authorMicah Anderson <micah@riseup.net>2013-06-14 13:52:52 -0400
committerMicah Anderson <micah@riseup.net>2013-06-14 13:52:52 -0400
commit3749a297cd979dc234194d1887e3b46a789b3b1a (patch)
tree280b09cbadeb2fe2de163112bc2f64d1fce651d0
parentdd8491acea7fdd2324ec6db853ff0fd438d9b54a (diff)
parent06c5058752f7c1856380766784f48e077c3194ed (diff)
Merge branch 'master' into leap
Conflicts: manifests/base.pp
-rw-r--r--README6
-rw-r--r--manifests/base.pp68
-rw-r--r--manifests/centos.pp17
-rw-r--r--manifests/init.pp82
-rw-r--r--manifests/rules/libvirt/host.pp50
5 files changed, 134 insertions, 89 deletions
diff --git a/README b/README
index f0b13cc..3a84b3b 100644
--- a/README
+++ b/README
@@ -4,6 +4,12 @@ Puppet Module for Shorewall
---------------------------
This module manages the configuration of Shorewall (http://www.shorewall.net/)
+Requirements
+------------
+
+This module requires the augeas module, you can find that here:
+https://labs.riseup.net/code/projects/shared-augeas
+
Copyright
---------
diff --git a/manifests/base.pp b/manifests/base.pp
index a39029f..4ee8747 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,36 +1,48 @@
+# base things for shorewall
class shorewall::base {
- package { 'shorewall':
- ensure => $shorewall::ensure_version,
- }
+ package { 'shorewall':
+ ensure => $shorewall::ensure_version,
+ }
+
+ # This file has to be managed in place, so shorewall can find it
+ file {
+ '/etc/shorewall/shorewall.conf':
+ require => Package[shorewall],
+ notify => Service[shorewall],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ '/etc/shorewall/puppet':
+ ensure => directory,
+ require => Package[shorewall],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
- # This file has to be managed in place, so shorewall can find it
- file {
- '/etc/shorewall/shorewall.conf':
- require => Package[shorewall],
- notify => Service[shorewall],
- owner => root, group => 0, mode => 0644;
- '/etc/shorewall/puppet':
- ensure => directory,
- require => Package[shorewall],
- owner => root, group => 0, mode => 0644;
+ if $shorewall::conf_source {
+ File['/etc/shorewall/shorewall.conf']{
+ source => $shorewall::conf_source,
}
+ } else {
- include augeas
+ require augeas
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Service[shorewall],
- require => [ Package['shorewall'], Class[augeas] ];
- }
+ augeas { 'shorewall_module_config_path':
+ changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+ }
- service{shorewall:
- ensure => running,
- enable => true,
- hasstatus => true,
- hasrestart => true,
- require => Package[shorewall],
- }
+ service{'shorewall':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package['shorewall'],
+ }
}
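Review bot: The `if $shorewall::conf_source {` branch drops the augeas edit that points CONFIG_PATH at /etc/shorewall/puppet, so a sourced shorewall.conf that does not itself set `CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"` would leave every file this module manages under /etc/shorewall/puppet unread and shorewall would compile its ruleset from whatever sits in /etc/shorewall instead. Puppet would not notice: the service still restarts cleanly, so the host runs a different firewall policy than the one declared. I would add a comment on that branch: `# A sourced shorewall.conf must set CONFIG_PATH to include /etc/shorewall/puppet, otherwise the files managed in that directory are never read.` Separately, `mode => '0644'` on the `/etc/shorewall/puppet` directory reads as a non-traversable directory; Puppet adds the search bit wherever read is set, but `mode => '0755'` states the intent and spares the next reader the double-take.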
diff --git a/manifests/centos.pp b/manifests/centos.pp
index 7968b69..f671bc9 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,12 +1,13 @@
+# things needed on centos
class shorewall::centos inherits shorewall::base {
- if $::lsbmajdistrelease == '6' {
- # workaround for
- # http://comments.gmane.org/gmane.comp.security.shorewall/26991
- file{'/etc/shorewall/params':
- ensure => link,
- target => '/etc/shorewall/puppet/params',
- before => Service['shorewall'],
- require => File['/etc/shorewall/puppet']
+ if $::lsbmajdistrelease > 5 {
+ augeas{'enable_shorewall':
+ context => '/files/etc/sysconfig/shorewall',
+ changes => 'set startup 1',
+ lens => 'Shellvars.lns',
+ incl => '/etc/sysconfig/shorewall',
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
}
}
}
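Review bot: `if $::lsbmajdistrelease > 5` compares a string fact with an integer, and on a CentOS host without the redhat-lsb package the fact is undefined, so the condition is false and `startup` in /etc/sysconfig/shorewall is never set; if, as the original workaround comment suggests, the packaged init script gates on that value, the host comes back from a reboot with no firewall while Puppet reports success. `if versioncmp($::operatingsystemrelease, '6') >= 0 {` does not depend on the lsb package, and avoids the string/integer comparison that I believe newer Puppet releases reject outright. The value `set startup 1` is also hard-coded while the class exposes a `$startup` parameter (default `'1'`) in init.pp; `changes => "set startup ${shorewall::startup}",` would keep the two from drifting apart.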
diff --git a/manifests/init.pp b/manifests/init.pp
index 5a7f740..cd6488b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,3 +1,4 @@
+# Manage shorewall on your system
class shorewall(
$startup = '1',
$conf_source = false,
@@ -16,7 +17,7 @@ class shorewall(
include shorewall::debian
$dist_tor_user = 'debian-tor'
}
- centos: { include shorewall::base }
+ centos: { include shorewall::centos }
ubuntu: {
case $::lsbdistcodename {
karmic: { include shorewall::ubuntu::karmic }
@@ -24,46 +25,49 @@ class shorewall(
}
}
default: {
- notice "unknown operatingsystem: ${::operatingsystem}"
+ notice "unknown operatingsystem: ${::operatingsystem}"
include shorewall::base
}
}
- # See http://www.shorewall.net/3.0/Documentation.htm#Zones
- shorewall::managed_file{ zones: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
- shorewall::managed_file{ interfaces: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
- shorewall::managed_file { hosts: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Policy
- shorewall::managed_file { policy: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Rules
- shorewall::managed_file { rules: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Masq
- shorewall::managed_file{ masq: }
- # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
- shorewall::managed_file { proxyarp: }
- # See http://www.shorewall.net/3.0/Documentation.htm#NAT
- shorewall::managed_file { nat: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
- shorewall::managed_file { blacklist: }
- # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
- shorewall::managed_file { rfc1918: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
- shorewall::managed_file { routestopped: }
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
- shorewall::managed_file { params: }
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
- shorewall::managed_file { tcdevices: }
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
- shorewall::managed_file { tcrules: }
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
- shorewall::managed_file { tcclasses: }
- # http://www.shorewall.net/manpages/shorewall-providers.html
- shorewall::managed_file { providers: }
- # See http://www.shorewall.net/manpages/shorewall-tunnels.html
- shorewall::managed_file { tunnel: }
- # See http://www.shorewall.net/MultiISP.html
- shorewall::managed_file { rtrules: }
-
+ shorewall::managed_file{
+ [
+ # See http://www.shorewall.net/3.0/Documentation.htm#Zones
+ 'zones',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
+ 'interfaces',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
+ 'hosts',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Policy
+ 'policy',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Rules
+ 'rules',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Masq
+ 'masq',
+ # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
+ 'proxyarp',
+ # See http://www.shorewall.net/3.0/Documentation.htm#NAT
+ 'nat',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
+ 'blacklist',
+ # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
+ 'rfc1918',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
+ 'routestopped',
+ # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ 'params',
+ # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ 'tcdevices',
+ # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ 'tcrules',
+ # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ 'tcclasses',
+ # http://www.shorewall.net/manpages/shorewall-providers.html
+ 'providers',
+ # See http://www.shorewall.net/manpages/shorewall-tunnels.html
+ 'tunnel',
+ # See http://www.shorewall.net/MultiISP.html
+ 'rtrules',
+ ]:;
+ }
}
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
index aaecd9d..dfb753c 100644
--- a/manifests/rules/libvirt/host.pp
+++ b/manifests/rules/libvirt/host.pp
@@ -1,13 +1,21 @@
class shorewall::rules::libvirt::host (
- $vmz = 'vmz',
- $masq_iface = 'eth0',
+ $vmz = 'vmz',
+ $masq_iface = 'eth0',
+ $debproxy_port = 8000,
) {
define shorewall::rule::accept::from_vmz (
- $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) {
- shorewall::rule { "$name":
- source => $vmz, destination => '$FW', order => 300,
- proto => $proto, destinationport => $destinationport, action => $action;
+ $proto = '-',
+ $destinationport = '-',
+ $action = 'ACCEPT'
+ ) {
+ shorewall::rule { $name:
+ source => $shorewall::rules::libvirt::host::vmz,
+ destination => '$FW',
+ order => 300,
+ proto => $proto,
+ destinationport => $destinationport,
+ action => $action;
}
}
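Review bot: `define shorewall::rule::accept::from_vmz` is declared inside the body of `class shorewall::rules::libvirt::host`, and the commit now has to reach back into the class with the fully qualified `$shorewall::rules::libvirt::host::vmz` to see `$vmz` at all, which is exactly the scoping trouble nested definitions cause; Puppet registers the define globally wherever it sits, and I believe later releases deprecate the construct. Moving it to manifests/rule/accept/from_vmz.pp so the autoloader finds it, and passing the zone explicitly from the call sites (e.g. `source => $vmz,` via a `$source` parameter on the define), would make the dependency visible instead of relying on the class having been evaluated first. The class body continues past this hunk.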
@@ -31,16 +39,30 @@ class shorewall::rules::libvirt::host (
}
shorewall::rule::accept::from_vmz {
- 'accept_dns_from_vmz': action => 'DNS(ACCEPT)';
- 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)';
- 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
- 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
+ 'accept_dns_from_vmz':
+ action => 'DNS(ACCEPT)';
+ 'accept_tftp_from_vmz':
+ action => 'TFTP(ACCEPT)';
+ 'accept_puppet_from_vmz':
+ proto => 'tcp',
+ destinationport => '8140',
+ action => 'ACCEPT';
}
- shorewall::masq {
- "masq-${masq_iface}":
- interface => "$masq_iface",
- source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+ if $debproxy_port {
+ shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
+ proto => 'tcp',
+ destinationport => $debproxy_port,
+ action => 'ACCEPT';
+ }
+ }
+
+ if $masq_iface {
+ shorewall::masq {
+ "masq-${masq_iface}":
+ interface => $masq_iface,
+ source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+ }
}
}
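Review bot: The masq resource under `if $masq_iface` NATs `10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16` out of `$masq_iface`, i.e. every private and link-local source the host forwards, not only the libvirt guest network behind `$vmz`; on a host that also routes other internal networks that is broader than the class name suggests. A `$masq_source` class parameter defaulting to that exact string, used as `source => $masq_source;`, keeps behaviour for existing callers while letting a deployment narrow it to the guest subnet. On the `if $debproxy_port` guard, only `false`, `undef` or `''` disable the rule (an integer `0` is still truthy in Puppet), so a one-line comment on the parameter, `# set to false to omit the apt-proxy accept rule`, would save callers from guessing.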