From b0e1e4c82db3c70ddc67639a9b983de89b415477 Mon Sep 17 00:00:00 2001
From: Micah
Date: Tue, 24 May 2016 10:19:26 -0400
Subject: Squashed 'puppet/modules/shorewall/' content from commit 34fbca6
git-subtree-dir: puppet/modules/shorewall
git-subtree-split: 34fbca68d478c2edd5f13e74245cf675b5b53303
---
manifests/rules/libvirt/host.pp | 79 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 manifests/rules/libvirt/host.pp
(limited to 'manifests/rules/libvirt/host.pp')
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
new file mode 100644
index 00000000..c2268659
--- /dev/null
+++ b/manifests/rules/libvirt/host.pp
@@ -0,0 +1,79 @@
+class shorewall::rules::libvirt::host (
+ $vmz = 'vmz',
+ $masq_iface = 'eth0',
+ $debproxy_port = 8000,
+ $accept_dhcp = true,
+ $vmz_iface = 'virbr0',
+ ) {
+
+ define shorewall::rule::accept::from_vmz (
+ $proto = '-',
+ $destinationport = '-',
+ $action = 'ACCEPT'
+ ) {
+ shorewall::rule { $name:
+ source => $shorewall::rules::libvirt::host::vmz,
+ destination => '$FW',
+ order => 300,
+ proto => $proto,
+ destinationport => $destinationport,
+ action => $action;
+ }
+ }
+
+ shorewall::policy {
+ 'fw-to-vmz':
+ sourcezone => '$FW',
+ destinationzone => $vmz,
+ policy => 'ACCEPT',
+ order => 110;
+ 'vmz-to-net':
+ sourcezone => $vmz,
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 200;
+ 'vmz-to-all':
+ sourcezone => $vmz,
+ destinationzone => 'all',
+ policy => 'DROP',
+ shloglevel => 'info',
+ order => 800;
+ }
+
+ shorewall::rule::accept::from_vmz {
+ 'accept_dns_from_vmz':
+ action => 'DNS(ACCEPT)';
+ 'accept_tftp_from_vmz':
+ action => 'TFTP(ACCEPT)';
+ 'accept_puppet_from_vmz':
+ proto => 'tcp',
+ destinationport => '8140',
+ action => 'ACCEPT';
+ }
+
+ if $accept_dhcp {
+ shorewall::mangle { 'CHECKSUM:T':
+ source => '-',
+ destination => $vmz_iface,
+ proto => 'udp',
+ destinationport => '68';
+ }
+ }
+
+ if $debproxy_port {
+ shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
+ proto => 'tcp',
+ destinationport => $debproxy_port,
+ action => 'ACCEPT';
+ }
+ }
+
+ if $masq_iface {
+ shorewall::masq {
+ "masq-${masq_iface}":
+ interface => $masq_iface,
+ source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+ }
+ }
+
+}
-- cgit v1.2.3
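Review bot: The `shorewall::masq` resource at the end of the hunk NATs any packet sourced from 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12 or 192.168.0.0/16 that leaves `$masq_iface`, not only traffic arriving from `$vmz_iface`, so on a host that also forwards for another internal interface that traffic would be masqueraded too (and 169.254.0.0/16 is link-local, which normally should not be routed at all). If the intent is guest traffic only, scoping the source to the bridge, e.g. `source => $vmz_iface` (the Shorewall masq SOURCE column accepts an interface name as well as networks, as far as I recall), keeps the NAT tied to the zone the class manages; if the broad match is deliberate, a comment saying so on the `source` line would help the next maintainer. Separately, `$debproxy_port = 8000` combined with `if $debproxy_port` opens TCP 8000 from the vmz to the firewall by default even on hosts running no apt proxy; a comment on the parameter such as `# port of the apt proxy on this host; set to false to skip the rule` would make the opt-out explicit.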