diff options
author | elijah <elijah@riseup.net> | 2013-03-17 13:15:51 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2013-03-17 13:15:51 -0700 |
commit | ad62cfdad04c8f8ed9d6454f716c92e850ac53ba (patch) | |
tree | c4321297d2b60edc37ca10501340cb865d95bfa5 /puppet/modules/site_shorewall | |
parent | 4ec32a1f773918b2c7a42c117fbad110c07df458 (diff) |
added support for "limited" service levels (although vpn is not yet actually rate limited).
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat_rule.pp | 40 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 61 |
2 files changed, 51 insertions, 50 deletions
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 0b4370df..e1ea86ec 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp @@ -2,30 +2,32 @@ define site_shorewall::dnat_rule { $port = $name if $port != 1194 { - shorewall::rule { - "dnat_tcp_port_$port": - action => 'DNAT', - source => 'net', - destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", - proto => 'tcp', - destinationport => $port, - order => 100; - } - shorewall::rule { - "dnat_udp_port_$port": - action => 'DNAT', - source => 'net', - destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", - proto => 'udp', - destinationport => $port, - order => 100; + if $site_openvpn::openvpn_allow_paid { + shorewall::rule { + "dnat_tcp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + proto => 'tcp', + destinationport => $port, + order => 100; + } + shorewall::rule { + "dnat_udp_port_$port": + action => 'DNAT', + source => 'net', + destination => "\$FW:${site_openvpn::paid_gateway_address}:1194", + proto => 'udp', + destinationport => $port, + order => 100; + } } if $site_openvpn::openvpn_allow_free { shorewall::rule { "dnat_free_tcp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::free_gateway_address}:1194", proto => 'tcp', destinationport => $port, order => 100; @@ -34,7 +36,7 @@ define site_shorewall::dnat_rule { "dnat_free_udp_port_$port": action => 'DNAT', source => 'net', - destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194", + destination => "\$FW:${site_openvpn::free_gateway_address}:1194", proto => 'udp', destinationport => $port, order => 100; diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index d2bf3c4c..95c3920e 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp @@ -3,10 +3,6 @@ class site_shorewall::eip { include site_shorewall::defaults include site_shorewall::ip_forward - $openvpn_config = hiera('openvpn') - $openvpn_ports = $openvpn_config['ports'] - $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address - # define macro for incoming services file { '/etc/shorewall/macro.leap_eip': content => "PARAM - - tcp 1194 @@ -16,41 +12,45 @@ PARAM - - udp 1194 require => Package['shorewall'] } - shorewall::interface { 'tun0': zone => 'eip', options => 'tcpflags,blacklist,nosmurfs'; 'tun1': zone => 'eip', - options => 'tcpflags,blacklist,nosmurfs' + options => 'tcpflags,blacklist,nosmurfs'; + 'tun2': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; + 'tun3': + zone => 'eip', + options => 'tcpflags,blacklist,nosmurfs'; } + shorewall::zone { + 'eip': + type => 'ipv4'; + } - shorewall::zone {'eip': - type => 'ipv4'; } - - case $::virtual { - 'virtualbox': { - shorewall::masq { - 'eth0_tcp': - interface => 'eth0', - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; - 'eth0_udp': - interface => 'eth0', - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } - default: { - $interface = $site_shorewall::defaults::interface - shorewall::masq { - "${interface}_tcp": - interface => $interface, - source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; + if $::virtual == 'virtualbox' { + $interface = 'eth0' + } else { + $interface = $site_shorewall::defaults::interface + } - "${interface}_udp": - interface => $interface, - source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } - } + shorewall::masq { + "${interface}_unlimited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; + "${interface}_unlimited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; + "${interface}_limited_tcp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; + "${interface}_limited_udp": + interface => $interface, + source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}"; } shorewall::policy { @@ -70,7 +70,6 @@ PARAM - - udp 1194 } # create dnat rule for each port - #create_resources('site_shorewall::dnat_rule', $openvpn_ports) - site_shorewall::dnat_rule { $openvpn_ports: } + site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: } } |