kwadronaut [Fri, 9 Nov 2018 09:03:32 +0000 (10:03 +0100)]
Merge remote-tracking branch 'shared/master'
Jérôme Charaoui [Wed, 2 May 2018 20:28:50 +0000 (20:28 +0000)]
Add missing parameter in host.pp
Jérôme Charaoui [Wed, 2 May 2018 20:28:09 +0000 (20:28 +0000)]
Merge branch 'libvirt-puppet4' into 'master'
Puppet 4 compatibility.
See merge request shared-puppet-modules-group/shorewall!15
intrigeri [Thu, 5 Apr 2018 14:50:47 +0000 (14:50 +0000)]
Puppet 4 compatibility.
intrigeri [Thu, 5 Apr 2018 09:13:13 +0000 (09:13 +0000)]
Merge branch 'SECTION' into 'master'
This fixes the ?SECTION change.
See merge request shared-puppet-modules-group/shorewall!14
intrigeri [Thu, 5 Apr 2018 09:12:31 +0000 (09:12 +0000)]
Merge branch 'routefilter' into 'master'
routefilter is also not an ipv6 possible option
See merge request shared-puppet-modules-group/shorewall!13
Micah Anderson [Sat, 24 Mar 2018 15:39:33 +0000 (16:39 +0100)]
This fixes the ?SECTION change.
The change requiring ? before SECTION happened in 4.6.0. Our check was only
looking at the major version to see if it was 4, and if so, it would not add the
?. This was too imprecise and would not add the ? in versions of shorewall 4.6
and greater. So this commit will change that check to be more specific.
Micah Anderson [Sat, 24 Mar 2018 15:20:29 +0000 (16:20 +0100)]
The blacklist option should not be set by default, it should only be added when
you are actually going to blacklist things. Otherwise you get this warning from
shorewall_check each day:
WARNING: There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size
Also, the README for this module notes that this option is deprecated upstream,
and so we should remove it.
Micah Anderson [Fri, 23 Mar 2018 21:47:43 +0000 (17:47 -0400)]
routefilter is also not a valid ipv6 option
Micah [Fri, 23 Mar 2018 14:07:23 +0000 (14:07 +0000)]
Merge branch 'fix_8' into 'master'
Remove $puppetserver_signport, fixes #8
Closes #8
See merge request shared-puppet-modules-group/shorewall!12
Jerome Charaoui [Fri, 16 Feb 2018 20:11:22 +0000 (15:11 -0500)]
Remove $puppetserver_signport, fixes #8
ng lavamind: this is an ancient relict, where there was a problem signing through apache
ng and then we had a mongrel running on that port
Micah Anderson [Sat, 13 Jan 2018 16:17:52 +0000 (11:17 -0500)]
Merge remote-tracking branch 'origin/master' into immerda_merge
Micah Anderson [Sat, 13 Jan 2018 16:13:23 +0000 (11:13 -0500)]
Merge remote-tracking branch 'immerda/master' into immerda_merge
Jérôme Charaoui [Tue, 9 Jan 2018 21:47:28 +0000 (21:47 +0000)]
Merge branch 'concat_update' into 'master'
Concat update
See merge request shared-puppet-modules-group/shorewall!11
intrigeri [Tue, 9 Jan 2018 21:36:59 +0000 (21:36 +0000)]
Don't transitively pass $ensure parameter to concat::fragment
Follow up on commit 851c51659961724a1457e3de1bbe9591390b1e82.
Jerome Charaoui [Wed, 22 Nov 2017 22:01:00 +0000 (17:01 -0500)]
Don't pass $ensure parameter to concat::fragment
It has been removed in the latest version of puppetlabs-concat
mh [Thu, 2 Nov 2017 15:27:01 +0000 (16:27 +0100)]
switch to the new facts hash
mh [Sun, 24 Sep 2017 10:01:09 +0000 (12:01 +0200)]
linting
mh [Sun, 24 Sep 2017 09:59:03 +0000 (11:59 +0200)]
make sure shorewall6 is started after shorewall
as inserting fw rules into iptables can't be properly serialized.
