diff options
| author | Micah <micah@riseup.net> | 2017-02-10 19:58:46 +0000 |
|---|---|---|
| committer | Micah <micah@riseup.net> | 2017-02-10 19:58:46 +0000 |
| commit | 054ccc9e8ee0a03e98165ee44f113ce7ccf3bc5c (patch) | |
| tree | a3effe5ee95ba858740d8d1b7e9c2f2e1007e0ff | |
| parent | f560a426885f0982cae39495321222158a69e895 (diff) | |
| parent | 50acce5dee1b76746f81d7c300913dd7d58021d4 (diff) | |
Merge branch '5.x' into 'master'
changes needed for 5.x
See merge request !7
| -rw-r--r-- | lib/facter/shorewall_major_version.rb | 5 | ||||
| -rw-r--r-- | manifests/blrules.pp | 35 | ||||
| -rw-r--r-- | manifests/rule_section.pp | 8 | ||||
| -rw-r--r-- | templates/blrules.erb | 15 |
4 files changed, 62 insertions, 1 deletions
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb new file mode 100644 index 0000000..0068b48 --- /dev/null +++ b/lib/facter/shorewall_major_version.rb @@ -0,0 +1,5 @@ +Facter.add("shorewall_major_version") do + setcode do + Facter::Util::Resolution.exec('shorewall version').split('.').first || nil + end +end diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..b8fe73f --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,35 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template('shorewall/blrules.erb'), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, + group => 0, + mode => '0644'; + } +} diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..f5fa785 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,13 @@ define shorewall::rule_section( $order ){ + if versioncmp($shorewall_major_version,'4') > 0 { + $rule_section_prefix = '?' + } else { + $rule_section_prefix = '' + } + shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } diff --git a/templates/blrules.erb b/templates/blrules.erb new file mode 100644 index 0000000..4c9af79 --- /dev/null +++ b/templates/blrules.erb @@ -0,0 +1,15 @@ +# +# Shorewall version 4.4 - Rule-based Blacklisting +# +# For information about entries in this file, type "man shorewall-blrules" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +<% @whitelists.each do |value| -%> +WHITELIST <%= value %> +<% end -%> +<% @drops.each do |value| -%> +REJECT <%= value %> +<% end -%> |