authorMicah Anderson <micah@riseup.net>2013-01-24 16:11:31 -0500
committerMicah Anderson <micah@riseup.net>2013-01-24 16:11:31 -0500
commit614ee152c39bbc66c82a52022e2c05aa7856cd4b (patch)
tree117fc0f3f61b4362be5dc1f32ab30db445efceb1 /manifests
parentd3d58a60bb582875a63e78245fb697d18a10877e (diff)
parent9e79c7c55755e4cff5097d34c14396fdb0f15f85 (diff)
Merge remote-tracking branch 'riseup/master'
Conflicts: manifests/base.pp
Diffstat (limited to 'manifests')
-rw-r--r--manifests/base.pp3
-rw-r--r--manifests/init.pp28
-rw-r--r--manifests/providers.pp26
-rw-r--r--manifests/rtrules.pp11
-rw-r--r--manifests/rules/ipsec.pp12
-rw-r--r--manifests/rules/ipsec_nat.pp18
-rw-r--r--manifests/rules/libvirt/host.pp46
-rw-r--r--manifests/tunnel.pp11
8 files changed, 122 insertions, 33 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index ccb528f..894b225 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,6 +1,7 @@
class shorewall::base {
+
package { 'shorewall':
- ensure => $shorewall_ensure_version,
+ ensure => $shorewall::ensure_version,
}
# This file has to be managed in place, so shorewall can find it
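Review bot: The new `ensure => $shorewall::ensure_version` reference (L34) only resolves if class shorewall has already been evaluated when shorewall::base is parsed; otherwise the package gets an undefined ensure value with no error pointing at the cause. That is presumably guaranteed by init.pp including this class (not visible in this hunk), but an explicit `include shorewall` or `Class['shorewall'] -> Class['shorewall::base']` at the top of the class would make the dependency stand on its own. The rest of the class body is outside the hunk.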
diff --git a/manifests/init.pp b/manifests/init.pp
index 3b4b3b2..5a7f740 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,5 +1,13 @@
class shorewall(
- $startup = '1'
+ $startup = '1',
+ $conf_source = false,
+ $ensure_version = 'present',
+ $tor_transparent_proxy_host = '127.0.0.1',
+ $tor_transparent_proxy_port = '9040',
+ $tor_user = $::operatingsystem ? {
+ 'Debian' => 'debian-tor',
+ default => 'tor'
+ }
) {
case $::operatingsystem {
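Review bot: The eight new class parameters (L44–L52) carry no documentation, and the class has no header comment at all, so a user has to read the body to learn what `$conf_source`, `$tor_transparent_proxy_host`/`_port` and `$tor_user` control. A comment block above `class shorewall(` with one line per parameter — its purpose, the accepted values, and why `$tor_user` is derived from `$::operatingsystem` — would be enough; the `false` default of `$conf_source` next to string defaults everywhere else is also worth a line stating what a non-false value is expected to be. The class body continues outside the hunk.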
@@ -21,19 +29,6 @@ class shorewall(
}
}
- case $tor_transparent_proxy_host {
- '': { $tor_transparent_proxy_host = '127.0.0.1' }
- }
- case $tor_transparent_proxy_port {
- '': { $tor_transparent_proxy_port = '9040' }
- }
- if $tor_user == '' {
- $tor_user = $dist_tor_user ? {
- '' => 'tor',
- default => $dist_tor_user,
- }
- }
-
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
@@ -66,4 +61,9 @@ class shorewall(
shorewall::managed_file { tcclasses: }
# http://www.shorewall.net/manpages/shorewall-providers.html
shorewall::managed_file { providers: }
+ # See http://www.shorewall.net/manpages/shorewall-tunnels.html
+ shorewall::managed_file { tunnel: }
+ # See http://www.shorewall.net/MultiISP.html
+ shorewall::managed_file { rtrules: }
+
}
diff --git a/manifests/providers.pp b/manifests/providers.pp
index a02a494..a1f8726 100644
--- a/manifests/providers.pp
+++ b/manifests/providers.pp
@@ -1,16 +1,16 @@
+# manage providers
define shorewall::providers(
- $provider,
- $number = '',
- $mark = '',
- $duplicate = 'main',
- $interface = '',
- $gateway = '',
- $options = '',
- $copy = '',
- $order='100'
+ $provider = $name,
+ $number = '',
+ $mark = '',
+ $duplicate = 'main',
+ $interface = '',
+ $gateway = '',
+ $options = '',
+ $copy = '',
+ $order = '100'
){
- shorewall::entry{"providers-${order}-${name}":
- line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
- }
+ shorewall::entry{"providers-${order}-${name}":
+ line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"
+ }
}
-
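Review bot: The empty-string defaults for `$number`, `$mark`, `$interface`, `$gateway`, `$options` and `$copy` (L101–L107) are interpolated into a whitespace-separated, column-positional line (L114), so any unset middle column vanishes and every later field shifts left when Shorewall reads the providers file. The rtrules.pp added by this same commit uses `'-'`, Shorewall's placeholder for an empty column, for its optional fields; the defaults here should match, e.g. `$number = '-',` and `$mark = '-',` through `$copy = '-'`. The behaviour is pre-existing, but the new `$provider = $name` default invites declarations that set only a couple of fields, which is exactly where the shift bites.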
diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp
new file mode 100644
index 0000000..34e12b4
--- /dev/null
+++ b/manifests/rtrules.pp
@@ -0,0 +1,11 @@
+define shorewall::rtrules(
+ $source = '-',
+ $destination = '-',
+ $provider,
+ $priority = '10000',
+ $mark,
+){
+ shorewall::entry { "rtrules.d/${mark}-${title}":
+ line => "# ${name}\n${source} ${destination} ${provider} ${priority} ${mark}",
+ }
+}
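Review bot: The required parameters `$provider` and `$mark` (L127, L129) are listed after parameters that have defaults, which hides them among the optional ones; listing them first, as tunnel.pp in this commit does, makes the contract readable at a glance. `$mark` is also part of the entry path `"rtrules.d/${mark}-${title}"` (L131), so a mark written with a mask such as `0x1/0xff` would be split into a subdirectory component — if masks are a supported input, the path should use `$priority` or a sanitised form of the mark instead. A short header comment (the commit adds `# manage providers` to providers.pp) naming the file format this define feeds would also help.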
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index 3e9db55..82adff0 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
@@ -1,7 +1,9 @@
-class shorewall::rules::ipsec {
+class shorewall::rules::ipsec(
+ $source = 'net'
+) {
shorewall::rule {
'net-me-ipsec-udp':
- source => 'net',
+ source => $shorewall::rules::ipsec::source,
destination => '$FW',
proto => 'udp',
destinationport => '500',
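Review bot: The new parameter is named `$source` but is used as the destination zone of the outbound rules in the second hunk (L156, L171), so the name describes only half of what it does; `$zone` or `$peer_zone` would fit both uses. Inside the class's own body the fully qualified `$shorewall::rules::ipsec::source` (L147, L156, L163, L171) can simply be `$source`. A comment above the class stating that the parameter is the zone IPsec peers live in, defaulting to `net`, would document the contract.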
@@ -9,20 +11,20 @@ class shorewall::rules::ipsec {
action => 'ACCEPT';
'me-net-ipsec-udp':
source => '$FW',
- destination => 'net',
+ destination => $shorewall::rules::ipsec::source,
proto => 'udp',
destinationport => '500',
order => 240,
action => 'ACCEPT';
'net-me-ipsec':
- source => 'net',
+ source => $shorewall::rules::ipsec::source,
destination => '$FW',
proto => 'esp',
order => 240,
action => 'ACCEPT';
'me-net-ipsec':
source => '$FW',
- destination => 'net',
+ destination => $shorewall::rules::ipsec::source,
proto => 'esp',
order => 240,
action => 'ACCEPT';
diff --git a/manifests/rules/ipsec_nat.pp b/manifests/rules/ipsec_nat.pp
new file mode 100644
index 0000000..6c0d507
--- /dev/null
+++ b/manifests/rules/ipsec_nat.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::ipsec_nat {
+ shorewall::rule {
+ 'net-me-ipsec-nat-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '4500',
+ order => 240,
+ action => 'ACCEPT';
+ 'me-net-ipsec-nat-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '4500',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
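Review bot: The new class hard-codes `'net'` as the peer zone (L184, L192) while the same commit makes that zone a parameter of shorewall::rules::ipsec, so anyone using the parameter there for NAT-T peers cannot do the same here. Giving this class the matching `$source = 'net'` parameter and using it for both the source of 'net-me-ipsec-nat-udp' and the destination of 'me-net-ipsec-nat-udp' keeps the two classes consistent. A one-line header comment noting that UDP 4500 is IPsec NAT traversal would also help readers who do not know the port.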
diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp
new file mode 100644
index 0000000..aaecd9d
--- /dev/null
+++ b/manifests/rules/libvirt/host.pp
@@ -0,0 +1,46 @@
+class shorewall::rules::libvirt::host (
+ $vmz = 'vmz',
+ $masq_iface = 'eth0',
+ ) {
+
+ define shorewall::rule::accept::from_vmz (
+ $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) {
+ shorewall::rule { "$name":
+ source => $vmz, destination => '$FW', order => 300,
+ proto => $proto, destinationport => $destinationport, action => $action;
+ }
+ }
+
+ shorewall::policy {
+ 'fw-to-vmz':
+ sourcezone => '$FW',
+ destinationzone => $vmz,
+ policy => 'ACCEPT',
+ order => 110;
+ 'vmz-to-net':
+ sourcezone => $vmz,
+ destinationzone => 'net',
+ policy => 'ACCEPT',
+ order => 200;
+ 'vmz-to-all':
+ sourcezone => $vmz,
+ destinationzone => 'all',
+ policy => 'DROP',
+ shloglevel => 'info',
+ order => 800;
+ }
+
+ shorewall::rule::accept::from_vmz {
+ 'accept_dns_from_vmz': action => 'DNS(ACCEPT)';
+ 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)';
+ 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT';
+ 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT';
+ }
+
+ shorewall::masq {
+ "masq-${masq_iface}":
+ interface => "$masq_iface",
+ source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16';
+ }
+
+}
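Review bot: The define `shorewall::rule::accept::from_vmz` (L210–L216) is declared inside the class and reads `$vmz` (L213) from the enclosing class scope; under Puppet versions without dynamic scoping a define does not see its lexical parent's variables, so `source => $vmz` would resolve to an undefined top-scope variable and the accept rules would be emitted without a source zone. Reading it as `$shorewall::rules::libvirt::host::vmz`, or passing the zone in as a define parameter, makes the rules independent of scoping behaviour, and moving the define to its own manifest avoids nesting it in a class. The masquerade source list (L247) and the `vmz-to-net` ACCEPT policy (L224–L228) are also fixed choices that a class parameter with the current value as default would expose; `"$masq_iface"` (L246) and `"$name"` (L212) need no quotes.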
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
new file mode 100644
index 0000000..e0c71e7
--- /dev/null
+++ b/manifests/tunnel.pp
@@ -0,0 +1,11 @@
+define shorewall::tunnel(
+ $tunnel_type,
+ $zone,
+ $gateway = '0.0.0.0/0',
+ $gateway_zones = '',
+ $order = '1'
+) {
+ shorewall::entry { "tunnel.d/${order}-${title}":
+ line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
+ }
+}
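Review bot: The new define has no documentation describing what `$tunnel_type`, `$zone`, `$gateway` and `$gateway_zones` map to in the generated line (L265), and the file lacks the `# manage ...` header the commit adds to providers.pp. A comment above `define shorewall::tunnel(` pointing at the shorewall-tunnels man page already cited in init.pp and listing the column each parameter fills would be sufficient. `$order` (L262) is interpolated into the entry path `"tunnel.d/${order}-${title}"`, so if entries are sorted by file name the single-digit default `'1'` will sort lexically against multi-digit values; stating the expected width, or defaulting to a padded value such as `'100'` as providers.pp does, would make that explicit.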