puppet_shorewall.git
12 months ago Merge remote-tracking branch 'shared/master' master
kwadronaut [Fri, 9 Nov 2018 09:03:32 +0000 (10:03 +0100)]
Merge remote-tracking branch 'shared/master'

18 months ago Add missing parameter in host.pp
Jérôme Charaoui [Wed, 2 May 2018 20:28:50 +0000 (20:28 +0000)]
Add missing parameter in host.pp

18 months ago Merge branch 'libvirt-puppet4' into 'master'
Jérôme Charaoui [Wed, 2 May 2018 20:28:09 +0000 (20:28 +0000)]
Merge branch 'libvirt-puppet4' into 'master'

Puppet 4 compatibility.

See merge request shared-puppet-modules-group/shorewall!15

19 months ago Puppet 4 compatibility.
intrigeri [Thu, 5 Apr 2018 14:50:47 +0000 (14:50 +0000)]
Puppet 4 compatibility.

19 months ago Merge branch 'SECTION' into 'master'
intrigeri [Thu, 5 Apr 2018 09:13:13 +0000 (09:13 +0000)]
Merge branch 'SECTION' into 'master'

This fixes the ?SECTION change.

See merge request shared-puppet-modules-group/shorewall!14

19 months ago Merge branch 'routefilter' into 'master'
intrigeri [Thu, 5 Apr 2018 09:12:31 +0000 (09:12 +0000)]
Merge branch 'routefilter' into 'master'

routefilter is also not an ipv6 possible option

See merge request shared-puppet-modules-group/shorewall!13

19 months ago This fixes the ?SECTION change.
Micah Anderson [Sat, 24 Mar 2018 15:39:33 +0000 (16:39 +0100)]
This fixes the ?SECTION change.

The change requiring ? before SECTION happened in 4.6.0. Our check was only
looking at the major version to see if it was 4, and if so, it would not add the
?. This was too imprecise and would not add the ? in versions of shorewall 4.6
and greater. So this commit will change that check to be more specific.

19 months ago The blacklist option should not be set by default, it should only be added when
Micah Anderson [Sat, 24 Mar 2018 15:20:29 +0000 (16:20 +0100)]
The blacklist option should not be set by default, it should only be added when
you are actually going to blacklist things. Otherwise you get this warning from
shorewall_check each day:

WARNING: There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size

Also, the README for this module notes that this option is deprecated upstream,
and so we should remove it.

19 months ago routefilter is also not a valid ipv6 option
Micah Anderson [Fri, 23 Mar 2018 21:47:43 +0000 (17:47 -0400)]
routefilter is also not a valid ipv6 option

19 months ago Merge branch 'fix_8' into 'master'
Micah [Fri, 23 Mar 2018 14:07:23 +0000 (14:07 +0000)]
Merge branch 'fix_8' into 'master'

Remove $puppetserver_signport, fixes #8

Closes #8

See merge request shared-puppet-modules-group/shorewall!12

20 months ago Remove $puppetserver_signport, fixes #8
Jerome Charaoui [Fri, 16 Feb 2018 20:11:22 +0000 (15:11 -0500)]
Remove $puppetserver_signport, fixes #8

ng  lavamind: this is an acient relict, where there was a problem signing through apache
ng  and then we had a mongrel running on that port

21 months ago Merge remote-tracking branch 'origin/master' into immerda_merge
Micah Anderson [Sat, 13 Jan 2018 16:17:52 +0000 (11:17 -0500)]
Merge remote-tracking branch 'origin/master' into immerda_merge

21 months ago Merge remote-tracking branch 'immerda/master' into immerda_merge
Micah Anderson [Sat, 13 Jan 2018 16:13:23 +0000 (11:13 -0500)]
Merge remote-tracking branch 'immerda/master' into immerda_merge

22 months ago Merge branch 'concat_update' into 'master'
Jérôme Charaoui [Tue, 9 Jan 2018 21:47:28 +0000 (21:47 +0000)]
Merge branch 'concat_update' into 'master'

Concat update

See merge request shared-puppet-modules-group/shorewall!11

22 months ago Don't transitively pass $ensure parameter to concat::fragment
intrigeri [Tue, 9 Jan 2018 21:36:59 +0000 (21:36 +0000)]
Don't transitively pass $ensure parameter to concat::fragment

Follow up on commit 851c51659961724a1457e3de1bbe9591390b1e82.