This is a backport of a fix that went into shorewall 5.1.6
by commit 0603f8e355b19ca88d2a7ad6f181767092e02e00 in the shorewall
repository.
mh [Tue, 29 Aug 2017 22:39:26 +0000 (00:39 +0200)]
make ipv6 tuneable
mh [Tue, 29 Aug 2017 20:14:33 +0000 (22:14 +0200)]
correctly set shorewall6 option for puppetserver config
mh [Tue, 29 Aug 2017 10:52:56 +0000 (12:52 +0200)]
fix param name
mh [Tue, 29 Aug 2017 10:50:31 +0000 (12:50 +0200)]
there is no ipv6 support there yet
mh [Thu, 24 Aug 2017 19:14:20 +0000 (21:14 +0200)]
make sure we also en/disable it based on the right setting
mh [Thu, 24 Aug 2017 18:29:56 +0000 (20:29 +0200)]
delete the old way
mh [Thu, 24 Aug 2017 17:15:12 +0000 (19:15 +0200)]
workaround a bug in facter that sets ipaddress6 to ipv4 addresses
mh [Thu, 3 Aug 2017 08:17:00 +0000 (10:17 +0200)]
make it possible to set v6 and v6 puppetserver
mh [Wed, 19 Jul 2017 15:05:48 +0000 (17:05 +0200)]
add mosh support
mh [Thu, 6 Jul 2017 06:07:08 +0000 (08:07 +0200)]
to make the previous commit work, we should also remove the ensure from fragment
mh [Wed, 5 Jul 2017 12:04:01 +0000 (14:04 +0200)]
linting
mh [Wed, 5 Jul 2017 12:03:24 +0000 (14:03 +0200)]
make ensure a noop for concat::fragment, as from puppetlabs-concat 4.0.1 on this is removed and concat purges non-managed fragments
Micah Anderson [Fri, 23 Jun 2017 16:03:17 +0000 (12:03 -0400)]
fix filename rename
Micah Anderson [Fri, 23 Jun 2017 14:50:25 +0000 (10:50 -0400)]
Merge branch 'master' into puppet4
mh [Sun, 21 May 2017 11:14:56 +0000 (13:14 +0200)]
remove an unnecessary dep
mh [Mon, 8 May 2017 20:13:01 +0000 (22:13 +0200)]
try to be extra cautious when restarting and do it with the try, so nothing breaks if something is broken that is not connected at compile time
mh [Mon, 8 May 2017 20:12:02 +0000 (22:12 +0200)]
don't notify the service
mh [Mon, 1 May 2017 19:08:58 +0000 (21:08 +0200)]
correct snippet
mh [Mon, 1 May 2017 15:37:55 +0000 (17:37 +0200)]
this is IPv4 only so far
mh [Mon, 1 May 2017 15:37:05 +0000 (17:37 +0200)]
also support EL6 style files
mh [Mon, 1 May 2017 15:33:25 +0000 (17:33 +0200)]
add missing package for EL6
mh [Tue, 25 Apr 2017 15:24:50 +0000 (17:24 +0200)]
add missing file
mh [Tue, 25 Apr 2017 15:18:18 +0000 (17:18 +0200)]
we should start managing also that file
mh [Tue, 25 Apr 2017 15:12:59 +0000 (17:12 +0200)]
manage policies for shorewall6
mh [Tue, 25 Apr 2017 13:28:26 +0000 (15:28 +0200)]
make it possible to disable ipv6 for these rules
mh [Tue, 25 Apr 2017 13:16:08 +0000 (15:16 +0200)]
enable shorewall6 rules by default
mh [Tue, 25 Apr 2017 12:54:00 +0000 (14:54 +0200)]
suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall
mh [Tue, 25 Apr 2017 12:28:18 +0000 (14:28 +0200)]
suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall
mh [Sat, 15 Apr 2017 11:33:39 +0000 (13:33 +0200)]
linting
mh [Sun, 9 Apr 2017 17:11:37 +0000 (19:11 +0200)]
minor linting
mh [Sun, 9 Apr 2017 16:57:53 +0000 (18:57 +0200)]
make it possible to manage rules for ipv4 & ipv6 + add some more modern headers for certain versions
