standard
``filter-input-99-trusted-networks.nft`` file to some nodes, while adding additional IPs for nodes
in a certain space.

.. note::

  Nodes version 6.5 and lower use ``known_ips`` configuration file

To add the capability to include per-node information in the
``filter-input-99-trusted-networks.nft`` file, insert this line in the {} section of the ip saddr line ( ensure there are no blank lines within the brackets {} ) within the file located at
``/etc/bondingadmin/salt-config/states/node/filter-input-99-trusted-networks.nft``:

::

    {% for ip in pillar.get('space_known_ips', []) %}{{ip}}, {% endfor %}}

This is a Salt template command that fetches a list, called
``space_known_ips``, which for some nodes will be empty and for some
nodes will include one or more additional IPs. Each IP in the list,
is added to the ``nftables`` command that is written to the file.

Configuring Salt pillars
-------------------------

"Pillars" are Salt's way of assigning specific configuration data to
specific minions. For example, sensitive passwords could be provided
only to the hosts that Salt knows require access to the passwords, and
not to any other hosts.

To make a new list of IP addresses, you need to make a new directory in
``/etc/bondingadmin/salt-config/pillars/``. You can name the directory
anything you want, but we recommend you name it by the space key of the
space to which you will assign the list. For example, if the space key
is ``granvi``, you might do:

::

    mkdir /etc/bondingadmin/salt-config/pillars/granvi

Then create a file in that directory called ``known-ips.sls``:

**/etc/bondingadmin/salt-config/pillars/granvi/known-ips.sls**

::

     space_known_ips:
      - 198.51.100.0/24
      - 203.0.113.0

This list specifies the IPs to assign to the special bonds. You can
specify single IPs, which are interpreted as /32s, or you can specify
the CIDR mask size as in the example above. The file uses YAML
formatting, so add each new IP on its own line after two spaces and a
dash, as in the example. The name of the list ("space_known_ips" in
the example) must match the name of the pillar being retrieved in
``/etc/bondingadmin/salt-config/states/node/known_ips``.

Finally, you need to assign the appropriate pillar to the appropriate
nodes. This is done in the pillar top file at
``/etc/bondingadmin/salt-config/pillars/top.sls``, which is common to
the entire environment. Since this list is managed manually, you can mix
and match nodes from different spaces, or omit some nodes from a space
(for example, include only bonders, not aggregators).

**/etc/bondingadmin/salt-config/pillars/top.sls**

::

     base:
      'L@node-3,node-5,node-10':
        - granvi.known-ips

The line containing "L@" defines a list of nodes by their minion ID. The
above example includes nodes 3, 5, and 10 in the list.

.. note::

    The list of minions must be maintained manually. It does not
    automatically update if a bond or aggregator is added to a space.

The node/minion IDs are found as follows:

Bonders
++++++++

The node ID of a bonder is found in the "advanced" section of the
Details pane on the bond details page:

|image0|

For example, the bond in the above image is bond 87, but the bonder ID
is 146, meaning the minion ID is "node-146".

Aggregators and PWAN routers
+++++++++++++++++++++++++++++

The node ID is simply the aggregator ID or PWAN router ID. For example,
the minion ID of aggregator 2 is "node-2".

Testing
--------

To verify the configuration, create an SSH session to one of the nodes
targeted by the top.sls file. Then update the Salt configuration by
running this command on the node:

::

    salt-call state.apply

This command should return without errors. If an error message is shown,
review it and address the issue.

Then run this command on the node:

::

    nft list table inet filter

You should see the new IP addresses at the bottom of the list of accepted
IPs. If you don't see the new IPs, review the various files described
above to ensure the changes have been made appropriately.

Finally, tell all the nodes to update their configuration by running
this command on the management server:

::

    salt '*' state.apply

If you have questions, please contact `tech
support <../../spaces/technical-support.html>`__.

.. |image0| image:: /attachments/11669117/11669119.png