23 months ago Don't pass $ensure parameter to concat::fragment
Jerome Charaoui [Wed, 22 Nov 2017 22:01:00 +0000 (17:01 -0500)]
Don't pass $ensure parameter to concat::fragment

It has been removed in the latest version of puppetlabs-concat

2 years ago switch to the new facts hash
mh [Thu, 2 Nov 2017 15:27:01 +0000 (16:27 +0100)]
switch to the new facts hash

2 years ago linting
mh [Sun, 24 Sep 2017 10:01:09 +0000 (12:01 +0200)]
linting

2 years ago make sure shorewall6 is started after shorewall
mh [Sun, 24 Sep 2017 09:59:03 +0000 (11:59 +0200)]
make sure shorewall6 is started after shorewall

as inserting fw rules into iptables can't be properly serialized.
This is a backport of a fix that went into shorewall 5.1.6
by commit 0603f8e355b19ca88d2a7ad6f181767092e02e00 in the shorewall
repository.

2 years ago make ipv6 tuneable
mh [Tue, 29 Aug 2017 22:39:26 +0000 (00:39 +0200)]
make ipv6 tuneable

2 years ago correctly set shorewall6 option for puppetserver config
mh [Tue, 29 Aug 2017 20:14:33 +0000 (22:14 +0200)]
correctly set shorewall6 option for puppetserver config

2 years ago fix param name
mh [Tue, 29 Aug 2017 10:52:56 +0000 (12:52 +0200)]
fix param name

2 years ago there is no ipv6 support there yet
mh [Tue, 29 Aug 2017 10:50:31 +0000 (12:50 +0200)]
there is no ipv6 support there yet

2 years ago make sure we also en/disable it based on the right setting
mh [Thu, 24 Aug 2017 19:14:20 +0000 (21:14 +0200)]
make sure we also en/disable it based on the right setting

2 years ago delete the old way
mh [Thu, 24 Aug 2017 18:29:56 +0000 (20:29 +0200)]
delete the old way

2 years ago workaround a bug in facter that sets ipaddress6 to ipv4 addresses
mh [Thu, 24 Aug 2017 17:15:12 +0000 (19:15 +0200)]
workaround a bug in facter that sets ipaddress6 to ipv4 addresses

2 years ago make it possible to set v6 and v6 puppetserver
mh [Thu, 3 Aug 2017 08:17:00 +0000 (10:17 +0200)]
make it possible to set v6 and v6 puppetserver

2 years ago add mosh support
mh [Wed, 19 Jul 2017 15:05:48 +0000 (17:05 +0200)]
add mosh support

2 years ago to make the previous commit work, we should also remove the ensure from fragment
mh [Thu, 6 Jul 2017 06:07:08 +0000 (08:07 +0200)]
to make the previous commit work, we should also remove the ensure from fragment

2 years ago linting
mh [Wed, 5 Jul 2017 12:04:01 +0000 (14:04 +0200)]
linting

2 years ago make ensure a noop for concat::fragment, as from puppetlabs-concat 4.0.1 on this is...
mh [Wed, 5 Jul 2017 12:03:24 +0000 (14:03 +0200)]
make ensure a noop for concat::fragment, as from puppetlabs-concat 4.0.1 on this is removed and concat purges non-managed fragments

2 years ago fix filename rename
Micah Anderson [Fri, 23 Jun 2017 16:03:17 +0000 (12:03 -0400)]
fix filename rename

2 years ago Merge branch 'master' into puppet4
Micah Anderson [Fri, 23 Jun 2017 14:50:25 +0000 (10:50 -0400)]
Merge branch 'master' into puppet4

2 years ago remove an unnecessary dep
mh [Sun, 21 May 2017 11:14:56 +0000 (13:14 +0200)]
remove an unnecessary dep

2 years ago try to be extra cautious when restarting and do it with the try, so nothing breaks...
mh [Mon, 8 May 2017 20:13:01 +0000 (22:13 +0200)]
try to be extra cautious when restarting and do it with the try, so nothing breaks if something is broken that is not connected at compile time

2 years ago don't notify the service
mh [Mon, 8 May 2017 20:12:02 +0000 (22:12 +0200)]
don't notify the service

