From 59c1cd6c0b9277c07fb577be0f59ce74154352da Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 19 Feb 2017 22:56:44 +0100 Subject: no need for openvpn outgoing --- manifests/rules/openvpn.pp | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp index 55a20d2..842e276 100644 --- a/manifests/rules/openvpn.pp +++ b/manifests/rules/openvpn.pp @@ -1,18 +1,12 @@ +# openvpn incoming class shorewall::rules::openvpn { - shorewall::rule { 'net-me-openvpn-udp': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } - shorewall::rule { 'me-net-openvpn-udp': - source => '$FW', - destination => 'net', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } + shorewall::rule { + 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } } -- cgit v1.2.3 From 89a350feaa3e5f94d104ac7e98af608db659e871 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 15:50:11 +0200 Subject: calculate whether we want to disable ipv6 (if there is no public ipv6 address) or not --- manifests/base.pp | 4 ++-- manifests/init.pp | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 22ef555..23d72e5 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -38,10 +38,10 @@ class shorewall::base { 'STARTUP_ENABLED': value => $startup_str; } - $cfs = keys($shorewall::settings) + $cfs = keys($shorewall::merged_settings) shorewall::config_settings{ $cfs: - settings => $shorewall::settings; + settings => $shorewall::merged_settings; } } diff --git a/manifests/init.pp b/manifests/init.pp index aac1520..44c703b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -2,10 +2,7 @@ class shorewall( $startup = true, $conf_source = false, - $settings = { - 'LOG_MARTIANS' => 'No', - 'DISABLE_IPV6' => 'Yes', - }, + $settings = {}, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', @@ -52,6 +49,17 @@ class shorewall( $daily_check = true, ) { + $disable_ipv6 = $ipaddress6 ? { + undef => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From fd83e644a5ec2630ccc8b83d6029fbba7bfe1fe9 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:05:39 +0200 Subject: first step towards shorewall6, basic service is running --- manifests/base.pp | 78 +++++++++++++++++++++++++++++++++++-------- manifests/config6_setting.pp | 18 ++++++++++ manifests/config6_settings.pp | 10 ++++++ manifests/init.pp | 10 ++++++ 4 files changed, 103 insertions(+), 13 deletions(-) create mode 100644 manifests/config6_setting.pp create mode 100644 manifests/config6_settings.pp diff --git a/manifests/base.pp b/manifests/base.pp index 23d72e5..8c42757 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
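Review bot: The new `$disable_ipv6` selector switches DISABLE_IPV6 to `No` on every host whose `ipaddress6` fact is set, but this commit adds no IPv6 ruleset, so such hosts go from "all IPv6 dropped by shorewall" to "IPv6 unfiltered" on their next agent run. If that is meant as a stepping stone towards shorewall6, say so in a comment above the block and reference the fact qualified, `$disable_ipv6 = $::ipaddress6 ? { undef => 'Yes', default => 'No' }`, so a class-scope variable cannot shadow it. A note that operators who will not run shorewall6 must pass `settings => { 'DISABLE_IPV6' => 'Yes' }` (which `merge($def_settings,$settings)` honours) would also help. As far as I know `ipaddress6` is a legacy fact whose value depends on the facter version and which interfaces it inspects, so this detection should be treated as a heuristic rather than a guarantee.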
@@ -20,18 +20,36 @@ class shorewall::base { group => 'root', mode => '0644'; } + if $shorewall::with_shorewall6 { + package{'shorewall6': + ensure => 'installed' + } + file { + '/etc/shorewall6/shorewall6.conf': + require => Package['shorewall6'], + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0644'; + '/etc/shorewall6/puppet': + ensure => directory, + require => Package['shorewall6'], + owner => 'root', + group => 'root', + mode => '0644'; + } + } + if str2bool($shorewall::startup) { + $startup_str = 'Yes' + } else { + $startup_str = 'No' + } if $shorewall::conf_source { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } } else { - - if str2bool($shorewall::startup) { - $startup_str = 'Yes' - } else { - $startup_str = 'No' - } shorewall::config_setting{ 'CONFIG_PATH': value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\""; @@ -44,7 +62,6 @@ class shorewall::base { settings => $shorewall::merged_settings; } } - exec{'shorewall_check': command => 'shorewall check', refreshonly => true, 
@@ -58,24 +75,59 @@ class shorewall::base { require => Package['shorewall'], } + if $shorewall::with_shorewall6 { + shorewall::config6_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall6/puppet:\${CONFDIR}/shorewall6:/usr/share/shorewall6:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + $cfs6 = keys($shorewall::settings6) + shorewall::config6_settings{ + $cfs6: + settings => $shorewall::settings6; + } + + exec{'shorewall6_check': + command => 'shorewall6 check', + refreshonly => true, + notify => Service['shorewall6'], + } + service{'shorewall6': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall6'], + } + } + file{'/etc/cron.daily/shorewall_check':} if $shorewall::daily_check { + if $shorewall::with_shorewall6 { + $shorewall6_check_str = ' && shorewall6 check' + } else { + $shorewall6_check_str = '' + } File['/etc/cron.daily/shorewall_check']{ - content => '#!/bin/bash + content => "#!/bin/bash -output=$(shorewall check 2>&1) -if [ $? -gt 0 ]; then - echo "Error while checking firewall!" - echo $output +output=\$(shorewall check${shorewall6_check_str} 2>&1) +if [ \$? -gt 0 ]; then + echo 'Error while checking firewall!' + echo \$output exit 1 fi exit 0 -', +", owner => root, group => 0, mode => '0700', require => Service['shorewall'], } + if $shorewall::with_shorewall6 { + Service['shorewall6'] -> File['/etc/cron.daily/shorewall_check'] + } } else { File['/etc/cron.daily/shorewall_check']{ ensure => absent, diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp new file mode 100644 index 0000000..2fbb1df --- /dev/null +++ b/manifests/config6_setting.pp 
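Review bot: Nothing in this hunk stops or disables `shorewall6` when `$shorewall::with_shorewall6` is false, so a host that once matched the `auto` detection and later loses its IPv6 address keeps an enabled shorewall6 service running whatever ruleset was last compiled, outside Puppet's control. Consider an `else` branch with `service{'shorewall6': ensure => stopped, enable => false }` (guarded on the package being present), or document that turning `shorewall6` off requires manual cleanup. Separately, the v6 CONFIG_PATH hard-codes `/usr/share/shorewall6` where the v4 path uses `${SHAREDIR}`; `\${SHAREDIR}/shorewall6` would keep the two consistent, assuming the package installs its share directory there — worth confirming on the target distributions.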
@@ -0,0 +1,18 @@ +# set a particular config option for shorewall6 +# +# e.g. +# shorewall::config6_setting{ +# 'CONFIG_PATH': +# value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"' +# } +define shorewall::config_setting( + $value, +){ + augeas { "shorewall6_module_${name}": + changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}", + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall6.conf', + notify => Exec['shorewall6_check'], + require => Package['shorewall6']; + } +} diff --git a/manifests/config6_settings.pp b/manifests/config6_settings.pp new file mode 100644 index 0000000..2eb47f0 --- /dev/null +++ b/manifests/config6_settings.pp @@ -0,0 +1,10 @@ +# a nice wrapper to make hiera config +# a bit easier +define shorewall::config6_settings( + $settings, +){ + shorewall::config6_setting{ + $name: + value => $settings[$name], + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 44c703b..16d7170 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -3,6 +3,8 @@ class shorewall( $startup = true, $conf_source = false, $settings = {}, + $settings6 = {}, + $shorewall6 = 'auto', $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', @@ -60,6 +62,14 @@ class shorewall( $merged_settings = merge($def_settings,$settings) + $with_shorewall6 = $shorewall6 ? { + 'auto' => $ipaddress6 ? { + undef => false, + default => true, + }, + default => str2bool($shorewall6), + } + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From 9a1d3358e72ff682413ed9ecd8d04885d20f262e Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:15:08 +0200 Subject: correct naming --- manifests/config6_setting.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp index 2fbb1df..cd34530 100644 --- a/manifests/config6_setting.pp 
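Review bot: `changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}"` interpolates the value verbatim into an augeas command: a value with embedded whitespace needs quoting for the Shellvars lens, and because Puppet splits a string `changes` into one command per line, a value containing a newline would be executed as additional augeas commands. The values come from `settings6` in hiera, so this is operator-trust rather than remote exposure, but a check such as `validate_re($value, '^[^\n]*$')` or quoting the value would make the define fail closed instead of corrupting the firewall configuration. The same pattern presumably exists in the v4 `config_setting` define, which is outside this diff.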
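Review bot: `$with_shorewall6` and the earlier `$disable_ipv6` are derived independently from `$ipaddress6`, so setting `shorewall6 => false` on a host that has an IPv6 address still produces `DISABLE_IPV6 => 'No'`: no shorewall6 ruleset is compiled, yet shorewall no longer blocks IPv6. Deriving the setting from the decision closes that gap, `$disable_ipv6 = $with_shorewall6 ? { true => 'No', default => 'Yes' }`, computed after `$with_shorewall6` (the `$def_settings`/`merge` lines in the context above would need to move below this block). The fact should be referenced as `$::ipaddress6`, and whether `str2bool` accepts a value that is already a Boolean depends on the stdlib version — worth checking against the version this module pins.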
+++ b/manifests/config6_setting.pp @@ -5,7 +5,7 @@ # 'CONFIG_PATH': # value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"' # } -define shorewall::config_setting( +define shorewall::config6_setting( $value, ){ augeas { "shorewall6_module_${name}": -- cgit v1.2.3 From cac17b52dd7a52e73c8cb0f6578ad710ce8531fb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:21:50 +0200 Subject: fix path --- manifests/base.pp | 4 ++-- manifests/config6_setting.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 8c42757..4fc5178 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -30,13 +30,13 @@ class shorewall::base { notify => Exec['shorewall6_check'], owner => 'root', group => 'root', - mode => '0644'; + mode => '0600'; '/etc/shorewall6/puppet': ensure => directory, require => Package['shorewall6'], owner => 'root', group => 'root', - mode => '0644'; + mode => '0600'; } } diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp index cd34530..5553e4f 100644 --- a/manifests/config6_setting.pp +++ b/manifests/config6_setting.pp @@ -11,7 +11,7 @@ define shorewall::config6_setting( augeas { "shorewall6_module_${name}": changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}", lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall6.conf', + incl => '/etc/shorewall6/shorewall6.conf', notify => Exec['shorewall6_check'], require => Package['shorewall6']; } -- cgit v1.2.3 From 4a29f5e293b36e11d870061d4d93d7af306dcbd6 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:34:55 +0200 Subject: make dependencies a bit more clear --- manifests/base.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 4fc5178..7715baa 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
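Review bot: `mode => '0600'` on the `/etc/shorewall6/puppet` directory reads as a non-traversable directory, but Puppet sets the search bit on directories wherever the read bit is set, so the effective mode is 0700; writing `mode => '0700'` for the directory (keeping `'0600'` for `shorewall6.conf`) states what actually lands on disk. The commit is titled "fix path" but this hunk tightens permissions; a one-line comment such as `# generated firewall config may reveal internal addresses, keep it root-only` would record the intent for the next reader. The enclosing `if $shorewall::with_shorewall6` block starts above the hunk.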
@@ -66,13 +66,14 @@ class shorewall::base { command => 'shorewall check', refreshonly => true, notify => Service['shorewall'], + require => Package['shorewall'], } service{'shorewall': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Package['shorewall'], + require => Exec['shorewall_check'], } if $shorewall::with_shorewall6 { @@ -92,13 +93,14 @@ class shorewall::base { command => 'shorewall6 check', refreshonly => true, notify => Service['shorewall6'], + require => Package['shorewall6'], } service{'shorewall6': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Package['shorewall6'], + require => Exec['shorewall6_check'], } } -- cgit v1.2.3 From cdb82d7bde4861434cea81d7f5770164f5fff76c Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 17:46:01 +0200 Subject: make zones also for ipv6 --- manifests/entry.pp | 25 +++++++++++++++++++------ manifests/zone.pp | 34 +++++++++++++++++++++++++--------- 2 files changed, 44 insertions(+), 15 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index c8fffc7..a7321f8 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,12 +1,25 @@ +# a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, + $ensure = present, + $shorewall = true, + $shorewall6 = false, $line ){ $parts = split($name,'-') - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $shorewall { + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } + } + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } } } diff --git a/manifests/zone.pp b/manifests/zone.pp index 81e5771..8ee1b58 100644 
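Review bot: In `shorewall::entry`, an entry declared with `shorewall6 => true` on a host where `$shorewall::with_shorewall6` is false is silently dropped, and with `shorewall => false` as well the define emits nothing at all. A missing firewall entry fails open for the traffic it was meant to restrict, so I would at least `warning("shorewall6 entry ${name} ignored: shorewall6 is disabled on this host")` in that branch, or `fail()` when neither file receives the line. `$parts = split($name,'-')` assumes a `file-order-name` title; since only `$parts[0]` and `$parts[1]` are read, a name part containing `-` still works, which deserves a comment on the define.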
--- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -1,14 +1,30 @@ +# define a zone define shorewall::zone( - $type, - $options = '-', - $in = '-', - $out = '-', - $parent = '-', - $order = 100 + $type, + $options = '-', + $in = '-', + $out = '-', + $parent = '-', + $order = 100, ){ - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones-${order}-${name}": - line => "${real_name} ${type} ${options} ${in} ${out}" + $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } + shorewall::entry { "zones-${order}-${name}": + line => "${real_name} ${type} ${options} ${in} ${out}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + $type6 = $type ? { + 'ipv4' => 'ipv6', + 'ipsec' => 'ipsec6', + 'bport' => 'bport6', + default => $type, } + shorewall::entry { "zones-${order}-${name}_6": + line => "${real_name} ${type6} ${options} ${in} ${out}", + shorewall => false, + shorewall6 => true, + } + } } -- cgit v1.2.3 From d11b179b1b2f6083c0987e4650d89ad7831863e6 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 18:07:44 +0200 Subject: add mgmt of files for shorewall6 --- files/boilerplate6/zones.header | 11 +++++++++++ manifests/init.pp | 3 +++ manifests/managed_file.pp | 19 +++++++++++++++++-- 3 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 files/boilerplate6/zones.header diff --git a/files/boilerplate6/zones.header b/files/boilerplate6/zones.header new file mode 100644 index 0000000..3e445c5 --- /dev/null +++ b/files/boilerplate6/zones.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/zones +# +# For information about this file, type "man shorewall6-zones" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-zones.html +# +############################################################################### +#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS + 
diff --git a/manifests/init.pp b/manifests/init.pp index 16d7170..eeab56f 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,6 +124,9 @@ class shorewall( 'mangle', ]:; } + Shorewall::Managed_file['zones']{ + shorewall6 => true, + } create_resources('shorewall::zone',$zones,$zones_defaults) create_resources('shorewall::interface',$interfaces,$interfaces_defaults) diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index b353814..b4941a7 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,8 +1,9 @@ # manage a certain file -define shorewall::managed_file() { +define shorewall::managed_file( + $shorewall6 = false, +) { concat{ "/etc/shorewall/puppet/${name}": notify => Exec['shorewall_check'], - require => File['/etc/shorewall/puppet'], owner => 'root', group => 'root', mode => '0600'; @@ -17,4 +18,18 @@ define shorewall::managed_file() { target => "/etc/shorewall/puppet/${name}", order => '999'; } + if $shorewall6 and $shorewall::with_shorewall6 { + concat{ "/etc/shorewall6/puppet/${name}": + notify => Exec['shorewall6_check'], + owner => 'root', + group => 'root', + mode => '0600'; + } + concat::fragment { + "${name}-header": + source => "puppet:///modules/shorewall/boilerplate6/${name}.header", + target => "/etc/shorewall6/puppet/${name}", + order => '000'; + } + } } -- cgit v1.2.3 From 2c255e1fca1a5cabdc9e8dfab80e69dd4cd882ac Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 18:09:37 +0200 Subject: rename snippet --- manifests/managed_file.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index b4941a7..135d59a 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
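Review bot: The v6 concat for `/etc/shorewall6/puppet/${name}` receives the header fragment but not the order-`999` fragment the v4 file gets in the context above, so the two generated files differ at their end; if that trailing fragment matters (a final newline or footer), add the equivalent with `target => "/etc/shorewall6/puppet/${name}"`. The hunk also drops `require => File['/etc/shorewall/puppet']` from the v4 concat and adds none for the v6 one, which is only safe if the concat version in use models the target as a `file` resource that autorequires its parent directory — worth confirming against the pinned puppetlabs-concat release.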
@@ -26,7 +26,7 @@ define shorewall::managed_file( mode => '0600'; } concat::fragment { - "${name}-header": + "6${name}-header": source => "puppet:///modules/shorewall/boilerplate6/${name}.header", target => "/etc/shorewall6/puppet/${name}", order => '000'; -- cgit v1.2.3 From 312dd4b7b990f0fad0b55f050e4c5c8e17c7e20d Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 7 Apr 2017 18:14:03 +0200 Subject: we need this --- files/boilerplate6/zones.header | 1 + 1 file changed, 1 insertion(+) diff --git a/files/boilerplate6/zones.header b/files/boilerplate6/zones.header index 3e445c5..6ebe49b 100644 --- a/files/boilerplate6/zones.header +++ b/files/boilerplate6/zones.header @@ -9,3 +9,4 @@ ############################################################################### #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS +fw firewall -- cgit v1.2.3 From 9da596c12101c02e7cebc1d0d5d9f04952379007 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 12:41:58 +0200 Subject: group that together --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index 7715baa..d0a065f 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -114,7 +114,7 @@ class shorewall::base { File['/etc/cron.daily/shorewall_check']{ content => "#!/bin/bash -output=\$(shorewall check${shorewall6_check_str} 2>&1) +output=\$((shorewall check${shorewall6_check_str}) 2>&1) if [ \$? -gt 0 ]; then echo 'Error while checking firewall!' echo \$output -- cgit v1.2.3 From af0e6b36d7c5c52f7eaa2d1827d51befd9971e98 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 12:55:24 +0200 Subject: add a full version fact and derive the maj from that one and make the fact work, even if there is no shorewall installed --- lib/facter/shorewall_major_version.rb | 3 ++- lib/facter/shorewall_version.rb | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 lib/facter/shorewall_version.rb 
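Review bot: Hard-coding `fw firewall` into the shorewall6 zones header means any `shorewall::zone` the operator already declares for the firewall zone (replicated to the v6 file by the earlier zone.pp change) appears twice, which I expect `shorewall6 check` to reject as a duplicate zone, and it ignores a non-default `FW` name configured via `settings`. If the v4 `boilerplate/zones.header` does not carry such a line the v6 one should not either; alternatively skip `type => 'firewall'` zones for the v6 copy in `shorewall::zone`. I cannot see the v4 header from here, so please compare the two.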
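Review bot: `output=\$((shorewall check${shorewall6_check_str}) 2>&1)` begins with `$((`, which the shell first tries to parse as arithmetic expansion; bash falls back to a command substitution here, but the form is ambiguous (ShellCheck SC1105) and not portable across shells or older bash releases. Writing it with an explicit space, `output=\$( (shorewall check${shorewall6_check_str}) 2>&1 )`, makes the subshell unambiguous and still captures both commands' stderr. Because of the `&&` chain a failing `shorewall check` skips `shorewall6 check`, so only the first problem is reported per run — acceptable, but worth a comment in the script.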
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index 0068b48..e247fc4 100644 --- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb @@ -1,5 +1,6 @@ Facter.add("shorewall_major_version") do setcode do - Facter::Util::Resolution.exec('shorewall version').split('.').first || nil + v = Facter.value('shorewall_version') + v.nil? ? nil : v.split('.').first end end diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb new file mode 100644 index 0000000..2a28828 --- /dev/null +++ b/lib/facter/shorewall_version.rb @@ -0,0 +1,5 @@ +Facter.add('shorewall_version') do + setcode do + Facter::Util::Resolution.exec('shorewall version') + end +end -- cgit v1.2.3 From a8c1abea710e88e63a64b8889fe9965e95ff1740 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:06:43 +0200 Subject: cleanup certain unsupported options --- manifests/interface.pp | 57 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 403ee74..4ec587e 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp 
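Review bot: `shorewall_version` returns nil when the `shorewall` binary is absent, which the major-version fact now tolerates, but manifests consuming it see an undef value on the first run of a fresh host; document that in the fact, e.g. `# nil until the shorewall package is installed; consumers must handle undef`. There is no matching `shorewall6_version` fact although the shorewall6 package is versioned independently, so any v6 rule-format decision will be taken from the v4 version — consider adding a sibling fact with `Facter::Util::Resolution.exec('shorewall6 version')`.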
@@ -1,29 +1,46 @@ +# manage a shorewall-interface entry +# http://www.shorewall.net/manpages/shorewall-interfaces.html define shorewall::interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $add_options = '', - $rfc1918 = false, - $dhcp = false, - $order = 100 + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $add_options = '', + $rfc1918 = false, + $dhcp = false, + $order = 100, ){ - $added_opts = $add_options ? { - '' => '', - default => ",${add_options}", - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", + } - $dhcp_opt = $dhcp ? { - false => '', - default => ',dhcp', - } + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + if versioncmp($shorewall_version,'4.5') < 0 { $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', + false => ',norfc1918', + default => '', } + } else { + $rfc1918_opt = '' + } + $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}" + if versioncmp($shorewall_version,'4.5') >= 0 { + $all_options1 = regsubst($all_options,',(no)?rfc1918','') + } else { + $all_options1 = $all_options + } + if versioncmp($shorewall_major_version,'5') >= 0 { + $all_options2 = regsubst($all_options1,',blacklist','') + } else { + $all_options2 = $all_options1 + } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", - } + shorewall::entry { "interfaces-${order}-${name}": + line => "${zone} ${name} ${broadcast} ${all_options2}", + } } -- cgit v1.2.3 From 6ac2e1752f2185c293360aa062b7f49facff6abe Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:21:14 +0200 Subject: manage interfaces for shorewall6 --- manifests/init.pp | 2 +- manifests/interface.pp | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) 
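Review bot: `versioncmp($shorewall_version,'4.5')` reads a top-scope fact unqualified and without a fallback, so on the first agent run of a host that does not yet have shorewall installed the fact is undef: on Puppet 3 that compares as an empty string, on Puppet 4+ it is a type error. Resolve it once with a conservative default, e.g. `$sw_version = pick($::shorewall_version, '0')`, so a missing fact keeps `norfc1918`/`blacklist`, which a newer shorewall rejects at `shorewall check` — failing closed rather than silently dropping a restriction. The strip patterns `',(no)?rfc1918'` and `',blacklist'` only match after a comma, so an operator-supplied `options` beginning with `blacklist,...` slips through; splitting the string, filtering with stdlib's `delete`, and re-joining avoids the positional edge case.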
diff --git a/manifests/init.pp b/manifests/init.pp index eeab56f..f74466b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,7 +124,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones']{ + Shorewall::Managed_file['zones','interfaces']{ shorewall6 => true, } diff --git a/manifests/interface.pp b/manifests/interface.pp index 4ec587e..3a90046 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -40,7 +40,18 @@ define shorewall::interface( } shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${all_options2}", + line => "${zone} ${name} ${broadcast} ${all_options2}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + # logmartians is not available on shorewall6 + $all_options3 = regsubst($all_options2,',logmartians','') + shorewall::entry { "interfaces-${order}-${name}_6": + line => "${zone} ${name} ${broadcast} ${all_options3}", + shorewall => false, + shorewall6 => true, + } } } -- cgit v1.2.3 From 0a9d42a755723374b32571a9ed225493b1d36f58 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:25:56 +0200 Subject: add missing file --- files/boilerplate6/interfaces.header | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 files/boilerplate6/interfaces.header diff --git a/files/boilerplate6/interfaces.header b/files/boilerplate6/interfaces.header new file mode 100644 index 0000000..be98744 --- /dev/null +++ b/files/boilerplate6/interfaces.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/interfaces +# +# For information about entries in this file, type "man shorewall6-interfaces" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html +# +?FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS -- cgit v1.2.3 From 063183d10413c9ce5acd8c6f448764b42d6a73d1 Mon Sep 17 00:00:00 2001 
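Review bot: Only `logmartians` is stripped for the shorewall6 line, but the default `$options` also carries `routefilter`, which as far as I know is IPv4-only (it drives `rp_filter`; shorewall6-interfaces(5) offers `rpfilter` instead), so the generated v6 interfaces file would fail `shorewall6 check` with the default options. Please confirm against the man page and strip it the same way, e.g. `$all_options3 = regsubst(regsubst($all_options2,',logmartians',''),',routefilter','')`. As with the v4 line, the comma-prefixed patterns miss an option in first position.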
From: mh Date: Sat, 8 Apr 2017 13:31:00 +0200 Subject: broadcast column is not needed for shorewall6 --- manifests/interface.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 3a90046..bc891c9 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -48,7 +48,7 @@ define shorewall::interface( # logmartians is not available on shorewall6 $all_options3 = regsubst($all_options2,',logmartians','') shorewall::entry { "interfaces-${order}-${name}_6": - line => "${zone} ${name} ${broadcast} ${all_options3}", + line => "${zone} ${name} ${all_options3}", shorewall => false, shorewall6 => true, } -- cgit v1.2.3 From 37a69624f4828079bf7c76f34cf193ab495494a7 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:52:14 +0200 Subject: introduce params for shorewall6, by default it's just a copy of the ones for shorewall --- manifests/init.pp | 2 +- manifests/params.pp | 22 ++++++++++++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f74466b..d3728e5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,7 +124,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces']{ + Shorewall::Managed_file['zones','interfaces','params']{ shorewall6 => true, } diff --git a/manifests/params.pp b/manifests/params.pp index 3bc5663..49ced31 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -1,5 +1,19 @@ -define shorewall::params($value, $order='100'){ - shorewall::entry{"params-${order}-${name}": - line => "${name}=${value}", - } +# manage a shorewall param, will be used for both +# ipv4 and ipv6 if not specified differently using +# shorewall or shorwall6 booleans. +# http://www.shorewall.net/manpages/shorewall-params.html +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params( + $value, + $key = $name, + $order ='100', + $shorewall = true, + $shorewall6 = true, +){ + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"params-${order}-${name}": + line => "${key}=${value}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } -- cgit v1.2.3 From 1661427d49cc359195deb3f0f7fa3cf841807159 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:54:50 +0200 Subject: introduce params only for ipv6 and only for ipv4 --- manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index d3728e5..6a7eafc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -37,6 +37,8 @@ class shorewall( $routestopped = {}, $routestopped_defaults = {}, $params = {}, + $params4 = {}, + $params6 = {}, $params_defaults = {}, $tcdevices = {}, $tcdevices_defaults = {}, @@ -142,6 +144,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::params',$params4,merge({shorewall6 => false,},$params_defaults)) + create_resources('shorewall::params',$params6,merge({shorewall => false,},$params_defaults)) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) -- cgit v1.2.3 From e89e367f4a70b13bb2889203642ee5ec31367b75 Mon Sep 17 00:00:00 2001 
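Review bot: `line => "${key}=${value}"` writes the value unquoted into a file that shorewall and shorewall6, as I read the params man page, source as shell at compile time, so a value containing spaces, `$`, `;` or command substitution changes meaning or executes. The values come from hiera, so this is operator trust rather than remote exposure, but a comment saying so plus `validate_re($key, '^[A-Za-z_][A-Za-z0-9_]*$')` and a conservative `validate_re($value, '^[A-Za-z0-9_.:/,@%-]*$')` would make the define fail closed. "shorwall6" in the header comment is a typo.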
From: mh Date: Sat, 8 Apr 2017 13:59:11 +0200 Subject: add missing file --- files/boilerplate6/params.header | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 files/boilerplate6/params.header diff --git a/files/boilerplate6/params.header b/files/boilerplate6/params.header new file mode 100644 index 0000000..cf40b53 --- /dev/null +++ b/files/boilerplate6/params.header @@ -0,0 +1,23 @@ +# +# Shorewall6 -- /etc/shorewall6/params +# +# Assign any variables that you need here. +# +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall6 programs +# +# Example: +# +# NET_IF=eth0 +# NET_OPTIONS=dhcp,nosmurfs +# +# Example (/etc/shorewall6/interfaces record): +# +# net $NET_IF - $NET_OPTIONS +# +# The result will be the same as if the record had been written +# +# net eth0 - dhcp,nosmurfs +# +############################################################################### -- cgit v1.2.3 From 4b5ea4bec4b6abb6abed8005bce1c8071ef97ffa Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 14:04:39 +0200 Subject: introduce params4 and params6 helper to more easily differentiate --- manifests/init.pp | 4 ++-- manifests/params4.pp | 16 ++++++++++++++++ manifests/params6.pp | 16 ++++++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 manifests/params4.pp create mode 100644 manifests/params6.pp diff --git a/manifests/init.pp b/manifests/init.pp index 6a7eafc..826f446 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -144,8 +144,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) - create_resources('shorewall::params',$params4,merge({shorewall6 => false,},$params_defaults)) - create_resources('shorewall::params',$params6,merge({shorewall => false,},$params_defaults)) + create_resources('shorewall::params4',$params4,$params_defaults) + create_resources('shorewall::params6',$params6,$params_defaults) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) diff --git a/manifests/params4.pp b/manifests/params4.pp new file mode 100644 index 0000000..fc50fa3 --- /dev/null +++ b/manifests/params4.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv4 +# http://www.shorewall.net/manpages/shorewall-params.html +define shorewall::params4( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/params6.pp b/manifests/params6.pp new file mode 100644 index 0000000..58c1f86 --- /dev/null +++ b/manifests/params6.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv6 +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params6( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => false, + shorewall6 => true, + } +} -- cgit v1.2.3 From 75f0f1dbaa0827f64fb0d21db8f4a89296f177e0 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 14:07:07 +0200 Subject: migrate to dedicated params --- manifests/rules/munin.pp | 27 +++++++++++++++------------ manifests/rules/puppet.pp | 3 ++- 2 files changed, 17 insertions(+), 13 deletions(-) 
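Review bot: `shorewall::params4` and `shorewall::params6` both declare `shorewall::params{ $name: ... }` with the bare title, so a variable that needs different values for v4 and v6 — the case `$key` was introduced for, e.g. `NET_IF` listed in both `params4` and `params6` — is a duplicate-resource error at catalog compile. Give the inner resource a distinct title and pass the key through, `shorewall::params{ "${name}_4": key => $key, ... }` in params4 and `"${name}_6"` in params6; the resulting entry title `params-${order}-${name}_4` still splits correctly because `shorewall::entry` only reads the first two `-`-separated parts.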
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index a20a4e0..252f2ed 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,16 +1,19 @@ +# outgoing munin rules class shorewall::rules::munin( - $munin_port = '4949', - $munin_collector = ['127.0.0.1'], + $munin_port = '4949', + $munin_collector = ['127.0.0.1'], $collector_source = 'net' ){ - shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } - shorewall::rule{'net-me-munin-tcp': - source => "${collector_source}:\$MUNINCOLLECTOR", - destination => '$FW', - proto => 'tcp', - destinationport => '$MUNINPORT', - order => 240, - action => 'ACCEPT'; - } + shorewall::params4{ + 'MUNINPORT': value => $munin_port; + 'MUNINCOLLECTOR': value => join(any2array($munin_collector),','); + } + shorewall::rule{'net-me-munin-tcp': + source => "${collector_source}:\$MUNINCOLLECTOR", + destination => '$FW', + proto => 'tcp', + destinationport => '$MUNINPORT', + order => 240, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 84e7d81..ee920b0 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,9 +1,10 @@ +# outgoing puppet params class shorewall::rules::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_port = 8140, $puppetserver_signport = 8141 ){ - shorewall::params{ + shorewall::params4{ 'PUPPETSERVER': value => $puppetserver; 'PUPPETSERVER_PORT': value => $puppetserver_port; 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; -- cgit v1.2.3 From f7fec4c4a6faef8d5d75ebdb73ed8fdd374d0184 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 12:43:08 +0200 Subject: make output nicer --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index d0a065f..abf477b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -117,7 +117,7 @@ class shorewall::base { output=\$((shorewall check${shorewall6_check_str}) 2>&1) if [ \$? -gt 0 ]; then echo 'Error while checking firewall!' - echo \$output + echo \"\${output}\" exit 1 fi exit 0 -- cgit v1.2.3 From 28a72736071330261ba8fa9dd5ca4e1202c1247f Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 18:57:53 +0200 Subject: make it possible to manage rules for ipv4 & ipv6 + add some more modern headers for certain versions --- files/boilerplate6/rules.header | 11 +++++++++ manifests/init.pp | 6 ++++- manifests/rule.pp | 49 ++++++++++++++++++++++++++++------------- manifests/rule4.pp | 43 ++++++++++++++++++++++++++++++++++++ manifests/rule6.pp | 43 ++++++++++++++++++++++++++++++++++++ manifests/rule_section.pp | 4 +++- 6 files changed, 139 insertions(+), 17 deletions(-) create mode 100644 files/boilerplate6/rules.header create mode 100644 manifests/rule4.pp create mode 100644 manifests/rule6.pp diff --git a/files/boilerplate6/rules.header b/files/boilerplate6/rules.header new file mode 100644 index 0000000..91e57a8 --- /dev/null +++ b/files/boilerplate6/rules.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/rules +# +# For information on the settings in this file, type "man shorewall6-rules" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-rules.html +# +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + diff --git a/manifests/init.pp b/manifests/init.pp index 826f446..9320944 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,8 @@ class shorewall( $policy = {}, $policy_defaults = {}, $rules = {}, + $rules4 = {}, + $rules6 = {}, $rules_defaults = {}, $rulesections = {}, $rulesections_defaults = {}, 
@@ -126,7 +128,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces','params']{ + Shorewall::Managed_file['zones','interfaces','params','rules']{ shorewall6 => true, } @@ -135,6 +137,8 @@ class shorewall( create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule4',$rules4,$rules_defaults) + create_resources('shorewall::rule6',$rules6,$rules_defaults) create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) diff --git a/manifests/rule.pp b/manifests/rule.pp index 2fe91e2..39f0ef9 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp 
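Review bot: `create_resources('shorewall::rule4',$rules4,$rules_defaults)` and the `rule6` line below it reuse the defaults hash of `shorewall::rule`, but `shorewall::rule4` and `shorewall::rule6` as added in this commit do not declare `$shorewall`/`$shorewall6`, so a `$rules_defaults` that sets either key (valid for `$rules`) makes every rule4/rule6 declaration fail with an invalid-parameter error. Either give the new hashes their own `$rules4_defaults`/`$rules6_defaults` parameters, or document next to `$rules_defaults` that it may only contain keys common to all three defines. The class body continues outside the hunk.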
@@ -1,20 +1,39 @@ -# mark is new in 3.4.4 +# http://www.shorewall.net/manpages/shorewall-rules.html +# http://www.shorewall.net/manpages6/shorewall6-rules.html define shorewall::rule( - $ensure = present, - $action, - $source, - $destination, - $proto = '-', - $destinationport = '-', - $sourceport = '-', - $originaldest = '-', - $ratelimit = '-', - $user = '-', - $mark = '', - $order + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $shorewall = true, + $shorewall6 = false, + $ensure = 'present', ){ + if versioncmp($shorewall_version,'4.5.7') >= 0 { + $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}" + } elsif versioncmp($shorewall_version,'4.4.24') >= 0 { + # el6 + $line = " ${connlimit} ${time} ${headers} ${switch}" + } else { + # el5 + $line = '' + } shorewall::entry{"rules-${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", + shorewall => $shorewall, + shorewall6 => $shorewall6, } } diff --git a/manifests/rule4.pp b/manifests/rule4.pp new file mode 100644 index 0000000..08df395 --- /dev/null +++ b/manifests/rule4.pp 
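Review bot: The new `versioncmp($shorewall_version, ...)` chain reads a variable that `shorewall::rule` neither declares nor qualifies; if it is a fact derived from the installed package, it is undef on a host where shorewall is installed in the same run, and compilation fails before the package resource is ever applied. A fallback such as `$ver = $shorewall_version ? { undef => '0', default => $shorewall_version }` would route that first run through the el5 branch instead. Separately, every column of the generated line is interpolated without validation, so a parameter value containing whitespace or a newline (for instance from a hiera-fed `$rules` hash) shifts or adds columns in the rules file; a compile-time guard like `if "${action}${source}${destination}${proto}${destinationport}${sourceport}" =~ /\s/ { fail("shorewall::rule ${name}: whitespace in parameter") }` would catch that before it reaches `shorewall check`.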
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages/shorewall-rules.html
+define shorewall::rule4(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $ensure = 'present',
+){
+ shorewall::rule{
+ $name:
+ ensure => $ensure,
+ action => $action,
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ sourceport => $sourceport,
+ originaldest => $originaldest,
+ ratelimit => $ratelimit,
+ user => $user,
+ mark => $mark,
+ connlimit => $connlimit,
+ time => $time,
+ headers => $headers,
+ switch => $switch,
+ helper => $helper,
+ order => $order,
+ shorewall => true,
+ shorewall6 => false,
+ }
+}
diff --git a/manifests/rule6.pp b/manifests/rule6.pp
new file mode 100644
index 0000000..eb6b741
--- /dev/null
+++ b/manifests/rule6.pp
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
+define shorewall::rule6(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $ensure = 'present',
+){
+ shorewall::rule{
+ $name:
+ ensure => $ensure,
+ action => $action,
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ sourceport => $sourceport,
+ originaldest => $originaldest,
+ ratelimit => $ratelimit,
+ user => $user,
+ mark => $mark,
+ connlimit => $connlimit,
+ time => $time,
+ headers => $headers,
+ switch => $switch,
+ helper => $helper,
+ order => $order,
+ shorewall => false,
+ shorewall6 => true,
+ }
+}
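Review bot: The two new defines carry only a manpage URL as their header; a one-line purpose comment stating that `shorewall::rule4` emits into the IPv4 ruleset only (`shorewall => true, shorewall6 => false`) and `shorewall::rule6` into the IPv6 ruleset only, plus a note that all other parameters are passed through unchanged to `shorewall::rule`, would save readers a trip to rule.pp. Both files are otherwise pure pass-throughs, so nothing else needs documenting here.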
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 0a8b4bb..24b3dfb 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -9,6 +9,8 @@ define shorewall::rule_section( } shorewall::entry{"rules-${order}-${name}": - line => "${rule_section_prefix}SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", + shorewall => true, + shorewall6 => true, } } -- cgit v1.2.3 From 60b1ac3ad8fc6ed5277ca7f3cb0cdd52df5f6875 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 19:11:37 +0200 Subject: minor linting --- manifests/gentoo.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 7b307a4..b3fd670 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@ -1,5 +1,6 @@ +# gentoo specific things class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package['shorewall']{ + category => 'net-firewall', + } } -- cgit v1.2.3 From 31a4479652a881ed0a6b5eee7454f317b4f6bd80 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 15 Apr 2017 13:33:39 +0200 Subject: linting --- manifests/masq.pp | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/manifests/masq.pp b/manifests/masq.pp index fb097e5..1ecbe35 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp 
@@ -2,16 +2,17 @@ # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define shorewall::masq( - $interface, - $source, $address = '-', - $proto = '-', - $port = '-', - $ipsec = '-', - $mark = '', - $order='100' + $interface, + $source, + $address = '-', + $proto = '-', + $port = '-', + $ipsec = '-', + $mark = '-', + $order = '100', ){ - shorewall::entry{"masq-${order}-${name}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } + shorewall::entry{"masq-${order}-${name}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } } -- cgit v1.2.3 From 0c9ec55f15475e5f4dd464aa5bb3e5e4c2c2f794 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 14:28:18 +0200 Subject: suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall --- manifests/params6.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params6.pp b/manifests/params6.pp index 58c1f86..2fd117c 100644 --- a/manifests/params6.pp +++ b/manifests/params6.pp @@ -6,7 +6,7 @@ define shorewall::params6( $order ='100', ){ shorewall::params{ - $name: + "${name}_IP6": key => $key, value => $value, order => $order, -- cgit v1.2.3 From e2f07459474470aeea73e6160ecf2652bc9ae6bf Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 14:54:00 +0200 Subject: suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall --- manifests/rule6.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rule6.pp b/manifests/rule6.pp index eb6b741..77a945f 100644 --- a/manifests/rule6.pp +++ b/manifests/rule6.pp @@ -19,7 +19,7 @@ define shorewall::rule6( $ensure = 'present', ){ shorewall::rule{ - $name: + "${name}_IP6": ensure => $ensure, action => $action, source => $source, -- cgit v1.2.3 
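Review bot: The `$mark` default in `shorewall::masq` changes from `''` to `'-'`, which alters the generated masq line (a trailing empty column becomes an explicit `-`) and is the only non-whitespace effect of a commit titled "linting"; naming that in the description, or splitting it out, would help anyone bisecting a changed `/etc/shorewall/puppet/masq`. As far as the hunk shows, `-` is the placeholder every other column already uses, so the new value itself looks right. The define is fully visible in the hunk.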
From 591b48169ba18c8f9d8337aa2626d716e6866476 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 15:16:08 +0200 Subject: enable shorewall6 rules by default --- manifests/rule.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index 39f0ef9..12c4858 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -18,7 +18,7 @@ define shorewall::rule( $helper = '-', $order = '500', $shorewall = true, - $shorewall6 = false, + $shorewall6 = true, $ensure = 'present', ){ if versioncmp($shorewall_version,'4.5.7') >= 0 { @@ -30,10 +30,11 @@ define shorewall::rule( # el5 $line = '' } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 shorewall::entry{"rules-${order}-${name}": ensure => $ensure, line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", shorewall => $shorewall, - shorewall6 => $shorewall6, + shorewall6 => $with_shorewall6, } } -- cgit v1.2.3 From c2bf7e71d8598dbb05b5dee9f452b6332e9e916e Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 15:28:26 +0200 Subject: make it possibble to disable ipv6 for these rules --- manifests/rules/munin.pp | 4 +++- manifests/rules/out/puppet.pp | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 252f2ed..9496138 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -2,7 +2,8 @@ class shorewall::rules::munin( $munin_port = '4949', $munin_collector = ['127.0.0.1'], - $collector_source = 'net' + $collector_source = 'net', + $shorewall6 = true, ){ shorewall::params4{ 'MUNINPORT': value => $munin_port; @@ -14,6 +15,7 @@ class shorewall::rules::munin( proto => 'tcp', destinationport => '$MUNINPORT', order => 240, + shorewall6 => $shorewall6, action => 'ACCEPT'; } } 
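Review bot: `shorewall::rules::munin` now defaults `$shorewall6 = true`, but `MUNINPORT` and `MUNINCOLLECTOR` are still declared only through `shorewall::params4`, so on a host with shorewall6 enabled the IPv6 rules file references two params that — if `params4` writes the IPv4 params file only, as its name suggests — are undefined there, and `shorewall6 check` fails. Either default this class to `$shorewall6 = false` until the params are also declared for IPv6, or declare them via `shorewall::params{ ...: value => ..., shorewall6 => $shorewall6 }`. The rule.pp hunk in the same commit flips `shorewall::rule`'s own default to `$shorewall6 = true`, which widens every existing `net -> $FW` ACCEPT in the module to IPv6 wherever `$shorewall::with_shorewall6` is set; that is the stated intent, but a line in rule.pp's header comment saying so would help callers audit which of their rules now have an IPv6 counterpart.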
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index cbe8cce..827e23a 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -1,7 +1,9 @@ +# outgoing puppet traffic class shorewall::rules::out::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_port = 8140, + $puppetserver_signport = 8141, + $shorewall6 = true, ) { class{'shorewall::rules::puppet': puppetserver => $puppetserver, @@ -10,11 +12,12 @@ class shorewall::rules::out::puppet( } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': - source => '$FW', - destination => 'net:$PUPPETSERVER', - proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', - order => 340, - action => 'ACCEPT'; + source => '$FW', + destination => 'net:$PUPPETSERVER', + proto => 'tcp', + destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + order => 340, + shorewall6 => $shorewall6, + action => 'ACCEPT'; } } -- cgit v1.2.3 From 1bcdc4ad9340b1468e4bb14e0b7f1ea8bea73c7f Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:12:59 +0200 Subject: manage policies for shorewall6 --- manifests/init.pp | 4 ++++ manifests/policy.pp | 24 ++++++++++++++++-------- manifests/policy4.pp | 22 ++++++++++++++++++++++ manifests/policy6.pp | 22 ++++++++++++++++++++++ 4 files changed, 64 insertions(+), 8 deletions(-) create mode 100644 manifests/policy4.pp create mode 100644 manifests/policy6.pp diff --git a/manifests/init.pp b/manifests/init.pp index 9320944..52de35c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,6 +19,8 @@ class shorewall( $hosts = {}, $hosts_defaults = {}, $policy = {}, + $policy4 = {}, + $policy6 = {}, $policy_defaults = {}, $rules = {}, $rules4 = {}, 
@@ -136,6 +138,8 @@ class shorewall( create_resources('shorewall::interface',$interfaces,$interfaces_defaults) create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::policy4',$policy4,$policy_defaults) + create_resources('shorewall::policy6',$policy6,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) create_resources('shorewall::rule4',$rules4,$rules_defaults) create_resources('shorewall::rule6',$rules6,$rules_defaults) diff --git a/manifests/policy.pp b/manifests/policy.pp index efee05b..892a3d3 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,12 +1,20 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +# http://www.shorewall.net/manpages6/shorewall6-policy.html define shorewall::policy( - $sourcezone, - $destinationzone, - $policy, $shloglevel = '-', - $limitburst = '-', - $order + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', + $shorewall = true, + $shorewall6 = true, ){ - shorewall::entry{"policy-${order}-${name}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"policy-${order}-${name}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/policy4.pp b/manifests/policy4.pp new file mode 100644 index 0000000..301d9af --- /dev/null +++ b/manifests/policy4.pp 
@@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +define shorewall::policy4( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => true, + shorewall6 => false, + } +} + diff --git a/manifests/policy6.pp b/manifests/policy6.pp new file mode 100644 index 0000000..1a4735f --- /dev/null +++ b/manifests/policy6.pp @@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages6/shorewall6-policy.html +define shorewall::policy6( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => false, + shorewall6 => true, + } +} + -- cgit v1.2.3 From 8782101a26279b109f7742d244f23fd245cd3f72 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:18:18 +0200 Subject: we should start managing also that file --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 52de35c..93f71f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -130,7 +130,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces','params','rules']{ + Shorewall::Managed_file['zones','interfaces','params','rules','policy']{ shorewall6 => true, } -- cgit v1.2.3 From 265cf2afa424b5bf9c48b6e8512308d8911a1eca Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:24:50 +0200 Subject: add missing file --- files/boilerplate6/policy.header | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 files/boilerplate6/policy.header 
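Review bot: `shorewall::policy6` passes `$name` unchanged as the title of the inner `shorewall::policy`, so a `policy4` and a `policy6` declared with the same title collide as a duplicate `Shorewall::Policy[...]` declaration; `shorewall::rule6` and `shorewall::params6` were changed earlier in this series to use `"${name}_IP6":` for exactly this reason, and policy6.pp should follow. The `# ${name}` comment written into the policy file will then carry the suffix too, which is presumably acceptable since rule6 already behaves that way.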
diff --git a/files/boilerplate6/policy.header b/files/boilerplate6/policy.header new file mode 100644 index 0000000..aee2ff0 --- /dev/null +++ b/files/boilerplate6/policy.header @@ -0,0 +1,10 @@ +# +# Shorewall6 -- /etc/shorewall6/policy +# +# For information about entries in this file, type "man shorewall6-policy" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-policy.html +# +############################################################################### +#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT -- cgit v1.2.3 From 80aa7d6546d122ccba0b2acc8befa3f20bd08ffd Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:33:25 +0200 Subject: add missing package for EL6 --- manifests/centos.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/centos.pp b/manifests/centos.pp index ff8c6ad..09f34e7 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -9,5 +9,11 @@ class shorewall::centos inherits shorewall::base { require => Package['shorewall'], notify => Exec['shorewall_check'], } + if $shorewall::with_shorewall6 { + package{'perl-Socket6': + ensure => 'installed', + before => Package['shorewall6'], + } + } } } -- cgit v1.2.3 From db26643a43b74f5718f81a821316d6a58855b371 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:37:05 +0200 Subject: also support EL6 style files --- files/boilerplate6/interfaces.header.CentOS.6 | 12 ++++++++++++ manifests/managed_file.pp | 3 ++- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 files/boilerplate6/interfaces.header.CentOS.6 diff --git a/files/boilerplate6/interfaces.header.CentOS.6 b/files/boilerplate6/interfaces.header.CentOS.6 new file mode 100644 index 0000000..944bd94 --- /dev/null +++ b/files/boilerplate6/interfaces.header.CentOS.6 
@@ -0,0 +1,12 @@ +# +# Shorewall6 version 4 - Interfaces File +# +# For information about entries in this file, type "man shorewall6-interfaces" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html +# +############################################################################### +FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 135d59a..4251a8f 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -27,7 +27,8 @@ define shorewall::managed_file( } concat::fragment { "6${name}-header": - source => "puppet:///modules/shorewall/boilerplate6/${name}.header", + source => [ "puppet:///modules/shorewall/boilerplate6/${name}.header.${operatingsystem}.${operatingsystemmajrelease}", + "puppet:///modules/shorewall/boilerplate6/${name}.header",], target => "/etc/shorewall6/puppet/${name}", order => '000'; } -- cgit v1.2.3 From a5e5276a42745bde23800fb5a614363924351323 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:37:55 +0200 Subject: this is IPv4 only so far --- manifests/rules/out/ekeyd.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp index 8acdaad..c437f6a 100644 --- a/manifests/rules/out/ekeyd.pp +++ b/manifests/rules/out/ekeyd.pp @@ -1,5 +1,5 @@ define shorewall::rules::out::ekeyd($host) { - shorewall::rule { "me-${name}-tcp_ekeyd": + shorewall::rule4{ "me-${name}-tcp_ekeyd": source => '$FW', destination => "${name}:${host}", proto => 'tcp', -- cgit v1.2.3 From 4112e79844623b76e0fc47e647a38f99c6d60d9e Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 21:08:58 +0200 Subject: correct snippet --- files/boilerplate6/interfaces.header.CentOS.6 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
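Review bot: The new first `source` element interpolates `${operatingsystem}` and `${operatingsystemmajrelease}` unqualified, while the rest of the module reads facts as `$::operatingsystem`; `${::operatingsystem}.${::operatingsystemmajrelease}` keeps the lookup unambiguous and consistent with base.pp and init.pp. If `operatingsystemmajrelease` is absent on an older facter, the first URL ends in a bare `.` and the array falls through to the generic header, which appears to be the intended behaviour, so a comment such as `# OS-specific header first, generic header as fallback` above the array would make that explicit. The define continues outside the hunk.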
diff --git a/files/boilerplate6/interfaces.header.CentOS.6 b/files/boilerplate6/interfaces.header.CentOS.6 index 944bd94..2e5bd3d 100644 --- a/files/boilerplate6/interfaces.header.CentOS.6 +++ b/files/boilerplate6/interfaces.header.CentOS.6 @@ -1,12 +1,11 @@ # -# Shorewall6 version 4 - Interfaces File +# Shorewall6 -- /etc/shorewall6/interfaces # # For information about entries in this file, type "man shorewall6-interfaces" # # The manpage is also online at # http://www.shorewall.net/manpages6/shorewall6-interfaces.html # -############################################################################### FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS -- cgit v1.2.3 From dbc02ed9a962ef85739094f4a3cbd4ad009d0dde Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 8 May 2017 22:12:02 +0200 Subject: don't notify the service --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index 7f3953b..f37e5ed 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -26,7 +26,7 @@ class shorewall::blrules ( file{'/etc/shorewall/puppet/blrules': content => template('shorewall/blrules.erb'), require => Package['shorewall'], - notify => Service['shorewall'], + notify => Exec['shorewall_check'], owner => root, group => 0, mode => '0644'; -- cgit v1.2.3 From 33b575da9deec3f41896b8e2dfe9e6a89e57e83c Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 8 May 2017 22:13:01 +0200 Subject: try to be extra cautious when restarting and do it with the try, so nothing breaks if something is broken that is not connected at compile time --- manifests/base.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index abf477b..c96e48f 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -65,10 +65,11 @@ class shorewall::base { exec{'shorewall_check': command => 'shorewall check', refreshonly => true, - notify => Service['shorewall'], require => Package['shorewall'], - } - service{'shorewall': + } ~> exec{'shorewall_try': + command => 'shorewall try /etc/shorewall/puppet', + refreshonly => true, + } -> service{'shorewall': ensure => running, enable => true, hasstatus => true, @@ -92,15 +93,15 @@ class shorewall::base { exec{'shorewall6_check': command => 'shorewall6 check', refreshonly => true, - notify => Service['shorewall6'], require => Package['shorewall6'], - } - service{'shorewall6': + } ~> exec{'shorewall6_try': + command => 'shorewall6 try /etc/shorewall6/puppet', + refreshonly => true, + } -> service{'shorewall6': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Exec['shorewall6_check'], } } -- cgit v1.2.3 From 49d8591a1d027ee44b839c364dffe4624f264c2b Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 21 May 2017 13:14:56 +0200 Subject: remove an unnecessary dep --- manifests/base.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index c96e48f..48451ae 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -74,7 +74,6 @@ class shorewall::base { enable => true, hasstatus => true, hasrestart => true, - require => Exec['shorewall_check'], } if $shorewall::with_shorewall6 { -- cgit v1.2.3 From 93ce8e5ec63440dd7ec5586785f24a7609ae48ca Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 5 Jul 2017 14:03:24 +0200 Subject: make ensure a noop for concat::framet, as from puppetlabs-concat 4.0.1 on this is removed and concat purges non-managed fragments --- manifests/entry.pp | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index a7321f8..ccd3305 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp 
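Review bot: `shorewall try /etc/shorewall/puppet` restores the previous ruleset only when the new one fails to load, so a syntactically valid ruleset that cuts off the management connection is still applied; a comment above the exec such as `# try reverts only on load failure, not on lock-out; keep an out-of-band path` would set expectations for operators reading this. The same applies to `shorewall6_try` in the second hunk. The `-> service{...}` ordering also means a failed try skips the service resource for that run, which is presumably the intended fail-safe and worth one line of comment too; the class continues outside the hunk.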
@@ -5,21 +5,23 @@ define shorewall::entry( $shorewall6 = false, $line ){ - $parts = split($name,'-') - if $shorewall { - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $ensure == 'present' { + $parts = split($name,'-') + if $shorewall { + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } } - } - if $shorewall6 and $shorewall::with_shorewall6 { - concat::fragment{"shorewall6_${name}": - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall6/puppet/${parts[0]}", + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } } } } -- cgit v1.2.3 From 06f09ecfbfbdd4c59e31bbcabcc356d2b7a50e9d Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 5 Jul 2017 14:04:01 +0200 Subject: linting --- manifests/entry.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index ccd3305..b8768b0 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,9 +1,9 @@ # a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, - $shorewall = true, - $shorewall6 = false, - $line + $line, + $ensure = present, + $shorewall = true, + $shorewall6 = false, ){ if $ensure == 'present' { $parts = split($name,'-') -- cgit v1.2.3 From aa9d865f8d9a841cc7d4bef70aa5481816a9649e Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 6 Jul 2017 08:07:08 +0200 Subject: to make the previous commit work, we should also remove the ensure from fragment --- manifests/entry.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index b8768b0..b6ce702 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp 
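Review bot: Wrapping both fragments in `if $ensure == 'present'` means any other value — including a typo such as `presnet` — now silently emits nothing, where previously the value was handed to `concat::fragment` and rejected there; adding `elsif $ensure != 'absent' { fail("shorewall::entry ${name}: unsupported ensure '${ensure}'") }` keeps the old strictness while still relying on concat's purge for removal. The define is fully visible in the hunk.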
@@ -9,7 +9,6 @@ define shorewall::entry( $parts = split($name,'-') if $shorewall { concat::fragment{$name: - ensure => $ensure, content => "${line}\n", order => $parts[1], target => "/etc/shorewall/puppet/${parts[0]}", @@ -17,7 +16,6 @@ define shorewall::entry( } if $shorewall6 and $shorewall::with_shorewall6 { concat::fragment{"shorewall6_${name}": - ensure => $ensure, content => "${line}\n", order => $parts[1], target => "/etc/shorewall6/puppet/${parts[0]}", -- cgit v1.2.3 From b92b6930ca6c10c89b8f59cce393643eb32248e5 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 19 Jul 2017 17:05:48 +0200 Subject: add mosh support --- manifests/rules/mosh.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 manifests/rules/mosh.pp diff --git a/manifests/rules/mosh.pp b/manifests/rules/mosh.pp new file mode 100644 index 0000000..1cd3486 --- /dev/null +++ b/manifests/rules/mosh.pp @@ -0,0 +1,11 @@ +# enable mosh support +class shorewall::rules::mosh { + shorewall::rule { 'net-me-mosh-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '60000:61000', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 4b9c6e1714857a702add52b1176eb65d347ac71d Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 3 Aug 2017 10:17:00 +0200 Subject: make it possible to set v6 and v6 puppetserver --- manifests/rules/puppet.pp | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index ee920b0..6cb0282 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp 
@@ -1,12 +1,30 @@ # outgoing puppet params class shorewall::rules::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, + $puppetserver = "puppet.${::domain}", + $puppetserver_v6 = undef, + $puppetserver_port = 8140, $puppetserver_signport = 8141 ){ - shorewall::params4{ - 'PUPPETSERVER': value => $puppetserver; + shorewall::params{ 'PUPPETSERVER_PORT': value => $puppetserver_port; 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } + if is_ipv4_address($puppetserver){ + shorewall::params4{ + 'PUPPETSERVER': value => $puppetserver; + } + if $puppetserver_v6 { + shorewall::params6{ + 'PUPPETSERVER': value => $puppetserver; + } + } + } elsif is_ipv6_address($puppetserver){ + shorewall::params6{ + 'PUPPETSERVER': value => $puppetserver; + } + } else { + shorewall::params{ + 'PUPPETSERVER': value => $puppetserver; + } + } } -- cgit v1.2.3 From 48fad255975ccbe9b58bb1e17882a4357f8721ab Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 19:15:12 +0200 Subject: workaround a bug in facter that sets ipaddress6 to ipv4 addresses --- manifests/init.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 93f71f7..7f9676d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -68,6 +68,16 @@ class shorewall( $merged_settings = merge($def_settings,$settings) + # workaround https://tickets.puppetlabs.com/browse/FACT-1739 + if $shorewall6 == 'auto' { + if $ipaddress6 and $ipaddress6 =~ /:/ { + $with_shorewall6 = true + } else { + $with_shorewall6 = false + } + } else { + $with_shorewall6 = str2bool($shorewall6) + } $with_shorewall6 = $shorewall6 ? { 'auto' => $ipaddress6 ? { undef => false, -- cgit v1.2.3 From fb533f32279e4479431a37b4245a6e2f1d17e32b Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 20:29:56 +0200 Subject: delete the old way --- manifests/init.pp | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/manifests/init.pp b/manifests/init.pp index 7f9676d..cf7d5b8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -78,13 +78,6 @@ class shorewall( } else { $with_shorewall6 = str2bool($shorewall6) } - $with_shorewall6 = $shorewall6 ? { - 'auto' => $ipaddress6 ? { - undef => false, - default => true, - }, - default => str2bool($shorewall6), - } case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } -- cgit v1.2.3 From aee37040009edb28105f06ebc615f4b55d5d56a9 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 21:14:20 +0200 Subject: make sure we also en/disable it based on the right setting --- manifests/init.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index cf7d5b8..61187f0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -57,17 +57,6 @@ class shorewall( $daily_check = true, ) { - $disable_ipv6 = $ipaddress6 ? { - undef => 'Yes', - default => 'No', - } - $def_settings = { - 'LOG_MARTIANS' => 'No', - 'DISABLE_IPV6' => $disable_ipv6, - } - - $merged_settings = merge($def_settings,$settings) - # workaround https://tickets.puppetlabs.com/browse/FACT-1739 if $shorewall6 == 'auto' { if $ipaddress6 and $ipaddress6 =~ /:/ { @@ -79,6 +68,17 @@ class shorewall( $with_shorewall6 = str2bool($shorewall6) } + $disable_ipv6 = $with_shorewall6 ? { + false => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From 1643fc0f14aaf4a31f18af8adcf682298a9c8aca Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 12:50:31 +0200 Subject: there is no ipv6 support there yet --- manifests/rules/out/ibackup.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 856bcdb..9827426 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,5 +1,7 @@ class shorewall::rules::out::ibackup( - $backup_host + $backup_host, + $shorewall4 = true, + $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', @@ -7,6 +9,8 @@ class shorewall::rules::out::ibackup( proto => 'tcp', destinationport => 'ssh', order => 240, - action => 'ACCEPT'; + action => 'ACCEPT', + shorewall4 => $shorewall4, + shorewall6 => $shorewall6, } } -- cgit v1.2.3 From 398b8b94cbeedf08615c926a5a37974bca002943 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 12:52:56 +0200 Subject: fix param name --- manifests/rules/out/ibackup.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 9827426..17cc314 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,6 +1,6 @@ class shorewall::rules::out::ibackup( $backup_host, - $shorewall4 = true, + $shorewall = true, $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': @@ -10,7 +10,7 @@ class shorewall::rules::out::ibackup( destinationport => 'ssh', order => 240, action => 'ACCEPT', - shorewall4 => $shorewall4, + shorewall => $shorewall, shorewall6 => $shorewall6, } } -- cgit v1.2.3 From 983ae4c5bc61b09422b671123e670d62cb4e2e59 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 22:14:33 +0200 Subject: correctly set shorewall6 option for puppetserver config --- manifests/rules/out/puppet.pp | 1 + manifests/rules/puppet.pp | 24 +++++++++++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index 827e23a..2444dcb 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp 
@@ -9,6 +9,7 @@ class shorewall::rules::out::puppet(
     puppetserver => $puppetserver,
     puppetserver_port => $puppetserver_port,
     puppetserver_signport => $puppetserver_signport,
+    shorewall6 => $shorewall6,
   }
   # we want to connect to the puppet server
   shorewall::rule { 'me-net-puppet_tcp':
diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp
index 6cb0282..dcb88f5 100644
--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -3,28 +3,38 @@ class shorewall::rules::puppet(
   $puppetserver = "puppet.${::domain}",
   $puppetserver_v6 = undef,
   $puppetserver_port = 8140,
-  $puppetserver_signport = 8141
+  $puppetserver_signport = 8141,
+  $shorewall6 = true,
 ){
   shorewall::params{
-    'PUPPETSERVER_PORT': value => $puppetserver_port;
-    'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport;
+    'PUPPETSERVER_PORT':
+      value => $puppetserver_port,
+      shorewall6 => $shorewall6;
+    'PUPPETSERVER_SIGN_PORT':
+      value => $puppetserver_signport,
+      shorewall6 => $shorewall6,
   }
   if is_ipv4_address($puppetserver){
     shorewall::params4{
-      'PUPPETSERVER': value => $puppetserver;
+      'PUPPETSERVER':
+        value => $puppetserver;
     }
     if $puppetserver_v6 {
       shorewall::params6{
-        'PUPPETSERVER': value => $puppetserver;
+        'PUPPETSERVER':
+          value => $puppetserver_v6;
       }
     }
   } elsif is_ipv6_address($puppetserver){
     shorewall::params6{
-      'PUPPETSERVER': value => $puppetserver;
+      'PUPPETSERVER':
+        value => $puppetserver;
     }
   } else {
     shorewall::params{
-      'PUPPETSERVER': value => $puppetserver;
+      'PUPPETSERVER':
+        value => $puppetserver,
+        shorewall6 => $shorewall6;
     }
   }
 }
-- cgit v1.2.3
From 213a4254c03db1477f584972519b1fe3b351074b Mon Sep 17 00:00:00 2001
From: mh
Date: Wed, 30 Aug 2017 00:39:26 +0200
Subject: make ipv6 tuneable
---
 manifests/rules/out/imap.pp | 24 ++++++++++++++----------
 manifests/rules/out/pop3.pp | 24 ++++++++++++++----------
 2 files changed, 28 insertions(+), 20 deletions(-)
diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp
index f1313d2..0cbee50 100644
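Review bot: `shorewall6 => $shorewall6` on the `shorewall::rules::puppet` declaration assumes `$shorewall6` is already a parameter or variable of `shorewall::rules::out::puppet`; the class header is outside the hunk and the diffstat shows this as the file's only added line, so that cannot be confirmed here. If it is not declared, the value passed is undef and shorewall::rules::puppet presumably falls back to its own default of true regardless of what the caller wanted. If missing, add `$shorewall6 = true,` to this class's parameter list so the two defaults stay aligned.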
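Review bot: In the `is_ipv4_address($puppetserver)` branch, `PUPPETSERVER` is only written to the shorewall6 params when `$puppetserver_v6` is set, yet `$shorewall6` defaults to true and `PUPPETSERVER_PORT`/`PUPPETSERVER_SIGN_PORT` are now emitted for shorewall6 unconditionally; presumably any shorewall6 rule that references `$PUPPETSERVER` then compiles against an undefined variable. Consider failing early in that branch with `if $shorewall6 and !$puppetserver_v6 { fail('shorewall6 is enabled but no puppetserver_v6 was given') }`, or passing `shorewall6 => $puppetserver_v6 != undef` for the two port params. Separately, the `'PUPPETSERVER_SIGN_PORT'` body ends with `shorewall6 => $shorewall6,` while its sibling ends with `;`; both parse, but one terminator style per block reads better.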
--- a/manifests/rules/out/imap.pp
+++ b/manifests/rules/out/imap.pp
@@ -1,11 +1,15 @@
-class shorewall::rules::out::imap {
-  shorewall::rule {
-    'me-net-tcp_imap_s':
-      source => '$FW',
-      destination => 'net',
-      proto => 'tcp',
-      destinationport => '143,993',
-      order => 260,
-      action => 'ACCEPT';
-  }
+# outgoing imap
+class shorewall::rules::out::imap(
+  $shorewall6 = true,
+) {
+  shorewall::rule {
+    'me-net-tcp_imap_s':
+      source => '$FW',
+      destination => 'net',
+      proto => 'tcp',
+      destinationport => '143,993',
+      order => 260,
+      action => 'ACCEPT',
+      shorewall6 => $shorewall6,
+  }
 }
diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp
index ebd4828..ea66bf7 100644
--- a/manifests/rules/out/pop3.pp
+++ b/manifests/rules/out/pop3.pp
@@ -1,11 +1,15 @@
-class shorewall::rules::out::pop3 {
-  shorewall::rule {
-    'me-net-tcp_pop3_s':
-      source => '$FW',
-      destination => 'net',
-      proto => 'tcp',
-      destinationport => 'pop3,pop3s',
-      order => 260,
-      action => 'ACCEPT';
-  }
+# outoging oper3
+class shorewall::rules::out::pop3(
+  $shorewall6 = true,
+) {
+  shorewall::rule {
+    'me-net-tcp_pop3_s':
+      source => '$FW',
+      destination => 'net',
+      proto => 'tcp',
+      destinationport => 'pop3,pop3s',
+      order => 260,
+      action => 'ACCEPT',
+      shorewall6 => $shorewall6,
+  }
 }
-- cgit v1.2.3
From cb6b6b7f85b39374897ccb8fd8b219809f35d9ba Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 24 Sep 2017 11:59:03 +0200
Subject: make sure shorewall6 is started after shorewall as inserting fw rules into iptables can't be properly serialized. This is a backport of a fix that went into shorewall 5.1.6 by commit 0603f8e355b19ca88d2a7ad6f181767092e02e00 in the shorewall repository.
---
 manifests/base.pp | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/manifests/base.pp b/manifests/base.pp
index 48451ae..cc8090b 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
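Review bot: The new header comment `# outoging oper3` in pop3.pp is garbled; it should read `# outgoing pop3`, mirroring `# outgoing imap` in the sibling hunk above. The two classes are otherwise identical in shape, so the typo is the only thing to fix here.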
@@ -24,6 +24,24 @@ class shorewall::base {
     package{'shorewall6':
       ensure => 'installed'
     }
+    # serialize systemd where it's not yet done
+    if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) {
+      include ::systemd
+      file{
+        '/etc/systemd/system/shorewall6.service.d':
+          ensure => directory,
+          owner => 'root',
+          group => 'root',
+          mode => '0644';
+        '/etc/systemd/system/shorewall6.service.d/after-ipv4.conf':
+          content => "[Unit]\nAfter=shorewall.service\n",
+          owner => 'root',
+          group => 'root',
+          mode => '0644',
+          notify => Exec['systemctl-daemon-reload'],
+      }
+      Exec['systemctl-daemon-reload'] -> Service['shorewall6']
+    }
     file {
       '/etc/shorewall6/shorewall6.conf':
         require => Package['shorewall6'],
-- cgit v1.2.3
From 9a8057158e7a08a3da86fee163e8d955193e6900 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 24 Sep 2017 12:01:09 +0200
Subject: linting
---
 manifests/base.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index cc8090b..51e99bf 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -22,7 +22,7 @@ class shorewall::base {
   }
   if $shorewall::with_shorewall6 {
     package{'shorewall6':
-      ensure => 'installed'
+      ensure => 'installed',
     }
     # serialize systemd where it's not yet done
     if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) {
-- cgit v1.2.3
From fab57483f46bab58275063081c5e4e6f7db9d2ab Mon Sep 17 00:00:00 2001
From: mh
Date: Thu, 2 Nov 2017 16:27:01 +0100
Subject: switch to the new facts hash
---
 manifests/init.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index 61187f0..c286ba5 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
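Review bot: `versioncmp($facts['shorewall_version'],'5.1.6')` runs with no check that the fact is present; if `shorewall_version` is a custom fact derived from the installed package (its definition is not in this diff), it is absent on the first run before shorewall is installed, and `versioncmp` with an undef argument fails catalog compilation on Puppet 4 and later, so the whole class never applies on a fresh host. Guard it with `if $facts['shorewall_version'] and (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) {`, which also documents that the drop-in is only needed until the package itself carries the ordering. `mode => '0644'` on the `.service.d` directory relies on Puppet promoting read bits to search bits for directories; writing `'0755'` states the intent and avoids it being read as a copy-paste of the file's mode. The ordering `Exec['systemctl-daemon-reload'] -> Service['shorewall6']` hard-codes a resource title owned by the `::systemd` module, so a one-line comment naming that dependency would save the next person a compile-failure hunt if the module renames it.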
@@ -8,7 +8,7 @@ class shorewall(
   $ensure_version = 'present',
   $tor_transparent_proxy_host = '127.0.0.1',
   $tor_transparent_proxy_port = '9040',
-  $tor_user = $::operatingsystem ? {
+  $tor_user = $facts['operatingsystem'] ? {
     'Debian' => 'debian-tor',
     default => 'tor'
   },
@@ -59,7 +59,7 @@ class shorewall(
 
   # workaround https://tickets.puppetlabs.com/browse/FACT-1739
   if $shorewall6 == 'auto' {
-    if $ipaddress6 and $ipaddress6 =~ /:/ {
+    if $facts['ipaddress6'] and $facts['ipaddress6'] =~ /:/ {
       $with_shorewall6 = true
     } else {
       $with_shorewall6 = false
@@ -79,12 +79,12 @@ class shorewall(
   $merged_settings = merge($def_settings,$settings)
 
 
-  case $::operatingsystem {
+  case $facts['operatingsystem'] {
     'Gentoo': { include ::shorewall::gentoo }
     'Debian','Ubuntu': { include ::shorewall::debian }
     'CentOS': { include ::shorewall::centos }
     default: {
-      notice "unknown operatingsystem: ${::operatingsystem}"
+      notice "unknown operatingsystem: ${facts['operatingsystem']}"
       include ::shorewall::base
     }
   }
-- cgit v1.2.3
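Review bot: All three hunks move to the `$facts` hash but keep the legacy flat fact names `operatingsystem` and `ipaddress6`, while base.pp earlier in this series already reads the structured `$facts['os']['release']['major']`; for consistency, and so the manifest survives the deprecation of legacy facts, use `$facts['os']['name']` in the first and third hunks and `$facts['networking']['ip6']` in the second. The `=~ /:/` test from the FACT-1739 workaround should stay as it is, assuming the structured fact is affected the same way; that is worth confirming before switching. The `notice` string in the third hunk would then need the same substitution so the message keeps reporting the value that was actually matched.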