From 236336c6755c569ff43589b1256f177f11cfb1a0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 14 Feb 2011 13:32:38 -0200 Subject: Make $shorewall_ensure_version = present by default --- manifests/base.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/base.pp b/manifests/base.pp index 58b753e..53600e7 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,4 +1,8 @@ class shorewall::base { + case $shorewall_ensure_version { + '': { $shorewall_ensure_version = 'present' } + } + package { 'shorewall': ensure => $shorewall_ensure_version, } -- cgit v1.2.3 From fc200fa2135f7bbc86564f17f476df6257affcf0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 13 Sep 2011 22:16:00 -0300 Subject: Adding shorewall::tunnel --- manifests/base.pp | 1 + manifests/init.pp | 2 ++ manifests/tunnel.pp | 11 +++++++++++ 3 files changed, 14 insertions(+) create mode 100644 manifests/tunnel.pp diff --git a/manifests/base.pp b/manifests/base.pp index 53600e7..be3b1f6 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -46,6 +46,7 @@ class shorewall::base { File["/var/lib/puppet/modules/shorewall/tcdevices"], File["/var/lib/puppet/modules/shorewall/tcrules"], File["/var/lib/puppet/modules/shorewall/tcclasses"], + File["/var/lib/puppet/modules/shorewall/tunnel"], ], require => Package[shorewall], } diff --git a/manifests/init.pp b/manifests/init.pp index f69a6f2..57dbeac 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -71,5 +71,7 @@ class shorewall { shorewall::managed_file { tcrules: } # See http://www.shorewall.net/3.0/traffic_shaping.htm shorewall::managed_file { tcclasses: } + # See http://www.shorewall.net/manpages/shorewall-tunnels.html + shorewall::managed_file { tunnel: } } diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp new file mode 100644 index 0000000..e0c71e7 --- /dev/null +++ b/manifests/tunnel.pp 
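Review bot: The default is applied by reassigning `$shorewall_ensure_version` inside `class shorewall::base` after matching the empty string, which relies on the node-scope value being visible through dynamic scoping and on the class being allowed to shadow it; on Puppet releases that drop dynamic scope the unqualified read presumably returns undef, so the `'present'` fallback would silently override an operator-set pin. Reading the top-scope value explicitly, `case $::shorewall_ensure_version`, and documenting the accepted values would make the intent explicit: `# ensure for Package['shorewall']: 'present' (default), 'latest', or a pinned version string`. The class body continues past the hunk.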
@@ -0,0 +1,11 @@ +define shorewall::tunnel( + $tunnel_type, + $zone, + $gateway = '0.0.0.0/0', + $gateway_zones = '', + $order = '1' +) { + shorewall::entry { "tunnel.d/${order}-${title}": + line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", + } +} -- cgit v1.2.3 From c566c907a31b8142b2f2570210b9547c22af5326 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 13 Sep 2011 22:31:30 -0300 Subject: Adding tunnel boilerplate --- files/boilerplate/tunnel.footer | 1 + files/boilerplate/tunnel.header | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 files/boilerplate/tunnel.footer create mode 100644 files/boilerplate/tunnel.header diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnel.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tunnel.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header new file mode 100644 index 0000000..638fd56 --- /dev/null +++ b/files/boilerplate/tunnel.header @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Tunnels File +# +# For information about entries in this file, type "man shorewall-tunnels" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-tunnels.html +# +############################################################################### +#TYPE ZONE GATEWAY GATEWAY +# ZONE -- cgit v1.2.3 From f072fb5d41026d8b4b5125f8d249b687225cb108 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Jun 2012 12:35:12 -0400 Subject: fix for: Syntax error at [; expected ] at /etc/puppet/modules/shorewall/manifests/init.pp:39 --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index e5456d0..3921ade 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
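Review bot: `$gateway` defaults to `'0.0.0.0/0'` in `shorewall::tunnel`, so a tunnel declared without a gateway admits the tunnel protocol named by `$tunnel_type` from any source address; that is the permissive choice and nothing at the define says so. A header comment would help: `# $gateway: peer(s) allowed to terminate the tunnel; the '0.0.0.0/0' default admits any host — set it to the remote endpoint(s) when they are known.` None of `$tunnel_type`, `$zone` or `$gateway_zones` is checked before being interpolated into the tunnel file, so an empty `$zone` or a value containing whitespace yields a shifted column in the generated file rather than a catalog failure; a `validate_re`-style check, if puppetlabs-stdlib is available to this module, or at least a comment naming the expected formats is worth adding.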
@@ -37,7 +37,7 @@ class shorewall { case $non_torified_users { '': { $non_torified_users = [] } } - $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) + $real_non_torified_users = uniq_flatten($tor_user, $non_torified_users) file {"/var/lib/puppet/modules/shorewall": ensure => directory, -- cgit v1.2.3 From 30a604eced948f9cd8e663f129bd97ffdaf077aa Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 20 Jun 2012 14:24:44 -0400 Subject: Revert "fix for: Syntax error at [; expected ] at /etc/puppet/modules/shorewall/manifests/init.pp:39" This reverts commit f072fb5d41026d8b4b5125f8d249b687225cb108. --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 3921ade..e5456d0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -37,7 +37,7 @@ class shorewall { case $non_torified_users { '': { $non_torified_users = [] } } - $real_non_torified_users = uniq_flatten($tor_user, $non_torified_users) + $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) file {"/var/lib/puppet/modules/shorewall": ensure => directory, -- cgit v1.2.3 From 911cc18e594bb5a3ab642ebb24615a0447050c32 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Wed, 20 Jun 2012 14:24:54 -0400 Subject: Revert "Support exempting some users from torification measures." This reverts commit 6cb88973f53aa7d92414797dd21952c1c1d5da98. --- README | 5 +---- manifests/init.pp | 4 ---- manifests/rules/torify.pp | 2 -- manifests/rules/torify/allow_tor_user.pp | 15 +++++++++++++++ manifests/rules/torify/non_torified_user.pp | 25 ------------------------- manifests/rules/torify/non_torified_users.pp | 9 --------- manifests/rules/torify/redirect_tcp_to_tor.pp | 7 ++++++- manifests/rules/torify/user.pp | 4 ++++ 8 files changed, 26 insertions(+), 45 deletions(-) create mode 100644 manifests/rules/torify/allow_tor_user.pp delete mode 100644 manifests/rules/torify/non_torified_user.pp delete mode 100644 manifests/rules/torify/non_torified_users.pp diff --git a/README b/README index c20227e..648eaf7 100644 --- a/README +++ b/README @@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses is by default allowed and (obviously) not torified. This behaviour can be changed by setting the allow_rfc1918 parameter to false. -Torify any outgoing TCP traffic but - - connections to RFC1918 addresses - - connections from users bob and alice: +Torify any outgoing TCP traffic but connections to RFC1918 addresses: - $non_torified_users = [ 'bob', 'alice' ] shorewall::rules::torify { 'torify-everything-but-lan': } diff --git a/manifests/init.pp b/manifests/init.pp index e5456d0..f69a6f2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -34,10 +34,6 @@ class shorewall { default => $dist_tor_user, } } - case $non_torified_users { - '': { $non_torified_users = [] } - } - $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) file {"/var/lib/puppet/modules/shorewall": ensure => directory, diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp index b393a2a..f6e62d8 100644 --- a/manifests/rules/torify.pp +++ b/manifests/rules/torify.pp 
@@ -18,8 +18,6 @@ define shorewall::rules::torify( $allow_rfc1918 = true ){ - include shorewall::rules::torify::non_torified_users - $originaldest = join($destinations,',') shorewall::rules::torify::user { diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp new file mode 100644 index 0000000..f44c1f0 --- /dev/null +++ b/manifests/rules/torify/allow_tor_user.pp @@ -0,0 +1,15 @@ +class shorewall::rules::torify::allow_tor_user { + + $whitelist_rule = "allow-from-tor-user" + if !defined(Shorewall::Rule["$whitelist_rule"]) { + shorewall::rule { + "$whitelist_rule": + source => '$FW', + destination => 'all', + user => $shorewall::tor_user, + order => 101, + action => 'ACCEPT'; + } + } + +} diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp deleted file mode 100644 index 34e4db7..0000000 --- a/manifests/rules/torify/non_torified_user.pp +++ /dev/null @@ -1,25 +0,0 @@ -define shorewall::rules::torify::non_torified_user() { - - $user = $name - - $whitelist_rule = "allow-from-user=${user}" - shorewall::rule { - "$whitelist_rule": - source => '$FW', - destination => 'all', - user => $user, - order => 101, - action => 'ACCEPT'; - } - - $nonat_rule = "dont-redirect-to-tor-user=${user}" - shorewall::rule { - "$nonat_rule": - source => '$FW', - destination => '-', - user => $user, - order => 106, - action => 'NONAT'; - } - -} diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp deleted file mode 100644 index 582dfed..0000000 --- a/manifests/rules/torify/non_torified_users.pp +++ /dev/null @@ -1,9 +0,0 @@ -class shorewall::rules::torify::non_torified_users { - - $real_non_torified_users = $shorewall::real_non_torified_users - - shorewall::rules::torify::non_torified_user { - $real_non_torified_users: - } - -} 
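Review bot: The `if !defined(Shorewall::Rule["$whitelist_rule"])` guard in `shorewall::rules::torify::allow_tor_user` is redundant and parse-order dependent: the rule lives in a class, which Puppet evaluates once however many times it is `include`d, so the guard can never be needed and only hides a genuine duplicate declaration of `allow-from-tor-user` elsewhere. Drop the guard and declare the rule directly, keeping a why-comment for the broad ACCEPT: `# Tor itself must reach the network unredirected: accept everything from $tor_user to every zone ahead of the DNAT rules (order 101 < 110).` `destination => 'all'` covers every zone, not just `net`; if that is deliberate, say so in the same comment.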
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp index fe1c5fe..2bee658 100644 --- a/manifests/rules/torify/redirect_tcp_to_tor.pp +++ b/manifests/rules/torify/redirect_tcp_to_tor.pp @@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor( default => $originaldest, } + $user_real = $user ? { + '-' => "!${shorewall::tor_user}", + default => $user, + } + $destzone = $shorewall::tor_transparent_proxy_host ? { '127.0.0.1' => '$FW', default => 'net' @@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor( destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", proto => 'tcp:syn', originaldest => $originaldest_real, - user => $user, + user => $user_real, order => 110, action => 'DNAT'; } diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp index 49c0b34..5caccfd 100644 --- a/manifests/rules/torify/user.pp +++ b/manifests/rules/torify/user.pp @@ -7,6 +7,10 @@ define shorewall::rules::torify::user( include shorewall::rules::torify::allow_tor_transparent_proxy + if $originaldest == '-' and $user == '-' { + include shorewall::rules::torify::allow_tor_user + } + shorewall::rules::torify::redirect_tcp_to_tor { "redirect-to-tor-user=${user}-to=${originaldest}": user => $user, -- cgit v1.2.3 From 8c018a38aadafc94762c6f9bf7efdf9640bbac9b Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 12 Jul 2012 19:32:12 -0400 Subject: update to latest upstream --- files/shorewall.conf.CentOS.6 | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/files/shorewall.conf.CentOS.6 b/files/shorewall.conf.CentOS.6 index 0d7a9be..7f9013b 100644 --- a/files/shorewall.conf.CentOS.6 +++ b/files/shorewall.conf.CentOS.6 @@ -42,6 +42,8 @@ LOGLIMIT= MACLIST_LOG_LEVEL=info +RELATED_LOG_LEVEL= + SFILTER_LOG_LEVEL=info SMURF_LOG_LEVEL=info 
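Review bot: In `shorewall::rules::torify::user` the Tor-user whitelist is included only when both `$originaldest` and `$user` are `'-'`, and the negation added in `redirect_tcp_to_tor` (`$user_real = "!${shorewall::tor_user}"`) likewise fires only for `user == '-'`; for a per-user torify declaration the Tor daemon's own egress is neither excluded nor explicitly accepted, so it depends on whatever `$FW` policy applies outside this diff. A comment at the `if` would record that: `# Only the catch-all case needs an explicit ACCEPT for $tor_user; per-user DNATs never match the tor user, so its egress relies on the $FW->net policy.` Note also that only the literal `'-'` is translated — a caller passing an empty string falls into the `default` arm, and the DNAT would then presumably match Tor's own connections and loop them into the transparent proxy. The `user` define body continues past the hunk.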
@@ -54,7 +56,9 @@ TCP_FLAGS_LOG_LEVEL=info # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S ############################################################################### -CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" +CONFIG_PATH="/etc/shorewall/puppet:${CONFDIR}/shorewall:${SHAREDIR}/shorewall" + +GEOIPDIR=/usr/share/xt_geoip/LE IPTABLES= @@ -62,6 +66,8 @@ IP= IPSET= +LOCKFILE= + MODULESDIR= PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" @@ -139,7 +145,7 @@ FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=Yes -HIGH_ROUTE_MARKS=No +IPSET_WARNINGS=Yes IP_FORWARDING=On @@ -149,7 +155,7 @@ LEGACY_FASTSTART=Yes LOAD_HELPERS_ONLY=No -MACLIST_TABLE=mangle +MACLIST_TABLE=filter MACLIST_TTL= @@ -191,7 +197,7 @@ TRACK_PROVIDERS=No USE_DEFAULT_RT=No -WIDE_TC_MARKS=No +USE_PHYSICAL_NAMES=No ZONE2ZONE=2 @@ -201,7 +207,9 @@ ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP -MACLIST_DISPOSITION=DROP +MACLIST_DISPOSITION=REJECT + +RELATED_DISPOSITION=ACCEPT SMURF_DISPOSITION=DROP @@ -209,6 +217,20 @@ SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP +################################################################################ +# P A C K E T M A R K L A Y O U T +################################################################################ + +TC_BITS= + +PROVIDER_BITS= + +PROVIDER_OFFSET= + +MASK_BITS= + +ZONE_BITS=0 + ################################################################################ # L E G A C Y O P T I O N # D O N O T D E L E T E O R A L T E R -- cgit v1.2.3 From b2499eb83c6a55ecebc92e9150cd383eac423fc2 Mon Sep 17 00:00:00 2001 From: Andreas Date: Tue, 2 Oct 2012 20:28:05 -0500 Subject: add ipsec_nat rule port 4500 --- manifests/rules/ipsec_nat.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 manifests/rules/ipsec_nat.pp diff --git a/manifests/rules/ipsec_nat.pp b/manifests/rules/ipsec_nat.pp new file mode 100644 index 0000000..6c0d507 --- /dev/null +++ b/manifests/rules/ipsec_nat.pp 
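Review bot: `MACLIST_DISPOSITION` changes from `DROP` to `REJECT` in this hunk with only "update to latest upstream" as justification; REJECT answers a MAC-list failure with an ICMP or RST, which tells a host with a spoofed or unregistered MAC that a filter is present, whereas DROP stays silent, so this is a policy change rather than a sync and deserves its own sentence in the commit message or a comment beside the setting, e.g. `# REJECT (upstream default) is chattier than DROP; keep DROP if MAC spoofers should learn nothing`. `CONFIG_PATH` now lists `/etc/shorewall/puppet` first, which is right for overriding, and `RELATED_DISPOSITION=ACCEPT` plus the new empty `RELATED_LOG_LEVEL=` take shorewall's defaults for a security-relevant knob; a one-line `# empty: shorewall default` next to each intentionally empty value makes later diffs reviewable.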
@@ -0,0 +1,18 @@ +class shorewall::rules::ipsec_nat { + shorewall::rule { + 'net-me-ipsec-nat-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '4500', + order => 240, + action => 'ACCEPT'; + 'me-net-ipsec-nat-udp': + source => '$FW', + destination => 'net', + proto => 'udp', + destinationport => '4500', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 8a98c5b47995f54a2619f5fe2964edd792bb051f Mon Sep 17 00:00:00 2001 From: intrigeri Date: Thu, 24 May 2012 21:25:10 +0200 Subject: Import rough libvirt::host class. --- manifests/rules/libvirt/host.pp | 47 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 manifests/rules/libvirt/host.pp diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp new file mode 100644 index 0000000..ac60b98 --- /dev/null +++ b/manifests/rules/libvirt/host.pp 
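Review bot: `shorewall::rules::ipsec_nat` opens only UDP/4500 (NAT-T) in both directions and does not include `shorewall::rules::ipsec`, which carries the IKE (UDP/500) and ESP rules this class presupposes, so a node that declares only this class gets a half-open IPsec policy. Either add `include shorewall::rules::ipsec` at the top of the class or state the dependency in a header comment: `# NAT-T (UDP/4500) only; declare shorewall::rules::ipsec as well for IKE (udp/500) and ESP.` The zone is hard-coded to `net` in both rule bodies and titles, unlike the `$source` parameter that `shorewall::rules::ipsec` gains elsewhere on this page; a matching parameter would keep the two classes consistent.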
@@ -0,0 +1,47 @@ +class shorewall::rules::libvirt::host ( + $vmz = 'vmz', + $masq_iface = 'eth0', + ) { + + define shorewall::rule::accept::from_vmz ( + $proto = '-', $destinationport = '-', $action = 'ACCEPT' ) { + shorewall::rule { "$name": + source => $vmz, destination => '$FW', order => 300, + proto => $proto, destinationport => $destinationport, action => $action; + } + } + + shorewall::policy { + 'fw-to-vmz': + sourcezone => '$FW', + destinationzone => $vmz, + policy => 'ACCEPT', + order => 110; + 'vmz-to-net': + sourcezone => $vmz, + destinationzone => 'net', + policy => 'ACCEPT', + order => 200; + 'vmz-to-all': + sourcezone => $vmz, + destinationzone => 'all', + policy => 'DROP', + shloglevel => 'info', + order => 800; + } + + shorewall::rule::accept::from_vmz { + 'accept_ftp_from_vmz': action => 'FTP(ACCEPT)'; + 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; + 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; + 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT'; + 'accept_puppet_from_vmz': proto => 'tcp', destinationport => '8140', action => 'ACCEPT'; + } + + shorewall::masq { + "masq-${masq_iface}": + interface => "$masq_iface", + source => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16'; + } + +} -- cgit v1.2.3 From 0c28fa636653f395c756f56c93f8c78fddfcee00 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 7 Jan 2012 15:23:47 +0100 Subject: Allow redirecting DNS requests to Tor for specific users or globally. --- README | 13 ++++++++- manifests/init.pp | 6 +++++ manifests/rules/torify/redirect_dns_to_tor.pp | 38 +++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 manifests/rules/torify/redirect_dns_to_tor.pp diff --git a/README b/README index 648eaf7..816ed48 100644 --- a/README +++ b/README 
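Review bot: The `shorewall::masq` source list in `shorewall::rules::libvirt::host` includes `169.254.0.0/16`; link-local addresses are not meant to be routed, let alone NATed out of `$masq_iface`, so that prefix should be dropped (keeping the three RFC1918 ranges) or the reason for it documented next to the resource. Defining `shorewall::rule::accept::from_vmz` inside the class body gives it a name outside the class's namespace and makes it read `$vmz` from the enclosing class by dynamic scope; moving the define to its own file under `shorewall::rules::libvirt::` and passing the zone as a parameter avoids depending on parse order and on scoping rules that later Puppet releases tighten. The `vmz-to-net` ACCEPT policy at order 200 lets guests reach the internet without restriction; if intentional, a `# guests get unrestricted egress; tighten here if VMs are untrusted` comment beside it would help.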
@@ -107,7 +107,18 @@ rejected. This is intentional: it does not make sense leaking -via DNS requests- network activity that would otherwise be torified. In that case you probably want to read proper documentation about such matters, enable the Tor DNS resolver and redirect DNS requests through -it. +it, + +either globally: + + shorewall::rules::torify::redirect_dns_to_tor { '-': } + +or for specific users: + + shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: } + +The $tor_dns_host and $tor_dns_port variables must be set before +these defines are setup. Example ------- diff --git a/manifests/init.pp b/manifests/init.pp index f69a6f2..5c9b602 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -28,6 +28,12 @@ class shorewall { case $tor_transparent_proxy_port { '': { $tor_transparent_proxy_port = '9040' } } + case $tor_dns_host { + '': { $tor_dns_host = '127.0.0.1' } + } + case $tor_dns_port { + '': { $tor_dns_port = '8853' } + } if $tor_user == '' { $tor_user = $dist_tor_user ? { '' => 'tor', diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp new file mode 100644 index 0000000..9c71204 --- /dev/null +++ b/manifests/rules/torify/redirect_dns_to_tor.pp 
@@ -0,0 +1,38 @@ +define shorewall::rules::torify::redirect_dns_to_tor() { + + $user = $name + + $destzone = $shorewall::tor_dns_host ? { + '127.0.0.1' => '$FW', + default => 'net' + } + + $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}" + if !defined(Shorewall::Rule["$tcp_rule"]) { + shorewall::rule { + "$tcp_rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", + proto => 'tcp', + destinationport => 'domain', + user => $user, + order => 108, + action => 'DNAT'; + } + } + + $udp_rule = "redirect-udp-dns-to-tor-user=${user}" + if !defined(Shorewall::Rule["$udp_rule"]) { + shorewall::rule { + "$udp_rule": + source => '$FW', + destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", + proto => 'udp', + destinationport => 'domain', + user => $user, + order => 108, + action => 'DNAT'; + } + } + +} -- cgit v1.2.3 From 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 7 Jan 2012 06:09:54 +0100 Subject: Support exempting some users from torification measures. --- README | 5 ++++- manifests/init.pp | 4 ++++ manifests/rules/torify.pp | 2 ++ manifests/rules/torify/allow_tor_user.pp | 15 --------------- manifests/rules/torify/non_torified_user.pp | 25 +++++++++++++++++++++++++ manifests/rules/torify/non_torified_users.pp | 9 +++++++++ manifests/rules/torify/redirect_tcp_to_tor.pp | 7 +------ manifests/rules/torify/user.pp | 4 ---- 8 files changed, 45 insertions(+), 26 deletions(-) delete mode 100644 manifests/rules/torify/allow_tor_user.pp create mode 100644 manifests/rules/torify/non_torified_user.pp create mode 100644 manifests/rules/torify/non_torified_users.pp diff --git a/README b/README index 648eaf7..c20227e 100644 --- a/README +++ b/README 
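Review bot: `shorewall::rules::torify::redirect_dns_to_tor` with the global `'-'` title DNATs port 53 for every local user, including `$shorewall::tor_user`, whereas the sibling `redirect_tcp_to_tor` explicitly negates the Tor user; any DNS query Tor itself issues (presumably none in a plain client configuration, but not guaranteed) would be looped back into its own DNSPort. Mirror the TCP define: `$user_real = $user ? { '-' => "!${shorewall::tor_user}", default => $user }` and pass `$user_real` to both rules. When `$tor_dns_host` is not `127.0.0.1` the rule sends cleartext DNS to a host in `net`, which the README's leak caveat does not cover; a header comment saying `$tor_dns_host` should normally stay local would help.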
@@ -88,8 +88,11 @@ When no destination is provided traffic directed to RFC1918 addresses is by default allowed and (obviously) not torified. This behaviour can be changed by setting the allow_rfc1918 parameter to false. -Torify any outgoing TCP traffic but connections to RFC1918 addresses: +Torify any outgoing TCP traffic but + - connections to RFC1918 addresses + - connections from users bob and alice: + $non_torified_users = [ 'bob', 'alice' ] shorewall::rules::torify { 'torify-everything-but-lan': } diff --git a/manifests/init.pp b/manifests/init.pp index f69a6f2..e5456d0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -34,6 +34,10 @@ class shorewall { default => $dist_tor_user, } } + case $non_torified_users { + '': { $non_torified_users = [] } + } + $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) file {"/var/lib/puppet/modules/shorewall": ensure => directory, diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp index f6e62d8..b393a2a 100644 --- a/manifests/rules/torify.pp +++ b/manifests/rules/torify.pp @@ -18,6 +18,8 @@ define shorewall::rules::torify( $allow_rfc1918 = true ){ + include shorewall::rules::torify::non_torified_users + $originaldest = join($destinations,',') shorewall::rules::torify::user { diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp deleted file mode 100644 index f44c1f0..0000000 --- a/manifests/rules/torify/allow_tor_user.pp +++ /dev/null @@ -1,15 +0,0 @@ -class shorewall::rules::torify::allow_tor_user { - - $whitelist_rule = "allow-from-tor-user" - if !defined(Shorewall::Rule["$whitelist_rule"]) { - shorewall::rule { - "$whitelist_rule": - source => '$FW', - destination => 'all', - user => $shorewall::tor_user, - order => 101, - action => 'ACCEPT'; - } - } - -} diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp new file mode 100644 index 0000000..34e4db7 --- /dev/null 
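Review bot: `$real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])` in `class shorewall` is the exact line that commit f072fb5 on this page reports as `Syntax error at [; expected ]` at init.pp:39, and that fix was itself reverted, so this hunk as written does not parse on at least one deployed Puppet version. `uniq_flatten` is not a core function and is not defined in this diff; name its origin in a comment (`# uniq_flatten(): provided by <module>; flattens and dedups the exemption list, always including $tor_user`) and, if it accepts varargs, call it without the array literal as f072fb5 did. `$non_torified_users` is read from node scope by dynamic lookup; `$::non_torified_users` makes that explicit and survives stricter scoping.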
+++ b/manifests/rules/torify/non_torified_user.pp @@ -0,0 +1,25 @@ +define shorewall::rules::torify::non_torified_user() { + + $user = $name + + $whitelist_rule = "allow-from-user=${user}" + shorewall::rule { + "$whitelist_rule": + source => '$FW', + destination => 'all', + user => $user, + order => 101, + action => 'ACCEPT'; + } + + $nonat_rule = "dont-redirect-to-tor-user=${user}" + shorewall::rule { + "$nonat_rule": + source => '$FW', + destination => '-', + user => $user, + order => 106, + action => 'NONAT'; + } + +} diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp new file mode 100644 index 0000000..582dfed --- /dev/null +++ b/manifests/rules/torify/non_torified_users.pp @@ -0,0 +1,9 @@ +class shorewall::rules::torify::non_torified_users { + + $real_non_torified_users = $shorewall::real_non_torified_users + + shorewall::rules::torify::non_torified_user { + $real_non_torified_users: + } + +} diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp index 2bee658..fe1c5fe 100644 --- a/manifests/rules/torify/redirect_tcp_to_tor.pp +++ b/manifests/rules/torify/redirect_tcp_to_tor.pp @@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor( default => $originaldest, } - $user_real = $user ? { - '-' => "!${shorewall::tor_user}", - default => $user, - } - $destzone = $shorewall::tor_transparent_proxy_host ? { '127.0.0.1' => '$FW', default => 'net' @@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor( destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", proto => 'tcp:syn', originaldest => $originaldest_real, - user => $user_real, + user => $user, order => 110, action => 'DNAT'; } diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp index 5caccfd..49c0b34 100644 --- a/manifests/rules/torify/user.pp +++ b/manifests/rules/torify/user.pp 
@@ -7,10 +7,6 @@ define shorewall::rules::torify::user( include shorewall::rules::torify::allow_tor_transparent_proxy - if $originaldest == '-' and $user == '-' { - include shorewall::rules::torify::allow_tor_user - } - shorewall::rules::torify::redirect_tcp_to_tor { "redirect-to-tor-user=${user}-to=${originaldest}": user => $user, -- cgit v1.2.3 From e4b415405884300af34ed8e5df5e4057cb001099 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 11 Nov 2012 23:21:28 +0100 Subject: Update Wheezy's shorewall.conf to use the new configuration directory. Managed configuration files now live in /etc/shorewall/puppet. --- files/shorewall.conf.Debian.wheezy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/shorewall.conf.Debian.wheezy b/files/shorewall.conf.Debian.wheezy index b5084c6..09693a6 100644 --- a/files/shorewall.conf.Debian.wheezy +++ b/files/shorewall.conf.Debian.wheezy @@ -72,7 +72,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= -- cgit v1.2.3 From ceb57f6a7073b9f7fddfda3ba5b734b168019285 Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 25 Nov 2012 17:49:37 +0100 Subject: add rtrules --- files/boilerplate/rtrules.footer | 1 + files/boilerplate/rtrules.header | 8 ++++++++ manifests/base.pp | 1 + manifests/init.pp | 2 ++ manifests/rtrules.pp | 11 +++++++++++ 5 files changed, 23 insertions(+) create mode 100644 files/boilerplate/rtrules.footer create mode 100644 files/boilerplate/rtrules.header create mode 100644 manifests/rtrules.pp diff --git a/files/boilerplate/rtrules.footer b/files/boilerplate/rtrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/rtrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
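Review bot: `CONFIG_PATH` now starts with `/etc/shorewall/puppet`, but the `shorewall::base` hunks elsewhere on this page still point the managed files at `/var/lib/puppet/modules/shorewall/...`; if a deployment pairs this conf with that base.pp, shorewall will not find the puppet-managed files and will fall back to the stock `/etc/shorewall` copies, i.e. an unmanaged ruleset, with no catalog error to show for it. If the move is complete on this branch, say so in the commit message; either way a comment next to `CONFIG_PATH` naming the manifest that populates the directory (`# /etc/shorewall/puppet is written by shorewall::base; keep the two in sync`) makes the coupling visible.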
diff --git a/files/boilerplate/rtrules.header b/files/boilerplate/rtrules.header new file mode 100644 index 0000000..fd9b2f4 --- /dev/null +++ b/files/boilerplate/rtrules.header @@ -0,0 +1,8 @@ +# +# Shorewall version 4 - route rules File +# +# For information about entries in this file, type "man shorewall-rtrules" +# +# For additional information, see http://www.shorewall.net/MultiISP.html +#################################################################################### +# SOURCE DEST PROVIDER PRIORITY MASK diff --git a/manifests/base.pp b/manifests/base.pp index 58b753e..c49c23b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -42,6 +42,7 @@ class shorewall::base { File["/var/lib/puppet/modules/shorewall/tcdevices"], File["/var/lib/puppet/modules/shorewall/tcrules"], File["/var/lib/puppet/modules/shorewall/tcclasses"], + File["/var/lib/puppet/modules/shorewall/rtrules"], ], require => Package[shorewall], } diff --git a/manifests/init.pp b/manifests/init.pp index f69a6f2..72e0533 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -72,4 +72,6 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm shorewall::managed_file { tcclasses: } + shorewall::managed_file { rtrules: } + } diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp new file mode 100644 index 0000000..eeb7cc6 --- /dev/null +++ b/manifests/rtrules.pp @@ -0,0 +1,11 @@ +define shorewall::rtrules( + $source = '-', + $destination = '-', + $provider, + $priority, + $mark, +){ + shorewall::entry { "rtrules.d/${mark}-${title}": + line => "# ${name}\n${source} ${destination} ${provider} ${priority} ${mark}", + } +} -- cgit v1.2.3 From 8db3b2ad945642c925713c8da792e2b405bfe6ab Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 25 Nov 2012 18:27:20 +0100 Subject: rtrules: added default priority --- manifests/rtrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rtrules.pp b/manifests/rtrules.pp index eeb7cc6..34e12b4 100644 
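Review bot: `shorewall::rtrules` writes its entry under `rtrules.d/${mark}-${title}`, so the position in the generated file is keyed on the mark value rather than on `$priority`, which is presumably what actually orders the resulting routing rules; using `${priority}-${title}` (or an explicit `$order` parameter as `shorewall::tunnel` has) makes the file order track rule precedence and avoids two entries that differ only by title sorting arbitrarily. The define has no header comment; `# One line in shorewall's rtrules file: SOURCE DEST PROVIDER PRIORITY MASK — see shorewall-rtrules(5).` would match the `# See ...` convention the other `managed_file` declarations in init.pp follow.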
--- a/manifests/rtrules.pp +++ b/manifests/rtrules.pp @@ -2,7 +2,7 @@ define shorewall::rtrules( $source = '-', $destination = '-', $provider, - $priority, + $priority = '10000', $mark, ){ shorewall::entry { "rtrules.d/${mark}-${title}": -- cgit v1.2.3 From faf6fba9579e285efd28f2ef96a7e3a5d4a5dd4b Mon Sep 17 00:00:00 2001 From: varac Date: Sun, 25 Nov 2012 18:27:33 +0100 Subject: added provider --- files/boilerplate/providers.footer | 1 + files/boilerplate/providers.header | 9 +++++++++ manifests/base.pp | 1 + manifests/init.pp | 1 + manifests/providers.pp | 13 +++++++++++++ 5 files changed, 25 insertions(+) create mode 100644 files/boilerplate/providers.footer create mode 100644 files/boilerplate/providers.header create mode 100644 manifests/providers.pp diff --git a/files/boilerplate/providers.footer b/files/boilerplate/providers.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/providers.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header new file mode 100644 index 0000000..b4a5990 --- /dev/null +++ b/files/boilerplate/providers.header @@ -0,0 +1,9 @@ +# +# Shorewall version 4 - Providers File +# +# For information about entries in this file, type "man shorewall-providers" +# +# For additional information, see http://shorewall.net/MultiISP.html +# +############################################################################################ +#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY diff --git a/manifests/base.pp b/manifests/base.pp index c49c23b..c50aa6e 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -43,6 +43,7 @@ class shorewall::base { File["/var/lib/puppet/modules/shorewall/tcrules"], File["/var/lib/puppet/modules/shorewall/tcclasses"], File["/var/lib/puppet/modules/shorewall/rtrules"], + File["/var/lib/puppet/modules/shorewall/providers"], ], require => Package[shorewall], } 
diff --git a/manifests/init.pp b/manifests/init.pp index 72e0533..0bdc50d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -73,5 +73,6 @@ class shorewall { shorewall::managed_file { tcclasses: } shorewall::managed_file { rtrules: } + shorewall::managed_file { providers: } } diff --git a/manifests/providers.pp b/manifests/providers.pp new file mode 100644 index 0000000..d179247 --- /dev/null +++ b/manifests/providers.pp @@ -0,0 +1,13 @@ +define shorewall::providers( + $number, + $mark, + $duplicate = '-', + $interface, + $gateway, + $options = '-', + $copy = '', +){ + shorewall::entry { "providers.d/${mark}-${title}": + line => "${name} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}", + } +} -- cgit v1.2.3 From ad4e76925e6372752393bb2cb6db0aa8c7aaa468 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sun, 2 Dec 2012 11:29:22 +0100 Subject: libvirt::host: don't accept FTP from VMs. It was meant to provide preseeding files over FTP, but the Debian installer has been supporting TFTP for a while, so no additional software is needed. --- manifests/rules/libvirt/host.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index ac60b98..aaecd9d 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -31,7 +31,6 @@ class shorewall::rules::libvirt::host ( } shorewall::rule::accept::from_vmz { - 'accept_ftp_from_vmz': action => 'FTP(ACCEPT)'; 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; 'accept_tftp_from_vmz': action => 'TFTP(ACCEPT)'; 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => '8000', action => 'ACCEPT'; -- cgit v1.2.3 From bcded0b6e2ed96e1f44058ba7e70a404a83c2c71 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 1 Jan 2013 16:22:55 +0100 Subject: make it possible to exent nets for ipsec --- manifests/rules/ipsec.pp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
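Review bot: `shorewall::providers` emits its line without the `# ${name}` comment that `shorewall::rtrules` and `shorewall::tunnel` prepend, and defaults `$copy` to `''` where the other optional columns use `'-'`; an empty trailing column is accepted by shorewall but `'-'` is unambiguous and keeps the column count visible in the generated file. Suggested: `$copy = '-'` and `line => "# ${name}\n${name} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}"`. A short header comment pointing at shorewall-providers(5) and noting that `$mark` doubles as the ordering key would also help the next reader.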
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 3e9db55..82adff0 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp @@ -1,7 +1,9 @@ -class shorewall::rules::ipsec { +class shorewall::rules::ipsec( + $source = 'net' +) { shorewall::rule { 'net-me-ipsec-udp': - source => 'net', + source => $shorewall::rules::ipsec::source, destination => '$FW', proto => 'udp', destinationport => '500', @@ -9,20 +11,20 @@ class shorewall::rules::ipsec { action => 'ACCEPT'; 'me-net-ipsec-udp': source => '$FW', - destination => 'net', + destination => $shorewall::rules::ipsec::source, proto => 'udp', destinationport => '500', order => 240, action => 'ACCEPT'; 'net-me-ipsec': - source => 'net', + source => $shorewall::rules::ipsec::source, destination => '$FW', proto => 'esp', order => 240, action => 'ACCEPT'; 'me-net-ipsec': source => '$FW', - destination => 'net', + destination => $shorewall::rules::ipsec::source, proto => 'esp', order => 240, action => 'ACCEPT'; -- cgit v1.2.3 From 88fa544a9c2f974b35a169b4e3865ccaf4f68fd1 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 2 Jan 2013 18:01:43 +0100 Subject: Revert "Allow redirecting DNS requests to Tor for specific users or globally." This reverts commit 0c28fa636653f395c756f56c93f8c78fddfcee00. This stuff is not ready for the shared repo, but we want to take benefit from me having already merged immerda's stuff into my branch and solved the conflicts. --- README | 13 +-------- manifests/init.pp | 6 ----- manifests/rules/torify/redirect_dns_to_tor.pp | 38 --------------------------- 3 files changed, 1 insertion(+), 56 deletions(-) delete mode 100644 manifests/rules/torify/redirect_dns_to_tor.pp diff --git a/README b/README index 07c50f2..cb4424f 100644 --- a/README +++ b/README 
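Review bot: The new `$source` parameter of `shorewall::rules::ipsec` is used both as the source of the inbound rules and as the destination of the outbound ones, so its name understates what it does; `$zone` (keeping `$source` as a deprecated alias if callers exist) with a comment `# zone the IPsec peers live in: source for inbound, destination for outbound rules` would be clearer. Inside the class the parameter is read as `$shorewall::rules::ipsec::source` on every line although the unqualified `$source` is already in scope, so the qualified form is noise. The rule titles (`net-me-ipsec-udp`, ...) still encode `net`, which is misleading in `shorewall show` output once a different zone is passed; a one-line comment noting the titles are historical, or titles built from the zone, would fix that. The class body continues past the hunk.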
@@ -110,18 +110,7 @@ rejected. This is intentional: it does not make sense leaking -via DNS requests- network activity that would otherwise be torified. In that case you probably want to read proper documentation about such matters, enable the Tor DNS resolver and redirect DNS requests through -it, - -either globally: - - shorewall::rules::torify::redirect_dns_to_tor { '-': } - -or for specific users: - - shorewall::rules::torify::redirect_dns_to_tor { ['bob', 'alice' ]: } - -The $tor_dns_host and $tor_dns_port variables must be set before -these defines are setup. +it. Example ------- diff --git a/manifests/init.pp b/manifests/init.pp index a446253..dd28767 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,12 +27,6 @@ class shorewall( case $tor_transparent_proxy_port { '': { $tor_transparent_proxy_port = '9040' } } - case $tor_dns_host { - '': { $tor_dns_host = '127.0.0.1' } - } - case $tor_dns_port { - '': { $tor_dns_port = '8853' } - } if $tor_user == '' { $tor_user = $dist_tor_user ? { '' => 'tor', diff --git a/manifests/rules/torify/redirect_dns_to_tor.pp b/manifests/rules/torify/redirect_dns_to_tor.pp deleted file mode 100644 index 9c71204..0000000 --- a/manifests/rules/torify/redirect_dns_to_tor.pp +++ /dev/null 
@@ -1,38 +0,0 @@ -define shorewall::rules::torify::redirect_dns_to_tor() { - - $user = $name - - $destzone = $shorewall::tor_dns_host ? { - '127.0.0.1' => '$FW', - default => 'net' - } - - $tcp_rule = "redirect-tcp-dns-to-tor-user=${user}" - if !defined(Shorewall::Rule["$tcp_rule"]) { - shorewall::rule { - "$tcp_rule": - source => '$FW', - destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", - proto => 'tcp', - destinationport => 'domain', - user => $user, - order => 108, - action => 'DNAT'; - } - } - - $udp_rule = "redirect-udp-dns-to-tor-user=${user}" - if !defined(Shorewall::Rule["$udp_rule"]) { - shorewall::rule { - "$udp_rule": - source => '$FW', - destination => "${destzone}:${shorewall::tor_dns_host}:${shorewall::tor_dns_port}", - proto => 'udp', - destinationport => 'domain', - user => $user, - order => 108, - action => 'DNAT'; - } - } - -} -- cgit v1.2.3 From 5e555243c8dd93f7e5cfadacc9c3843d5f9d421c Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 2 Jan 2013 18:02:31 +0100 Subject: Revert "Support exempting some users from torification measures." This reverts commit 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a. This stuff is not ready for the shared repo, but we want to take benefit from me having already merged immerda's stuff into my branch and solved the conflicts. --- README | 5 +---- manifests/init.pp | 4 ---- manifests/rules/torify.pp | 2 -- manifests/rules/torify/allow_tor_user.pp | 15 +++++++++++++++ manifests/rules/torify/non_torified_user.pp | 25 ------------------------- manifests/rules/torify/non_torified_users.pp | 9 --------- manifests/rules/torify/redirect_tcp_to_tor.pp | 7 ++++++- manifests/rules/torify/user.pp | 4 ++++ 8 files changed, 26 insertions(+), 45 deletions(-) create mode 100644 manifests/rules/torify/allow_tor_user.pp delete mode 100644 manifests/rules/torify/non_torified_user.pp delete mode 100644 manifests/rules/torify/non_torified_users.pp diff --git a/README b/README index cb4424f..0010450 100644 
--- a/README +++ b/README @@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses is by default allowed and (obviously) not torified. This behaviour can be changed by setting the allow_rfc1918 parameter to false. -Torify any outgoing TCP traffic but - - connections to RFC1918 addresses - - connections from users bob and alice: +Torify any outgoing TCP traffic but connections to RFC1918 addresses: - $non_torified_users = [ 'bob', 'alice' ] shorewall::rules::torify { 'torify-everything-but-lan': } diff --git a/manifests/init.pp b/manifests/init.pp index dd28767..3b4b3b2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -33,10 +33,6 @@ class shorewall( default => $dist_tor_user, } } - case $non_torified_users { - '': { $non_torified_users = [] } - } - $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp index b393a2a..f6e62d8 100644 --- a/manifests/rules/torify.pp +++ b/manifests/rules/torify.pp @@ -18,8 +18,6 @@ define shorewall::rules::torify( $allow_rfc1918 = true ){ - include shorewall::rules::torify::non_torified_users - $originaldest = join($destinations,',') shorewall::rules::torify::user { diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp new file mode 100644 index 0000000..f44c1f0 --- /dev/null +++ b/manifests/rules/torify/allow_tor_user.pp @@ -0,0 +1,15 @@ +class shorewall::rules::torify::allow_tor_user { + + $whitelist_rule = "allow-from-tor-user" + if !defined(Shorewall::Rule["$whitelist_rule"]) { + shorewall::rule { + "$whitelist_rule": + source => '$FW', + destination => 'all', + user => $shorewall::tor_user, + order => 101, + action => 'ACCEPT'; + } + } + +} 
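Review bot: In the new `shorewall::rules::torify::allow_tor_user` class the `if !defined(Shorewall::Rule["$whitelist_rule"])` guard does nothing useful, because a class is evaluated at most once however often it is included, so the body can declare the rule directly; `"$whitelist_rule"` and `"$whitelist_rule":` also quote a bare variable (puppet-lint's only_variable_string warning) and can be written as `$whitelist_rule`. The rule accepts all traffic from the Tor daemon's user with `order => 101`, which matters for correctness since the DNAT added by `redirect_tcp_to_tor` uses `order => 110`, so a comment such as `# The Tor daemon itself must reach the network directly; order 101 puts this ACCEPT before the torify DNAT at order 110` would record why the ordering must not change.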
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp deleted file mode 100644 index 34e4db7..0000000 --- a/manifests/rules/torify/non_torified_user.pp +++ /dev/null @@ -1,25 +0,0 @@ -define shorewall::rules::torify::non_torified_user() { - - $user = $name - - $whitelist_rule = "allow-from-user=${user}" - shorewall::rule { - "$whitelist_rule": - source => '$FW', - destination => 'all', - user => $user, - order => 101, - action => 'ACCEPT'; - } - - $nonat_rule = "dont-redirect-to-tor-user=${user}" - shorewall::rule { - "$nonat_rule": - source => '$FW', - destination => '-', - user => $user, - order => 106, - action => 'NONAT'; - } - -} diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp deleted file mode 100644 index 582dfed..0000000 --- a/manifests/rules/torify/non_torified_users.pp +++ /dev/null @@ -1,9 +0,0 @@ -class shorewall::rules::torify::non_torified_users { - - $real_non_torified_users = $shorewall::real_non_torified_users - - shorewall::rules::torify::non_torified_user { - $real_non_torified_users: - } - -} diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp index fe1c5fe..2bee658 100644 --- a/manifests/rules/torify/redirect_tcp_to_tor.pp +++ b/manifests/rules/torify/redirect_tcp_to_tor.pp @@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor( default => $originaldest, } + $user_real = $user ? { + '-' => "!${shorewall::tor_user}", + default => $user, + } + $destzone = $shorewall::tor_transparent_proxy_host ? { '127.0.0.1' => '$FW', default => 'net' @@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor( destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", proto => 'tcp:syn', originaldest => $originaldest_real, - user => $user, + user => $user_real, order => 110, action => 'DNAT'; } 
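Review bot: The `$user_real` selector in `redirect_tcp_to_tor` silently turns the catch-all `'-'` into a negated owner match, and nothing in the define says why; a comment above it, `# '-' means every local user, but the Tor daemon's own connections must not be DNATed back into Tor, so exclude its user`, would make the intent clear. The negation produces `!` followed by `$shorewall::tor_user`, so it relies on `tor_user` never being empty; the `init.pp` fallback to `'tor'` visible in an earlier commit on this page appears to guarantee that, but it is worth stating in the comment. The enclosing define starts before the first hunk and its rule declaration continues past the second.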
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp index 49c0b34..5caccfd 100644 --- a/manifests/rules/torify/user.pp +++ b/manifests/rules/torify/user.pp @@ -7,6 +7,10 @@ define shorewall::rules::torify::user( include shorewall::rules::torify::allow_tor_transparent_proxy + if $originaldest == '-' and $user == '-' { + include shorewall::rules::torify::allow_tor_user + } + shorewall::rules::torify::redirect_tcp_to_tor { "redirect-to-tor-user=${user}-to=${originaldest}": user => $user, -- cgit v1.2.3 From eac5a3c28c4773531964f77e25291c88efcc5e12 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jan 2013 19:46:52 +0100 Subject: provide an easy option to still manage the source of the central conf file --- README | 11 ++++------- manifests/base.pp | 6 ++++++ manifests/init.pp | 1 + 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/README b/README index 29fd84d..f0b13cc 100644 --- a/README +++ b/README @@ -49,14 +49,11 @@ shorewall.conf, simply do this: NOTE: this requires the augeas ruby bindings newer than 0.7.3. -If you need to, you can provide an entire shorewall.conf by overriding the file -resource, for example: +If you need to, you can provide an entire shorewall.conf by passing its +source to the main class: -class site_shorewall::config inherits shorewall::base { - - File["/etc/shorewall/shorewall.conf"] { - source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", - } +class{'shorewall': + conf_source => "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", } NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas diff --git a/manifests/base.pp b/manifests/base.pp index 52e77d8..4324553 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
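Review bot: The include of `shorewall::rules::torify::allow_tor_user` is conditioned on both `$originaldest == '-'` and `$user == '-'`, while `redirect_tcp_to_tor` (previous commit on this page) excludes the Tor user from the DNAT whenever `$user == '-'`, regardless of `$originaldest`. For a per-destination torify with `$user` left at `'-'` the daemon's own connections to that destination are therefore neither redirected nor explicitly accepted; whether they then hit a reject rule depends on `shorewall::rules::torify`, which is not visible here, so please confirm. If the two are meant to agree, `if $user == '-' { include shorewall::rules::torify::allow_tor_user }` would align them; if the narrower condition is deliberate, a comment saying so would prevent the next reader from "fixing" it. The enclosing define starts outside the hunk.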
@@ -16,6 +16,12 @@ class shorewall::base { owner => root, group => 0, mode => 0644; } + if $shorewall::conf_source { + File['/etc/shorewall/shorewall.conf']{ + source => $shorewall::conf_source, + } + } + augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', diff --git a/manifests/init.pp b/manifests/init.pp index 63e6fd3..13eea89 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,5 +1,6 @@ class shorewall( $startup = '1', + $conf_source = false, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', -- cgit v1.2.3 From 00783476d162088eaf7a15a287316c2233ae5465 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 2 Jan 2013 20:12:40 +0100 Subject: cleanup a merge issue --- manifests/init.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 13eea89..5a7f740 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -63,8 +63,7 @@ class shorewall( shorewall::managed_file { providers: } # See http://www.shorewall.net/manpages/shorewall-tunnels.html shorewall::managed_file { tunnel: } - + # See http://www.shorewall.net/MultiISP.html shorewall::managed_file { rtrules: } - shorewall::managed_file { providers: } } -- cgit v1.2.3 From 9e79c7c55755e4cff5097d34c14396fdb0f15f85 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 24 Jan 2013 16:03:26 -0500 Subject: fix missing dependency on augeas make sure that the augeas class has been applied before attempting to do any augeas operations. without this, you will non-deterministically get: err: /Stage[main]/Shorewall::Base/Augeas[shorewall_module_config_path]: Could not evaluate: Save failed with return code false --- manifests/base.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
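Review bot: The `augeas { 'shorewall_module_config_path': ... }` resource in the context lines still runs unconditionally against `/etc/shorewall/shorewall.conf` after the `conf_source` override is applied, yet the README hunk in this same commit states that a distributed file and augeas cannot be combined; on a node with `conf_source` set the two resources will fight over the file unless the supplied file already contains the CONFIG_PATH line. Either wrap the augeas resource in the same `if $shorewall::conf_source` condition (with an `else`), or document on the `$conf_source = false` parameter in the init.pp hunk that a supplied file must already set `CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"`. Also note that the override relies on `source` not having been set in the original `File['/etc/shorewall/shorewall.conf']` declaration above; adding an attribute in the same scope is allowed, overriding one is not, so a comment `# adds 'source' to the declaration above; do not set source there or this becomes an illegal override` would protect that invariant. The class body continues outside the hunk.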
diff --git a/manifests/base.pp b/manifests/base.pp index 4324553..f2004ab 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -22,11 +22,14 @@ class shorewall::base { } } + include augeas + augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall]; + notify => Service[shorewall], + require => Class[augeas]; } service{shorewall: -- cgit v1.2.3
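Review bot: `include augeas` makes `shorewall::base` depend on an external `augeas` class that this module did not previously require, and nothing in the diff records that dependency; it should be listed in the module's metadata/README (not visible here) so the error quoted in the commit message is not replaced by "Could not find class augeas" on hosts without that module. Style-wise, `Class[augeas]` is a bare word where the rest of this file quotes names (`Service[shorewall]` is the same pre-existing pattern, but new code could use `Class['augeas']`). Unrelated to this fix but in the same resource: there is no declared ordering between the `File['/etc/shorewall/shorewall.conf']` override from the previous commit and this augeas resource, so unless the augeas type autorequires its `incl` file (newer Puppet releases do, I believe) the edit may be applied before the file is replaced; `require => [Class['augeas'], File['/etc/shorewall/shorewall.conf']]` would pin it. The class body continues outside the hunk.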