Merge branch 'master' of https://github.com/duritong/puppet-shorewall

Conflicts:
	manifests/debian.pp
	manifests/managed_file.pp

13 files changed, 117 insertions, 59 deletions

diff --git a/README b/README
index 3a84b3b..0e61035 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
+modules/shorewall/manifests/init.pp - manage firewalling with shorewall
 
 Puppet Module for Shorewall
 ---------------------------
@@ -7,8 +7,8 @@ This module manages the configuration of Shorewall (http://www.shorewall.net/)
 Requirements
 ------------
 
-This module requires the augeas module, you can find that here:
-https://labs.riseup.net/code/projects/shared-augeas
+This module requires the concat module, you can find that here:
+https://github.com/puppetlabs/puppetlabs-concat.git
 
 Copyright
 ---------
diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header
index 2027523..663e436 100644
--- a/files/boilerplate/interfaces.header
+++ b/files/boilerplate/interfaces.header
@@ -1,10 +1,10 @@
 #
-# Shorewall version 3.4 - Interfaces File
+# Shorewall version 4 - Interfaces File
 #
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 #ZONE   INTERFACE       BROADCAST       OPTIONS
diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header
index a0c5d5d..cc9781f 100644
--- a/files/boilerplate/policy.header
+++ b/files/boilerplate/policy.header
@@ -1,9 +1,11 @@
 #
-# Shorewall version 3.4 - Policy File
+# Shorewall version 4 - Policy File
 #
 # For information about entries in this file, type "man shorewall-policy"
 #
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
-#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
+#SOURCE DEST  POLICY    LOG LIMIT:    CONNLIMIT:
+#       LEVEL BURST   MASK
diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnels.footer
index 5e12d1d..5e12d1d 100644
--- a/files/boilerplate/tunnel.footer
+++ b/files/boilerplate/tunnels.footer
diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnels.header
index 638fd56..638fd56 100644
--- a/files/boilerplate/tunnel.header
+++ b/files/boilerplate/tunnels.header
diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header
index 8b82c2e..5dada52 100644
--- a/files/boilerplate/zones.header
+++ b/files/boilerplate/zones.header
@@ -1,11 +1,12 @@
 #
-# Shorewall version 3.4 - Zones File
+# Shorewall version 4 - Zones File
 #
 # For information about this file, type "man shorewall-zones"
 #
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
-#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
-fw      firewall
+#ZONE TYPE    OPTIONS   IN      OUT
+#         OPTIONS     OPTIONS
+fw  firewall
diff --git a/manifests/base.pp b/manifests/base.pp
index 4ee8747..12b8c34 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -10,14 +10,14 @@ class shorewall::base {
     '/etc/shorewall/shorewall.conf':
       require => Package[shorewall],
       notify  => Service[shorewall],
-      owner   => root,
-      group   => 0,
+      owner   => 'root',
+      group   => 'root',
       mode    => '0644';
     '/etc/shorewall/puppet':
       ensure  => directory,
       require => Package[shorewall],
-      owner   => root,
-      group   => 0,
+      owner   => 'root',
+      group   => 'root',
       mode    => '0644';
   }
 
@@ -27,15 +27,13 @@ class shorewall::base {
     }
   } else {
 
-  require augeas
-
-  augeas { 'shorewall_module_config_path':
-    changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
-    lens    => 'Shellvars.lns',
-    incl    => '/etc/shorewall/shorewall.conf',
-    notify  => Service['shorewall'],
-    require => Package['shorewall'];
-  }
+    augeas { 'shorewall_module_config_path':
+      changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
+      lens    => 'Shellvars.lns',
+      incl    => '/etc/shorewall/shorewall.conf',
+      notify  => Service['shorewall'],
+      require => Package['shorewall'];
+    }
   }
 
   service{'shorewall':
diff --git a/manifests/debian.pp b/manifests/debian.pp
index c439871..01d108f 100644
--- a/manifests/debian.pp
+++ b/manifests/debian.pp
@@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base {
     content => template("shorewall/debian_default.erb"),
     require => Package['shorewall'],
     notify => Service['shorewall'],
-    owner => root, group => '0', mode => '0644';
+    owner => 'root', group => 'root', mode => '0644';
   }
   Service['shorewall']{
     status => '/sbin/shorewall status'
diff --git a/manifests/init.pp b/manifests/init.pp
index cd6488b..5966bed 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -8,22 +8,49 @@ class shorewall(
   $tor_user                   = $::operatingsystem ? {
     'Debian' => 'debian-tor',
     default  => 'tor'
-  }
+  },
+  $zones                      = {},
+  $zones_defaults             = {},
+  $interfaces                 = {},
+  $interfaces_defaults        = {},
+  $hosts                      = {},
+  $hosts_defaults             = {},
+  $policy                     = {},
+  $policy_defaults            = {},
+  $rules                      = {},
+  $rules_defaults             = {},
+  $rulesections               = {},
+  $rulesections_defaults      = {},
+  $masq                       = {},
+  $masq_defaults              = {},
+  $proxyarp                   = {},
+  $proxyarp_defaults          = {},
+  $nat                        = {},
+  $nat_defaults               = {},
+  $blacklist                  = {},
+  $blacklist_defaults         = {},
+  $rfc1918                    = {},
+  $rfc1918_defaults           = {},
+  $routestopped               = {},
+  $routestopped_defaults      = {},
+  $params                     = {},
+  $params_defaults            = {},
+  $tcdevices                  = {},
+  $tcdevices_defaults         = {},
+  $tcrules                    = {},
+  $tcrules_defaults           = {},
+  $tcclasses                  = {},
+  $tcclasses_defaults         = {},
+  $tunnels                    = {},
+  $tunnels_defaults           = {},
+  $rtrules                    = {},
+  $rtrules_defaults           = {},
 ) {
 
