diff options
| author | duritong <peter.meier+github@immerda.ch> | 2016-08-03 00:55:47 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-08-03 00:55:47 +0200 |
| commit | 6d78d6c7b5c7617077260c94d7158b61f430494e (patch) | |
| tree | 05a44f1ae387a2cdee74a11d91af1b4826597292 | |
| parent | eaba8159fcfc38dbc72e2476e753b05ea7554d55 (diff) | |
| parent | 3b623df1f88adf2a177829dacae822dec2c3c7d0 (diff) | |
Merge pull request #5 from abraham1901/master
* Add shorewall-blrules support
| -rw-r--r-- | lib/facter/shorewall_major_version.rb | 5 | ||||
| -rw-r--r-- | manifests/blrules.pp | 35 | ||||
| -rw-r--r-- | manifests/rule_section.pp | 6 | ||||
| -rw-r--r-- | templates/blrules.erb | 15 |
4 files changed, 60 insertions, 1 deletions
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb new file mode 100644 index 0000000..a733842 --- /dev/null +++ b/lib/facter/shorewall_major_version.rb @@ -0,0 +1,5 @@ +Facter.add("shorewall_major_version") do + setcode do + Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil + end +end diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..b8fe73f --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,35 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template('shorewall/blrules.erb'), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, + group => 0, + mode => '0644'; + } +} diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..3f2ecc5 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,11 @@ define shorewall::rule_section( $order ){ + $rule_section_prefix = $shorewall_major_version ? { + '5' => '?' + } + shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } diff --git a/templates/blrules.erb b/templates/blrules.erb new file mode 100644 index 0000000..4c9af79 --- /dev/null +++ b/templates/blrules.erb @@ -0,0 +1,15 @@ +# +# Shorewall version 4.4 - Rule-based Blacklisting +# +# For information about entries in this file, type "man shorewall-blrules" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +<% @whitelists.each do |value| -%> +WHITELIST <%= value %> +<% end -%> +<% @drops.each do |value| -%> +REJECT <%= value %> +<% end -%> |