summaryrefslogtreecommitdiff
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/base.pp24
-rw-r--r--manifests/centos.pp2
-rw-r--r--manifests/config_setting.pp18
-rw-r--r--manifests/config_settings.pp10
-rw-r--r--manifests/conntrack/helper.pp32
-rw-r--r--manifests/host.pp4
-rw-r--r--manifests/init.pp8
-rw-r--r--manifests/rule_section.pp3
-rw-r--r--manifests/rules/out/tor.pp11
-rw-r--r--manifests/tunnel.pp2
10 files changed, 99 insertions, 15 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index dddfcaa..57f1685 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -25,15 +25,21 @@ class shorewall::base {
}
} else {
- include ::augeas
- Class['augeas'] -> Class['shorewall::base']
-
- augeas { 'shorewall_module_config_path':
- changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'',
- lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall.conf',
- notify => Exec['shorewall_check'],
- require => Package['shorewall'];
+ if str2bool($shorewall::startup) {
+ $startup_str = 'Yes'
+ } else {
+ $startup_str = 'No'
+ }
+ shorewall::config_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ $cfs = keys($shorewall::settings)
+ shorewall::config_settings{
+ $cfs:
+ settings => $shorewall::settings;
}
}
diff --git a/manifests/centos.pp b/manifests/centos.pp
index 1f8b37d..ff8c6ad 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,6 +1,6 @@
# things needed on centos
class shorewall::centos inherits shorewall::base {
- if versioncmp($::operatingsystemmajrelease,'5') > 0 {
+ if $::operatingsystemmajrelease == '6' {
augeas{'enable_shorewall':
context => '/files/etc/sysconfig/shorewall',
changes => 'set startup 1',
diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp
new file mode 100644
index 0000000..5eecf42
--- /dev/null
+++ b/manifests/config_setting.pp
@@ -0,0 +1,18 @@
+# set a particular config option
+#
+# e.g.
+# shorewall::config_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"'
+# }
+define shorewall::config_setting(
+ $value,
+){
+ augeas { "shorewall_module_${name}":
+ changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Exec['shorewall_check'],
+ require => Package['shorewall'];
+ }
+}
diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp
new file mode 100644
index 0000000..69eb380
--- /dev/null
+++ b/manifests/config_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config_settings(
+ $settings,
+){
+ shorewall::config_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp
new file mode 100644
index 0000000..ea7fb2e
--- /dev/null
+++ b/manifests/conntrack/helper.pp
@@ -0,0 +1,32 @@
+# Class for managing conntrack file: Helpers
+#
+# See http://shorewall.net/manpages/shorewall-conntrack.html for more info.
+# The $name defines the helper, so this needs to match one of the helpers
+# in the documentation.
+define shorewall::conntrack::helper(
+ $ensure = present,
+ $options = '',
+ $source = '-',
+ $destination = '-',
+ $proto,
+ $destinationport,
+ $sourceport = '',
+ $user = '',
+ $switch = '',
+ $chain = 'PO',
+ $order
+) {
+
+ $_helper = sprintf("__%s_HELPER", upcase($name))
+ $_chain = ":${chain}"
+ $_options = ''
+
+ if ($options != '') {
+ $_options = "(${options})"
+ }
+
+ shorewall::entry{"conntrack-${order}-${name}":
+ ensure => $ensure,
+ line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif"
+ }
+}
diff --git a/manifests/host.pp b/manifests/host.pp
index fe12247..2a088ac 100644
--- a/manifests/host.pp
+++ b/manifests/host.pp
@@ -3,8 +3,8 @@ define shorewall::host(
$options = 'tcpflags',
$order='100'
){
+
shorewall::entry{"hosts-${order}-${name}":
- line => "${zone} ${name} ${options}"
+ line => "#${name}\n${zone} ${host} ${options}"
}
}
-
diff --git a/manifests/init.pp b/manifests/init.pp
index 51f7c4d..9cbc1e9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,7 +1,11 @@
# Manage shorewall on your system
class shorewall(
- $startup = '1',
+ $startup = true,
$conf_source = false,
+ $settings = {
+ 'LOG_MARTIANS' => 'No',
+ 'DISABLE_IPV6' => 'Yes',
+ },
$ensure_version = 'present',
$tor_transparent_proxy_host = '127.0.0.1',
$tor_transparent_proxy_port = '9040',
@@ -92,6 +96,8 @@ class shorewall(
'tunnel',
# See http://www.shorewall.net/manpages/shorewall-rtrules.html
'rtrules',
+ # See http://shorewall.net/manpages/shorewall-conntrack.html
+ 'conntrack',
# See http://www.shorewall.net/manpages/shorewall-mangle.html
'mangle',
]:;
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index f5fa785..a576623 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -1,5 +1,6 @@
+# a rule section marker
define shorewall::rule_section(
- $order
+ $order,
){
if versioncmp($shorewall_major_version,'4') > 0 {
$rule_section_prefix = '?'
diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp
new file mode 100644
index 0000000..b4128d0
--- /dev/null
+++ b/manifests/rules/out/tor.pp
@@ -0,0 +1,11 @@
+# open outgoing port to connect to the network
+class shorewall::rules::out::tor {
+ shorewall::rule{'me-net-tor-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp
index 2cac922..0e645c8 100644
--- a/manifests/tunnel.pp
+++ b/manifests/tunnel.pp
@@ -5,7 +5,7 @@ define shorewall::tunnel(
$gateway_zones = '',
$order = '1'
) {
- shorewall::entry { "tunnel-${order}-${name}":
+ shorewall::entry { "tunnels-${order}-${name}":
line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}",
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-10 01:50:08 +0000