From 28a72736071330261ba8fa9dd5ca4e1202c1247f Mon Sep 17 00:00:00 2001
From: mh <mh@immerda.ch>
Date: Sun, 9 Apr 2017 18:57:53 +0200
Subject: make it possible to manage rules for ipv4 & ipv6 + add some more
 modern headers for certain versions

---
 files/boilerplate6/rules.header | 11 +++++++++
 manifests/init.pp               |  6 ++++-
 manifests/rule.pp               | 49 ++++++++++++++++++++++++++++-------------
 manifests/rule4.pp              | 43 ++++++++++++++++++++++++++++++++++++
 manifests/rule6.pp              | 43 ++++++++++++++++++++++++++++++++++++
 manifests/rule_section.pp       |  4 +++-
 6 files changed, 139 insertions(+), 17 deletions(-)
 create mode 100644 files/boilerplate6/rules.header
 create mode 100644 manifests/rule4.pp
 create mode 100644 manifests/rule6.pp

diff --git a/files/boilerplate6/rules.header b/files/boilerplate6/rules.header
new file mode 100644
index 0000000..91e57a8
--- /dev/null
+++ b/files/boilerplate6/rules.header
@@ -0,0 +1,11 @@
+#
+# Shorewall6 -- /etc/shorewall6/rules
+#
+# For information on the settings in this file, type "man shorewall6-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 826f446..9320944 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,6 +21,8 @@ class shorewall(
   $policy                     = {},
   $policy_defaults            = {},
   $rules                      = {},
+  $rules4                     = {},
+  $rules6                     = {},
   $rules_defaults             = {},
   $rulesections               = {},
   $rulesections_defaults      = {},
@@ -126,7 +128,7 @@ class shorewall(
       'mangle',
     ]:;
   }
-  Shorewall::Managed_file['zones','interfaces','params']{
+  Shorewall::Managed_file['zones','interfaces','params','rules']{
     shorewall6 => true,
   }
 
@@ -135,6 +137,8 @@ class shorewall(
   create_resources('shorewall::host',$hosts,$hosts_defaults)
   create_resources('shorewall::policy',$policy,$policy_defaults)
   create_resources('shorewall::rule',$rules,$rules_defaults)
+  create_resources('shorewall::rule4',$rules4,$rules_defaults)
+  create_resources('shorewall::rule6',$rules6,$rules_defaults)
   create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults)
   create_resources('shorewall::masq',$masq,$masq_defaults)
   create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 2fe91e2..39f0ef9 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -1,20 +1,39 @@
-# mark is new in 3.4.4
+# http://www.shorewall.net/manpages/shorewall-rules.html
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
 define shorewall::rule(
-    $ensure = present,
-    $action,
-    $source,
-    $destination,
-    $proto = '-',
-    $destinationport = '-',
-    $sourceport = '-',
-    $originaldest = '-',
-    $ratelimit = '-',
-    $user = '-',
-    $mark = '',
-    $order
+  $action,
+  $source,
+  $destination,
+  $proto           = '-',
+  $destinationport = '-',
+  $sourceport      = '-',
+  $originaldest    = '-',
+  $ratelimit       = '-',
+  $user            = '-',
+  $mark            = '-',
+  $connlimit       = '-',
+  $time            = '-',
+  $headers         = '-',
+  $switch          = '-',
+  $helper          = '-',
+  $order           = '500',
+  $shorewall       = true,
+  $shorewall6      = false,
+  $ensure          = 'present',
 ){
+  if versioncmp($shorewall_version,'4.5.7') >= 0 {
+    $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}"
+  } elsif versioncmp($shorewall_version,'4.4.24') >= 0 {
+    # el6
+    $line = " ${connlimit} ${time} ${headers} ${switch}"
+  } else {
+    # el5
+    $line = ''
+  }
   shorewall::entry{"rules-${order}-${name}":
-    ensure => $ensure,
-    line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
+    ensure     => $ensure,
+    line       => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}",
+    shorewall  => $shorewall,
+    shorewall6 => $shorewall6,
   }
 }
diff --git a/manifests/rule4.pp b/manifests/rule4.pp
new file mode 100644
index 0000000..08df395
--- /dev/null
+++ b/manifests/rule4.pp
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages/shorewall-rules.html
+define shorewall::rule4(
+  $action,
+  $source,
+  $destination,
+  $proto           = '-',
+  $destinationport = '-',
+  $sourceport      = '-',
+  $originaldest    = '-',
+  $ratelimit       = '-',
+  $user            = '-',
+  $mark            = '-',
+  $connlimit       = '-',
+  $time            = '-',
+  $headers         = '-',
+  $switch          = '-',
+  $helper          = '-',
+  $order           = '500',
+  $ensure          = 'present',
+){
+  shorewall::rule{
+    $name:
+      ensure          => $ensure,
+      action          => $action,
+      source          => $source,
+      destination     => $destination,
+      proto           => $proto,
+      destinationport => $destinationport,
+      sourceport      => $sourceport,
+      originaldest    => $originaldest,
+      ratelimit       => $ratelimit,
+      user            => $user,
+      mark            => $mark,
+      connlimit       => $connlimit,
+      time            => $time,
+      headers         => $headers,
+      switch          => $switch,
+      helper          => $helper,
+      order           => $order,
+      shorewall       => true,
+      shorewall6      => false,
+  }
+}
diff --git a/manifests/rule6.pp b/manifests/rule6.pp
new file mode 100644
index 0000000..eb6b741
--- /dev/null
+++ b/manifests/rule6.pp
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
+define shorewall::rule6(
+  $action,
+  $source,
+  $destination,
+  $proto           = '-',
+  $destinationport = '-',
+  $sourceport      = '-',
+  $originaldest    = '-',
+  $ratelimit       = '-',
+  $user            = '-',
+  $mark            = '-',
+  $connlimit       = '-',
+  $time            = '-',
+  $headers         = '-',
+  $switch          = '-',
+  $helper          = '-',
+  $order           = '500',
+  $ensure          = 'present',
+){
+  shorewall::rule{
+    $name:
+      ensure          => $ensure,
+      action          => $action,
+      source          => $source,
+      destination     => $destination,
+      proto           => $proto,
+      destinationport => $destinationport,
+      sourceport      => $sourceport,
+      originaldest    => $originaldest,
+      ratelimit       => $ratelimit,
+      user            => $user,
+      mark            => $mark,
+      connlimit       => $connlimit,
+      time            => $time,
+      headers         => $headers,
+      switch          => $switch,
+      helper          => $helper,
+      order           => $order,
+      shorewall       => false,
+      shorewall6      => true,
+  }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp
index 0a8b4bb..24b3dfb 100644
--- a/manifests/rule_section.pp
+++ b/manifests/rule_section.pp
@@ -9,6 +9,8 @@ define shorewall::rule_section(
   }
 
   shorewall::entry{"rules-${order}-${name}":
-    line => "${rule_section_prefix}SECTION ${name}",
+    line       => "${rule_section_prefix}SECTION ${name}",
+    shorewall  => true,
+    shorewall6 => true,
   }
 }
-- 
cgit v1.2.3