summaryrefslogtreecommitdiff
path: root/puppet/modules/site_shorewall
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2013-03-17 13:15:51 -0700
committerelijah <elijah@riseup.net>2013-03-17 13:15:51 -0700
commitad62cfdad04c8f8ed9d6454f716c92e850ac53ba (patch)
treec4321297d2b60edc37ca10501340cb865d95bfa5 /puppet/modules/site_shorewall
parent4ec32a1f773918b2c7a42c117fbad110c07df458 (diff)
added support for "limited" service levels (although vpn is not yet actually rate limited).
Diffstat (limited to 'puppet/modules/site_shorewall')
-rw-r--r--puppet/modules/site_shorewall/manifests/dnat_rule.pp40
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp61
2 files changed, 51 insertions, 50 deletions
diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
index 0b4370df..e1ea86ec 100644
--- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp
+++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp
@@ -2,30 +2,32 @@ define site_shorewall::dnat_rule {
$port = $name
if $port != 1194 {
- shorewall::rule {
- "dnat_tcp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'tcp',
- destinationport => $port,
- order => 100;
- }
- shorewall::rule {
- "dnat_udp_port_$port":
- action => 'DNAT',
- source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_gateway_address}:1194",
- proto => 'udp',
- destinationport => $port,
- order => 100;
+ if $site_openvpn::openvpn_allow_paid {
+ shorewall::rule {
+ "dnat_tcp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::paid_gateway_address}:1194",
+ proto => 'tcp',
+ destinationport => $port,
+ order => 100;
+ }
+ shorewall::rule {
+ "dnat_udp_port_$port":
+ action => 'DNAT',
+ source => 'net',
+ destination => "\$FW:${site_openvpn::paid_gateway_address}:1194",
+ proto => 'udp',
+ destinationport => $port,
+ order => 100;
+ }
}
if $site_openvpn::openvpn_allow_free {
shorewall::rule {
"dnat_free_tcp_port_$port":
action => 'DNAT',
source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::free_gateway_address}:1194",
proto => 'tcp',
destinationport => $port,
order => 100;
@@ -34,7 +36,7 @@ define site_shorewall::dnat_rule {
"dnat_free_udp_port_$port":
action => 'DNAT',
source => 'net',
- destination => "\$FW:${site_openvpn::openvpn_free_gateway_address}:1194",
+ destination => "\$FW:${site_openvpn::free_gateway_address}:1194",
proto => 'udp',
destinationport => $port,
order => 100;
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index d2bf3c4c..95c3920e 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -3,10 +3,6 @@ class site_shorewall::eip {
include site_shorewall::defaults
include site_shorewall::ip_forward
- $openvpn_config = hiera('openvpn')
- $openvpn_ports = $openvpn_config['ports']
- $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address
-
# define macro for incoming services
file { '/etc/shorewall/macro.leap_eip':
content => "PARAM - - tcp 1194
@@ -16,41 +12,45 @@ PARAM - - udp 1194
require => Package['shorewall']
}
-
shorewall::interface {
'tun0':
zone => 'eip',
options => 'tcpflags,blacklist,nosmurfs';
'tun1':
zone => 'eip',
- options => 'tcpflags,blacklist,nosmurfs'
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun2':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
+ 'tun3':
+ zone => 'eip',
+ options => 'tcpflags,blacklist,nosmurfs';
}
+ shorewall::zone {
+ 'eip':
+ type => 'ipv4';
+ }
- shorewall::zone {'eip':
- type => 'ipv4'; }
-
- case $::virtual {
- 'virtualbox': {
- shorewall::masq {
- 'eth0_tcp':
- interface => 'eth0',
- source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
- 'eth0_udp':
- interface => 'eth0',
- source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
- }
- default: {
- $interface = $site_shorewall::defaults::interface
- shorewall::masq {
- "${interface}_tcp":
- interface => $interface,
- source => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}";
+ if $::virtual == 'virtualbox' {
+ $interface = 'eth0'
+ } else {
+ $interface = $site_shorewall::defaults::interface
+ }
- "${interface}_udp":
- interface => $interface,
- source => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; }
- }
+ shorewall::masq {
+ "${interface}_unlimited_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}";
+ "${interface}_unlimited_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}";
+ "${interface}_limited_tcp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}";
+ "${interface}_limited_udp":
+ interface => $interface,
+ source => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}";
}
shorewall::policy {
@@ -70,7 +70,6 @@ PARAM - - udp 1194
}
# create dnat rule for each port
- #create_resources('site_shorewall::dnat_rule', $openvpn_ports)
- site_shorewall::dnat_rule { $openvpn_ports: }
+ site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: }
}