   case $::operatingsystem {
     gentoo: { include shorewall::gentoo }
-    debian: {
-      include shorewall::debian
-      $dist_tor_user = 'debian-tor'
-    }
+    debian,ubuntu: { include shorewall::debian }
     centos: { include shorewall::centos }
-    ubuntu: {
-    case $::lsbdistcodename {
-      karmic: { include shorewall::ubuntu::karmic }
-      default: { include shorewall::debian }
-      }
-    }
     default: {
       notice "unknown operatingsystem: ${::operatingsystem}"
       include shorewall::base
@@ -65,9 +92,29 @@ class shorewall(
       # http://www.shorewall.net/manpages/shorewall-providers.html
       'providers',
       # See http://www.shorewall.net/manpages/shorewall-tunnels.html
-      'tunnel',
+      'tunnels',
       # See http://www.shorewall.net/MultiISP.html
       'rtrules',
     ]:;
   }
+
+  create_resources('shorewall::zone',$zones,$zones_defaults)
+  create_resources('shorewall::interface',$interfaces,$interfaces_defaults)
+  create_resources('shorewall::host',$hosts,$hosts_defaults)
+  create_resources('shorewall::policy',$policy,$policy_defaults)
+  create_resources('shorewall::rule',$rules,$rules_defaults)
+  create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults)
+  create_resources('shorewall::masq',$masq,$masq_defaults)
+  create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
+  create_resources('shorewall::nat',$nat,$nat_defaults)
+  create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults)
+  create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults)
+  create_resources('shorewall::routestopped',$routestopped,
+    $routestopped_defaults)
+  create_resources('shorewall::params',$params,$params_defaults)
+  create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults)
+  create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults)
+  create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults)
+  create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults)
+  create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults)
 }
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index 75326b8..7061721 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -2,7 +2,7 @@ define shorewall::managed_file () {
   concat{ "/etc/shorewall/puppet/${name}":
     notify => Service['shorewall'],
     require => File['/etc/shorewall/puppet'],
-    owner => root, group => '0', mode => '0600';
+    owner => 'root', group => 'root', mode => '0600';
   }
   concat::fragment {
     "${name}-header":
diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp
index 3b38b29..226d627 100644
--- a/manifests/rules/jabberserver.pp
+++ b/manifests/rules/jabberserver.pp
@@ -1,19 +1,34 @@
-class shorewall::rules::jabberserver {
+# open ports used by a jabberserver
+# in and outbound.
+class shorewall::rules::jabberserver(
+  $open_stun = true,
+) {
   shorewall::rule {
     'net-me-tcp_jabber':
-            source          => 'net',
-            destination     => '$FW',
-            proto           => 'tcp',
-            destinationport => '5222,5223,5269',
-            order           => 240,
-            action          => 'ACCEPT';
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'tcp',
+        destinationport => '5222,5223,5269',
+        order           => 240,
+        action          => 'ACCEPT';
     'me-net-tcp_jabber_s2s':
-            source          => '$FW',
-            destination     => 'net',
-            proto           => 'tcp',
-            destinationport => '5260,5269,5270,5271,5272',
-            order           => 240,
-            action          => 'ACCEPT';
+        source          => '$FW',
+        destination     => 'net',
+        proto           => 'tcp',
+        destinationport => '5260,5269,5270,5271,5272',
+        order           => 240,
+        action          => 'ACCEPT';
   }
 
+  if $open_stun {
+    shorewall::rule {
+      'net-me-udp_jabber_stun_server':
+        source          => 'net',
+        destination     => '$FW',
+        proto           => 'udp',
+        destinationport => '3478',
+        order           => 240,
+        action          => 'ACCEPT';
+    }
+  }
 }
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 2cac922..0e645c8 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
     $gateway_zones = '',
     $order = '1'
 ) {
-    shorewall::entry { "tunnel-${order}-${name}":
+    shorewall::entry { "tunnels-${order}-${name}":
         line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
     }
 }
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp
deleted file mode 100644
index 0df3789..0000000
--- a/manifests/ubuntu/karmic.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class shorewall::ubuntu::karmic inherits shorewall::debian {
-  Package['shorewall']{
-    name => 'shorewall-shell',
-  }
-}