mh [Sun, 9 Apr 2017 10:43:08 +0000 (12:43 +0200)]
make output nicer
mh [Sat, 8 Apr 2017 12:07:07 +0000 (14:07 +0200)]
migrate to dedicated params
mh [Sat, 8 Apr 2017 12:04:39 +0000 (14:04 +0200)]
introduce params4 and params6 helper to more easily differentiate
mh [Sat, 8 Apr 2017 11:59:11 +0000 (13:59 +0200)]
add missing file
mh [Sat, 8 Apr 2017 11:54:50 +0000 (13:54 +0200)]
introduce params only for ipv6 and only for ipv4
mh [Sat, 8 Apr 2017 11:52:14 +0000 (13:52 +0200)]
introduce params for shorewall6, by default it's just a copy of the ones for shorewall
mh [Sat, 8 Apr 2017 11:31:00 +0000 (13:31 +0200)]
broadcast column is not needed for shorewall6
mh [Sat, 8 Apr 2017 11:25:56 +0000 (13:25 +0200)]
add missing file
mh [Sat, 8 Apr 2017 11:21:14 +0000 (13:21 +0200)]
manage interfaces for shorewall6
mh [Sat, 8 Apr 2017 11:06:43 +0000 (13:06 +0200)]
cleanup certain unsupported options
mh [Sat, 8 Apr 2017 10:55:24 +0000 (12:55 +0200)]
add a full version fact and derive the maj from that one and make the fact work, even if there is no shorewall installed
mh [Sat, 8 Apr 2017 10:41:58 +0000 (12:41 +0200)]
group that together
mh [Fri, 7 Apr 2017 16:14:03 +0000 (18:14 +0200)]
we need this
mh [Fri, 7 Apr 2017 16:09:37 +0000 (18:09 +0200)]
rename snippet
mh [Fri, 7 Apr 2017 16:07:44 +0000 (18:07 +0200)]
add mgmt of files for shorewall6
mh [Fri, 7 Apr 2017 15:46:01 +0000 (17:46 +0200)]
make zones also for ipv6
mh [Fri, 7 Apr 2017 15:34:55 +0000 (17:34 +0200)]
make dependencies a bit more clear
mh [Fri, 7 Apr 2017 15:21:50 +0000 (17:21 +0200)]
fix path
mh [Fri, 7 Apr 2017 15:15:08 +0000 (17:15 +0200)]
correct naming
mh [Fri, 7 Apr 2017 15:05:39 +0000 (17:05 +0200)]
first step towards shorewall6, basic service is running
mh [Fri, 7 Apr 2017 13:50:11 +0000 (15:50 +0200)]
calculate whether we want to disable ipv6 (if there is no public ipv6 address) or not
Micah [Fri, 24 Feb 2017 17:35:55 +0000 (17:35 +0000)]
Merge branch 'avoid-duplicate-package-definition' into 'master'
Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already.
See merge request !10
Micah [Wed, 22 Feb 2017 18:17:04 +0000 (18:17 +0000)]
Merge branch '5.x-3' into 'master'
5.x part 3
See merge request !9
Matt Taggart [Sat, 11 Feb 2017 01:30:28 +0000 (17:30 -0800)]
update config file headers to current upstream versions
Matt Taggart [Sat, 11 Feb 2017 00:43:25 +0000 (16:43 -0800)]
update URLs to new working upstream locations
Matt Taggart [Fri, 10 Feb 2017 23:53:28 +0000 (15:53 -0800)]
new stoppedrules, replaces routestopped
Matt Taggart [Fri, 10 Feb 2017 23:06:16 +0000 (15:06 -0800)]
add some notes about deprecated features
Matt Taggart [Fri, 10 Feb 2017 22:25:11 +0000 (14:25 -0800)]
new shorewall_version fact, switch shorewall_major_version to use it
from https://0xacab.org/riseup-puppet-recipes/shorewall/commit/0cd2a305f7fd9ba830a1fa3de25428ffa71d39f7#note_92590
mh [Sun, 19 Feb 2017 21:56:44 +0000 (22:56 +0100)]
no need for openvpn outgoing
intrigeri [Tue, 14 Feb 2017 09:48:23 +0000 (09:48 +0000)]
Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already.
