summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarcel Haerry <haerry@puzzle.ch>2009-09-16 17:51:56 +0200
committerMicah Anderson <micah@riseup.net>2009-12-07 11:33:26 -0500
commit69ffd72ce9e5217ae7d205e04716c40d8c862315 (patch)
tree36dfb4eb635bd065396b6a4595df217a2d9c1a3b
parente972b9abde01a6d89579e20fe4b038c7cbfe0c45 (diff)
factored everything out in its own file
-rw-r--r--manifests/README23
-rw-r--r--manifests/base.pp46
-rw-r--r--manifests/blacklist.pp9
-rw-r--r--manifests/debian.pp11
-rw-r--r--manifests/entry.pp11
-rw-r--r--manifests/gentoo.pp5
-rw-r--r--manifests/host.pp10
-rw-r--r--manifests/init.pp286
-rw-r--r--manifests/interface.pp27
-rw-r--r--manifests/managed_file.pp17
-rw-r--r--manifests/masq.pp17
-rw-r--r--manifests/nat.pp11
-rw-r--r--manifests/params.pp5
-rw-r--r--manifests/policy.pp12
-rw-r--r--manifests/proxyarp.pp11
-rw-r--r--manifests/rfc1918.pp8
-rw-r--r--manifests/routestopped.pp14
-rw-r--r--manifests/rule.pp18
-rw-r--r--manifests/rule_section.pp7
-rw-r--r--manifests/zone.pp14
20 files changed, 305 insertions, 257 deletions
diff --git a/manifests/README b/manifests/README
new file mode 100644
index 0000000..08832b2
--- /dev/null
+++ b/manifests/README
@@ -0,0 +1,23 @@
+Shorewall
+---------
+
+manage firewalling with shorewall 3.x
+
+Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
+See LICENSE for the full license granted to you.
+
+Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
+at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
+
+Changes:
+ * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
+ adjust CONFIG_PATH
+ * remove shorewall- prefix from defines in the shorewall namespace
+ * refactor the whole define structure
+ * manage all shorewall files
+ * add 000-header and 999-footer files for all managed_files
+ * added rule_section define and a few more parameters for rules
+ * add managing for masq, proxyarp, blacklist, nat, rfc1918
+
+adapted by immerda project group - admin+puppet(at)immerda.ch
+adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..268815b
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,46 @@
+class shorewall::base {
+
+ package { 'shorewall':
+ ensure => present,
+ }
+
+ # This file has to be managed in place, so shorewall can find it
+ file { "/etc/shorewall/shorewall.conf":
+ # use OS specific defaults, but use Default if no other is found
+ source => [
+ "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+ "puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
+ "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$server/files/shorewall/shorewall.conf",
+ "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$server/shorewall/shorewall.conf.Default"
+ ],
+ mode => 0644, owner => root, group => 0,
+ require => Package[shorewall],
+ notify => Service[shorewall],
+ }
+
+ service{shorewall:
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ subscribe => [
+ Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/params"]
+ ],
+ require => Package[shorewall],
+ }
+}
diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp
new file mode 100644
index 0000000..3700ace
--- /dev/null
+++ b/manifests/blacklist.pp
@@ -0,0 +1,9 @@
+define shorewall::blacklist(
+ $proto = '-',
+ $port = '-',
+ $order='100'
+){
+ shorewall::entry{"blacklist.d/${order}-${name}":
+ line => "${name} ${proto} ${port}",
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..b25d2d5
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,11 @@
+class shorewall::debian inherits shorewall::base {
+ file{'/etc/default/shorewall':
+ source => "puppet://$server/shorewall/debian/default",
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root, group => 0, mode => 0644;
+ }
+ Service['shorewall']{
+ status => '/sbin/shorewall status'
+ }
+}
diff --git a/manifests/entry.pp b/manifests/entry.pp
new file mode 100644
index 0000000..bd59a88
--- /dev/null
+++ b/manifests/entry.pp
@@ -0,0 +1,11 @@
+define shorewall::entry(
+ $line
+){
+ $target = "/var/lib/puppet/modules/shorewall/${name}"
+ $dir = dirname($target)
+ file { $target:
+ content => "${line}\n",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"],
+ }
+}
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..7b307a4
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class shorewall::gentoo inherits shorewall::base {
+ Package[shorewall]{
+ category => 'net-firewall',
+ }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
new file mode 100644
index 0000000..b431efe
--- /dev/null
+++ b/manifests/host.pp
@@ -0,0 +1,10 @@
+define shorewall::host(
+ $zone,
+ $options = 'tcpflags,blacklist,norfc1918',
+ $order='100'
+){
+ shorewall::entry{"hosts.d/${order}-${name}":
+ line => "${zone} ${name} ${options}"
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 7c3089b..d05504e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,24 +1,3 @@
-#
-# modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
-# Copyright (C) 2007 David Schmitt <david@schmitt.edv-bus.at>
-# See LICENSE for the full license granted to you.
