-rw-r--r--files/boilerplate/tunnels.footer (renamed from files/boilerplate/tunnel.footer)0
-rw-r--r--files/boilerplate/tunnels.header (renamed from files/boilerplate/tunnel.header)0
-rw-r--r--lib/facter/shorewall_major_version.rb5
-rw-r--r--manifests/blrules.pp35
-rw-r--r--manifests/init.pp2
-rw-r--r--manifests/rule_section.pp9
-rw-r--r--manifests/tunnel.pp2
-rw-r--r--templates/blrules.erb15
8 files changed, 61 insertions, 7 deletions
diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnels.footer
index 5e12d1d..5e12d1d 100644
--- a/files/boilerplate/tunnel.footer
+++ b/files/boilerplate/tunnels.footer
diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnels.header
index 638fd56..638fd56 100644
--- a/files/boilerplate/tunnel.header
+++ b/files/boilerplate/tunnels.header
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
new file mode 100644
index 0000000..a733842
--- /dev/null
+++ b/lib/facter/shorewall_major_version.rb
@@ -0,0 +1,5 @@
+Facter.add("shorewall_major_version") do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil
+ end
+end
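Review bot: `Facter::Util::Resolution.exec` returns nil when the `shorewall` binary is missing or the command fails, so the `.split('.')` on line 31 raises NoMethodError and the fact errors out instead of simply being absent; the `|| nil` on the same line never fires, because `split` always returns an array. Guard the output before splitting: `out = Facter::Util::Resolution.exec('shorewall version')` followed by `out.split('.').first if out`. This matters on a first Puppet run, since the module itself manages `Package['shorewall']` (see blrules.pp in this commit) and the binary is not there when facts are collected.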
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
new file mode 100644
index 0000000..b8fe73f
--- /dev/null
+++ b/manifests/blrules.pp
@@ -0,0 +1,35 @@
+# Manage blrules. For additional information type "man shorewall-blrules"
+#
+# Sample Usage:
+#
+# shorewall::interface { 'br0':
+# zone => 'net',
+# rfc1918 => true,
+# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge';
+# }
+#
+# class { 'shorewall::blrules':
+# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge',
+# whitelists => [
+# "net:10.0.0.1,192.168.0.1 all",
+# ],
+#
+# drops => [
+# 'net all tcp 22', #ssh
+# ],
+# }
+
+
+class shorewall::blrules (
+ $whitelists,
+ $drops,
+) {
+ file{'/etc/shorewall/puppet/blrules':
+ content => template('shorewall/blrules.erb'),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root,
+ group => 0,
+ mode => '0644';
+ }
+}
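Review bot: The sample usage on lines 50-59 passes an `options` parameter to `shorewall::blrules`, but the class on lines 62-65 declares only `$whitelists` and `$drops`, so copying the sample fails with an unknown-parameter error. Remove the `options =>` line from the class sample (it belongs to the `shorewall::interface` example above it). Consider also giving both parameters empty-array defaults, `$whitelists = [],` and `$drops = [],`, so a host that only whitelists or only blacklists can still declare the class without passing an empty list.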
diff --git a/manifests/init.pp b/manifests/init.pp
index ede0be2..afdc7d7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -97,7 +97,7 @@ class shorewall(
# http://www.shorewall.net/manpages/shorewall-providers.html
'providers',
# See http://www.shorewall.net/manpages/shorewall-tunnels.html
- 'tunnel',
+ 'tunnels',
# See http://www.shorewall.net/MultiISP.html
'rtrules',
# See http://www.shorewall.net/manpages/shorewall-mangle.html
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index d853f70..08e5708 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -2,12 +2,11 @@
define shorewall::rule_section(
$order
){
- if $::operatingsystem == 'CentOS' and versioncmp($::operatingsystemmajrelease,'6') > 0 {
- $prefix = '?SECTION'
- } else {
- $prefix = 'SECTION'
+ $rule_section_prefix = $shorewall_major_version ? {
+ '5' => '?'
}
+
shorewall::entry{"rules-${order}-${name}":
- line => "${prefix} ${name}",
+ line => "${rule_section_prefix}SECTION ${name}",
}
}
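Review bot: The selector on lines 100-102 has no `default` arm, so any fact value other than '5' — including the fact being absent on a host where shorewall is not installed yet — aborts catalog compilation with a no-matching-value error instead of falling back to the bare `SECTION` form the removed `else` branch produced. Add `default => '',` after the `'5' => '?',` arm, and reference the fact as `$::shorewall_major_version` so a class- or node-scope variable cannot shadow it. The removed versioncmp branch emitted `?SECTION` on CentOS releases newer than 6, which presumably ship a 4.x shorewall; if those releases also accept the `?` form, keying only on major version 5 changes behaviour there, which may be intended but is worth confirming.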
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 2cac922..0e645c8 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
$gateway_zones = '',
$order = '1'
) {
- shorewall::entry { "tunnel-${order}-${name}":
+ shorewall::entry { "tunnels-${order}-${name}":
line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
}
}
diff --git a/templates/blrules.erb b/templates/blrules.erb
new file mode 100644
index 0000000..4c9af79
--- /dev/null
+++ b/templates/blrules.erb
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4.4 - Rule-based Blacklisting
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###############################################################################
+<% @whitelists.each do |value| -%>
+WHITELIST <%= value %>
+<% end -%>
+<% @drops.each do |value| -%>
+REJECT <%= value %>
+<% end -%>
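Review bot: Entries from `@drops` on lines 140-142 are emitted with the `REJECT` action even though the parameter is named `drops` and the manifest's sample usage labels them the same way; REJECT answers the sender (ICMP unreachable or TCP reset) while DROP discards silently, which is what a blacklist usually wants so that probing hosts get no reply. Either emit `DROP <%= value %>` or rename the parameter to `rejects` so the configured behaviour matches its name. Values are interpolated verbatim, so the template trusts each entry to be one well-formed blrules line; a one-line remark to that effect in the header comment would help. The banner still says "Shorewall version 4.4" while the module now keys on major version 5, so dropping the version from the banner avoids it going stale.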