authorMicah Anderson <micah@riseup.net>2017-06-23 10:50:25 -0400
committerMicah Anderson <micah@riseup.net>2017-06-23 10:50:25 -0400
commit65c3fe2d6084a50e5b0e189d982afe4cbde3f14b (patch)
treee3c1c3683407ba493b90e28af2ddf6ecbe766873
parente0248f504ada8efb5184f43cbaf61097ce1ddd65 (diff)
parent837fd3f29f09727d5a20514d7549837b8d8b4997 (diff)
Merge branch 'master' into puppet4
-rw-r--r--README.md20
-rw-r--r--files/boilerplate/blacklist.header10
-rw-r--r--files/boilerplate/clear.header9
-rw-r--r--files/boilerplate/hosts.header7
-rw-r--r--files/boilerplate/init.header9
-rw-r--r--files/boilerplate/initdone.header12
-rw-r--r--files/boilerplate/interfaces.header8
-rw-r--r--files/boilerplate/mangle.header15
-rw-r--r--files/boilerplate/masq.header9
-rw-r--r--files/boilerplate/nat.header4
-rw-r--r--files/boilerplate/params.header28
-rw-r--r--files/boilerplate/policy.header5
-rw-r--r--files/boilerplate/providers.header2
-rw-r--r--files/boilerplate/proxyarp.header4
-rw-r--r--files/boilerplate/rtrules.header5
-rw-r--r--files/boilerplate/rules.header11
-rw-r--r--files/boilerplate/start.header8
-rw-r--r--files/boilerplate/started.header22
-rw-r--r--files/boilerplate/stop.header9
-rw-r--r--files/boilerplate/stopped.header9
-rw-r--r--files/boilerplate/stoppedrules.footer (renamed from files/boilerplate/blacklist.footer)0
-rw-r--r--files/boilerplate/stoppedrules.header13
-rw-r--r--files/boilerplate/tcclasses.header4
-rw-r--r--files/boilerplate/tcdevices.header5
-rw-r--r--files/boilerplate/tunnels.header5
-rw-r--r--files/boilerplate/zones.header8
-rw-r--r--lib/facter/shorewall_major_version.rb6
-rw-r--r--lib/facter/shorewall_version.rb11
-rw-r--r--manifests/base.pp4
-rw-r--r--manifests/blacklist.pp9
-rw-r--r--manifests/blrules.pp5
-rw-r--r--manifests/host.pp5
-rw-r--r--manifests/init.pp48
-rw-r--r--manifests/interface.pp10
-rw-r--r--manifests/rfc1918.pp8
-rw-r--r--manifests/stoppedrules.pp13
36 files changed, 175 insertions, 185 deletions
diff --git a/README.md b/README.md
index e7e2985..4cb1a8a 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,23 @@ module will not work:
CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
+Warnings
+--------
+There are some features that have been deprecated upstream that may still be
+supported by this module on certain shorewall major version. Please note
+the following:
+
+* the blacklist file and option is deprecated and replaced by blrules
+* the rfc1918 file and norfc1918 option are deprecated
+* the tcrules file is deprecated, replaced by mangled
+* the routestopped file is deprecated and replaced by stoppedrules
+* as of shorewall 4.6.0, SECTION headers need a leading '?'
+
+You should migrate your own calls to this module to move to the currently
+supported methods, we will be dropping support for deprecated features as
+the available distribution version permit it.
+For more details see http://www.shorewall.net/upgrade_issues.htm
+
Documentation
-------------
@@ -186,8 +203,7 @@ Example from node.pp:
shorewall::interface { 'eth0':
zone => 'net',
- rfc1918 => true,
- options => 'tcpflags,blacklist,nosmurfs';
+ options => 'tcpflags,nosmurfs';
}
shorewall::policy {
diff --git a/files/boilerplate/blacklist.header b/files/boilerplate/blacklist.header
deleted file mode 100644
index 2392e17..0000000
--- a/files/boilerplate/blacklist.header
+++ /dev/null
@@ -1,10 +0,0 @@
-#
-# Shorewall version 3.4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET PROTOCOL PORT
diff --git a/files/boilerplate/clear.header b/files/boilerplate/clear.header
index 6a39b0b..8bf025c 100644
--- a/files/boilerplate/clear.header
+++ b/files/boilerplate/clear.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Clear
+# Shorewall -- /etc/shorewall/clear
#
-# /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
+# Add commands below that you want to be executed after Shorewall has
+# processed the 'clear' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/hosts.header b/files/boilerplate/hosts.header
index e39d614..99bfa02 100644
--- a/files/boilerplate/hosts.header
+++ b/files/boilerplate/hosts.header
@@ -1,9 +1,10 @@
#
-# Shorewall version 3.4 - Hosts file
+# Shorewall -- /etc/shorewall/hosts
#
# For information about entries in this file, type "man shorewall-hosts"
#
-# For additional information, see http://shorewall.net/Documentation.htm#Hosts
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
-#ZONE HOST(S) OPTIONS
+#ZONE HOSTS OPTIONS
diff --git a/files/boilerplate/init.header b/files/boilerplate/init.header
index cbb0393..417c3f2 100644
--- a/files/boilerplate/init.header
+++ b/files/boilerplate/init.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Init File
+# Shorewall -- /etc/shorewall/init
#
-# /etc/shorewall/init
-#
-# Add commands below that you want to be executed at the beginning of
-# a "shorewall start" or "shorewall restart" command.
+# Add commands below that you want to be executed at the beginning of
+# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
-
diff --git a/files/boilerplate/initdone.header b/files/boilerplate/initdone.header
index 9252a3b..5ad859a 100644
--- a/files/boilerplate/initdone.header
+++ b/files/boilerplate/initdone.header
@@ -1,14 +1,12 @@
#
-# Shorewall version 4 - Initdone File
+# Shorewall -- /etc/shorewall/initdone
#
-# /etc/shorewall/initdone
-#
-# Add commands below that you want to be executed during
-# "shorewall start" or "shorewall restart" commands at the point where
-# Shorewall has not yet added any perminent rules to the builtin chains.
+# Add commands below that you want to be executed during
+# "shorewall start", "shorewall reload" or "shorewall restart" commands
+# at the point where Shorewall has not yet added any permanent rules to
+# the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
-
diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header
index 663e436..12855c7 100644
--- a/files/boilerplate/interfaces.header
+++ b/files/boilerplate/interfaces.header
@@ -1,10 +1,12 @@
#
-# Shorewall version 4 - Interfaces File
+# Shorewall -- /etc/shorewall/interfaces
#
# For information about entries in this file, type "man shorewall-interfaces"
#
-# For additional information, see
+# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
+# FIXME: need to switch to format 2
+#?FORMAT 2
###############################################################################
-#ZONE INTERFACE BROADCAST OPTIONS
+#ZONE INTERFACE OPTIONS
diff --git a/files/boilerplate/mangle.header b/files/boilerplate/mangle.header
index 7a7b12a..496e3f5 100644
--- a/files/boilerplate/mangle.header
+++ b/files/boilerplate/mangle.header
@@ -1,7 +1,14 @@
#
-# Shorewall - Mangle File
+# Shorewall -- /etc/shorewall/mangle
#
-# For additional information, see http://shorewall.net/manpages/shorewall-mangle.html
+# For information about entries in this file, type "man shorewall-mangle"
#
-#######################################################################################
-#ACTION SOURCE DESTINATION PROTO DSTPORT SRCPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+#
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
diff --git a/files/boilerplate/masq.header b/files/boilerplate/masq.header
index f823321..2f7c22e 100644
--- a/files/boilerplate/masq.header
+++ b/files/boilerplate/masq.header
@@ -1,9 +1,10 @@
#
-# Shorewall version 3.4 - Masq file
+# Shorewall -- /etc/shorewall/masq
#
# For information about entries in this file, type "man shorewall-masq"
#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-masq.html
#
-###############################################################################
-#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
+###################################################################################################################################
+#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
diff --git a/files/boilerplate/nat.header b/files/boilerplate/nat.header
index c2e0d92..5d0871f 100644
--- a/files/boilerplate/nat.header
+++ b/files/boilerplate/nat.header
@@ -1,9 +1,9 @@
#
-# Shorewall version 3.4 - Nat File
+# Shorewall -- /etc/shorewall/nat
#
# For information about entries in this file, type "man shorewall-nat"
#
# For additional information, see http://shorewall.net/NAT.htm
#
###############################################################################
-#EXTERNAL INTERFACE INTERNAL ALL LOCAL
+#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
diff --git a/files/boilerplate/params.header b/files/boilerplate/params.header
index b258b0d..f07a916 100644
--- a/files/boilerplate/params.header
+++ b/files/boilerplate/params.header
@@ -1,26 +1,24 @@
#
-# Shorewall version 3.4 - Params File
+# Shorewall -- /etc/shorewall/params
#
-# /etc/shorewall/params
+# Assign any variables that you need here.
#
-# Assign any variables that you need here.
+# It is suggested that variable names begin with an upper case letter
+# to distinguish them from variables used internally within the
+# Shorewall programs
#
-# It is suggested that variable names begin with an upper case letter
-# to distinguish them from variables used internally within the
-# Shorewall programs
+# Example:
#
-# Example:
+# NET_IF=eth0
+# NET_BCAST=130.252.100.255
+# NET_OPTIONS=routefilter
#
-# NET_IF=eth0
-# NET_BCAST=130.252.100.255
-# NET_OPTIONS=routefilter,norfc1918
+# Example (/etc/shorewall/interfaces record):
#
-# Example (/etc/shorewall/interfaces record):
+# net $NET_IF $NET_BCAST $NET_OPTIONS
#
-# net $NET_IF $NET_BCAST $NET_OPTIONS
+# The result will be the same as if the record had been written
#
-# The result will be the same as if the record had been written
-#
-# net eth0 130.252.100.255 routefilter,norfc1918
+# net eth0 130.252.100.255 routefilter
#
###############################################################################
diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header
index cc9781f..8e9d032 100644
--- a/files/boilerplate/policy.header
+++ b/files/boilerplate/policy.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Policy File
+# Shorewall -- /etc/shorewall/policy
#
# For information about entries in this file, type "man shorewall-policy"
#
@@ -7,5 +7,4 @@
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
-#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
-# LEVEL BURST MASK
+#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header
index b4a5990..0dfb950 100644
--- a/files/boilerplate/providers.header
+++ b/files/boilerplate/providers.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Providers File
+# Shorewall -- /etc/shorewall/providers
#
# For information about entries in this file, type "man shorewall-providers"
#
diff --git a/files/boilerplate/proxyarp.header b/files/boilerplate/proxyarp.header
index 1e16853..4249e03 100644
--- a/files/boilerplate/proxyarp.header
+++ b/files/boilerplate/proxyarp.header
@@ -1,9 +1,9 @@
#
-# Shorewall version 3.4 - Proxyarp File
+# Shorewall -- /etc/shorewall/proxyarp
#
# For information about entries in this file, type "man shorewall-proxyarp"
#
# See http://shorewall.net/ProxyARP.htm for additional information.
#
###############################################################################
-#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
+#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
diff --git a/files/boilerplate/rtrules.header b/files/boilerplate/rtrules.header
index fd9b2f4..7700816 100644
--- a/files/boilerplate/rtrules.header
+++ b/files/boilerplate/rtrules.header
@@ -1,8 +1,9 @@
#
-# Shorewall version 4 - route rules File
+# Shorewall -- /etc/shorewall/rtrules
#
# For information about entries in this file, type "man shorewall-rtrules"
#
# For additional information, see http://www.shorewall.net/MultiISP.html
+#
####################################################################################
-# SOURCE DEST PROVIDER PRIORITY MASK
+#SOURCE DEST PROVIDER PRIORITY MASK
diff --git a/files/boilerplate/rules.header b/files/boilerplate/rules.header
index 764358a..1ebf187 100644
--- a/files/boilerplate/rules.header
+++ b/files/boilerplate/rules.header
@@ -1,10 +1,11 @@
#
-# Shorewall version 3.4 - Rules File
+# Shorewall -- /etc/shorewall/rules
#
# For information on the settings in this file, type "man shorewall-rules"
#
-# See http://shorewall.net/Documentation.htm#Rules for additional information.
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
#
-#############################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
-# PORT PORT(S) DEST LIMIT GROUP
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
+
diff --git a/files/boilerplate/start.header b/files/boilerplate/start.header
index 689dff1..881cdfd 100644
--- a/files/boilerplate/start.header
+++ b/files/boilerplate/start.header
@@ -1,10 +1,8 @@
#
-# Shorewall version 4 - Start File
+# Shorewall -- /etc/shorewall/start
#
-# /etc/shorewall/start
-#
-# Add commands below that you want to be executed after shorewall has
-# been started or restarted.
+# Add commands below that you want to be executed after shorewall has
+# been started, reloaded or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
diff --git a/files/boilerplate/started.header b/files/boilerplate/started.header
index b7704db..4adc4b9 100644
--- a/files/boilerplate/started.header
+++ b/files/boilerplate/started.header
@@ -1,20 +1,18 @@
#
-# Shorewall version 4 - Started File
+# Shorewall -- /etc/shorewall/started
#
-# /etc/shorewall/started
+# Add commands below that you want to be executed after shorewall has
+# been completely started, reloaded or restarted. The difference between
+# this extension script and /etc/shorewall/start is that this one is
+# invoked after the 'shorewall' chain has been created (thus
+# signaling that the firewall is completely up).
#
-# Add commands below that you want to be executed after shorewall has
-# been completely started or restarted. The difference between this
-# extension script and /etc/shorewall/start is that this one is invoked
-# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
-# after the 'shorewall' chain has been created (thus signaling that the
-# firewall is completely up).
-#
-# This script should not change the firewall configuration directly but
-# may do so indirectly by running /sbin/shorewall with the 'nolock'
-# option.
+# This script should not change the firewall configuration directly but
+# may do so indirectly by running /sbin/shorewall with the 'nolock'
+# option.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
+
diff --git a/files/boilerplate/stop.header b/files/boilerplate/stop.header
index 0088abe..27a993b 100644
--- a/files/boilerplate/stop.header
+++ b/files/boilerplate/stop.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Stop File
+# Shorewall -- /etc/shorewall/stop
#
-# /etc/shorewall/stop
-#
-# Add commands below that you want to be executed at the beginning of a
-# "shorewall stop" command.
+# Add commands below that you want to be executed at the beginning of a
+# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/stopped.header b/files/boilerplate/stopped.header
index 438e5e0..8cc6bc6 100644
--- a/files/boilerplate/stopped.header
+++ b/files/boilerplate/stopped.header
@@ -1,13 +1,10 @@
#
-# Shorewall version 4 - Stopped File
+# Shorewall -- /etc/shorewall/stopped
#
-# /etc/shorewall/stopped
-#
-# Add commands below that you want to be executed at the completion of a
-# "shorewall stop" command.
+# Add commands below that you want to be executed at the completion of a
+# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/blacklist.footer b/files/boilerplate/stoppedrules.footer
index 5e12d1d..5e12d1d 100644
--- a/files/boilerplate/blacklist.footer
+++ b/files/boilerplate/stoppedrules.footer
diff --git a/files/boilerplate/stoppedrules.header b/files/boilerplate/stoppedrules.header
new file mode 100644
index 0000000..94f4d0c
--- /dev/null
+++ b/files/boilerplate/stoppedrules.header
@@ -0,0 +1,13 @@
+#
+# Shorewall -- /etc/shorewall/stoppedrules
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT
diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header
index 025415b..b31b684 100644
--- a/files/boilerplate/tcclasses.header
+++ b/files/boilerplate/tcclasses.header
@@ -1,9 +1,9 @@
#
-# Shorewall version 4 - Tcclasses File
+# Shorewall -- /etc/shorewall/tcclasses
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
-#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
+#INTERFACE MARK RATE CEIL PRIO OPTIONS
diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header
index fe7c3d1..226192e 100644
--- a/files/boilerplate/tcdevices.header
+++ b/files/boilerplate/tcdevices.header
@@ -1,10 +1,9 @@
#
-# Shorewall version 4 - Tcdevices File
+# Shorewall -- /etc/shorewall/tcdevices
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
-#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
-#INTERFACE INTERFACES
+#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
diff --git a/files/boilerplate/tunnels.header b/files/boilerplate/tunnels.header
index 638fd56..7bfd966 100644
--- a/files/boilerplate/tunnels.header
+++ b/files/boilerplate/tunnels.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Tunnels File
+# Shorewall -- /etc/shorewall/tunnels
#
# For information about entries in this file, type "man shorewall-tunnels"
#
@@ -7,5 +7,4 @@
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
-#TYPE ZONE GATEWAY GATEWAY
-# ZONE
+#TYPE ZONE GATEWAY GATEWAY_ZONE
diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header
index 5dada52..d4b8cbc 100644
--- a/files/boilerplate/zones.header
+++ b/files/boilerplate/zones.header
@@ -1,5 +1,5 @@
#
-# Shorewall version 4 - Zones File
+# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
@@ -7,6 +7,6 @@
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
+#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+
+fw firewall
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
new file mode 100644
index 0000000..9b4c9a2
--- /dev/null
+++ b/lib/facter/shorewall_major_version.rb
@@ -0,0 +1,6 @@
+Facter.add("shorewall_major_version") do
+ confine :shorewall_version => /\d/
+ setcode do
+ Facter.value(:shorewall_version).split('.').first
+ end
+end
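Review bot: `shorewall_major_version` no longer has a fallback value on hosts without shorewall: the `confine` simply leaves the fact unresolved (nil), whereas the resolution removed from lib/facter/shorewall_version.rb in this commit returned the sentinel `'-1'`, so any manifest that compares the fact against `'-1'` or feeds it to `versioncmp` presumably changes behaviour silently. If that sentinel was relied upon anywhere, keep it, or record the new undefined-when-absent behaviour in the README Warnings section added by this commit. Separately, `confine :shorewall_version => /\d/` is satisfied by any output containing a digit, so a diagnostic message from `shorewall version` could yield a bogus major version; a shape-anchored pattern such as `confine :shorewall_version => /\A\d+(\.\d+)+/` would be stricter.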
diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb
index 9c53ec2..3c1cc67 100644
--- a/lib/facter/shorewall_version.rb
+++ b/lib/facter/shorewall_version.rb
@@ -1,10 +1,3 @@
-Facter.add("shorewall_major_version") do
- setcode do
- shorewall_version = Facter::Util::Resolution.exec('shorewall version')
- if shorewall_version != nil
- shorewall_major_version = shorewall_version.split('.').first
- else
- shorewall_major_version = '-1'
- end
- end
+Facter.add("shorewall_version") do
+ setcode 'shorewall version'
end
diff --git a/manifests/base.pp b/manifests/base.pp
index 22ef555..57f1685 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,9 +1,7 @@
# base things for shorewall
class shorewall::base {
- package { 'shorewall':
- ensure => $shorewall::ensure_version,
- }
+ ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }})
# This file has to be managed in place, so shorewall can find it
file {
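Review bot: `ensure_packages` is provided by puppetlabs-stdlib, and the hash form `ensure_packages({ 'shorewall' => { ... } })` needs a stdlib release that accepts a hash argument; this diff does not touch metadata.json, so check that the module's declared stdlib dependency range covers that form. A one-line comment would also record why the plain `package` resource was replaced, e.g. `# ensure_packages (stdlib) so other modules may also declare the shorewall package`. The body of `shorewall::base` continues outside the hunk.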
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
deleted file mode 100644
index afbe216..0000000
--- a/manifests/blacklist.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-define shorewall::blacklist(
- $proto = '-',
- $port = '-',
- $order='100'
-){
- shorewall::entry{"blacklist-${order}-${name}":
- line => "${name} ${proto} ${port}",
- }
-}
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
index b8fe73f..abf7508 100644
--- a/manifests/blrules.pp
+++ b/manifests/blrules.pp
@@ -4,12 +4,11 @@
#
# shorewall::interface { 'br0':
# zone => 'net',
-# rfc1918 => true,
-# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge';
+# options => 'tcpflags,nosmurfs,routeback,bridge';
# }
#
# class { 'shorewall::blrules':
-# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge',
+# options => 'tcpflags,nosmurfs,routeback,bridge',
# whitelists => [
# "net:10.0.0.1,192.168.0.1 all",
# ],
diff --git a/manifests/host.pp b/manifests/host.pp
index d2a73ce..2a088ac 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,8 +1,7 @@
define shorewall::host(
$zone,
- $host = $name,
- $options = 'tcpflags,blacklist,norfc1918',
- $order ='100'
+ $options = 'tcpflags',
+ $order='100'
){
shorewall::entry{"hosts-${order}-${name}":
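Review bot: Removing the `$host` parameter from `shorewall::host` is an interface break that the README's new Warnings section does not list: any caller passing `host =>` now fails at catalog compilation, and the `line =>` of the `shorewall::entry` below (the define's body continues outside the hunk) must no longer interpolate `${host}`, or it too breaks wherever strict variables are enabled. The same kind of parameter removal happens to `$rfc1918` in manifests/interface.pp and to `$blacklist`/`$rfc1918` in manifests/init.pp. If a transition period is wanted, keep `$host = undef,` and emit a deprecation `warning()` when it is set; otherwise add the removed parameters to the README Warnings list.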
diff --git a/manifests/init.pp b/manifests/init.pp
index aac1520..9cbc1e9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -31,12 +31,10 @@ class shorewall(
$proxyarp_defaults = {},
$nat = {},
$nat_defaults = {},
- $blacklist = {},
- $blacklist_defaults = {},
- $rfc1918 = {},
- $rfc1918_defaults = {},
$routestopped = {},
$routestopped_defaults = {},
+ $stoppedrules = {},
+ $stoppedrules_defaults = {},
$params = {},
$params_defaults = {},
$tcdevices = {},
@@ -64,41 +62,39 @@ class shorewall(
shorewall::managed_file{
[
- # See http://www.shorewall.net/3.0/Documentation.htm#Zones
+ # See http://www.shorewall.net/manpages/shorewall-zones.html
'zones',
- # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
+ # See http://www.shorewall.net/manpages/shorewall-interfaces.html
'interfaces',
- # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
+ # See http://www.shorewall.net/manpages/shorewall-hosts.html
'hosts',
- # See http://www.shorewall.net/3.0/Documentation.htm#Policy
+ # See http://www.shorewall.net/manpages/shorewall-policy.html
'policy',
- # See http://www.shorewall.net/3.0/Documentation.htm#Rules
+ # See http://www.shorewall.net/manpages/shorewall-rules.html
'rules',
- # See http://www.shorewall.net/3.0/Documentation.htm#Masq
+ # See http://www.shorewall.net/manpages/shorewall-masq.html
'masq',
- # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
+ # See http://www.shorewall.net/manpages/shorewall-proxyarp.html
'proxyarp',
- # See http://www.shorewall.net/3.0/Documentation.htm#NAT
+ # See http://www.shorewall.net/manpages/shorewall-nat.html
'nat',
- # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
- 'blacklist',
- # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
- 'rfc1918',
- # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
+ # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+ 'stoppedrules',
+ # Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html
'routestopped',
- # See http://www.shorewall.net/3.0/Documentation.htm#Variables
+ # See http://www.shorewall.net/manpages/shorewall-params.html
'params',
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ # See http://www.shorewall.net/manpages/shorewall-tcdevices.html
'tcdevices',
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ # Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle
'tcrules',
- # See http://www.shorewall.net/3.0/traffic_shaping.htm
+ # See http://www.shorewall.net/manpages/shorewall-tcclasses.html
'tcclasses',
- # http://www.shorewall.net/manpages/shorewall-providers.html
+ # See http://www.shorewall.net/manpages/shorewall-providers.html
'providers',
# See http://www.shorewall.net/manpages/shorewall-tunnels.html
- 'tunnels',
- # See http://www.shorewall.net/MultiISP.html
+ 'tunnel',
+ # See http://www.shorewall.net/manpages/shorewall-rtrules.html
'rtrules',
# See http://shorewall.net/manpages/shorewall-conntrack.html
'conntrack',
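Review bot: `'tunnels'` is renamed to `'tunnel'` in the `shorewall::managed_file` list, which looks like a typo rather than an intended change: the comment directly above it still points at shorewall-tunnels.html, the boilerplate shipped by this commit is `files/boilerplate/tunnels.header` (whose header line names `/etc/shorewall/tunnels`), and so the real tunnels file would stop being generated while a stray `tunnel` file is managed. Restore `'tunnels',`. Also, the URL on the `tcrules` comment ends in `.htmle`; it should read `.html`. The list continues outside the hunk.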
@@ -116,8 +112,8 @@ class shorewall(
create_resources('shorewall::masq',$masq,$masq_defaults)
create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
create_resources('shorewall::nat',$nat,$nat_defaults)
- create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
- create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
+ create_resources('shorewall::stoppedrules',$stoppedrules,
+ $stoppedrules_defaults)
create_resources('shorewall::routestopped',$routestopped,
$routestopped_defaults)
create_resources('shorewall::params',$params,$params_defaults)
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 403ee74..670e477 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -1,9 +1,8 @@
define shorewall::interface(
$zone,
$broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $options = 'tcpflags,routefilter,nosmurfs,logmartians',
$add_options = '',
- $rfc1918 = false,
$dhcp = false,
$order = 100
){
@@ -17,13 +16,8 @@ define shorewall::interface(
default => ',dhcp',
}
- $rfc1918_opt = $rfc1918 ? {
- false => ',norfc1918',
- default => '',
- }
-
shorewall::entry { "interfaces-${order}-${name}":
- line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
+ line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}",
}
}
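Review bot: The generated interfaces row still emits the `${broadcast}` column, while the header shipped in the same commit (`files/boilerplate/interfaces.header`) now labels the columns `#ZONE INTERFACE OPTIONS` and leaves `?FORMAT 2` commented out behind a FIXME. With the format directive commented, shorewall presumably still reads the file in the older four-column layout and the row stays valid, but the header no longer describes the rows under it, which will confuse anyone inspecting the generated file. Either drop `${broadcast}` from the `line =>` and enable `?FORMAT 2` in the same change, or keep the BROADCAST column in the header until that switch is made. `$dhcp_opt` and `$added_opts` are computed outside this hunk.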
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
deleted file mode 100644
index 31dce5d..0000000
--- a/manifests/rfc1918.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-define shorewall::rfc1918(
- $action = 'logdrop',
- $order='100'
-){
- shorewall::entry{"rfc1918-${order}-${name}":
- line => "${name} ${action}"
- }
-}
diff --git a/manifests/stoppedrules.pp b/manifests/stoppedrules.pp
new file mode 100644
index 0000000..2dff218
--- /dev/null
+++ b/manifests/stoppedrules.pp
@@ -0,0 +1,13 @@
+define shorewall::stoppedrules(
+ $action = 'ACCEPT',
+ $source = '-',
+ $destination = '-',
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $order = '100'
+){
+ shorewall::entry{"stoppedrules-${order}-${name}":
+ line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}"
+ }
+}
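Review bot: With every parameter left at its default, `shorewall::stoppedrules { 'x': }` emits `ACCEPT - - - - -`, i.e. a rule accepting traffic from any source to any destination while the firewall is stopped; for a define whose only purpose is the stopped-state policy, that is a permissive default to leave undocumented. Consider making `$source` or `$destination` required (no default), or at minimum give the file a header comment like the other manifests, e.g. `# Manage an entry in /etc/shorewall/stoppedrules (traffic permitted while shorewall is stopped); see "man shorewall-stoppedrules".` and state that `$action` defaults to `ACCEPT`. The column order of `line =>` matches the new `stoppedrules.header` (`#ACTION SOURCE DEST PROTO DPORT SPORT`).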