-#
-# Based on the work of ADNET Ghislain <gadnet@aqueos.com> from AQUEOS
-# at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
-#
-# Changes:
-# * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
-# adjust CONFIG_PATH
-# * remove shorewall- prefix from defines in the shorewall namespace
-# * refactor the whole define structure
-# * manage all shorewall files
-# * add 000-header and 999-footer files for all managed_files
-# * added rule_section define and a few more parameters for rules
-# * add managing for masq, proxyarp, blacklist, nat, rfc1918
-# adapted by immerda project group - admin+puppet(at)immerda.ch
-# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
-#
-
modules_dir { "shorewall": }
class shorewall {
@@ -29,241 +8,34 @@ class shorewall {
default: { include shorewall::base }
}
- file {
- "/var/lib/puppet/modules/shorewall":
- ensure => directory,
- force => true,
- mode => 0755, owner => root, group => 0;
- }
-
- # private
- define managed_file () {
- $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
- concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
- dir => $dir,
- mode => 0600,
- }
- file {
- "${dir}/000-header":
- source => "puppet://$server/shorewall/boilerplate/${name}.header",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- "${dir}/999-footer":
- source => "puppet://$server/shorewall/boilerplate/${name}.footer",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"];
- }
- }
-
- # private
- define entry ($line) {
- $target = "/var/lib/puppet/modules/shorewall/${name}"
- $dir = dirname($target)
- file { $target:
- content => "${line}\n",
- mode => 0600, owner => root, group => 0,
- notify => Exec["concat_${dir}"],
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Zones
- managed_file{ zones: }
- define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) {
- $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- entry { "zones.d/${order}-${name}":
- line => "${real_name} ${type} ${options} ${in} ${out}"
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
- managed_file{ interfaces: }
- define interface(
- $zone,
- $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
- $rfc1918 = false,
- $dhcp = false,
- $order = 100
- )
- {
- if $rfc1918 {
- if $dhcp {
- $options_real = "${options},dhcp"
- } else {
- $options_real = $options
- }
- } else {
- if $dhcp {
- $options_real = "${options},norfc1918,dhcp"
- } else {
- $options_real = "${options},norfc1918"
- }
- }
-
- entry { "interfaces.d/${order}-${name}":
- line => "${zone} ${name} ${broadcast} ${options_real}",
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
- managed_file { hosts: }
- define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') {
- entry { "hosts.d/${order}-${name}":
- line => "${zone} ${name} ${options}"
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Policy
- managed_file { policy: }
- define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) {
- entry { "policy.d/${order}-${name}":
- line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Rules
- managed_file { rules: }
- define rule_section($order) {
- entry { "rules.d/${order}-${name}":
- line => "SECTION ${name}",
- }
- }
- # mark is new in 3.4.4
- define rule($action, $source, $destination, $proto = '-',
- $destinationport = '-', $sourceport = '-', $originaldest = '-',
- $ratelimit = '-', $user = '-', $mark = '', $order)
- {
- entry { "rules.d/${order}-${name}":
- line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Masq
- managed_file{ masq: }
- # mark is new in 3.4.4
- # source (= subnet) = Set of hosts that you wish to masquerade.
- # address = If you specify an address here, SNAT will be used and this will be the source address.