Micah [Mon, 13 Feb 2017 15:37:50 +0000 (15:37 +0000)]
Merge branch '5.x-2' into 'master'
5.x changes part 2
See merge request !8
Matt Taggart [Fri, 10 Feb 2017 21:33:05 +0000 (13:33 -0800)]
remove deprecated rfc1918 file
this hasn't been supported since 3.x days
Matt Taggart [Fri, 10 Feb 2017 21:24:59 +0000 (13:24 -0800)]
remove deprecated norfc1918 option
It was deprecated in 4.2.0
http://www.shorewall.net/upgrade_issues.htm
Matt Taggart [Fri, 10 Feb 2017 21:08:12 +0000 (13:08 -0800)]
remove deprecated blacklist
the blacklist file was deprecated by upstream in 4.5.7, remove all
references to them. Debian wheezy shipped with 4.5.5.3-3 (but could
use a backport) and jessie has 4.6.4.3-2 currently.
Micah Anderson [Fri, 10 Feb 2017 20:10:09 +0000 (15:10 -0500)]
remove redundant fact
Micah Anderson [Fri, 10 Feb 2017 20:07:13 +0000 (15:07 -0500)]
Merge remote-tracking branch 'origin/master' into riseup
Micah Anderson [Fri, 10 Feb 2017 20:02:44 +0000 (15:02 -0500)]
Merge two facts: shorewall_version && shorewall_major_version. The first one would be line 1 and the second one would take the value of the first fact and do the stuff we see here.
Micah [Fri, 10 Feb 2017 19:58:46 +0000 (19:58 +0000)]
Merge branch '5.x' into 'master'
changes needed for 5.x
See merge request !7
mh [Fri, 13 Jan 2017 15:54:23 +0000 (16:54 +0100)]
correct decision
mh [Fri, 13 Jan 2017 15:42:22 +0000 (16:42 +0100)]
cherry pick fixes for 5.x
Conflicts:
manifests/rule_section.pp
mh [Fri, 13 Jan 2017 15:40:38 +0000 (16:40 +0100)]
more rubyism
Lebedev Vadim [Tue, 18 Mar 2014 19:01:33 +0000 (23:01 +0400)]
* Fix typo
Lebedev Vadim [Tue, 18 Mar 2014 19:00:32 +0000 (23:00 +0400)]
* Add example
Lebedev Vadim [Sun, 16 Mar 2014 22:31:09 +0000 (02:31 +0400)]
* Add shorewall-blrules support
Lebedev Vadim [Wed, 29 Jun 2016 15:52:16 +0000 (18:52 +0300)]
* fix rule section
Lebedev Vadim [Wed, 29 Jun 2016 15:54:03 +0000 (18:54 +0300)]
* add shorewall version facter
mh [Fri, 3 Feb 2017 00:31:08 +0000 (01:31 +0100)]
Merge remote-tracking branch 'shared/master'
Micah Anderson [Thu, 2 Feb 2017 02:42:50 +0000 (21:42 -0500)]
Fix fact for when shorewall is not yet installed.
When a node has puppet run for the first time, shorewall may not be
installed. In that case there are a few problems that appear in puppet4:
1. Warning: Facter: Could not retrieve fact='shorewall_major_version', resolution='<anonymous>': undefined method `split' for nil:NilClass
This is because running 'shorewall version' fails and so results in a
nil, and the split cannot be done on a nil. That is solved by first
running the 'shorewall version' and setting a variable. If that variable
is not nil, then we can split off of that
2. Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Evaluation Error: Error while evaluating a
Resource Statement, Evaluation Error: Error while evaluating a Function
Call, 'versioncmp' parameter 'a' expects a String value, got Undef
This happens because the shorewall_version is set to Undef, but we need
to have it set to a String. So we set the variable to '-1' if it is not
installed.
Micah Anderson [Thu, 2 Feb 2017 02:27:04 +0000 (21:27 -0500)]
Merge remote-tracking branch 'immerda/master' into riseup
Matt Taggart [Tue, 31 Jan 2017 20:16:33 +0000 (12:16 -0800)]
don't include augeas due to conflict with riseup_common