2 years ago correct snippet
mh [Mon, 1 May 2017 19:08:58 +0000 (21:08 +0200)]
correct snippet

2 years ago this is IPv4 only so far
mh [Mon, 1 May 2017 15:37:55 +0000 (17:37 +0200)]
this is IPv4 only so far

2 years ago also support EL6 style files
mh [Mon, 1 May 2017 15:37:05 +0000 (17:37 +0200)]
also support EL6 style files

2 years ago add missing package for EL6
mh [Mon, 1 May 2017 15:33:25 +0000 (17:33 +0200)]
add missing package for EL6

2 years ago add missing file
mh [Tue, 25 Apr 2017 15:24:50 +0000 (17:24 +0200)]
add missing file

2 years ago we should start managing also that file
mh [Tue, 25 Apr 2017 15:18:18 +0000 (17:18 +0200)]
we should start managing also that file

2 years ago manage policies for shorewall6
mh [Tue, 25 Apr 2017 15:12:59 +0000 (17:12 +0200)]
manage policies for shorewall6

2 years ago make it possible to disable ipv6 for these rules
mh [Tue, 25 Apr 2017 13:28:26 +0000 (15:28 +0200)]
make it possible to disable ipv6 for these rules

2 years ago enable shorewall6 rules by default
mh [Tue, 25 Apr 2017 13:16:08 +0000 (15:16 +0200)]
enable shorewall6 rules by default

2 years ago suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall
mh [Tue, 25 Apr 2017 12:54:00 +0000 (14:54 +0200)]
suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall

2 years ago suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall
mh [Tue, 25 Apr 2017 12:28:18 +0000 (14:28 +0200)]
suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall

2 years ago linting
mh [Sat, 15 Apr 2017 11:33:39 +0000 (13:33 +0200)]
linting

2 years ago minor linting
mh [Sun, 9 Apr 2017 17:11:37 +0000 (19:11 +0200)]
minor linting

2 years ago make it possible to manage rules for ipv4 & ipv6 + add some more modern headers for...
mh [Sun, 9 Apr 2017 16:57:53 +0000 (18:57 +0200)]
make it possible to manage rules for ipv4 & ipv6 + add some more modern headers for certain versions

2 years ago make output nicer
mh [Sun, 9 Apr 2017 10:43:08 +0000 (12:43 +0200)]
make output nicer

2 years ago migrate to dedicated params
mh [Sat, 8 Apr 2017 12:07:07 +0000 (14:07 +0200)]
migrate to dedicated params

2 years ago introduce params4 and params6 helper to more easily differentiate
mh [Sat, 8 Apr 2017 12:04:39 +0000 (14:04 +0200)]
introduce params4 and params6 helper to more easily differentiate

2 years ago add missing file
mh [Sat, 8 Apr 2017 11:59:11 +0000 (13:59 +0200)]
add missing file

2 years ago introduce params only for ipv6 and only for ipv4
mh [Sat, 8 Apr 2017 11:54:50 +0000 (13:54 +0200)]
introduce params only for ipv6 and only for ipv4

2 years ago introduce params for shorewall6, by default it's just a copy of the ones for shorewall
mh [Sat, 8 Apr 2017 11:52:14 +0000 (13:52 +0200)]
introduce params for shorewall6, by default it's just a copy of the ones for shorewall

2 years ago broadcast column is not needed for shorewall6
mh [Sat, 8 Apr 2017 11:31:00 +0000 (13:31 +0200)]
broadcast column is not needed for shorewall6

2 years ago add missing file
mh [Sat, 8 Apr 2017 11:25:56 +0000 (13:25 +0200)]
add missing file

2 years ago manage interfaces for shorewall6
mh [Sat, 8 Apr 2017 11:21:14 +0000 (13:21 +0200)]
manage interfaces for shorewall6

2 years ago cleanup certain unsupported options
mh [Sat, 8 Apr 2017 11:06:43 +0000 (13:06 +0200)]
cleanup certain unsupported options

2 years ago add a full version fact and derive the maj from that one and make the fact work,...
mh [Sat, 8 Apr 2017 10:55:24 +0000 (12:55 +0200)]
add a full version fact and derive the maj from that one and make the fact work, even if there is no shorewall installed

2 years ago group that together
mh [Sat, 8 Apr 2017 10:41:58 +0000 (12:41 +0200)]
group that together