- define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) {
- entry { "masq.d/${order}-${name}":
- line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
- managed_file { proxyarp: }
- define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') {
- entry { "proxyarp.d/${order}-${name}":
- line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#NAT
- managed_file { nat: }
- define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') {
- entry { "nat.d/${order}-${name}":
- line => "${name} ${interface} ${internal} ${all} ${local}"
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
- managed_file { blacklist: }
- define blacklist($proto = '-', $port = '-', $order='100') {
- entry { "blacklist.d/${order}-${name}":
- line => "${name} ${proto} ${port}",
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
- managed_file { rfc1918: }
- define rfc1918($action = 'logdrop', $order='100') {
- entry { "rfc1918.d/${order}-${name}":
- line => "${name} ${action}"
- }
- }
-
- # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
- managed_file { routestopped: }
- define routestopped($interface = '', $host = '-', $options = '', $order='100') {
- $real_interface = $interface ? {
- '' => $name,
- default => $interface,
- }
- entry { "routestopped.d/${order}-${name}":
- line => "${real_interface} ${host} ${options}",
- }
- }
-
+ file {"/var/lib/puppet/modules/shorewall":
+ ensure => directory,
+ force => true,
+ owner => root, group => 0, mode => 0755;
+ }
+
+ # See http://www.shorewall.net/3.0/Documentation.htm#Zones
+ shorewall::managed_file{ zones: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
+ shorewall::managed_file{ interfaces: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Hosts
+ shorewall::managed_file { hosts: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Policy
+ shorewall::managed_file { policy: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Rules
+ shorewall::managed_file { rules: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Masq
+ shorewall::managed_file{ masq: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
+ shorewall::managed_file { proxyarp: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#NAT
+ shorewall::managed_file { nat: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist
+ shorewall::managed_file { blacklist: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918
+ shorewall::managed_file { rfc1918: }
+ # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
+ shorewall::managed_file { routestopped: }
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
- managed_file { params: }
- define params($value, $order='100'){
- entry { "params.d/${order}-${name}":
- line => "${name}=${value}",
- }
- }
-
-}
-
-class shorewall::base {
-
- package { 'shorewall':
- ensure => present,
- }
-
- # This file has to be managed in place, so shorewall can find it
- file { "/etc/shorewall/shorewall.conf":
- # use OS specific defaults, but use Default if no other is found
- source => [
- "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
- "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/files/shorewall/shorewall.conf",
- "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/shorewall/shorewall.conf.Default"
- ],
- mode => 0644, owner => root, group => 0,
- require => Package[shorewall],
- notify => Service[shorewall],
- }
-
- service{shorewall:
- ensure => running,
- enable => true,
- hasstatus => true,
- hasrestart => true,
- subscribe => [
- Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
- Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
- Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
- Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
- Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
- Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
- Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
- Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
- Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
- Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
- Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
- Exec["concat_/var/lib/puppet/modules/shorewall/params"]
- ],
- require => Package[shorewall],
- }
-}
-
-class shorewall::gentoo inherits shorewall::base {
- Package[shorewall]{
- category => 'net-firewall',
- }
-}
-
-class shorewall::debian inherits shorewall::base {
- file{'/etc/default/shorewall':
- source => "puppet://$server/shorewall/debian/default",
- require => Package['shorewall'],
- notify => Service['shorewall'],
- owner => root, group => 0, mode => 0644;
- }
- Service['shorewall']{
- status => '/sbin/shorewall status'
- }
+ shorewall::managed_file { params: }
}
diff --git a/manifests/interface.pp b/manifests/interface.pp
new file mode 100644
index 0000000..1cb5042
--- /dev/null
+++ b/manifests/interface.pp
@@ -0,0 +1,27 @@
+define shorewall::interface(
+ $zone,
+ $broadcast = 'detect',
+ $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $rfc1918 = false,
+ $dhcp = false,
+ $order = 100
+){
+ if $rfc1918 {
+ if $dhcp {
+ $options_real = "${options},dhcp"
+ } else {
+ $options_real = $options
+ }
+ } else {
+ if $dhcp {
+ $options_real = "${options},norfc1918,dhcp"
+ } else {
+ $options_real = "${options},norfc1918"
+ }
+ }
+
+ shorewall::entry { "interfaces.d/${order}-${name}":
+ line => "${zone} ${name} ${broadcast} ${options_real}",
+ }
+}
+
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
new file mode 100644
index 0000000..6ade6c9
--- /dev/null
+++ b/manifests/managed_file.pp
@@ -0,0 +1,17 @@
+define shorewall::managed_file () {
+ $dir = "/var/lib/puppet/modules/shorewall/${name}.d"
+ concatenated_file { "/var/lib/puppet/modules/shorewall/$name":
+ dir => $dir,
+ mode => 0600,
+ }
+ file {
+ "${dir}/000-header":
+ source => "puppet://$server/shorewall/boilerplate/${name}.header",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ "${dir}/999-footer":
+ source => "puppet://$server/shorewall/boilerplate/${name}.footer",
+ mode => 0600, owner => root, group => 0,
+ notify => Exec["concat_${dir}"];
+ }
+}
diff --git a/manifests/masq.pp b/manifests/masq.pp
new file mode 100644
index 0000000..a9c9840
--- /dev/null
+++ b/manifests/masq.pp
@@ -0,0 +1,17 @@
+# mark is new in 3.4.4
+# source (= subnet) = Set of hosts that you wish to masquerade.
