Vendor the external cookbooks

Knife-Zero doesn't include Berkshelf support, so vendoring everything in
the repo is convenient again

cookbooks/firewall/libraries/helpers_firewalld.rb

@@ -0,0 +1,116 @@
+module FirewallCookbook
+  module Helpers
+    module Firewalld
+      include FirewallCookbook::Helpers
+      include Chef::Mixin::ShellOut
+
+      def firewalld_rules_filename
+        '/etc/sysconfig/firewalld-chef.rules'
+      end
+
+      def firewalld_rule!(cmd)
+        shell_out!(cmd, input: 'yes')
+      end
+
+      def firewalld_active?
+        cmd = shell_out('firewall-cmd', '--state')
+        cmd.stdout =~ /^running$/
+      end
+
+      def firewalld_default_zone?(z)
+        return false unless firewalld_active?
+
+        cmd = shell_out('firewall-cmd', '--get-default-zone')
+        cmd.stdout =~ /^#{z.to_s}$/
+      end
+
+      def firewalld_default_zone!(z)
+        raise 'firewalld not active' unless firewalld_active?
+
+        shell_out!('firewall-cmd', "--set-default-zone=#{z}")
+      end
+
+      def log_current_firewalld
+        shell_out!('firewall-cmd --direct --get-all-rules')
+      end
+
+      def firewalld_flush!
+        raise 'firewall not active' unless firewalld_active?
+
+        shell_out!('firewall-cmd', '--direct', '--remove-rules', 'ipv4', 'filter', 'INPUT')
+        shell_out!('firewall-cmd', '--direct', '--remove-rules', 'ipv4', 'filter', 'OUTPUT')
+        shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'INPUT')
+        shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'OUTPUT')
+      end
+
+      def firewalld_all_rules_permanent!
+        raise 'firewall not active' unless firewalld_active?
+
+        rules = shell_out!('firewall-cmd', '--direct', '--get-all-rules').stdout
+        perm_rules = shell_out!('firewall-cmd', '--direct', '--permanent', '--get-all-rules').stdout
+        rules == perm_rules
+      end
+
+      def firewalld_save!
+        raise 'firewall not active' unless firewalld_active?
+
+        shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'INPUT')
+        shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'OUTPUT')
+        shell_out!('firewall-cmd', '--direct', '--get-all-rules').stdout.lines do |line|
+          shell_out!("firewall-cmd --direct --permanent --add-rule #{line}")
+        end
+      end
+
+      def ip_versions(resource)
+        if ipv4_rule?(resource)
+          %w(ipv4)
+        elsif ipv6_rule?(resource)
+          %w(ipv6)
+        else # no source or destination address, add rules for both ipv4 and ipv6
+          %w(ipv4 ipv6)
+        end
+      end
+
+      CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' }.freeze unless defined? CHAIN # , nil => "FORWARD"}
+      TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix \'iptables: \' --log-level 7' }.freeze unless defined? TARGET
+
+      def build_firewall_rule(new_resource, ip_version = 'ipv4')
+        return new_resource.raw.strip if new_resource.raw
+
+        type = new_resource.command
+        firewall_rule = if new_resource.direction
+                          "#{ip_version} filter #{CHAIN[new_resource.direction.to_sym]} "
+                        else
+                          "#{ip_version} filter FORWARD "
+                        end
+        firewall_rule << "#{new_resource.position} "
+
+        if [:pre, :post].include?(new_resource.direction)
+          firewall_rule << '-t nat '
+        end
+
+        # Firewalld order of prameters is important here see example output below:
+        # ipv4 filter INPUT 1 -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP
+        firewall_rule << "-s #{ip_with_mask(new_resource, new_resource.source)} " if new_resource.source && new_resource.source != '0.0.0.0/0'
+        firewall_rule << "-d #{new_resource.destination} " if new_resource.destination
+
+        firewall_rule << "-i #{new_resource.interface} " if new_resource.interface
+        firewall_rule << "-o #{new_resource.dest_interface} " if new_resource.dest_interface
+
+        firewall_rule << "-p #{new_resource.protocol} " if new_resource.protocol && new_resource.protocol.to_s.to_sym != :none
+        firewall_rule << '-m tcp ' if new_resource.protocol && new_resource.protocol.to_s.to_sym == :tcp
+
+        # using multiport here allows us to simplify our greps and rule building
+        firewall_rule << "-m multiport --sports #{port_to_s(new_resource.source_port)} " if new_resource.source_port
+        firewall_rule << "-m multiport --dports #{port_to_s(dport_calc(new_resource))} " if dport_calc(new_resource)
+
+        firewall_rule << "-m state --state #{new_resource.stateful.is_a?(Array) ? new_resource.stateful.join(',').upcase : new_resource.stateful.to_s.upcase} " if new_resource.stateful
+        firewall_rule << "-m comment --comment '#{new_resource.description}' " if new_resource.include_comment
+        firewall_rule << "-j #{TARGET[type]} "
+        firewall_rule << "--to-ports #{new_resource.redirect_port} " if type == :redirect
+        firewall_rule.strip!
+        firewall_rule
+      end
+    end
+  end
+end