2 years ago we need this
mh [Fri, 7 Apr 2017 16:14:03 +0000 (18:14 +0200)]
we need this

2 years ago rename snippet
mh [Fri, 7 Apr 2017 16:09:37 +0000 (18:09 +0200)]
rename snippet

2 years ago add mgmt of files for shorewall6
mh [Fri, 7 Apr 2017 16:07:44 +0000 (18:07 +0200)]
add mgmt of files for shorewall6

2 years ago make zones also for ipv6
mh [Fri, 7 Apr 2017 15:46:01 +0000 (17:46 +0200)]
make zones also for ipv6

2 years ago make dependencies a bit more clear
mh [Fri, 7 Apr 2017 15:34:55 +0000 (17:34 +0200)]
make dependencies a bit more clear

2 years ago fix path
mh [Fri, 7 Apr 2017 15:21:50 +0000 (17:21 +0200)]
fix path

2 years ago correct naming
mh [Fri, 7 Apr 2017 15:15:08 +0000 (17:15 +0200)]
correct naming

2 years ago first step towards shorewall6, basic service is running
mh [Fri, 7 Apr 2017 15:05:39 +0000 (17:05 +0200)]
first step towards shorewall6, basic service is running

2 years ago calculate whether we want to disable ipv6 (if there is no public ipv6 address) or not
mh [Fri, 7 Apr 2017 13:50:11 +0000 (15:50 +0200)]
calculate whether we want to disable ipv6 (if there is no public ipv6 address) or not

2 years ago Merge branch 'avoid-duplicate-package-definition' into 'master'
Micah [Fri, 24 Feb 2017 17:35:55 +0000 (17:35 +0000)]
Merge branch 'avoid-duplicate-package-definition' into 'master'

Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already.

See merge request !10

2 years ago Merge branch '5.x-3' into 'master'
Micah [Wed, 22 Feb 2017 18:17:04 +0000 (18:17 +0000)]
Merge branch '5.x-3' into 'master'

5.x part 3

See merge request !9

2 years ago update config file headers to current upstream versions
Matt Taggart [Sat, 11 Feb 2017 01:30:28 +0000 (17:30 -0800)]
update config file headers to current upstream versions

2 years ago update URLs to new working upstream locations
Matt Taggart [Sat, 11 Feb 2017 00:43:25 +0000 (16:43 -0800)]
update URLs to new working upstream locations

2 years ago new stoppedrules, replaces routestopped
Matt Taggart [Fri, 10 Feb 2017 23:53:28 +0000 (15:53 -0800)]
new stoppedrules, replaces routestopped

2 years ago add some notes about deprecated features
Matt Taggart [Fri, 10 Feb 2017 23:06:16 +0000 (15:06 -0800)]
add some notes about deprecated features

2 years ago new shorewall_version fact, switch shorewall_major_version to use it
Matt Taggart [Fri, 10 Feb 2017 22:25:11 +0000 (14:25 -0800)]
new shorewall_version fact, switch shorewall_major_version to use it

from https://0xacab.org/riseup-puppet-recipes/shorewall/commit/0cd2a305f7fd9ba830a1fa3de25428ffa71d39f7#note_92590

2 years ago no need for openvpn outgoing
mh [Sun, 19 Feb 2017 21:56:44 +0000 (22:56 +0100)]
no need for openvpn outgoing

2 years ago Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is...
intrigeri [Tue, 14 Feb 2017 09:48:23 +0000 (09:48 +0000)]
Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already.

2 years ago Merge branch '5.x-2' into 'master'
Micah [Mon, 13 Feb 2017 15:37:50 +0000 (15:37 +0000)]
Merge branch '5.x-2' into 'master'

5.x changes part 2

See merge request !8

2 years ago remove deprecated rfc1918 file
Matt Taggart [Fri, 10 Feb 2017 21:33:05 +0000 (13:33 -0800)]
remove deprecated rfc1918 file

this hasn't been supported since 3.x days

2 years ago remove deprecated norfc1918 option
Matt Taggart [Fri, 10 Feb 2017 21:24:59 +0000 (13:24 -0800)]
remove deprecated norfc1918 option

It was deprecated in 4.2.0
http://www.shorewall.net/upgrade_issues.htm

2 years ago remove deprecated blacklist
Matt Taggart [Fri, 10 Feb 2017 21:08:12 +0000 (13:08 -0800)]
remove deprecated blacklist

the blacklist file was deprecated by upstream in 4.5.7, remove all
references to them. Debian wheezy shipped with 4.5.5.3-3 (but could
use a backport) and jessie has 4.6.4.3-2 currently.