+# address = If you specify an address here, SNAT will be used and this will be the source address.
+define shorewall::masq(
+ $interface,
+ $source, $address = '-',
+ $proto = '-',
+ $port = '-',
+ $ipsec = '-',
+ $mark = '',
+ $order='100'
+){
+ shorewall::entry{"masq.d/${order}-${name}":
+ line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}"
+ }
+}
+
diff --git a/manifests/nat.pp b/manifests/nat.pp
new file mode 100644
index 0000000..e69c1c0
--- /dev/null
+++ b/manifests/nat.pp
@@ -0,0 +1,11 @@
+define shorewall::nat(
+ $interface,
+ $internal,
+ $all = 'no',
+ $local = 'yes',
+ $order='100'
+){
+ shorewall::entry{"nat.d/${order}-${name}":
+ line => "${name} ${interface} ${internal} ${all} ${local}"
+ }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..0a1ae11
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,5 @@
+define shorewall::params($value, $order='100'){
+ shorewall::entry{"params.d/${order}-${name}":
+ line => "${name}=${value}",
+ }
+}
diff --git a/manifests/policy.pp b/manifests/policy.pp
new file mode 100644
index 0000000..cdaab71
--- /dev/null
+++ b/manifests/policy.pp
@@ -0,0 +1,12 @@
+define shorewall::policy(
+ $sourcezone,
+ $destinationzone,
+ $policy, $shloglevel = '-',
+ $limitburst = '-',
+ $order
+){
+ shorewall::entry{"policy.d/${order}-${name}":
+ line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",
+ }
+}
+
diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp
new file mode 100644
index 0000000..75c853b
--- /dev/null
+++ b/manifests/proxyarp.pp
@@ -0,0 +1,11 @@
+define shorewall::proxyarp(
+ $interface,
+ $external,
+ $haveroute = yes,
+ $persistent = no,
+ $order='100'
+ ){
+ shorewall::entry{"proxyarp.d/${order}-${name}":
+ line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}"
+ }
+}
diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp
new file mode 100644
index 0000000..6c2719c
--- /dev/null
+++ b/manifests/rfc1918.pp
@@ -0,0 +1,8 @@
+define shorewall::rfc1918(
+ $action = 'logdrop',
+ $order='100'
+){
+ shorewall::entry{"rfc1918.d/${order}-${name}":
+ line => "${name} ${action}"
+ }
+}
diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp
new file mode 100644
index 0000000..dab539c
--- /dev/null
+++ b/manifests/routestopped.pp
@@ -0,0 +1,14 @@
+define shorewall::routestopped(
+ $interface = '',
+ $host = '-',
+ $options = '',
+ $order='100'
+){
+ $real_interface = $interface ? {
+ '' => $name,
+ default => $interface,
+ }
+ shorewall::entry{"routestopped.d/${order}-${name}":
+ line => "${real_interface} ${host} ${options}",
+ }
+}
diff --git a/manifests/rule.pp b/manifests/rule.pp
new file mode 100644
index 0000000..0614e95
--- /dev/null
+++ b/manifests/rule.pp
@@ -0,0 +1,18 @@
+# mark is new in 3.4.4
+define shorewall::rule(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '',
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${name}":
+ line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+ }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
new file mode 100644
index 0000000..a885eae
--- /dev/null
+++ b/manifests/rule_section.pp
@@ -0,0 +1,7 @@
+define shorewall::rule_section(
+ $order
+){
+ shorewall::entry{"rules.d/${order}-${name}":
+ line => "SECTION ${name}",
+ }
+}
diff --git a/manifests/zone.pp b/manifests/zone.pp
new file mode 100644
index 0000000..fa83b0b
--- /dev/null
+++ b/manifests/zone.pp
@@ -0,0 +1,14 @@
+define shorewall::zone(
+ $type,
+ $options = '-',
+ $in = '-',
+ $out = '-',
+ $parent = '-',
+ $order = 100
+){
+ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
+ shorewall::entry { "zones.d/${order}-${name}":
+ line => "${real_name} ${type} ${options} ${in} ${out}"
+ }
+}
+