authorMicah Anderson <micah@riseup.net>2017-02-01 21:27:04 -0500
committerMicah Anderson <micah@riseup.net>2017-02-01 21:27:04 -0500
commitb140aabf7c4e0a0ded0a69368c4fce354c1f96e8 (patch)
treee82163207cb81a4215508e6c90229c0245609ab0
parent2b75a0321bc9e65f4e9e6cf34b708a3d40318731 (diff)
parent85b6e3820fa614eeafb99b85846172553461398e (diff)
Merge remote-tracking branch 'immerda/master' into riseup
-rw-r--r--files/boilerplate/conntrack.footer3
-rw-r--r--files/boilerplate/conntrack.header10
-rw-r--r--files/boilerplate/tunnels.footer (renamed from files/boilerplate/tunnel.footer)0
-rw-r--r--files/boilerplate/tunnels.header (renamed from files/boilerplate/tunnel.header)0
-rw-r--r--lib/facter/shorewall_major_version.rb5
-rw-r--r--manifests/base.pp25
-rw-r--r--manifests/blrules.pp34
-rw-r--r--manifests/centos.pp2
-rw-r--r--manifests/config_setting.pp18
-rw-r--r--manifests/config_settings.pp10
-rw-r--r--manifests/conntrack/helper.pp32
-rw-r--r--manifests/host.pp7
-rw-r--r--manifests/init.pp10
-rw-r--r--manifests/rule_section.pp15
-rw-r--r--manifests/rules/out/tor.pp11
-rw-r--r--manifests/tunnel.pp2
-rw-r--r--templates/blrules.erb15
-rw-r--r--templates/debian_default.erb2
18 files changed, 179 insertions, 22 deletions
diff --git a/files/boilerplate/conntrack.footer b/files/boilerplate/conntrack.footer
new file mode 100644
index 0000000..8648c65
--- /dev/null
+++ b/files/boilerplate/conntrack.footer
@@ -0,0 +1,3 @@
+
+?endif
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
diff --git a/files/boilerplate/conntrack.header b/files/boilerplate/conntrack.header
new file mode 100644
index 0000000..2db7bda
--- /dev/null
+++ b/files/boilerplate/conntrack.header
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/conntrack
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+?FORMAT 3
+######################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnels.footer
index 5e12d1d..5e12d1d 100644
--- a/files/boilerplate/tunnel.footer
+++ b/files/boilerplate/tunnels.footer
diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnels.header
index 638fd56..638fd56 100644
--- a/files/boilerplate/tunnel.header
+++ b/files/boilerplate/tunnels.header
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
new file mode 100644
index 0000000..0068b48
--- /dev/null
+++ b/lib/facter/shorewall_major_version.rb
@@ -0,0 +1,5 @@
+Facter.add("shorewall_major_version") do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version').split('.').first || nil
+ end
+end
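Review bot: `Facter::Util::Resolution.exec` returns nil when the `shorewall` binary is not on the PATH (the first run before the package is installed), so the `.split('.')` call raises NoMethodError and the fact is logged as an error instead of quietly resolving to nil. Capture the output first and guard it: `output = Facter::Util::Resolution.exec('shorewall version')` followed by `output.split('.').first if output`. The trailing `|| nil` is redundant, since `Array#first` already returns nil for an empty array. A `confine :kernel => 'Linux'` on the fact would also avoid running the command on platforms where netfilter-based shorewall cannot exist.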
diff --git a/manifests/base.pp b/manifests/base.pp
index 9d65b7b..22ef555 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -27,16 +27,21 @@ class shorewall::base {
}
} else {
- # riseup commented due to redeclare
- #include ::augeas
- Class['augeas'] -> Class['shorewall::base']
-
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Exec['shorewall_check'],
- require => Package['shorewall'];
+ if str2bool($shorewall::startup) {
+ $startup_str = 'Yes'
+ } else {
+ $startup_str = 'No'
+ }
+ shorewall::config_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ $cfs = keys($shorewall::settings)
+ shorewall::config_settings{
+ $cfs:
+ settings => $shorewall::settings;
}
}
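Review bot: The CONFIG_PATH value on the `value =>` line is hard to read because every `$` and `"` is escaped inside a double-quoted Puppet string; nothing in it needs interpolation, so a single-quoted string yields the same text verbatim: `value => '"${CONFDIR}/shorewall/puppet:${CONFDIR}/shorewall:${SHAREDIR}/shorewall"';`. The removed `Class['augeas'] -> Class['shorewall::base']` ordering is not re-established for the augeas resources now created through shorewall::config_setting; if the augeas lenses come from that class, their ordering relative to these resources is now implicit, which is worth confirming. The enclosing class shorewall::base starts outside the hunk.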
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
new file mode 100644
index 0000000..7f3953b
--- /dev/null
+++ b/manifests/blrules.pp
@@ -0,0 +1,34 @@
+# Manage blrules. For additional information type "man shorewall-blrules"
+#
+# Sample Usage:
+#
+# shorewall::interface { 'br0':
+# zone => 'net',
+# rfc1918 => true,
+# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge';
+# }
+#
+# class { 'shorewall::blrules':
+# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge',
+# whitelists => [
+# "net:10.0.0.1,192.168.0.1 all",
+# ],
+#
+# drops => [
+# 'net all tcp 22', #ssh
+# ],
+# }
+#
+class shorewall::blrules (
+ $whitelists,
+ $drops,
+) {
+ file{'/etc/shorewall/puppet/blrules':
+ content => template('shorewall/blrules.erb'),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
+}
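Review bot: The sample usage in the header comment passes `options => 'tcpflags,...'` to `class { 'shorewall::blrules': ... }`, but the class declares only `$whitelists` and `$drops`, so copying the example fails with an invalid-parameter error; that line belongs to the shorewall::interface example above it and should be dropped from the class example. Both parameters are required with no default, so a host that only needs drops still has to pass `whitelists => []`; defaults of `$whitelists = [],` and `$drops = [],` match how the template iterates them. The file notifies `Service['shorewall']` directly, whereas shorewall::config_setting in this commit notifies `Exec['shorewall_check']`; if that exec validates the configuration before the service restarts, a malformed blrules entry here bypasses the check, so confirm which is intended.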
diff --git a/manifests/centos.pp b/manifests/centos.pp
index 1f8b37d..ff8c6ad 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,6 +1,6 @@
# things needed on centos
class shorewall::centos inherits shorewall::base {
- if versioncmp($::operatingsystemmajrelease,'5') > 0 {
+ if $::operatingsystemmajrelease == '6' {
augeas{'enable_shorewall':
context => '/files/etc/sysconfig/shorewall',
changes => 'set startup 1',
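Review bot: Narrowing the condition from greater-than-5 to exactly `'6'` silently moves el7 and later out of this branch; if that is intentional (presumably because later releases no longer honour the sysconfig startup flag), a one-line comment above the `if` naming the release it targets and why newer ones are excluded would stop the next reader from widening it again. The rest of the conditional continues outside the hunk.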
diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp
new file mode 100644
index 0000000..5eecf42
--- /dev/null
+++ b/manifests/config_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option
+#
+# e.g.
+# shorewall::config_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"'
+# }
+define shorewall::config_setting(
+ $value,
+){
+ augeas { "shorewall_module_${name}":
+ changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Exec['shorewall_check'],
+ require => Package['shorewall'];
+ }
+}
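Review bot: `$name` and `$value` are interpolated unchecked into the augeas `set` command, so a title containing a space or `/` silently changes the path being set, and a value containing whitespace is split unless the caller has already wrapped it in quotes, as the CONFIG_PATH example does. Since the commit already relies on stdlib functions (`str2bool`, `keys`, `upcase`), a guard such as `validate_re($name, '^[A-Za-z0-9_]+$')` at the top of the define is cheap, and the header comment should state the quoting contract, e.g. `# $value is written verbatim after "set ..."; quote it if it contains whitespace`.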
diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp
new file mode 100644
index 0000000..69eb380
--- /dev/null
+++ b/manifests/config_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config_settings(
+ $settings,
+){
+ shorewall::config_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
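Review bot: The header comment does not say what `$name` and `$settings` are, nor that `$name` must be a key of `$settings`; when it is not, `$settings[$name]` is undef and shorewall::config_setting fails on its required `value`, with an error that does not point back here. Expand the comment to something like `# Declares one shorewall::config_setting per title; each title must be a key of $settings (callers typically pass keys($settings) as the title list)`. A `has_key($settings, $name)` check that calls `fail()` with the offending title would make the error self-explanatory.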
diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp
new file mode 100644
index 0000000..ea7fb2e
--- /dev/null
+++ b/manifests/conntrack/helper.pp
@@ -0,0 +1,32 @@
+# Class for managing conntrack file: Helpers
+#
+# See http://shorewall.net/manpages/shorewall-conntrack.html for more info.
+# The $name defines the helper, so this needs to match one of the helpers
+# in the documentation.
+define shorewall::conntrack::helper(
+ $ensure = present,
+ $options = '',
+ $source = '-',
+ $destination = '-',
+ $proto,
+ $destinationport,
+ $sourceport = '',
+ $user = '',
+ $switch = '',
+ $chain = 'PO',
+ $order
+) {
+
+ $_helper = sprintf("__%s_HELPER", upcase($name))
+ $_chain = ":${chain}"
+ $_options = ''
+
+ if ($options != '') {
+ $_options = "(${options})"
+ }
+
+ shorewall::entry{"conntrack-${order}-${name}":
+ ensure => $ensure,
+ line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif"
+ }
+}
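Review bot: `$_options` is assigned `''` and then assigned again inside the `if`, and Puppet does not allow reassigning a variable within the same scope, so any helper declared with a non-empty `$options` fails compilation with a cannot-reassign error; use the if/else form the commit already uses in base.pp and rule_section.pp: `if ($options != '') { $_options = "(${options})" } else { $_options = '' }`. In the generated `CT:helper:` line, the empty-string defaults for `$sourceport`, `$user` and `$switch` produce empty columns in a whitespace-separated file, so setting `$user` while leaving `$sourceport` empty shifts the user into the SPORT column; default them to `'-'` like `$source` and `$destination`. `${$user}` is accepted by the parser but is inconsistent with the other `${var}` references on the same line.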
diff --git a/manifests/host.pp b/manifests/host.pp
index f400223..d2a73ce 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -1,10 +1,11 @@
define shorewall::host(
$zone,
+ $host = $name,
$options = 'tcpflags,blacklist,norfc1918',
- $order='100'
+ $order ='100'
){
+
shorewall::entry{"hosts-${order}-${name}":
- line => "${zone} ${name} ${options}"
+ line => "#${name}\n${zone} ${host} ${options}"
}
}
-
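Review bot: `$order ='100'` puts the space on the wrong side of `=`; the other parameters use `$name = value`, so `$order = '100'` keeps the list uniform. The new `$host = $name` parameter is undocumented; a comment such as `# $host: address written to the hosts file; defaults to the title, which is also emitted as the entry comment` above the define would explain why both values appear in the generated line.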
diff --git a/manifests/init.pp b/manifests/init.pp
index d6b2d2a..aac1520 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,7 +1,11 @@
# Manage shorewall on your system
class shorewall(
- $startup = '1',
+ $startup = true,
$conf_source = false,
+ $settings = {
+ 'LOG_MARTIANS' => 'No',
+ 'DISABLE_IPV6' => 'Yes',
+ },
$ensure_version = 'present',
$tor_transparent_proxy_host = '127.0.0.1',
$tor_transparent_proxy_port = '9040',
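Review bot: The `$settings` default is replaced wholesale, not merged, when a caller supplies its own hash, so anyone overriding a single key silently loses `LOG_MARTIANS` and `DISABLE_IPV6`; a comment above the parameter should say so, e.g. `# $settings: shorewall.conf keys to manage; a supplied hash replaces these defaults entirely`. `DISABLE_IPV6 => 'Yes'` as a module-wide default is also worth calling out in that comment, since the shorewall.conf option is meant to block IPv6 traffic on the host and will apply to every node using the class unless overridden — confirm that is the intended default.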
@@ -93,9 +97,11 @@ class shorewall(
# http://www.shorewall.net/manpages/shorewall-providers.html
'providers',
# See http://www.shorewall.net/manpages/shorewall-tunnels.html
- 'tunnel',
+ 'tunnels',
# See http://www.shorewall.net/MultiISP.html
'rtrules',
+ # See http://shorewall.net/manpages/shorewall-conntrack.html
+ 'conntrack',
# See http://www.shorewall.net/manpages/shorewall-mangle.html
'mangle',
]:;
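Review bot: Renaming the managed name from 'tunnel' to 'tunnels' leaves any previously generated `tunnel` file under the puppet config directory on disk and unmanaged; if this list drives the files under `/etc/shorewall/puppet` (likely, given the matching entry-title rename in manifests/tunnel.pp), a `file { '/etc/shorewall/puppet/tunnel': ensure => absent }` alongside it would avoid a stale copy sitting next to the new one on already-deployed hosts. The enclosing class starts outside the hunk.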
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 82984ca..0a8b4bb 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,7 +1,14 @@
+# a rule section marker
define shorewall::rule_section(
- $order
+ $order,
){
- shorewall::entry{"rules-${order}-${name}":
- line => "SECTION ${name}",
- }
+ if versioncmp($shorewall_major_version,'4') > 0 {
+ $rule_section_prefix = '?'
+ } else {
+ $rule_section_prefix = ''
+ }
+
+ shorewall::entry{"rules-${order}-${name}":
+ line => "${rule_section_prefix}SECTION ${name}",
+ }
}
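Review bot: `$shorewall_major_version` is an unqualified reference to the new fact; the module's other fact references use the top-scope form (`$::operatingsystemmajrelease` in manifests/centos.pp), so `$::shorewall_major_version` keeps it consistent and cannot be shadowed by a local of the same name. The fact is also absent on the first run before the shorewall package is installed, so the comparison then runs against an empty or undefined value and picks the unprefixed `SECTION` form regardless of which version ends up installed; the new header comment should state that, e.g. `# a rule section marker; uses ?SECTION on shorewall 5+, plain SECTION otherwise (and on the first run, before the fact exists)`.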
diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp
new file mode 100644
index 0000000..b4128d0
--- /dev/null
+++ b/manifests/rules/out/tor.pp
@@ -0,0 +1,11 @@
+# open outgoing port to connect to the network
+class shorewall::rules::out::tor {
+ shorewall::rule{'me-net-tor-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
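Review bot: The header comment "open outgoing port to connect to the network" understates what the rule does: it allows `$FW` to reach TCP 9001 on `net` only, which is the default Tor ORPort, so if this is meant for a Tor client rather than relay traffic, relays listening on other ports are not covered; say so, e.g. `# allow outbound TCP 9001 ($FW -> net), the default Tor ORPort; relays on other ports are not covered`. `order => 240` is an integer where the rest of the module passes order as a quoted string (`'100'` in manifests/host.pp); `order => '240'` keeps the entry titles uniform.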
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 2cac922..0e645c8 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
$gateway_zones = '',
$order = '1'
) {
- shorewall::entry { "tunnel-${order}-${name}":
+ shorewall::entry { "tunnels-${order}-${name}":
line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
}
}
diff --git a/templates/blrules.erb b/templates/blrules.erb
new file mode 100644
index 0000000..4c9af79
--- /dev/null
+++ b/templates/blrules.erb
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4.4 - Rule-based Blacklisting
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###############################################################################
+<% @whitelists.each do |value| -%>
+WHITELIST <%= value %>
+<% end -%>
+<% @drops.each do |value| -%>
+REJECT <%= value %>
+<% end -%>
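Review bot: The `@drops` list is emitted as `REJECT` lines, so the parameter name promises a DROP disposition that the file does not produce; either emit `DROP <%= value %>` or rename the parameter (and the `drops =>` example in manifests/blrules.pp) to match. Wrapping both iterations as `<% Array(@whitelists).each do |value| -%>` and `<% Array(@drops).each do |value| -%>` would also accept a single string from hiera instead of failing with NoMethodError on `each`.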
diff --git a/templates/debian_default.erb b/templates/debian_default.erb
index ec64cbe..8a9e328 100644
--- a/templates/debian_default.erb
+++ b/templates/debian_default.erb
@@ -3,7 +3,7 @@
# This file is brought to you by puppet
-startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %>
+startup=<%= ['0',false].include?(scope['shorewall::startup']) ? '0' : '1' %>
# if your Shorewall configuration requires detection of the ip address of a ppp
# interface, you must list such interfaces in "wait_interface" to get Shorewall to
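Review bot: The startup test here treats only `'0'` and `false` as disabled, while manifests/base.pp in the same commit evaluates the same `$shorewall::startup` with `str2bool`, which also accepts strings such as `'false'` or `'no'`; if both code paths run on one host, `startup => 'no'` yields `STARTUP_ENABLED=No` in shorewall.conf but `startup=1` in this file. Compute the boolean once in Puppet and hand the result to the template, or mirror the same accepted set in both places. The surrounding template continues outside the hunk.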