2 years ago remove redundant fact
Micah Anderson [Fri, 10 Feb 2017 20:10:09 +0000 (15:10 -0500)]
remove redundant fact

2 years ago Merge remote-tracking branch 'origin/master' into riseup
Micah Anderson [Fri, 10 Feb 2017 20:07:13 +0000 (15:07 -0500)]
Merge remote-tracking branch 'origin/master' into riseup

2 years ago Merge two facts: shorewall_version && shorewall_major_version. The first one would...
Micah Anderson [Fri, 10 Feb 2017 20:02:44 +0000 (15:02 -0500)]
Merge two facts: shorewall_version && shorewall_major_version. The first one would be line 1 and the second one would take the value of the first fact and do the stuff we see here.

2 years ago Merge branch '5.x' into 'master'
Micah [Fri, 10 Feb 2017 19:58:46 +0000 (19:58 +0000)]
Merge branch '5.x' into 'master'

changes needed for 5.x

See merge request !7

2 years ago correct decision
mh [Fri, 13 Jan 2017 15:54:23 +0000 (16:54 +0100)]
correct decision

2 years ago cherry pick fixes for 5.x
mh [Fri, 13 Jan 2017 15:42:22 +0000 (16:42 +0100)]
cherry pick fixes for 5.x

Conflicts:
manifests/rule_section.pp

2 years ago more rubyism
mh [Fri, 13 Jan 2017 15:40:38 +0000 (16:40 +0100)]
more rubyism

2 years ago * Fix typo
Lebedev Vadim [Tue, 18 Mar 2014 19:01:33 +0000 (23:01 +0400)]
* Fix typo

2 years ago * Add example
Lebedev Vadim [Tue, 18 Mar 2014 19:00:32 +0000 (23:00 +0400)]
* Add example

2 years ago * Add shorewall-blrules support
Lebedev Vadim [Sun, 16 Mar 2014 22:31:09 +0000 (02:31 +0400)]
* Add shorewall-blrules support

2 years ago * fix rule section
Lebedev Vadim [Wed, 29 Jun 2016 15:52:16 +0000 (18:52 +0300)]
* fix rule section

2 years ago * add shorewall version facter
Lebedev Vadim [Wed, 29 Jun 2016 15:54:03 +0000 (18:54 +0300)]
* add shorewall version facter

2 years ago Merge remote-tracking branch 'shared/master'
mh [Fri, 3 Feb 2017 00:31:08 +0000 (01:31 +0100)]
Merge remote-tracking branch 'shared/master'

2 years ago Fix fact for when shorewall is not yet installed.
Micah Anderson [Thu, 2 Feb 2017 02:42:50 +0000 (21:42 -0500)]
Fix fact for when shorewall is not yet installed.

When a node has puppet run for the first time, shorewall may not be
installed. In that case there are a few problems that appear in puppet4:

1. Warning: Facter: Could not retrieve fact='shorewall_major_version', resolution='<anonymous>': undefined method `split' for nil:NilClass

This is because running 'shorewall version' fails and so results in a
nil, and the split cannot be done on a nil. That is solved by first
running the 'shorewall version' and setting a variable. If that variable
is not nil, then we can split off of that

2. Error: Could not retrieve catalog from remote server: Error 500 on
SERVER: Server Error: Evaluation Error: Error while evaluating a
Resource Statement, Evaluation Error: Error while evaluating a Function
Call, 'versioncmp' parameter 'a' expects a String value, got Undef

This happens because the shorewall_version is set to Undef, but we need
to have it set to a String. So we set the variable to '-1' if it is not
installed.

2 years ago Merge remote-tracking branch 'immerda/master' into riseup
Micah Anderson [Thu, 2 Feb 2017 02:27:04 +0000 (21:27 -0500)]
Merge remote-tracking branch 'immerda/master' into riseup

2 years ago don't include augeas due to conflict with riseup_common
Matt Taggart [Tue, 31 Jan 2017 20:16:33 +0000 (12:16 -0800)]
don't include augeas due to conflict with riseup_common