From d207277829a37bfd879a983a62bb68218f420c9b Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:28:28 +0100 Subject: with the latest updates on EL6 this is needed --- manifests/centos.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index 7968b69..591185a 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,12 +1,13 @@ +# things needed on centos class shorewall::centos inherits shorewall::base { if $::lsbmajdistrelease == '6' { - # workaround for - # http://comments.gmane.org/gmane.comp.security.shorewall/26991 - file{'/etc/shorewall/params': - ensure => link, - target => '/etc/shorewall/puppet/params', - before => Service['shorewall'], - require => File['/etc/shorewall/puppet'] + augeas{'enable_shorewall': + context => '/files/etc/sysconfig/shorewall', + changes => 'set startup 1', + lens => 'Shellvars.lns', + incl => '/etc/sysconfig/shorewall', + require => Package['shorewall'], + notify => Service['shorewall'], } } } -- cgit v1.2.3 From 180dacee8985ced3484426cbf349ffe6b808c1cb Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:45:41 +0100 Subject: use the centos class on centos based systems --- manifests/centos.pp | 2 +- manifests/init.pp | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index 591185a..f671bc9 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if $::lsbmajdistrelease == '6' { + if $::lsbmajdistrelease > 5 { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', diff --git a/manifests/init.pp b/manifests/init.pp index 5a7f740..85977da 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
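Review bot: `changes => 'set startup 1'` hard-codes the sysconfig flag even though the enclosing `shorewall` class exposes a `$startup` parameter (its default `'1'` is visible in a later init.pp hunk), so on EL6 a node that sets `startup => '0'` still gets the service enabled; `changes => "set startup ${shorewall::startup}"` keeps the two in step. The replaced `File['/etc/shorewall/params']` symlink is dropped from management rather than removed, so hosts that already received it keep a stale link until someone cleans it up; a transitional `file{'/etc/shorewall/params': ensure => absent }` under the same guard would retire it, provided nothing else relies on that path (not visible from here).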
@@ -16,7 +16,7 @@ class shorewall( include shorewall::debian $dist_tor_user = 'debian-tor' } - centos: { include shorewall::base } + centos: { include shorewall::centos } ubuntu: { case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } @@ -24,7 +24,7 @@ class shorewall( } } default: { - notice "unknown operatingsystem: ${::operatingsystem}" + notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } } @@ -65,5 +65,5 @@ class shorewall( shorewall::managed_file { tunnel: } # See http://www.shorewall.net/MultiISP.html shorewall::managed_file { rtrules: } - + } -- cgit v1.2.3 From 2ac0604026a808f91188e785a5c4d254eccf7d67 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 19:51:06 +0100 Subject: linting the init.pp --- manifests/init.pp | 78 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 37 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 85977da..cd6488b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,3 +1,4 @@ +# Manage shorewall on your system class shorewall( $startup = '1', $conf_source = false, 
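Review bot: `centos` is the only `case $::operatingsystem` key that reaches `shorewall::centos`, so RHEL, Scientific Linux or other EL rebuilds that ship the same `/etc/sysconfig/shorewall` fall through to `default`, get only `shorewall::base` and never have `startup` enabled. Matching the family instead, e.g. `centos,redhat,scientific: { include shorewall::centos }` or a branch on `$::osfamily == 'RedHat'`, would cover them; whether such nodes exist in this deployment is not visible in the diff. The `default` branch also only emits a `notice`, so an unsupported platform proceeds silently with a `service` it may not have; a `warning` would at least surface it in reports.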
@@ -29,41 +30,44 @@ class shorewall( } } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones - shorewall::managed_file{ zones: } - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - shorewall::managed_file{ interfaces: } - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - shorewall::managed_file { hosts: } - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - shorewall::managed_file { policy: } - # See http://www.shorewall.net/3.0/Documentation.htm#Rules - shorewall::managed_file { rules: } - # See http://www.shorewall.net/3.0/Documentation.htm#Masq - shorewall::managed_file{ masq: } - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - shorewall::managed_file { proxyarp: } - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - shorewall::managed_file { nat: } - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - shorewall::managed_file { blacklist: } - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - shorewall::managed_file { rfc1918: } - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables - shorewall::managed_file { params: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcdevices: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcrules: } - # See http://www.shorewall.net/3.0/traffic_shaping.htm - shorewall::managed_file { tcclasses: } - # http://www.shorewall.net/manpages/shorewall-providers.html - shorewall::managed_file { providers: } - # See http://www.shorewall.net/manpages/shorewall-tunnels.html - shorewall::managed_file { tunnel: } - # See http://www.shorewall.net/MultiISP.html - shorewall::managed_file { rtrules: } - + shorewall::managed_file{ + [ + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + 'zones', + # See 
http://www.shorewall.net/3.0/Documentation.htm#Interfaces + 'interfaces', + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + 'hosts', + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + 'policy', + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + 'rules', + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + 'masq', + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + 'proxyarp', + # See http://www.shorewall.net/3.0/Documentation.htm#NAT + 'nat', + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + 'blacklist', + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + 'rfc1918', + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + 'routestopped', + # See http://www.shorewall.net/3.0/Documentation.htm#Variables + 'params', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcdevices', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcrules', + # See http://www.shorewall.net/3.0/traffic_shaping.htm + 'tcclasses', + # http://www.shorewall.net/manpages/shorewall-providers.html + 'providers', + # See http://www.shorewall.net/manpages/shorewall-tunnels.html + 'tunnel', + # See http://www.shorewall.net/MultiISP.html + 'rtrules', + ]:; + } } -- cgit v1.2.3 From c7aaea9b78f82ed2fb2c63571743c4e225a22a76 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:38:07 +0100 Subject: only manage the config_path if we do not manage the config file --- manifests/base.pp | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 7ee9f0c..6f39bcf 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
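Review bot: The per-file `# See http://www.shorewall.net/3.0/...` comments carried into the array still point at Shorewall 3.0 documentation, while `providers` and `tunnel` already link the manpages and a template added later in this series is headed "Shorewall version 4.4"; linking the `shorewall-<file>` manpages consistently, e.g. `# See http://www.shorewall.net/manpages/shorewall-zones.html`, keeps readers on the syntax the module actually targets. A one-line comment above the block saying that each name becomes the `concat` target `/etc/shorewall/puppet/<name>` (per the `shorewall::managed_file` define shown in a later hunk) would also help a reader who does not know the define.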
@@ -20,16 +20,17 @@ class shorewall::base { File['/etc/shorewall/shorewall.conf']{ source => $shorewall::conf_source, } - } + } else { - require augeas + require augeas - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => [ Package['shorewall'] ]; + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall], + require => Package['shorewall']; + } } service{shorewall: -- cgit v1.2.3 From 4c613d6cd4ffd724bacd45e776efe3e6a082baa4 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 28 Feb 2013 20:40:38 +0100 Subject: linting --- manifests/base.pp | 75 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 35 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 6f39bcf..4ee8747 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
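Review bot: With `conf_source` set, the `else` branch no longer rewrites `CONFIG_PATH`, so a user-supplied shorewall.conf that does not list `/etc/shorewall/puppet` makes Shorewall compile from `/etc/shorewall` alone and silently ignore every rule file this module manages — the firewall comes up with a ruleset different from the one Puppet believes it applied. Nothing in the hunk records that requirement; I'd add next to the `if`: `# NOTE: a custom conf_source must itself set CONFIG_PATH to /etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall, otherwise the files in /etc/shorewall/puppet are never read`. The class header and the `file` declaration it modifies are outside this hunk.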
@@ -1,43 +1,48 @@ +# base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + package { 'shorewall': + ensure => $shorewall::ensure_version, + } + + # This file has to be managed in place, so shorewall can find it + file { + '/etc/shorewall/shorewall.conf': + require => Package[shorewall], + notify => Service[shorewall], + owner => root, + group => 0, + mode => '0644'; + '/etc/shorewall/puppet': + ensure => directory, + require => Package[shorewall], + owner => root, + group => 0, + mode => '0644'; + } - # This file has to be managed in place, so shorewall can find it - file { - '/etc/shorewall/shorewall.conf': - require => Package[shorewall], - notify => Service[shorewall], - owner => root, group => 0, mode => 0644; - '/etc/shorewall/puppet': - ensure => directory, - require => Package[shorewall], - owner => root, group => 0, mode => 0644; + if $shorewall::conf_source { + File['/etc/shorewall/shorewall.conf']{ + source => $shorewall::conf_source, } + } else { - if $shorewall::conf_source { - File['/etc/shorewall/shorewall.conf']{ - source => $shorewall::conf_source, - } - } else { + require augeas - require augeas + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } + } - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service[shorewall], - require => Package['shorewall']; - } - } - - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - require => Package[shorewall], - } + 
service{'shorewall': + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + require => Package['shorewall'], + } } -- cgit v1.2.3 From 940e4d658443f31194f1565f6871ecab012b85a0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 14 Jun 2013 17:41:04 -0400 Subject: Change the 'require augeas' to instead be a class ordering hint. When the 'require augeas' was there, it would declare the augeas class, which would result in a duplicate definition when you have elsewhere something like this: $augeasversion = $::lsbdistcodename ? { squeeze => '0.10.0-1~bpo60+3', wheezy => latest } class { 'augeas': version => $augeasversion } changing it to an ordering parameter makes sure that it is installed and working before anything else happens --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..7959f01 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,7 +27,7 @@ class shorewall::base { } } else { - require augeas + Class['augeas'] -> Class['shorewall::base'] augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', -- cgit v1.2.3 From 562e3f64418bb8aab7626f3e2f87769e4f85970d Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 10 Aug 2013 15:15:17 +0200 Subject: migrate ipsec rules to a define so we can specify multiple zones --- manifests/rules/ipsec.pp | 62 ++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp index 82adff0..54284b9 100644 --- a/manifests/rules/ipsec.pp +++ b/manifests/rules/ipsec.pp 
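Review bot: `'/etc/shorewall/puppet'` is declared `ensure => directory` with `mode => '0644'`; Puppet adds the search bit to directories wherever the read bit is set, so this works, but the stated mode does not match what lands on disk and reads like a mistake. Writing `mode => '0755'` (or `'0700'`, given the `concat` files created inside are `0600` per a later managed_file.pp hunk) states the intent. Otherwise this is a lint-only change.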
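Review bot: `Class['augeas'] -> Class['shorewall::base']` is a reference, not a declaration, so any catalog that does not declare `class { 'augeas': ... }` elsewhere now fails to compile with a missing-dependency error, whereas `require augeas` declared it on demand. If that is the intended contract it should be stated, e.g. `# the augeas class must be declared by the caller (see README)`; the alternative `if defined(Class['augeas']) { Class['augeas'] -> Class['shorewall::base'] }` keeps the ordering only when the class exists but is parse-order dependent. The `augeas` resource below still needs the ruby-augeas bindings on the agent either way.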
@@ -1,32 +1,32 @@
-class shorewall::rules::ipsec(
- $source = 'net'
-) {
- shorewall::rule {
- 'net-me-ipsec-udp':
- source => $shorewall::rules::ipsec::source,
- destination => '$FW',
- proto => 'udp',
- destinationport => '500',
- order => 240,
- action => 'ACCEPT';
- 'me-net-ipsec-udp':
- source => '$FW',
- destination => $shorewall::rules::ipsec::source,
- proto => 'udp',
- destinationport => '500',
- order => 240,
- action => 'ACCEPT';
- 'net-me-ipsec':
- source => $shorewall::rules::ipsec::source,
- destination => '$FW',
- proto => 'esp',
- order => 240,
- action => 'ACCEPT';
- 'me-net-ipsec':
- source => '$FW',
- destination => $shorewall::rules::ipsec::source,
- proto => 'esp',
- order => 240,
- action => 'ACCEPT';
- }
+# manage ipsec rules for zone specified in
+# $name
+define shorewall::rules::ipsec() {
+ shorewall::rule {
+ "${name}-me-ipsec-udp":
+ source => $name,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ "me-${name}-ipsec-udp":
+ source => '$FW',
+ destination => $name
+ proto => 'udp',
+ destinationport => '500',
+ order => 240,
+ action => 'ACCEPT';
+ "${name}-me-ipsec":
+ source => $name
+ destination => '$FW',
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ "me-${name}-ipsec":
+ source => '$FW',
+ destination => $name,
+ proto => 'esp',
+ order => 240,
+ action => 'ACCEPT';
+ }
 }
-- cgit v1.2.3
From 4d0f1855f2538a59a4fa59a8b7c101ebaa5d2280 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 10 Aug 2013 15:19:36 +0200
Subject: fix define
---
 manifests/rules/ipsec.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/rules/ipsec.pp b/manifests/rules/ipsec.pp
index 54284b9..413406e 100644
--- a/manifests/rules/ipsec.pp
+++ b/manifests/rules/ipsec.pp
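Review bot: The define only opens IKE on `udp/500` plus ESP, so a peer behind NAT — which negotiates NAT-T and moves IKE and ESP-in-UDP to `udp/4500` — cannot bring a tunnel up with this host; if such peers are expected, a pair of rules mirroring the `*-ipsec-udp` ones with `destinationport => '4500'` is needed. Since ESP carries no ports, the `proto => 'esp'` rules accept from the entire `$name` zone, which for `net` is as wide as it gets; callers with static peers may want a narrower `source`, and the define currently offers no parameter for that. The header comment could say both things in one line: `# opens IKE (udp/500) and ESP between zone $name and the firewall; NAT-T (udp/4500) is not covered`.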
@@ -11,13 +11,13 @@ define shorewall::rules::ipsec() { action => 'ACCEPT'; "me-${name}-ipsec-udp": source => '$FW', - destination => $name + destination => $name, proto => 'udp', destinationport => '500', order => 240, action => 'ACCEPT'; "${name}-me-ipsec": - source => $name + source => $name, destination => '$FW', proto => 'esp', order => 240, -- cgit v1.2.3 From 9629084c45ee551d138b92ed944af68f5f967e65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 20 Aug 2013 15:34:09 +0200 Subject: Remove require for augeas, since it is provided with Puppet --- manifests/base.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..edb0c45 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,8 +27,6 @@ class shorewall::base { } } else { - require augeas - augeas { 'shorewall_module_config_path': changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', lens => 'Shellvars.lns', -- cgit v1.2.3 From a437ccc4a943359e34ae02bf86edf7b877e8a2c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 20 Aug 2013 15:36:49 +0200 Subject: The augeas module is not needed, but the concat module is --- README | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README b/README index 3a84b3b..20d1b47 100644 --- a/README +++ b/README @@ -7,8 +7,8 @@ This module manages the configuration of Shorewall (http://www.shorewall.net/) Requirements ------------ -This module requires the augeas module, you can find that here: -https://labs.riseup.net/code/projects/shared-augeas +This module requires the concat module, you can find that here: +https://github.com/puppetlabs/puppetlabs-concat.git Copyright --------- -- cgit v1.2.3 From 35a8902dadc1460c463c8ae826cf5a0267f6a6cf Mon Sep 17 00:00:00 2001 
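Review bot: The `augeas` *type* ships with Puppet, but it only works when the ruby-augeas bindings and lenses are installed on the agent; `require augeas` was presumably what pulled those in via the shared augeas module, so after this change a fresh node without them fails at apply time on the `augeas { 'shorewall_module_config_path': ... }` resource visible in context. The commit message's "provided with Puppet" is therefore only half true; at minimum the README should state that ruby-augeas is required on the node, or the module should ensure the bindings package itself per platform. Which package names apply per distro is not visible in this diff.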
From: mh Date: Sun, 25 Aug 2013 18:44:45 +0200 Subject: make it easier to override behaviour of the dns rules --- manifests/rules/dns.pp | 20 ++++---------------- manifests/rules/dns/disable.pp | 7 ++++--- manifests/rules/dns_rules.pp | 22 ++++++++++++++++++++++ 3 files changed, 30 insertions(+), 19 deletions(-) create mode 100644 manifests/rules/dns_rules.pp diff --git a/manifests/rules/dns.pp b/manifests/rules/dns.pp index 99311ca..e775eee 100644 --- a/manifests/rules/dns.pp +++ b/manifests/rules/dns.pp @@ -1,18 +1,6 @@ +# open dns port class shorewall::rules::dns { - shorewall::rule { - 'net-me-tcp_dns': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - 'net-me-udp_dns': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '53', - order => 240, - action => 'ACCEPT'; - } + shorewall::rules::dns_rules{ + 'net': + } } diff --git a/manifests/rules/dns/disable.pp b/manifests/rules/dns/disable.pp index 36541da..7de923b 100644 --- a/manifests/rules/dns/disable.pp +++ b/manifests/rules/dns/disable.pp @@ -1,5 +1,6 @@ +# disable dns acccess class shorewall::rules::dns::disable inherits shorewall::rules::dns { - Shorewall::Rule['net-me-tcp_dns', 'net-me-udp_dns']{ - action => 'DROP', - } + Shorewall::Rules::Dns_rules['net']{ + action => 'DROP', + } } diff --git a/manifests/rules/dns_rules.pp b/manifests/rules/dns_rules.pp new file mode 100644 index 0000000..abe0eb5 --- /dev/null +++ b/manifests/rules/dns_rules.pp 
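Review bot: `Shorewall::Rules::Dns_rules['net']{ action => 'DROP' }` only flips the `net` instance that `shorewall::rules::dns` declares, so any extra `shorewall::rules::dns_rules { 'dmz': }` a user declares stays `ACCEPT` despite the class being named `disable`; a comment stating that scope, e.g. `# only overrides the 'net' rules declared by shorewall::rules::dns`, avoids the surprise. The new header comment also has a typo: `acccess` → `access`.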
@@ -0,0 +1,22 @@
+# open dns port
+define shorewall::rules::dns_rules(
+ $source = $name,
+ $action = 'ACCEPT',
+) {
+ shorewall::rule {
+ "${source}-me-tcp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'tcp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ "${source}-me-udp_dns":
+ source => $source,
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '53',
+ order => 240,
+ action => $action;
+ }
+}
-- cgit v1.2.3
From 8416e792e085025e51524c8404e583fc5ed224bd Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 22 Sep 2013 18:12:09 +0200
Subject: add rules for pyzor
---
 manifests/rules/out/pyzor.pp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 manifests/rules/out/pyzor.pp
diff --git a/manifests/rules/out/pyzor.pp b/manifests/rules/out/pyzor.pp
new file mode 100644
index 0000000..f4f5151
--- /dev/null
+++ b/manifests/rules/out/pyzor.pp
@@ -0,0 +1,12 @@
+# pyzor calls out on 24441
+# https://wiki.apache.org/spamassassin/NetTestFirewallIssues
+class shorewall::rules::out::pyzor {
+ shorewall::rule { 'me-net-udp_pyzor':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '24441',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 288ba2824aa1155a21015b34243371ffc5ba2b1c Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 28 Sep 2013 15:16:21 +0200
Subject: manage new and legacy ports of managesieve
---
 manifests/rules/managesieve.pp | 30 ++++++++++++++++++++++--------
 manifests/rules/out/managesieve.pp | 30 ++++++++++++++++++++++--------
 2 files changed, 44 insertions(+), 16 deletions(-)
diff --git a/manifests/rules/managesieve.pp b/manifests/rules/managesieve.pp
index 63fafcb..ce1c321 100644
--- a/manifests/rules/managesieve.pp
+++ b/manifests/rules/managesieve.pp
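Review bot: The define opens `tcp/53` and `udp/53` from the whole `$source` zone to `$FW`, and the wrapping class `shorewall::rules::dns` feeds it `net`, i.e. the internet; that is right for an authoritative nameserver but turns a recursive resolver into an open resolver usable for amplification. The header `# open dns port` should say so, since the rules cannot tell the two cases apart — e.g. `# Opens DNS (tcp+udp 53) from zone $source to the firewall. Use with 'net' only for authoritative servers; for recursive resolvers restrict $source or rely on the resolver's own ACL.` Documenting `$action` as the knob `shorewall::rules::dns::disable` overrides would round it out.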
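Review bot: `me-net-udp_pyzor` permits outbound `udp/24441` from `$FW` to the entire `net` zone although a pyzor client only talks to a small fixed set of servers (see the linked SpamAssassin page); if egress filtering is the reason this class exists, `destination => 'net:<pyzor server address>'` would narrow it to what is actually needed. This is a least-privilege nit only; the rule as written is functional.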
@@ -1,11 +1,25 @@ -class shorewall::rules::managesieve { +# manage managesieve ports +class shorewall::rules::managesieve( + $legacy_port = false, +) { + shorewall::rule { + 'net-me-tcp_managesieve': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'net-me-tcp_managesieve': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'net-me-tcp_managesieve_legacy': + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } diff --git a/manifests/rules/out/managesieve.pp b/manifests/rules/out/managesieve.pp index b0e1c3d..c4147d4 100644 --- a/manifests/rules/out/managesieve.pp +++ b/manifests/rules/out/managesieve.pp @@ -1,11 +1,25 @@ -class shorewall::rules::out::managesieve { +# manage outgoing traffic to managesieve +class shorewall::rules::out::managesieve( + $legacy_port = false +) { + shorewall::rule { + 'me-net-tcp_managesieve': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '4190', + order => 260, + action => 'ACCEPT'; + } + if $legacy_port { shorewall::rule { - 'me-net-tcp_managesieve': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '2000', - order => 260, - action => 'ACCEPT'; + 'me-net-tcp_managesieve_legacy': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '2000', + order => 260, + action => 'ACCEPT'; } + } } -- cgit v1.2.3 From 46c42177cd05e997a89580e3463b2b63ecb2025d Mon Sep 17 00:00:00 2001 From: o Date: Thu, 19 Dec 2013 19:51:45 +0100 Subject: add rule for openvpn --- manifests/rules/openvpn.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 manifests/rules/openvpn.pp 
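Review bot: `$legacy_port` is undocumented, and its effect — additionally exposing `tcp/2000`, the pre-RFC 5804 ManageSieve port, to the `net` zone — should not have to be inferred from a rule name; a header line such as `# $legacy_port: also open tcp/2000 (pre-RFC 5804 ManageSieve port) for old clients` in both classes would do. Minor: `out::managesieve` declares `$legacy_port = false` without the trailing comma that `managesieve` uses, so the two parameter lists are written inconsistently.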
diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp
new file mode 100644
index 0000000..55a20d2
--- /dev/null
+++ b/manifests/rules/openvpn.pp
@@ -0,0 +1,18 @@
+class shorewall::rules::openvpn {
+ shorewall::rule { 'net-me-openvpn-udp':
+ source => 'net',
+ destination => '$FW',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+ shorewall::rule { 'me-net-openvpn-udp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'udp',
+ destinationport => '1194',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 3d574e179953fc5868b0cd0e972a0dd9b9bda5de Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 28 Dec 2013 16:03:02 +0100
Subject: reduce dependency on lsb modules, rather use the builtin facts
---
 manifests/centos.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/centos.pp b/manifests/centos.pp
index f671bc9..c210506 100644
--- a/manifests/centos.pp
+++ b/manifests/centos.pp
@@ -1,6 +1,6 @@
 # things needed on centos
 class shorewall::centos inherits shorewall::base {
- if $::lsbmajdistrelease > 5 {
+ if $::operatingsystemmajrelease > 5 {
 augeas{'enable_shorewall':
 context => '/files/etc/sysconfig/shorewall',
 changes => 'set startup 1',
-- cgit v1.2.3
From 8ab86e291a3575ae69363c4318fb2222c69dd8a5 Mon Sep 17 00:00:00 2001
From: Lebedev Vadim
Date: Mon, 17 Mar 2014 02:31:09 +0400
Subject: * Add shorewall-blrules support
---
 manifests/blrules.pp | 16 ++++++++++++++++
 templates/blrules.erb | 15 +++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 manifests/blrules.pp
 create mode 100644 templates/blrules.erb
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
new file mode 100644
index 0000000..843a28f
--- /dev/null
+++ b/manifests/blrules.pp
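Review bot: `me-net-openvpn-udp` opens `$FW -> net` on `udp/1194` in addition to the inbound rule, but a host that only runs an OpenVPN *server* never initiates to 1194 — replies are covered by Shorewall's default established/related handling — so for the server case this is an unnecessary egress hole, while a host that is only a *client* needs just the outbound rule. Splitting the two, e.g. a `$client = false` parameter guarding the outbound rule or separate `shorewall::rules::openvpn` / `shorewall::rules::out::openvpn` classes as the module already does for managesieve, keeps each side minimal. The new file also lacks the `# ...` header comment the rest of the module was just lint-fixed to carry; `# open udp/1194 for OpenVPN in both directions` would do.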
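Review bot: `$::operatingsystemmajrelease` only exists on reasonably recent Facter (to my recollection it arrived in 1.7); on an older agent the fact is undef and `undef > 5` on the Puppet 3 parser either raises a comparison error or does not evaluate the way the author expects, so the `startup` fix may be skipped or the run may fail. A guard such as `if $::operatingsystemmajrelease and $::operatingsystemmajrelease > 5 {`, or a README line stating the minimum Facter version, would make the dependency the commit message trades for explicit.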
@@ -0,0 +1,16 @@
+class shorewall::blrules (
+ $whitelists,
+ $drops,
+) {
+ file{'/etc/shorewall/puppet/blrules':
+ content => template("shorewall/blrules.erb"),
+ require => Package['shorewall'],
+ notify => Service['shorewall'],
+ owner => root,
+ group => 0,
+ mode => 0644;
+ }
+}
+
+
+
diff --git a/templates/blrules.erb b/templates/blrules.erb
new file mode 100644
index 0000000..4c9af79
--- /dev/null
+++ b/templates/blrules.erb
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4.4 - Rule-based Blacklisting
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###############################################################################
+<% @whitelists.each do |value| -%>
+WHITELIST <%= value %>
+<% end -%>
+<% @drops.each do |value| -%>
+REJECT <%= value %>
+<% end -%>
-- cgit v1.2.3
From a03b6c47c27100d21cf9d881848a367a3bab20fa Mon Sep 17 00:00:00 2001
From: Lebedev Vadim
Date: Tue, 18 Mar 2014 23:00:32 +0400
Subject: * Add example
---
 manifests/blrules.pp | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/manifests/blrules.pp b/manifests/blrules.pp
index 843a28f..e45739e 100644
--- a/manifests/blrules.pp
+++ b/manifests/blrules.pp
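Review bot: `/etc/shorewall/puppet/blrules` is written as a plain `file` with `mode => 0644`, unlike every other rule file in this module, which goes through `shorewall::managed_file` and ends up `0600` (see a later managed_file.pp hunk); the blacklist and whitelist — which reveal what the operator is defending against and which addresses are trusted — therefore become readable by every local user. `mode => '0600'` matches the rest of the module, and an explicit `require => File['/etc/shorewall/puppet']` would state the ordering instead of relying on parent-directory autorequire. A header comment that the two parameters are arrays of raw blrules source/dest/proto/port columns would also spare callers a template error.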
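Review bot: The `@drops` entries are rendered as `REJECT <%= value %>`, so a blacklisted source receives an ICMP unreachable or TCP RST instead of being dropped; the parameter name `drops` and usual blacklisting practice both imply `DROP`, and answering blacklisted hosts confirms the host is up and costs bandwidth under a flood. Either emit `DROP <%= value %>` or rename the parameter to `rejects` so callers get what the name says; if both are wanted, a third list is cleaner than overloading one. Also `.each` raises if a caller passes a string rather than an array, which the class could at least document since no stdlib validation function is declared as a dependency.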
@@ -1,9 +1,31 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + class shorewall::blrules ( $whitelists, $drops, ) { file{'/etc/shorewall/puppet/blrules': - content => template("shorewall/blrules.erb"), + content => template('shorewall/blrules.erb'), require => Package['shorewall'], notify => Service['shorewall'], owner => root, @@ -11,6 +33,3 @@ class shorewall::blrules ( mode => 0644; } } - - - -- cgit v1.2.3 From 473815ebdf0050c1cb2924891628e3555d10f4b2 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:01:33 +0400 Subject: * Fix typo --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index e45739e..b8fe73f 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -30,6 +30,6 @@ class shorewall::blrules ( notify => Service['shorewall'], owner => root, group => 0, - mode => 0644; + mode => '0644'; } } -- cgit v1.2.3 From 533509b6d3f7ba5d5a6af012ac949ee04c17e39e Mon Sep 17 00:00:00 2001 From: o Date: Wed, 11 Jun 2014 22:15:39 +0200 Subject: add rule for stun --- manifests/rules/jabberserver.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 3b38b29..dd51ca4 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp 
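Review bot: The new usage example passes `options => '...'` to `class { 'shorewall::blrules': ... }`, but the class — its parameter list is visible just below — only accepts `$whitelists` and `$drops`, so copying the example verbatim fails with an invalid-parameter error; that line belongs to the `shorewall::interface` example above it and should be removed from the class declaration. The sample entry `'net all tcp 22', #ssh` also blacklists SSH from the entire `net` zone, which is a surprising thing to leave in a copy-paste example; a comment such as `# example only: this locks SSH out from the whole net zone` would prevent accidents.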
@@ -7,6 +7,13 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; + 'net-me-udp_jabber': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': source => '$FW', destination => 'net', -- cgit v1.2.3 From d918999700676b7b5a7c772b27bb1deca711fa52 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:37:54 +0200 Subject: a cleaner naming --- manifests/rules/jabberserver.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index dd51ca4..0495f61 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -7,7 +7,7 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber': + 'net-me-udp_jabber_stun_server': source => 'net', destination => '$FW', proto => 'udp', -- cgit v1.2.3 From 3219370dff88101acbce453db6df3eaac44712cb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:38:36 +0200 Subject: linting --- manifests/rules/jabberserver.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0495f61..14666a0 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,3 +1,5 @@ +# open ports used by a jabberserver +# in and outbound. class shorewall::rules::jabberserver { shorewall::rule { 'net-me-tcp_jabber': -- cgit v1.2.3 From e7556317e563ade2d2560b382b537376a9f4ec56 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:39:38 +0200 Subject: there might be people who don't have a stun server --- manifests/rules/jabberserver.pp | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 14666a0..0b10420 100644 
--- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp @@ -1,6 +1,8 @@ # open ports used by a jabberserver # in and outbound. -class shorewall::rules::jabberserver { +class shorewall::rules::jabberserver( + $open_stun = true, +) { shorewall::rule { 'net-me-tcp_jabber': source => 'net', @@ -9,13 +11,6 @@ class shorewall::rules::jabberserver { destinationport => '5222,5223,5269', order => 240, action => 'ACCEPT'; - 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': source => '$FW', destination => 'net', @@ -25,4 +20,15 @@ class shorewall::rules::jabberserver { action => 'ACCEPT'; } + if $open_stun { + shorewall::rule { + 'net-me-udp_jabber_stun_server': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; + } + } } -- cgit v1.2.3 From e0a67255fc62e67684ee8ad8597c4eb4a6da6ffb Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jun 2014 09:40:09 +0200 Subject: indentation --- manifests/rules/jabberserver.pp | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/manifests/rules/jabberserver.pp b/manifests/rules/jabberserver.pp index 0b10420..226d627 100644 --- a/manifests/rules/jabberserver.pp +++ b/manifests/rules/jabberserver.pp 
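Review bot: `$open_stun = true` keeps the `udp/3478` rule introduced two commits earlier, but anyone who included `shorewall::rules::jabberserver` before that commit now gets a new internet-reachable UDP port opened on upgrade without opting in; defaulting to `false` follows least privilege and matches how `$legacy_port` was handled for managesieve. If preserving the previous commit's behaviour is the concern, at least document it in the header: `# $open_stun: also accept udp/3478 (STUN) from net - only needed if this host runs a STUN/TURN service`.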
@@ -5,30 +5,30 @@ class shorewall::rules::jabberserver( ) { shorewall::rule { 'net-me-tcp_jabber': - source => 'net', - destination => '$FW', - proto => 'tcp', - destinationport => '5222,5223,5269', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'tcp', + destinationport => '5222,5223,5269', + order => 240, + action => 'ACCEPT'; 'me-net-tcp_jabber_s2s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '5260,5269,5270,5271,5272', - order => 240, - action => 'ACCEPT'; + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '5260,5269,5270,5271,5272', + order => 240, + action => 'ACCEPT'; } if $open_stun { shorewall::rule { 'net-me-udp_jabber_stun_server': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '3478', - order => 240, - action => 'ACCEPT'; + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '3478', + order => 240, + action => 'ACCEPT'; } } } -- cgit v1.2.3 From a297c274cd4de20f64f37bd76bb97fbc750eab05 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 9 Jul 2014 23:25:46 +0200 Subject: get rid off lsb facts --- manifests/init.pp | 11 +---------- manifests/ubuntu/karmic.pp | 5 ----- 2 files changed, 1 insertion(+), 15 deletions(-) delete mode 100644 manifests/ubuntu/karmic.pp diff --git a/manifests/init.pp b/manifests/init.pp index cd6488b..30a0aca 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,17 +13,8 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { - include shorewall::debian - $dist_tor_user = 'debian-tor' - } + debian,ubuntu: { centos: { include shorewall::centos } - ubuntu: { - case $::lsbdistcodename { - karmic: { include shorewall::ubuntu::karmic } - default: { include shorewall::debian } - } - } default: { notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base 
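Review bot: The debian branch no longer sets `$dist_tor_user = 'debian-tor'`, so any rule class elsewhere in the module that reads `$shorewall::dist_tor_user` (presumably a tor rule — none is visible in this diff) now gets undef and would render an empty user match; if the variable is still referenced it should become a class parameter with the same default rather than vanish. A quick grep for `dist_tor_user` across the module before merging would settle it.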
diff --git a/manifests/ubuntu/karmic.pp b/manifests/ubuntu/karmic.pp deleted file mode 100644 index 0df3789..0000000 --- a/manifests/ubuntu/karmic.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::ubuntu::karmic inherits shorewall::debian { - Package['shorewall']{ - name => 'shorewall-shell', - } -} -- cgit v1.2.3 From 19029f91579bf08a7186119322ccd4642642bb49 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 11 Jul 2014 16:36:58 +0200 Subject: fix the missing include --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 30a0aca..128e98d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -13,7 +13,7 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian,ubuntu: { + debian,ubuntu: { include shorewall::debian } centos: { include shorewall::centos } default: { notice "unknown operatingsystem: ${::operatingsystem}" -- cgit v1.2.3 From 00d6c84d5578e61f72f88f816527c333cafb477e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 24 Aug 2014 17:53:09 +0200 Subject: linting --- manifests/base.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 4ee8747..d43ea64 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -27,15 +27,15 @@ class shorewall::base { } } else { - require augeas + require augeas - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Service['shorewall'], - require => Package['shorewall']; - } + augeas { 'shorewall_module_config_path': + changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service['shorewall'], + require => Package['shorewall']; + } } service{'shorewall': -- cgit v1.2.3 From 7ef94b2e8431b669af868547f75742438cac80af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 16 Sep 2014 15:28:50 +0200 Subject: Non string mode is now deprecated --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..2ff88c8 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => 0, mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..9c5758d 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
@@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => 0, mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 5b602647de2abe832be5fbc9329408ea5268ba6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sylvain=20Veyri=C3=A9?= Date: Tue, 16 Sep 2014 15:40:38 +0200 Subject: Deprecated --- manifests/base.pp | 8 ++++---- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index edb0c45..8eee3c0 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -10,14 +10,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': require => Package[shorewall], notify => Service[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; '/etc/shorewall/puppet': ensure => directory, require => Package[shorewall], - owner => root, - group => 0, + owner => 'root', + group => 'root', mode => '0644'; } diff --git a/manifests/debian.pp b/manifests/debian.pp index 2ff88c8..01d108f 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => '0644'; + owner => 'root', group => 'root', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 9c5758d..7061721 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp 
@@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => '0600'; + owner => 'root', group => 'root', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From 27dcb673758d8d7b6325c3448f65b2007493e331 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 17 Oct 2014 12:30:38 +0200 Subject: update a few headers --- files/boilerplate/interfaces.header | 4 ++-- files/boilerplate/policy.header | 8 +++++--- files/boilerplate/zones.header | 11 ++++++----- 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header index 2027523..663e436 100644 --- a/files/boilerplate/interfaces.header +++ b/files/boilerplate/interfaces.header @@ -1,10 +1,10 @@ # -# Shorewall version 3.4 - Interfaces File +# Shorewall version 4 - Interfaces File # # For information about entries in this file, type "man shorewall-interfaces" # # For additional information, see -# http://shorewall.net/Documentation.htm#Interfaces +# http://www.shorewall.net/manpages/shorewall-interfaces.html # ############################################################################### #ZONE INTERFACE BROADCAST OPTIONS diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header index a0c5d5d..cc9781f 100644 --- a/files/boilerplate/policy.header +++ b/files/boilerplate/policy.header 
@@ -1,9 +1,11 @@ # -# Shorewall version 3.4 - Policy File +# Shorewall version 4 - Policy File # # For information about entries in this file, type "man shorewall-policy" # -# See http://shorewall.net/Documentation.htm#Policy for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### -#SOURCE DEST POLICY LOG LIMIT:BURST +#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: +# LEVEL BURST MASK diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header index 8b82c2e..5dada52 100644 --- a/files/boilerplate/zones.header +++ b/files/boilerplate/zones.header @@ -1,11 +1,12 @@ # -# Shorewall version 3.4 - Zones File +# Shorewall version 4 - Zones File # # For information about this file, type "man shorewall-zones" # -# For more information, see http://www.shorewall.net/Documentation.htm#Zones +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-zones.html # ############################################################################### -#ZONE TYPE OPTIONS IN OUT -# OPTIONS OPTIONS -fw firewall +#ZONE TYPE OPTIONS IN OUT +# OPTIONS OPTIONS +fw firewall -- cgit v1.2.3 From 55796b7b8c627ca1a0c85f9f8faa4cabacfccfd2 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 17 Oct 2014 12:44:51 +0200 Subject: make it possible to create resources from hiera --- manifests/init.pp | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 128e98d..f096d86 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -8,7 +8,43 @@ class shorewall( $tor_user = $::operatingsystem ? { 'Debian' => 'debian-tor', default => 'tor' - } + }, + $zones = {}, + $zones_defaults = {}, + $interfaces = {}, + $interfaces_defaults = {}, + $hosts = {}, + $hosts_defaults = {}, + $policy = {}, + $policy_defaults = {}, + $rules = {}, + $rules_defaults = {}, + $rulesections = {}, + $rulesections_defaults = {}, + $masq = {}, + $masq_defaults = {}, + $proxyarp = {}, + $proxyarp_defaults = {}, + $nat = {}, + $nat_defaults = {}, + $blacklist = {}, + $blacklist_defaults = {}, + $rfc1918 = {}, + $rfc1918_defaults = {}, + $routestopped = {}, + $routestopped_defaults = {}, + $params = {}, + $params_defaults = {}, + $tcdevices = {}, + $tcdevices_defaults = {}, + $tcrules = {}, + $tcrules_defaults = {}, + $tcclasses = {}, + $tcclasses_defaults = {}, + $tunnels = {}, + $tunnels_defaults = {}, + $rtrules = {}, + $rtrules_defaults = {}, ) { case $::operatingsystem { 
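Review bot: The 36 new hash parameters carry no documentation, and since their contents become firewall resources via the matching `create_resources` calls, the class header should state the contract, e.g. `# $<type>: hash of { title => { attributes } } passed to the shorewall::<type> defined type; $<type>_defaults: attributes merged into every entry`. It should also say which of these define policy (`$policy`, `$rules`, `$masq`, `$nat`, `$blacklist`) so readers know that write access to those hiera keys is write access to the packet filter. Nothing validates the values are hashes; a `validate_hash(...)` guard (stdlib, if available) turns a malformed hiera entry into a readable compile error.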
@@ -61,4 +97,24 @@ class shorewall( 'rtrules', ]:; } + + create_resources('shorewall::zone',$zones,$zones_defaults) + create_resources('shorewall::interface',$interfaces,$interfaces_defaults) + create_resources('shorewall::host',$hosts,$hosts_defaults) + create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) + create_resources('shorewall::masq',$masq,$masq_defaults) + create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) + create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) + create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) + create_resources('shorewall::routestopped',$routestopped, + $routestopped_defaults) + create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) + create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) + create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) + create_resources('shorewall::tunnel',$tunnels,$tunnels_defaults) + create_resources('shorewall::rtrules',$rtrules,$rtrules_defaults) } -- cgit v1.2.3 From 81b0f114d8a9510286f7fb31b7202bcd86104409 Mon Sep 17 00:00:00 2001 From: duritong Date: Mon, 9 Feb 2015 23:58:30 +0100 Subject: we also support later versions --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 20d1b47..0e61035 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x +modules/shorewall/manifests/init.pp - manage firewalling with shorewall Puppet Module for Shorewall --------------------------- -- cgit v1.2.3 From e61e6805e5a8fe4e39b0c31631491c29f209357c Mon Sep 17 00:00:00 2001 
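Review bot: The defined-type names are passed to `create_resources` on trust and only fail at catalog compile time; `shorewall::rule_section` is the one visible in this series, so `shorewall::params`, `shorewall::tcdevices`, `shorewall::tcrules`, `shorewall::tcclasses` and `shorewall::rtrules` should be checked against manifests/ before this lands. Hiera data flows straight into these calls without a type check, so a non-hash value produces a `create_resources` error rather than a message naming the offending key; `validate_hash` on the inputs (stdlib, if available) fixes that. The line-wrapped `routestopped` call is inconsistent with the other seventeen single-line calls.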
From: Nick Date: Fri, 17 Apr 2015 12:54:57 +0200 Subject: Fix tunnels filename --- manifests/tunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/tunnel.pp b/manifests/tunnel.pp index 2cac922..0e645c8 100644 --- a/manifests/tunnel.pp +++ b/manifests/tunnel.pp @@ -5,7 +5,7 @@ define shorewall::tunnel( $gateway_zones = '', $order = '1' ) { - shorewall::entry { "tunnel-${order}-${name}": + shorewall::entry { "tunnels-${order}-${name}": line => "# ${name}\n${tunnel_type} ${zone} ${gateway} ${gateway_zones}", } } -- cgit v1.2.3 From 07c863098f453d3ce67d64c2ac5c67d8cf4c6a25 Mon Sep 17 00:00:00 2001 From: Nick Date: Fri, 17 Apr 2015 12:59:19 +0200 Subject: Change tunnel managed file --- files/boilerplate/tunnel.footer | 1 - files/boilerplate/tunnel.header | 11 ----------- files/boilerplate/tunnels.footer | 1 + files/boilerplate/tunnels.header | 11 +++++++++++ manifests/init.pp | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) delete mode 100644 files/boilerplate/tunnel.footer delete mode 100644 files/boilerplate/tunnel.header create mode 100644 files/boilerplate/tunnels.footer create mode 100644 files/boilerplate/tunnels.header diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnel.footer deleted file mode 100644 index 5e12d1d..0000000 --- a/files/boilerplate/tunnel.footer +++ /dev/null @@ -1 +0,0 @@ -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header deleted file mode 100644 index 638fd56..0000000 --- a/files/boilerplate/tunnel.header +++ /dev/null @@ -1,11 +0,0 @@ -# -# Shorewall version 4 - Tunnels File -# -# For information about entries in this file, type "man shorewall-tunnels" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-tunnels.html -# -############################################################################### -#TYPE ZONE GATEWAY GATEWAY -# ZONE 
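Review bot: Renaming the entry key to `tunnels-${order}-${name}` only works once the managed file is also called `tunnels`, which the following commit does; taken on its own this commit points the fragments at a concat target that does not exist yet, assuming `shorewall::entry` derives the target from the prefix as managed_file.pp suggests. The two commits should be squashed so the series is bisectable.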
diff --git a/files/boilerplate/tunnels.footer b/files/boilerplate/tunnels.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tunnels.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnels.header b/files/boilerplate/tunnels.header new file mode 100644 index 0000000..638fd56 --- /dev/null +++ b/files/boilerplate/tunnels.header @@ -0,0 +1,11 @@ +# +# Shorewall version 4 - Tunnels File +# +# For information about entries in this file, type "man shorewall-tunnels" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-tunnels.html +# +############################################################################### +#TYPE ZONE GATEWAY GATEWAY +# ZONE diff --git a/manifests/init.pp b/manifests/init.pp index f096d86..5966bed 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -92,7 +92,7 @@ class shorewall( # http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html - 'tunnel', + 'tunnels', # See http://www.shorewall.net/MultiISP.html 'rtrules', ]:; -- cgit v1.2.3 From 79503b830d17af99427c69eb64c2e21a7c36485f Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Fri, 29 Apr 2016 12:59:26 +0300 Subject: * fix permission --- manifests/debian.pp | 2 +- manifests/managed_file.pp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/debian.pp b/manifests/debian.pp index c7ed607..c439871 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -3,7 +3,7 @@ class shorewall::debian inherits shorewall::base { content => template("shorewall/debian_default.erb"), require => Package['shorewall'], notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; + owner => root, group => '0', mode => '0644'; } Service['shorewall']{ status => '/sbin/shorewall status' 
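Review bot: This commit and the earlier `Non string mode is now deprecated`/`Deprecated` commits both start from blob `c7ed607` and rewrite the same line of manifests/debian.pp to different results — `group => '0'` here versus `group => 'root'` there — so merging the two branches will conflict on this line and on the identical line in manifests/managed_file.pp in the next hunk. Pick one representation; `'0'` is the safer choice since it preserves the original numeric group whatever name GID 0 carries in /etc/group. `owner => root` is still a bareword while the neighbouring values were quoted.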
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index d564daa..75326b8 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -2,7 +2,7 @@ define shorewall::managed_file () { concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], - owner => root, group => 0, mode => 0600; + owner => root, group => '0', mode => '0600'; } concat::fragment { "${name}-header": -- cgit v1.2.3 From c02b8c963d16c3f56b571a273623feab629cf752 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 28 May 2016 10:45:46 +0200 Subject: the section requires a ? since EL6 --- manifests/rule_section.pp | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..d853f70 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,13 @@ +# a rule section marker define shorewall::rule_section( - $order + $order ){ - shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", - } + if $::operatingsystem == 'CentOS' and versioncmp($::operatingsystemmajrelease,'6') > 0 { + $prefix = '?SECTION' + } else { + $prefix = 'SECTION' + } + shorewall::entry{"rules-${order}-${name}": + line => "${prefix} ${name}", + } } -- cgit v1.2.3 From 2e1250278283e039cae9a37f3cdfa8dd16791f5f Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:09:14 +0200 Subject: this is only needed on EL6 --- manifests/centos.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/centos.pp b/manifests/centos.pp index 1f8b37d..ff8c6ad 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,6 +1,6 @@ # things needed on centos class shorewall::centos inherits shorewall::base { - if versioncmp($::operatingsystemmajrelease,'5') > 0 { + if $::operatingsystemmajrelease == '6' { augeas{'enable_shorewall': context => '/files/etc/sysconfig/shorewall', changes => 'set startup 1', -- cgit v1.2.3 
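Review bot: `versioncmp($::operatingsystemmajrelease,'6') > 0` is true only for EL7 and later, while the commit message says the `?SECTION` form is needed since EL6; if EL6 is meant the test should be `>= 0`. The `?` prefix is a property of the Shorewall release, not of the distribution, so keying it on `$::operatingsystem == 'CentOS'` misses any other distro shipping a recent Shorewall (later commits in this series switch to a `shorewall_major_version` fact for that reason). On nodes where the fact is unset `versioncmp` is handed undef, which raises under Puppet 4 as a later commit message in this series notes.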
From 90f61d5178b5cb0d879d175e3c9f8cfdc8b56f09 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:13:09 +0200 Subject: modernize lookup --- templates/debian_default.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/debian_default.erb b/templates/debian_default.erb index ec64cbe..8a9e328 100644 --- a/templates/debian_default.erb +++ b/templates/debian_default.erb @@ -3,7 +3,7 @@ # This file is brought to you by puppet -startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %> +startup=<%= ['0',false].include?(scope['shorewall::startup']) ? '0' : '1' %> # if your Shorewall configuration requires detection of the ip address of a ppp # interface, you must list such interfaces in "wait_interface" to get Shorewall to -- cgit v1.2.3 From 543ae812999f35008a835db19b22874d5f6e923c Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 25 Jun 2016 15:13:31 +0200 Subject: make this a boolean --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..84ba76a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,6 @@ # Manage shorewall on your system class shorewall( - $startup = '1', + $startup = true, $conf_source = false, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', -- cgit v1.2.3 From 4a0cfbb26e072d12bcb14a31ef8b6f69e190d42e Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 26 Jun 2016 13:39:04 +0200 Subject: modernize so we don't need to deploy a full config file anymore --- manifests/base.pp | 22 ++++++++++++++-------- manifests/config_setting.pp | 18 ++++++++++++++++++ manifests/config_settings.pp | 10 ++++++++++ manifests/init.pp | 4 ++++ 4 files changed, 46 insertions(+), 8 deletions(-) create mode 100644 manifests/config_setting.pp create mode 100644 manifests/config_settings.pp diff --git a/manifests/base.pp b/manifests/base.pp index 0cf3dc6..cf8811b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -27,14 +27,20 @@ class shorewall::base { } } else { - Class['augeas'] -> Class['shorewall::base'] - - augeas { 'shorewall_module_config_path': - changes => 'set /files/etc/shorewall/shorewall.conf/CONFIG_PATH \'"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"\'', - lens => 'Shellvars.lns', - incl => '/etc/shorewall/shorewall.conf', - notify => Exec['shorewall_check'], - require => Package['shorewall']; + if str2bool($shorewall::startup) { + $startup_str = 'Yes' + } else { + $startup_str = 'No' + } + shorewall::config_setting{ + 'CONFIG_PATH': + value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\""; + 'STARTUP_ENABLED': + value => $startup_str; + } + shorewall::config_settings{ + keys($shorewall::settings): + settings => $shorewall::settings; } } diff --git a/manifests/config_setting.pp b/manifests/config_setting.pp new file mode 100644 index 0000000..5eecf42 --- /dev/null +++ b/manifests/config_setting.pp @@ -0,0 +1,18 @@ +# set a particular config option +# +# e.g. +# shorewall::config_setting{ +# 'CONFIG_PATH': +# value => '"/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"' +# } +define shorewall::config_setting( + $value, +){ + augeas { "shorewall_module_${name}": + changes => "set /files/etc/shorewall/shorewall.conf/${name} ${value}", + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Exec['shorewall_check'], + require => Package['shorewall']; + } +} diff --git a/manifests/config_settings.pp b/manifests/config_settings.pp new file mode 100644 index 0000000..69eb380 --- /dev/null +++ b/manifests/config_settings.pp @@ -0,0 +1,10 @@ +# a nice wrapper to make hiera config +# a bit easier +define shorewall::config_settings( + $settings, +){ + shorewall::config_setting{ + $name: + value => $settings[$name], + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 84ba76a..ede0be2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
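Review bot: `shorewall::config_setting` interpolates `$name` and `$value` verbatim into the augeas `set` command, so a value containing whitespace, `$` or quotes has to be pre-quoted by the caller (the `CONFIG_PATH` value shows the escaped-`"` dance required) and a key containing spaces or `/` would be parsed as extra path components; because `$shorewall::settings` comes from hiera, the define should validate `$name` (e.g. `validate_re($name, '^[A-Z0-9_]+$')`) and document that `$value` is written into shorewall.conf exactly as given. Removing `Class['augeas'] -> Class['shorewall::base']` drops the only ordering that guaranteed the augeas lenses were installed before the first `augeas` resource applies; if the augeas class is still declared elsewhere, keep the relationship. The `keys($shorewall::settings)` resource title is replaced in the next commit, so only these two points remain.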
@@ -2,6 +2,10 @@ class shorewall( $startup = true, $conf_source = false, + $settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => 'Yes', + }, $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', -- cgit v1.2.3 From caadcdbd3be5c32120b0cbe5071cb702330a0243 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 26 Jun 2016 14:02:55 +0200 Subject: older puppet versions can't yet dealt with that --- manifests/base.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index cf8811b..22ef555 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -38,8 +38,9 @@ class shorewall::base { 'STARTUP_ENABLED': value => $startup_str; } + $cfs = keys($shorewall::settings) shorewall::config_settings{ - keys($shorewall::settings): + $cfs: settings => $shorewall::settings; } } -- cgit v1.2.3 From 10576074788edae1c77b0b9c51949bee5a25f1d6 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:52:16 +0300 Subject: * fix rule section --- manifests/rule_section.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..3f2ecc5 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,11 @@ define shorewall::rule_section( $order ){ + $rule_section_prefix = $shorewall_major_version ? { + '5' => '?' + } + shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } -- cgit v1.2.3 From 3b623df1f88adf2a177829dacae822dec2c3c7d0 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:54:03 +0300 Subject: * add shorewal version facter --- lib/facter/shorewall_major_version.rb | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 lib/facter/shorewall_major_version.rb 
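Review bot: `$settings` defaults to a hash, and Puppet replaces rather than merges a hash parameter when the user supplies one, so a hiera entry that only sets `LOG_MARTIANS` silently drops `DISABLE_IPV6 => 'Yes'` and with it the IPv6 blocking that setting provides. Document that on the parameter, e.g. `# $settings: shorewall.conf keys written via augeas; an override replaces the whole hash, so repeat DISABLE_IPV6/LOG_MARTIANS to keep them`. Defaulting to `DISABLE_IPV6 => 'Yes'` also deserves a README sentence, since it is surprising on hosts that run shorewall6 alongside.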
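Review bot: The selector `$shorewall_major_version ? { '5' => '?' }` has no `default` arm, so on any node whose fact is not exactly `'5'` — Shorewall 4.x, or a node where shorewall is not installed yet and the fact is undef — catalog compilation fails with a no-matching-value error; add `default => ''`. The fact is top-scope and should be referenced as `$::shorewall_major_version` so a same-named variable in an enclosing scope cannot shadow it. Later commits in this series (`also support the older versions`, `correct decision`) replace this selector with `versioncmp`.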
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
new file mode 100644
index 0000000..a733842
--- /dev/null
+++ b/lib/facter/shorewall_major_version.rb
@@ -0,0 +1,5 @@
+Facter.add("shorewall_major_version") do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil
+ end
+end
-- cgit v1.2.3
From 8b20a24773e646a827f5bd9eb6030bfcbf12137d Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 23 Sep 2016 23:58:27 +0200
Subject: add tor out rule
---
manifests/rules/out/tor.pp | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 manifests/rules/out/tor.pp
diff --git a/manifests/rules/out/tor.pp b/manifests/rules/out/tor.pp
new file mode 100644
index 0000000..b4128d0
--- /dev/null
+++ b/manifests/rules/out/tor.pp
@@ -0,0 +1,11 @@
+# open outgoing port to connect to the network
+class shorewall::rules::out::tor {
+ shorewall::rule{'me-net-tor-tcp':
+ source => '$FW',
+ destination => 'net',
+ proto => 'tcp',
+ destinationport => '9001',
+ order => 240,
+ action => 'ACCEPT';
+ }
+}
-- cgit v1.2.3
From 5bbdd438b0fbdefabd9a8542535cdfc60882866e Mon Sep 17 00:00:00 2001
From: Marknl
Date: Tue, 27 Dec 2016 12:08:51 +0100
Subject: Create conntrack.header
---
files/boilerplate/conntrack.header | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 files/boilerplate/conntrack.header
diff --git a/files/boilerplate/conntrack.header b/files/boilerplate/conntrack.header
new file mode 100644
index 0000000..2db7bda
--- /dev/null
+++ b/files/boilerplate/conntrack.header
@@ -0,0 +1,10 @@
+#
+# Shorewall -- /etc/shorewall/conntrack
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+?FORMAT 3
+######################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH
+
+?if $AUTOHELPERS && __CT_TARGET
-- cgit v1.2.3
From f4648a11950120b553e96e3859e7d8131329ae59 Mon Sep 17 00:00:00 2001
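Review bot: `Facter::Util::Resolution.exec('shorewall version')` returns nil when the binary is absent (first run, before `Package['shorewall']` is installed), and calling `.split` on nil raises, so the fact errors instead of resolving to nothing; guard it with `out = Facter::Util::Resolution.exec('shorewall version'); out.split('.').first if out`. The trailing `|| nil` is redundant because indexing an empty array already yields nil. This is exactly the failure the later `Fix fact for when shorewall is not yet installed` commit in this series describes.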
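Review bot: The rule opens only TCP 9001 outbound, i.e. the default Tor ORPort, so a client or relay talking to relays that listen on 443, 9030 (DirPort) or other ports is still stopped by the `$FW`→`net` policy; the header comment should say so, e.g. `# allow outgoing TCP to the default Tor ORPort (9001) only; peers on other ports need extra rules`. If the class is meant for a Tor client, restricting the rule to the tor user (the class already carries `$tor_user`) would be a tighter match than opening the port for every local process, provided `shorewall::rule` exposes the USER column.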
From: Marknl Date: Tue, 27 Dec 2016 12:09:21 +0100 Subject: Create conntrack.footer --- files/boilerplate/conntrack.footer | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 files/boilerplate/conntrack.footer diff --git a/files/boilerplate/conntrack.footer b/files/boilerplate/conntrack.footer new file mode 100644 index 0000000..8648c65 --- /dev/null +++ b/files/boilerplate/conntrack.footer @@ -0,0 +1,3 @@ + +?endif +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE -- cgit v1.2.3 From 45c62306c1e0a3749a06db14deb4c7eb10cf9bee Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:10:51 +0100 Subject: Added conntrack to managed files --- manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 5966bed..6ee8c5d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -95,6 +95,8 @@ class shorewall( 'tunnels', # See http://www.shorewall.net/MultiISP.html 'rtrules', + # See http://shorewall.net/manpages/shorewall-conntrack.html + 'conntrack', ]:; } -- cgit v1.2.3 From 78b2f91caf4c7ade2630376c9c326773fdd5ef3c Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 27 Dec 2016 12:12:10 +0100 Subject: Conntrack helper --- manifests/conntrack/helper.pp | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 manifests/conntrack/helper.pp diff --git a/manifests/conntrack/helper.pp b/manifests/conntrack/helper.pp new file mode 100644 index 0000000..ea7fb2e --- /dev/null +++ b/manifests/conntrack/helper.pp 
@@ -0,0 +1,32 @@ +# Class for managing conntrack file: Helpers +# +# See http://shorewall.net/manpages/shorewall-conntrack.html for more info. +# The $name defines the helper, so this needs to match one of the helpers +# in the documentation. +define shorewall::conntrack::helper( + $ensure = present, + $options = '', + $source = '-', + $destination = '-', + $proto, + $destinationport, + $sourceport = '', + $user = '', + $switch = '', + $chain = 'PO', + $order +) { + + $_helper = sprintf("__%s_HELPER", upcase($name)) + $_chain = ":${chain}" + $_options = '' + + if ($options != '') { + $_options = "(${options})" + } + + shorewall::entry{"conntrack-${order}-${name}": + ensure => $ensure, + line => "?if ${_helper}\nCT:helper:${name}${_options}${_chain} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${$user} ${switch}\n?endif" + } +} -- cgit v1.2.3 From 32c97619505a28d6f9838d9ebc109f472687fe4f Mon Sep 17 00:00:00 2001 From: Marknl Date: Tue, 10 Jan 2017 11:21:20 +0100 Subject: Added $host option Current rule.pp converts the $name into the "HOST" parameter in the file, this can result in these definitions: ```shorewall::host { 'eth0:$VPN_HOSTS': zone => 'vpn', options => 'ipsec', order => 200; }``` I suggest moving the variable usage from the $name into a $host parameter, so above example becomes: ```shorewall::host { 'vpn-hosts': zone => 'vpn', host => 'eth0:$VPN_HOSTS', options => 'ipsec', order => 200; }``` --- manifests/host.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/host.pp b/manifests/host.pp index f400223..2510ca7 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,10 +1,11 @@ define shorewall::host( $zone, + $host, $options = 'tcpflags,blacklist,norfc1918', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": - line => "${zone} ${name} ${options}" + line => "#${name}\n${zone} ${host} ${options}" } } -- cgit v1.2.3 From a7b138d73ea419afa82c83d1b4d607a5a5d5ddee Mon Sep 17 00:00:00 2001 
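Review bot: `$_options = ''` followed by `$_options = "(${options})"` inside the `if` reassigns a variable, which Puppet rejects at compile time (`Cannot reassign variable`), so this define cannot be used as written; a selector picks the value once. The empty-string defaults for `$sourceport`, `$user` and `$switch` are a second problem: shorewall splits the line on whitespace, so an empty field collapses and the remaining columns shift left (a `$switch` value would be read as USER) — use `-` as the placeholder the way `$source`/`$destination` already do. `${$user}` should be `${user}` for consistency and `$ensure = present` should be quoted.
```puppet
define shorewall::conntrack::helper(
  $ensure = 'present',
  $options = '',
  $source = '-',
  $destination = '-',
  $proto,
  $destinationport,
  $sourceport = '-',
  $user = '-',
  $switch = '-',
  $chain = 'PO',
  $order
) {
  $_helper = sprintf('__%s_HELPER', upcase($name))
  $_chain  = ":${chain}"
  # variables are immutable in Puppet: choose the value once instead of reassigning it
  $_options = $options ? {
    ''      => '',
    default => "(${options})",
  }
  # … unchanged: shorewall::entry declaration, with ${user} in place of ${$user} …
}
```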
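Review bot: Making `$host` a required parameter breaks every existing `shorewall::host { 'eth0:$VPN_HOSTS': … }` declaration, which now fails at compile time with a missing-parameter error; defaulting it to the title (`$host = $name`) keeps the old call form working while allowing the new one, which is what the later `Use $name for backwards compatibility` commit in this series does. Since the title now lands in the hosts file as a `#${name}` comment line, a one-line note in the define saying the title is emitted verbatim would help callers choose it.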
From: Marknl Date: Wed, 11 Jan 2017 22:52:36 +0100 Subject: Brought $name back into the game for backw. compat --- manifests/host.pp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/manifests/host.pp b/manifests/host.pp index 2510ca7..1bd56cc 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,11 +1,15 @@ define shorewall::host( $zone, - $host, + $host = undef, $options = 'tcpflags,blacklist,norfc1918', - $order='100' + $order ='100' ){ + + unless $host == undef { + $host = $name + } + shorewall::entry{"hosts-${order}-${name}": line => "#${name}\n${zone} ${host} ${options}" } } - -- cgit v1.2.3 From 9d36decac41bf6cda6f09adfce76e6ef9138205f Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 12 Jan 2017 11:30:49 +0100 Subject: connect docu with class --- manifests/blrules.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index b8fe73f..7f3953b 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -18,8 +18,7 @@ # 'net all tcp 22', #ssh # ], # } - - +# class shorewall::blrules ( $whitelists, $drops, -- cgit v1.2.3 From c868850e3161c69d01b7caf05192d625fc1df0c1 Mon Sep 17 00:00:00 2001 From: Marknl Date: Thu, 12 Jan 2017 13:17:21 +0100 Subject: Use $name for backwards compatibility --- manifests/host.pp | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/manifests/host.pp b/manifests/host.pp index 1bd56cc..d2a73ce 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,13 +1,9 @@ define shorewall::host( $zone, - $host = undef, + $host = $name, $options = 'tcpflags,blacklist,norfc1918', $order ='100' ){ - - unless $host == undef { - $host = $name - } shorewall::entry{"hosts-${order}-${name}": line => "#${name}\n${zone} ${host} ${options}" -- cgit v1.2.3 From 4557aa6dff84fe6189a1ea7af39bbc63c2c00628 Mon Sep 17 00:00:00 2001 
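Review bot: `unless $host == undef { $host = $name }` is inverted — it runs when `$host` is set — and it reassigns a parameter, which Puppet forbids, so the define fails to compile either way; `$host = $name` as the parameter default (what the next commit does) is the whole fix. Testing `== undef` is also unreliable in Puppet 3, where `'' == undef` evaluates true.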
From: mh Date: Fri, 13 Jan 2017 16:40:38 +0100 Subject: mory rubyism --- lib/facter/shorewall_major_version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index a733842..0068b48 100644 --- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb @@ -1,5 +1,5 @@ Facter.add("shorewall_major_version") do setcode do - Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil + Facter::Util::Resolution.exec('shorewall version').split('.').first || nil end end -- cgit v1.2.3 From b8514959659822868ec1a6b3922854497256338a Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:42:22 +0100 Subject: also support the older versions --- manifests/rule_section.pp | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 08e5708..9315046 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,9 +1,11 @@ # a rule section marker define shorewall::rule_section( - $order + $order, ){ - $rule_section_prefix = $shorewall_major_version ? { - '5' => '?' + if versioncmp($shorewall_major_version,'5') < 0 { + $rule_section_prefix = '?' + } else { + $rule_section_prefix = '' } shorewall::entry{"rules-${order}-${name}": -- cgit v1.2.3 From 9e82e791f01a85c5ab25c5311ba962d2ca2c7b24 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:54:23 +0100 Subject: correct decision --- manifests/rule_section.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 9315046..0a8b4bb 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -2,7 +2,7 @@ define shorewall::rule_section( $order, ){ - if versioncmp($shorewall_major_version,'5') < 0 { + if versioncmp($shorewall_major_version,'4') > 0 { $rule_section_prefix = '?' } else { $rule_section_prefix = '' -- cgit v1.2.3 
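Review bot: `versioncmp($shorewall_major_version,'5') < 0` gives the `?` prefix to Shorewall 4 and none to Shorewall 5, which is backwards — 5 is the release that requires `?SECTION` — and the very next commit (`correct decision`) flips it to `> 0` against `'4'`. Independently of the direction, `versioncmp` on an undef fact raises under Puppet 4, so a node where shorewall is not yet installed cannot compile a catalog until the fact yields a string; the later facter fix in this series papers over that with `'-1'`. Reference the fact as `$::shorewall_major_version`.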
From 2b75a0321bc9e65f4e9e6cf34b708a3d40318731 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Tue, 31 Jan 2017 12:16:33 -0800 Subject: don't include augeas due to conflict with riseup_common --- manifests/base.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index 6599759..9d65b7b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -27,7 +27,8 @@ class shorewall::base { } } else { - include ::augeas + # riseup commented due to redeclare + #include ::augeas Class['augeas'] -> Class['shorewall::base'] augeas { 'shorewall_module_config_path': -- cgit v1.2.3 From 0cd2a305f7fd9ba830a1fa3de25428ffa71d39f7 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 1 Feb 2017 21:42:50 -0500 Subject: Fix fact for when shorewall is not yet installed. When a node has puppet run for the first time, shorewall may not be installed. In that case there are a few problems that appear in puppet4: 1. Warning: Facter: Could not retrieve fact='shorewall_major_version', resolution='': undefined method `split' for nil:NilClass This is because running 'shorewall version' fails and so results in a nil, and the split cannot be done on a nil. That is solved by first running the 'shorewall version' and setting a variable. If that variable is not nil, then we can split off of that 2. Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, 'versioncmp' parameter 'a' expects a String value, got Undef This happens because the shorewall_version is set to Undef, but we need to have it set to a String. So we set the variable to '-1' if it is not installed. --- lib/facter/shorewall_major_version.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index 0068b48..9c53ec2 100644 
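Review bot: Commenting out `include ::augeas` while keeping `Class['augeas'] -> Class['shorewall::base']` makes the module depend on some other code declaring `class augeas`; on a node where nothing else does, the catalog now fails with an unknown resource `Class[Augeas]`. A workaround for a redeclaration conflict with `riseup_common` belongs in that site's profile, or behind a parameter such as `$manage_augeas = true` that defaults to the old behaviour, rather than as a commented line in the shared module; at minimum the comment should name the error and the class expected to provide augeas. The enclosing `else` branch continues outside the hunk.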
--- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb @@ -1,5 +1,10 @@ Facter.add("shorewall_major_version") do setcode do - Facter::Util::Resolution.exec('shorewall version').split('.').first || nil + shorewall_version = Facter::Util::Resolution.exec('shorewall version') + if shorewall_version != nil + shorewall_major_version = shorewall_version.split('.').first + else + shorewall_major_version = '-1' + end end end -- cgit v1.2.3 From 69eac26f08e65eb288e526abd85e34e639369fb0 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:54:03 +0300 Subject: * add shorewal version facter --- lib/facter/shorewall_major_version.rb | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 lib/facter/shorewall_major_version.rb diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb new file mode 100644 index 0000000..a733842 --- /dev/null +++ b/lib/facter/shorewall_major_version.rb @@ -0,0 +1,5 @@ +Facter.add("shorewall_major_version") do + setcode do + Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil + end +end -- cgit v1.2.3 From f35965e0d13c5a20213046f7facbfd609d418545 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Wed, 29 Jun 2016 18:52:16 +0300 Subject: * fix rule section --- manifests/rule_section.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 82984ca..3f2ecc5 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,11 @@ define shorewall::rule_section( $order ){ + $rule_section_prefix = $shorewall_major_version ? { + '5' => '?' + } + shorewall::entry{"rules-${order}-${name}": - line => "SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", } } -- cgit v1.2.3 From ba8d84a98b4193867f3edda7fc3f497fd7edc373 Mon Sep 17 00:00:00 2001 
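Review bot: The nil guard covers the binary-missing case, but `Facter::Util::Resolution.exec` can presumably also hand back an empty string (command present, no usable output), and `''.split('.').first` is nil again, so `shorewall_major_version` would still be undef and the `versioncmp` failure described in the message would recur; check `if shorewall_version && !shorewall_version.strip.empty?` instead. The `'-1'` sentinel also deserves a comment: because `versioncmp('-1','4') > 0` is false, a first run that installs Shorewall 5 in the same catalog writes bare `SECTION` lines and will presumably need a second run (fresh facts) before the rules compile, e.g. `# '-1' = not installed; consumers fall back to the pre-4.6 syntax on the first run`.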
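Review bot: The fact shells out to `shorewall version` unconditionally, which both raises (nil has no `split`) on hosts without the package and spawns a process on every facter run everywhere. Confine it to nodes that actually have the binary, `confine { Facter::Util::Resolution.which('shorewall') }`, so the fact is simply absent elsewhere rather than erroring, and document that consumers must handle the absent case.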
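Review bot: The selector `$shorewall_major_version ? { '5' => '?' }` has no `default` arm, so on every node whose Shorewall is not major 5 — or where the fact is missing because the package is not installed yet — compilation aborts with a "No matching value for selector" error and the old `SECTION ${name}` line is never produced. Add `default => '',` so 4.x keeps the legacy syntax; the `shorewall::entry` that emits the line is in the same define just below.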
From: Lebedev Vadim Date: Mon, 17 Mar 2014 02:31:09 +0400 Subject: * Add shorewall-blrules support --- manifests/blrules.pp | 16 ++++++++++++++++ templates/blrules.erb | 15 +++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 manifests/blrules.pp create mode 100644 templates/blrules.erb diff --git a/manifests/blrules.pp b/manifests/blrules.pp new file mode 100644 index 0000000..843a28f --- /dev/null +++ b/manifests/blrules.pp @@ -0,0 +1,16 @@ +class shorewall::blrules ( + $whitelists, + $drops, +) { + file{'/etc/shorewall/puppet/blrules': + content => template("shorewall/blrules.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, + group => 0, + mode => 0644; + } +} + + + diff --git a/templates/blrules.erb b/templates/blrules.erb new file mode 100644 index 0000000..4c9af79 --- /dev/null +++ b/templates/blrules.erb @@ -0,0 +1,15 @@ +# +# Shorewall version 4.4 - Rule-based Blacklisting +# +# For information about entries in this file, type "man shorewall-blrules" +# +# Please see http://shorewall.net/blacklisting_support.htm for additional +# information. +# +############################################################################### +<% @whitelists.each do |value| -%> +WHITELIST <%= value %> +<% end -%> +<% @drops.each do |value| -%> +REJECT <%= value %> +<% end -%> -- cgit v1.2.3 From 4c69a621db40f60a3f43e6587e6367dbf8cbfb1a Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:00:32 +0400 Subject: * Add example --- manifests/blrules.pp | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index 843a28f..e45739e 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp 
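Review bot: `$whitelists` and `$drops` are required parameters with no type check, and the template calls `.each` on them, so a single string from Hiera surfaces as a NoMethodError inside blrules.erb rather than a clear parameter error; give both an empty-array default and validate them, `$whitelists = [], $drops = [],` plus `validate_array($whitelists, $drops)` from stdlib. The file is also written to `/etc/shorewall/puppet/blrules` without going through `shorewall::managed_file`, so it relies on CONFIG_PATH listing that directory — worth a one-line comment at the `file{` resource, e.g. `# not a managed_file: shorewall finds it via CONFIG_PATH (see README)`.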
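Review bot: The `@drops` entries are emitted as `REJECT`, which actively answers blacklisted sources (ICMP unreachable / TCP RST) and so both contradicts the parameter's name and tells a scanner that the host is alive; for a blacklist the quiet choice is `DROP <%= value %>`, or rename the parameter to `rejects` if the reply is intentional. Each value is also interpolated verbatim into the rules file, so anything after the first whitespace becomes further columns — acceptable for trusted Hiera data, but state it in the header, e.g. `# values are raw shorewall-blrules(5) column text; no escaping is done`.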
@@ -1,9 +1,31 @@ +# Manage blrules. For additional information type "man shorewall-blrules" +# +# Sample Usage: +# +# shorewall::interface { 'br0': +# zone => 'net', +# rfc1918 => true, +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# } +# +# class { 'shorewall::blrules': +# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# whitelists => [ +# "net:10.0.0.1,192.168.0.1 all", +# ], +# +# drops => [ +# 'net all tcp 22', #ssh +# ], +# } + + class shorewall::blrules ( $whitelists, $drops, ) { file{'/etc/shorewall/puppet/blrules': - content => template("shorewall/blrules.erb"), + content => template('shorewall/blrules.erb'), require => Package['shorewall'], notify => Service['shorewall'], owner => root, @@ -11,6 +33,3 @@ class shorewall::blrules ( mode => 0644; } } - - - -- cgit v1.2.3 From ea4721adecb9c8e0f5542c498b341a8ad87e0355 Mon Sep 17 00:00:00 2001 From: Lebedev Vadim Date: Tue, 18 Mar 2014 23:01:33 +0400 Subject: * Fix typo --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index e45739e..b8fe73f 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -30,6 +30,6 @@ class shorewall::blrules ( notify => Service['shorewall'], owner => root, group => 0, - mode => 0644; + mode => '0644'; } } -- cgit v1.2.3 From e6a2b00207b0ec495b81e44e8d90acffcf1bb166 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:40:38 +0100 Subject: mory rubyism --- lib/facter/shorewall_major_version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index a733842..0068b48 100644 --- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb 
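Review bot: The sample usage in the new header passes `options =>` to `class { 'shorewall::blrules': ... }`, but the class only declares `$whitelists` and `$drops`, so anyone pasting the example gets an "Invalid parameter options" compile error; drop that line from the class example (it belongs to the `shorewall::interface` block above it). The quoting change to `template('shorewall/blrules.erb')` is fine.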
@@ -1,5 +1,5 @@ Facter.add("shorewall_major_version") do setcode do - Facter::Util::Resolution.exec('shorewall version').split('.')[0] || nil + Facter::Util::Resolution.exec('shorewall version').split('.').first || nil end end -- cgit v1.2.3 From b6698ab18b4522a621d534a6e214219247ce3afc Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:42:22 +0100 Subject: cherry pick fixes for 5.x Conflicts: manifests/rule_section.pp --- manifests/rule_section.pp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 3f2ecc5..35e46b2 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,8 +1,10 @@ define shorewall::rule_section( $order ){ - $rule_section_prefix = $shorewall_major_version ? { - '5' => '?' + if versioncmp($shorewall_major_version,'5') < 0 { + $rule_section_prefix = '?' + } else { + $rule_section_prefix = '' } shorewall::entry{"rules-${order}-${name}": -- cgit v1.2.3 From 50acce5dee1b76746f81d7c300913dd7d58021d4 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 13 Jan 2017 16:54:23 +0100 Subject: correct decision --- manifests/rule_section.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 35e46b2..f5fa785 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,7 @@ define shorewall::rule_section( $order ){ - if versioncmp($shorewall_major_version,'5') < 0 { + if versioncmp($shorewall_major_version,'4') > 0 { $rule_section_prefix = '?' } else { $rule_section_prefix = '' -- cgit v1.2.3 From 334332c38f0044d54c1b7166f727bfa480cb0a84 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Fri, 10 Feb 2017 15:02:44 -0500 Subject: Merge two facts: shorewall_version && shorewall_major_version. The first one would be line 1 and the second one would take the value of the first fact and do the stuff we see here. --- lib/facter/shorewall_major_version.rb | 10 ---------- lib/facter/shorewall_version.rb | 10 ++++++++++ 2 files changed, 10 insertions(+), 10 deletions(-) delete mode 100644 lib/facter/shorewall_major_version.rb create mode 100644 lib/facter/shorewall_version.rb diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb deleted file mode 100644 index 9c53ec2..0000000 --- a/lib/facter/shorewall_major_version.rb +++ /dev/null @@ -1,10 +0,0 @@ -Facter.add("shorewall_major_version") do - setcode do - shorewall_version = Facter::Util::Resolution.exec('shorewall version') - if shorewall_version != nil - shorewall_major_version = shorewall_version.split('.').first - else - shorewall_major_version = '-1' - end - end -end diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb new file mode 100644 index 0000000..9c53ec2 --- /dev/null +++ b/lib/facter/shorewall_version.rb @@ -0,0 +1,10 @@ +Facter.add("shorewall_major_version") do + setcode do + shorewall_version = Facter::Util::Resolution.exec('shorewall version') + if shorewall_version != nil + shorewall_major_version = shorewall_version.split('.').first + else + shorewall_major_version = '-1' + end + end +end -- cgit v1.2.3 From e0248f504ada8efb5184f43cbaf61097ce1ddd65 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 10 Feb 2017 15:10:09 -0500 Subject: remove redundant fact --- lib/facter/shorewall_major_version.rb | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 lib/facter/shorewall_major_version.rb diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb deleted file mode 100644 index 0068b48..0000000 --- a/lib/facter/shorewall_major_version.rb +++ /dev/null 
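Review bot: The new `lib/facter/shorewall_version.rb` still registers `Facter.add("shorewall_major_version")` with byte-identical content (index `9c53ec2..9c53ec2`), so no `shorewall_version` fact exists after this commit and the two-fact split described in the message is not implemented — the only effect is that the fact's file name now disagrees with its name. Define the raw fact and derive the major from it as sketched below, confining the raw fact so it is cleanly absent (rather than `'-1'`) where the binary is missing; consumers such as rule_section.pp then need to handle the absent case explicitly. Block-form `confine` needs Facter 2 or later.
```ruby
Facter.add('shorewall_version') do
  confine { Facter::Util::Resolution.which('shorewall') }
  setcode { Facter::Util::Resolution.exec('shorewall version') }
end

Facter.add('shorewall_major_version') do
  confine :shorewall_version => /\A\d+\./
  setcode { Facter.value(:shorewall_version).split('.').first }
end
```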
@@ -1,5 +0,0 @@ -Facter.add("shorewall_major_version") do - setcode do - Facter::Util::Resolution.exec('shorewall version').split('.').first || nil - end -end -- cgit v1.2.3 From 8552753d9e3ab7662e618c54875e626a2b6926e9 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:08:12 -0800 Subject: remove deprecated blacklist the blacklist file was deprecated by upstream in 4.5.7, remove all references to them. Debian wheezy shipped with 4.5.5.3-3 (but could use a backport) and jessie has 4.6.4.3-2 currently. --- README.md | 2 +- files/boilerplate/blacklist.footer | 1 - files/boilerplate/blacklist.header | 10 ---------- files/boilerplate/started.header | 22 ++++++++++------------ manifests/blacklist.pp | 9 --------- manifests/blrules.pp | 4 ++-- manifests/host.pp | 2 +- manifests/init.pp | 5 ----- manifests/interface.pp | 2 +- 9 files changed, 15 insertions(+), 42 deletions(-) delete mode 100644 files/boilerplate/blacklist.footer delete mode 100644 files/boilerplate/blacklist.header delete mode 100644 manifests/blacklist.pp diff --git a/README.md b/README.md index e7e2985..82c0ab3 100644 --- a/README.md +++ b/README.md @@ -187,7 +187,7 @@ Example from node.pp: shorewall::interface { 'eth0': zone => 'net', rfc1918 => true, - options => 'tcpflags,blacklist,nosmurfs'; + options => 'tcpflags,nosmurfs'; } shorewall::policy { diff --git a/files/boilerplate/blacklist.footer b/files/boilerplate/blacklist.footer deleted file mode 100644 index 5e12d1d..0000000 --- a/files/boilerplate/blacklist.footer +++ /dev/null @@ -1 +0,0 @@ -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/blacklist.header b/files/boilerplate/blacklist.header deleted file mode 100644 index 2392e17..0000000 --- a/files/boilerplate/blacklist.header +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall version 3.4 - Blacklist File -# -# For information about entries in this file, type "man shorewall-blacklist" -# -# Please see http://shorewall.net/blacklisting_support.htm for additional -# information. -# -############################################################################### -#ADDRESS/SUBNET PROTOCOL PORT diff --git a/files/boilerplate/started.header b/files/boilerplate/started.header index b7704db..4adc4b9 100644 --- a/files/boilerplate/started.header +++ b/files/boilerplate/started.header @@ -1,20 +1,18 @@ # -# Shorewall version 4 - Started File +# Shorewall -- /etc/shorewall/started # -# /etc/shorewall/started +# Add commands below that you want to be executed after shorewall has +# been completely started, reloaded or restarted. The difference between +# this extension script and /etc/shorewall/start is that this one is +# invoked after the 'shorewall' chain has been created (thus +# signaling that the firewall is completely up). # -# Add commands below that you want to be executed after shorewall has -# been completely started or restarted. The difference between this -# extension script and /etc/shorewall/start is that this one is invoked -# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and -# after the 'shorewall' chain has been created (thus signaling that the -# firewall is completely up). -# -# This script should not change the firewall configuration directly but -# may do so indirectly by running /sbin/shorewall with the 'nolock' -# option. +# This script should not change the firewall configuration directly but +# may do so indirectly by running /sbin/shorewall with the 'nolock' +# option. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### + diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp deleted file mode 100644 index afbe216..0000000 
--- a/manifests/blacklist.pp +++ /dev/null @@ -1,9 +0,0 @@ -define shorewall::blacklist( - $proto = '-', - $port = '-', - $order='100' -){ - shorewall::entry{"blacklist-${order}-${name}": - line => "${name} ${proto} ${port}", - } -} diff --git a/manifests/blrules.pp b/manifests/blrules.pp index b8fe73f..d6b5550 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -5,11 +5,11 @@ # shorewall::interface { 'br0': # zone => 'net', # rfc1918 => true, -# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge'; +# options => 'tcpflags,nosmurfs,routeback,bridge'; # } # # class { 'shorewall::blrules': -# options => 'tcpflags,blacklist,nosmurfs,routeback,bridge', +# options => 'tcpflags,nosmurfs,routeback,bridge', # whitelists => [ # "net:10.0.0.1,192.168.0.1 all", # ], diff --git a/manifests/host.pp b/manifests/host.pp index f400223..370be03 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,6 +1,6 @@ define shorewall::host( $zone, - $options = 'tcpflags,blacklist,norfc1918', + $options = 'tcpflags,norfc1918', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": diff --git a/manifests/init.pp b/manifests/init.pp index d6b2d2a..5e2da52 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -27,8 +27,6 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $blacklist = {}, - $blacklist_defaults = {}, $rfc1918 = {}, $rfc1918_defaults = {}, $routestopped = {}, @@ -76,8 +74,6 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - 'blacklist', # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 'rfc1918', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 
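Review bot: Removing `$blacklist`/`$blacklist_defaults` from the class signature turns every existing `class { 'shorewall': blacklist => {...} }` declaration into an "Invalid parameter blacklist" compile failure with no hint of what replaced it. Keep the two parameters for one release as a deprecation shim, e.g. `if !empty($blacklist) { fail('shorewall::blacklist was removed (deprecated upstream in 4.5.7); use shorewall::blrules') }`, and drop them afterwards. The class signature continues above and below the hunk.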
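Review bot: Dropping `'blacklist'` from the `shorewall::managed_file` list stops managing the generated blacklist file but, as far as this hunk shows, does nothing to remove it, so a previously generated file stays on disk and — on Shorewall builds that still read it — keeps being enforced with frozen content nobody manages any more. Add an explicit `file { '/etc/shorewall/puppet/blacklist': ensure => absent, notify => Service['shorewall'] }` (the exact path depends on `managed_file`, which is not visible here). The list continues past the hunk.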
@@ -110,7 +106,6 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::blacklist',$blacklist,$blacklist_defaults) create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) diff --git a/manifests/interface.pp b/manifests/interface.pp index 403ee74..b3d66c6 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -1,7 +1,7 @@ define shorewall::interface( $zone, $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', $rfc1918 = false, $dhcp = false, -- cgit v1.2.3 From 47f1ee74666fa00314546d01982461fa79d9da0a Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:24:59 -0800 Subject: remove deprecated norfc1918 option It was deprecated in 4.2.0 http://www.shorewall.net/upgrade_issues.htm --- files/boilerplate/params.header | 4 ++-- manifests/host.pp | 2 +- manifests/interface.pp | 8 +------- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/files/boilerplate/params.header b/files/boilerplate/params.header index b258b0d..c4dd504 100644 --- a/files/boilerplate/params.header +++ b/files/boilerplate/params.header @@ -13,7 +13,7 @@ # # NET_IF=eth0 # NET_BCAST=130.252.100.255 -# NET_OPTIONS=routefilter,norfc1918 +# NET_OPTIONS=routefilter # # Example (/etc/shorewall/interfaces record): # @@ -21,6 +21,6 @@ # # The result will be the same as if the record had been written # -# net eth0 130.252.100.255 routefilter,norfc1918 +# net eth0 130.252.100.255 routefilter # ############################################################################### diff --git a/manifests/host.pp b/manifests/host.pp index 370be03..fe12247 100644 --- a/manifests/host.pp 
+++ b/manifests/host.pp @@ -1,6 +1,6 @@ define shorewall::host( $zone, - $options = 'tcpflags,norfc1918', + $options = 'tcpflags', $order='100' ){ shorewall::entry{"hosts-${order}-${name}": diff --git a/manifests/interface.pp b/manifests/interface.pp index b3d66c6..670e477 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -3,7 +3,6 @@ define shorewall::interface( $broadcast = 'detect', $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', - $rfc1918 = false, $dhcp = false, $order = 100 ){ @@ -17,13 +16,8 @@ define shorewall::interface( default => ',dhcp', } - $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', - } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", + line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}", } } -- cgit v1.2.3 From 4b3f8eac5f343b5ecd2354d16e83256b8413e807 Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 13:33:05 -0800 Subject: remove deprecated rfc1918 file this hasn't been supported since 3.x days --- README.md | 1 - manifests/blrules.pp | 1 - manifests/init.pp | 5 ----- manifests/rfc1918.pp | 8 -------- 4 files changed, 15 deletions(-) delete mode 100644 manifests/rfc1918.pp diff --git a/README.md b/README.md index 82c0ab3..e6fb027 100644 --- a/README.md +++ b/README.md @@ -186,7 +186,6 @@ Example from node.pp: shorewall::interface { 'eth0': zone => 'net', - rfc1918 => true, options => 'tcpflags,nosmurfs'; } diff --git a/manifests/blrules.pp b/manifests/blrules.pp index d6b5550..abf7508 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -4,7 +4,6 @@ # # shorewall::interface { 'br0': # zone => 'net', -# rfc1918 => true, # options => 'tcpflags,nosmurfs,routeback,bridge'; # } # diff --git a/manifests/init.pp b/manifests/init.pp index 5e2da52..fa2641d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
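Review bot: Removing the `$rfc1918` parameter breaks every `shorewall::interface { ...: rfc1918 => true }` declaration with an "Invalid parameter rfc1918" error — including the example the README still carries at this revision — instead of a deprecation warning. Keep it as an accepted no-op for a release, `$rfc1918 = undef,` with `if $rfc1918 != undef { warning("shorewall::interface ${name}: rfc1918 is deprecated and ignored") }`, then drop it. The second hunk correctly removes the `${rfc1918_opt}` interpolation from the generated line.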
@@ -27,8 +27,6 @@ class shorewall( $proxyarp_defaults = {}, $nat = {}, $nat_defaults = {}, - $rfc1918 = {}, - $rfc1918_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, $params = {}, @@ -74,8 +72,6 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - 'rfc1918', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 'routestopped', # See http://www.shorewall.net/3.0/Documentation.htm#Variables @@ -106,7 +102,6 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) - create_resources('shorewall::rfc1918',$rfc1918,$rfc1918_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp deleted file mode 100644 index 31dce5d..0000000 --- a/manifests/rfc1918.pp +++ /dev/null @@ -1,8 +0,0 @@ -define shorewall::rfc1918( - $action = 'logdrop', - $order='100' -){ - shorewall::entry{"rfc1918-${order}-${name}": - line => "${name} ${action}" - } -} -- cgit v1.2.3 From 9205eb4a039680b39c3802fd0f39e79eaf47a123 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Tue, 14 Feb 2017 09:48:23 +0000 Subject: Use ensure_packages, to avoid duplicate definition in case Package['shorewall'] is defined elsewhere already. --- manifests/base.pp | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 6599759..dddfcaa 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -1,9 +1,7 @@ # base things for shorewall class shorewall::base { - package { 'shorewall': - ensure => $shorewall::ensure_version, - } + ensure_packages({ 'shorewall' => { ensure => $shorewall::ensure_version }}) # This file has to be managed in place, so shorewall can find it file { -- cgit v1.2.3 From 59c1cd6c0b9277c07fb577be0f59ce74154352da Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 19 Feb 2017 22:56:44 +0100 Subject: no need for openvpn outgoing --- manifests/rules/openvpn.pp | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/manifests/rules/openvpn.pp b/manifests/rules/openvpn.pp index 55a20d2..842e276 100644 --- a/manifests/rules/openvpn.pp +++ b/manifests/rules/openvpn.pp @@ -1,18 +1,12 @@ +# openvpn incoming class shorewall::rules::openvpn { - shorewall::rule { 'net-me-openvpn-udp': - source => 'net', - destination => '$FW', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } - shorewall::rule { 'me-net-openvpn-udp': - source => '$FW', - destination => 'net', - proto => 'udp', - destinationport => '1194', - order => 240, - action => 'ACCEPT'; - } + shorewall::rule { + 'net-me-openvpn-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '1194', + order => 240, + action => 'ACCEPT'; + } } -- cgit v1.2.3 From 70bba04533e2b01584775448a3d04a76e0a1c12c Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 14:25:11 -0800 Subject: new shorewall_version fact, switch shorewall_major_version to use it from https://0xacab.org/riseup-puppet-recipes/shorewall/commit/0cd2a305f7fd9ba830a1fa3de25428ffa71d39f7#note_92590 --- lib/facter/shorewall_major_version.rb | 3 ++- lib/facter/shorewall_version.rb | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 lib/facter/shorewall_version.rb diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb index 0068b48..9b4c9a2 100644 
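Review bot: `ensure_packages` avoids the duplicate declaration, but when another module has already declared `Package['shorewall']` that declaration wins and `$shorewall::ensure_version` is silently ignored, so a version pinned here may never be applied; that is a deliberate trade-off and deserves a comment, e.g. `# ensure_packages: an existing Package['shorewall'] elsewhere takes precedence over ensure_version`. The hash form of `ensure_packages` also needs a puppetlabs-stdlib release that supports it — check the dependency floor in metadata.json, which is not visible here. The `file {` resource continues below the hunk.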
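Review bot: Dropping `me-net-openvpn-udp` means `$FW -> net` UDP/1194 now falls through to whatever the policy file says, which is only safe when that policy is ACCEPT; a host that is itself an OpenVPN client would lose connectivity silently, and nothing in the hunk records the assumption. State it in the header, e.g. `# openvpn incoming; outgoing traffic relies on the $FW->net policy being ACCEPT`, and consider parameterising the hard-coded `1194`/`udp` rather than baking them into the class.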
--- a/lib/facter/shorewall_major_version.rb +++ b/lib/facter/shorewall_major_version.rb @@ -1,5 +1,6 @@ Facter.add("shorewall_major_version") do + confine :shorewall_version => /\d/ setcode do - Facter::Util::Resolution.exec('shorewall version').split('.').first || nil + Facter.value(:shorewall_version).split('.').first end end diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb new file mode 100644 index 0000000..3c1cc67 --- /dev/null +++ b/lib/facter/shorewall_version.rb @@ -0,0 +1,3 @@ +Facter.add("shorewall_version") do + setcode 'shorewall version' +end -- cgit v1.2.3 From 725b5bdc4c3e278ed34aee408a54a5453a04a41b Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 15:06:16 -0800 Subject: add some notes about deprecated features --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index e6fb027..4cb1a8a 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,23 @@ module will not work: CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall" +Warnings +-------- +There are some features that have been deprecated upstream that may still be +supported by this module on certain shorewall major version. Please note +the following: + +* the blacklist file and option is deprecated and replaced by blrules +* the rfc1918 file and norfc1918 option are deprecated +* the tcrules file is deprecated, replaced by mangled +* the routestopped file is deprecated and replaced by stoppedrules +* as of shorewall 4.6.0, SECTION headers need a leading '?' + +You should migrate your own calls to this module to move to the currently +supported methods, we will be dropping support for deprecated features as +the available distribution version permit it. +For more details see http://www.shorewall.net/upgrade_issues.htm + Documentation ------------- -- cgit v1.2.3 From eb4720e57cddbe1d26fde10429de5e413321a5d3 Mon Sep 17 00:00:00 2001 
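Review bot: `confine :shorewall_version => /\d/` accepts any value containing a digit, including error text, and when the base fact is absent the major fact silently disappears too — which reintroduces the `versioncmp` on undef failure in rule_section.pp that an earlier commit on this page worked around with a `'-1'` sentinel. Tighten the confine to `confine :shorewall_version => /\A\d+\./` and make the Puppet side handle the absent fact explicitly (e.g. `$major = pick($::shorewall_major_version, '0')` from stdlib) instead of relying on the fact always existing.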
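Review bot: `setcode 'shorewall version'` runs the command on every facter invocation on every node with no `confine`, so hosts without Shorewall log a failed execution each run and the fact resolves to nil; add `confine { Facter::Util::Resolution.which('shorewall') }` so the fact is cleanly absent there. A one-line comment noting that the value is the raw `shorewall version` output and that `shorewall_major_version` is derived from it would help the next reader, e.g. `# raw output of 'shorewall version'; shorewall_major_version is derived from this fact`.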
From: Matt Taggart Date: Fri, 10 Feb 2017 15:53:28 -0800 Subject: new stoppedrules, replaces routestopped --- files/boilerplate/stoppedrules.footer | 1 + files/boilerplate/stoppedrules.header | 13 +++++++++++++ manifests/init.pp | 6 ++++++ manifests/stoppedrules.pp | 13 +++++++++++++ 4 files changed, 33 insertions(+) create mode 100644 files/boilerplate/stoppedrules.footer create mode 100644 files/boilerplate/stoppedrules.header create mode 100644 manifests/stoppedrules.pp diff --git a/files/boilerplate/stoppedrules.footer b/files/boilerplate/stoppedrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/stoppedrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/stoppedrules.header b/files/boilerplate/stoppedrules.header new file mode 100644 index 0000000..94f4d0c --- /dev/null +++ b/files/boilerplate/stoppedrules.header @@ -0,0 +1,13 @@ +# +# Shorewall -- /etc/shorewall/stoppedrules +# +# For information about entries in this file, type "man shorewall-stoppedrules" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-stoppedrules.html +# +# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional +# information. +# +############################################################################### +#ACTION SOURCE DEST PROTO DPORT SPORT diff --git a/manifests/init.pp b/manifests/init.pp index fa2641d..7dc7855 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -29,6 +29,8 @@ class shorewall( $nat_defaults = {}, $routestopped = {}, $routestopped_defaults = {}, + $stoppedrules = {}, + $stoppedrules_defaults = {}, $params = {}, $params_defaults = {}, $tcdevices = {}, 
@@ -72,6 +74,8 @@ class shorewall( 'proxyarp', # See http://www.shorewall.net/3.0/Documentation.htm#NAT 'nat', + # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html + 'stoppedrules', # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped 'routestopped', # See http://www.shorewall.net/3.0/Documentation.htm#Variables @@ -102,6 +106,8 @@ class shorewall( create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) create_resources('shorewall::nat',$nat,$nat_defaults) + create_resources('shorewall::stoppedrules',$stoppedrules, + $stoppedrules_defaults) create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) diff --git a/manifests/stoppedrules.pp b/manifests/stoppedrules.pp new file mode 100644 index 0000000..2dff218 --- /dev/null +++ b/manifests/stoppedrules.pp @@ -0,0 +1,13 @@ +define shorewall::stoppedrules( + $action = 'ACCEPT', + $source = '-', + $destination = '-', + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $order = '100' +){ + shorewall::entry{"stoppedrules-${order}-${name}": + line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}" + } +} -- cgit v1.2.3 From 30c6790b2ee38fc225f41a74a7380a0d7ea0a5fb Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 16:43:25 -0800 Subject: update URLs to new working upstream locations --- manifests/init.pp | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 7dc7855..51f7c4d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
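Review bot: With `$action = 'ACCEPT'` and `-` for source and destination, a bare `shorewall::stoppedrules { 'x': }` writes `ACCEPT - - - - -`, which Shorewall reads as accept everything from anywhere while the firewall is stopped — the one state this file exists to lock down — so the shipped defaults are the inverse of safe. Require the caller to name at least one endpoint (drop the default on `$source`, or `fail()` when both `$source` and `$destination` are `-`) and validate the action against what stoppedrules accepts, `validate_re($action, '^(ACCEPT|NOTRACK|DROP)$')`. A short header comment with the column order and the note that this replaces the deprecated routestopped file would also help.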
@@ -58,39 +58,39 @@ class shorewall( shorewall::managed_file{ [ - # See http://www.shorewall.net/3.0/Documentation.htm#Zones + # See http://www.shorewall.net/manpages/shorewall-zones.html 'zones', - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + # See http://www.shorewall.net/manpages/shorewall-interfaces.html 'interfaces', - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + # See http://www.shorewall.net/manpages/shorewall-hosts.html 'hosts', - # See http://www.shorewall.net/3.0/Documentation.htm#Policy + # See http://www.shorewall.net/manpages/shorewall-policy.html 'policy', - # See http://www.shorewall.net/3.0/Documentation.htm#Rules + # See http://www.shorewall.net/manpages/shorewall-rules.html 'rules', - # See http://www.shorewall.net/3.0/Documentation.htm#Masq + # See http://www.shorewall.net/manpages/shorewall-masq.html 'masq', - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + # See http://www.shorewall.net/manpages/shorewall-proxyarp.html 'proxyarp', - # See http://www.shorewall.net/3.0/Documentation.htm#NAT + # See http://www.shorewall.net/manpages/shorewall-nat.html 'nat', # See http://www.shorewall.net/manpages/shorewall-stoppedrules.html 'stoppedrules', - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + # Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html 'routestopped', - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/manpages/shorewall-params.html 'params', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcdevices.html 'tcdevices', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle 'tcrules', - # See http://www.shorewall.net/3.0/traffic_shaping.htm + # See http://www.shorewall.net/manpages/shorewall-tcclasses.html 'tcclasses', - # 
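Review bot: The tcrules comment URL ends in `.htmle`, a typo that breaks the link readers will follow to see why the file is deprecated; change it to `# Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.html`. The `managed_file` list continues beyond the hunk.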
http://www.shorewall.net/manpages/shorewall-providers.html + # See http://www.shorewall.net/manpages/shorewall-providers.html 'providers', # See http://www.shorewall.net/manpages/shorewall-tunnels.html 'tunnel', - # See http://www.shorewall.net/MultiISP.html + # See http://www.shorewall.net/manpages/shorewall-rtrules.html 'rtrules', # See http://www.shorewall.net/manpages/shorewall-mangle.html 'mangle', -- cgit v1.2.3 From b131814ed976c2034521a460b6790f78703d8f2f Mon Sep 17 00:00:00 2001 From: Matt Taggart Date: Fri, 10 Feb 2017 17:30:28 -0800 Subject: update config file headers to current upstream versions --- files/boilerplate/clear.header | 9 +++------ files/boilerplate/hosts.header | 7 ++++--- files/boilerplate/init.header | 9 +++------ files/boilerplate/initdone.header | 12 +++++------- files/boilerplate/interfaces.header | 8 +++++--- files/boilerplate/mangle.header | 15 +++++++++++---- files/boilerplate/masq.header | 9 +++++---- files/boilerplate/nat.header | 4 ++-- files/boilerplate/params.header | 28 +++++++++++++--------------- files/boilerplate/policy.header | 5 ++--- files/boilerplate/providers.header | 2 +- files/boilerplate/proxyarp.header | 4 ++-- files/boilerplate/rtrules.header | 5 +++-- files/boilerplate/rules.header | 11 ++++++----- files/boilerplate/start.header | 8 +++----- files/boilerplate/stop.header | 9 +++------ files/boilerplate/stopped.header | 9 +++------ files/boilerplate/tcclasses.header | 4 ++-- files/boilerplate/tcdevices.header | 5 ++--- files/boilerplate/tunnel.header | 5 ++--- files/boilerplate/zones.header | 8 ++++---- 21 files changed, 84 insertions(+), 92 deletions(-) diff --git a/files/boilerplate/clear.header b/files/boilerplate/clear.header index 6a39b0b..8bf025c 100644 --- a/files/boilerplate/clear.header +++ b/files/boilerplate/clear.header 
@@ -1,13 +1,10 @@ # -# Shorewall version 4 - Clear +# Shorewall -- /etc/shorewall/clear # -# /etc/shorewall/stop -# -# Add commands below that you want to be executed at the beginning of a -# "shorewall stop" command. +# Add commands below that you want to be executed after Shorewall has +# processed the 'clear' command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/hosts.header b/files/boilerplate/hosts.header index e39d614..99bfa02 100644 --- a/files/boilerplate/hosts.header +++ b/files/boilerplate/hosts.header @@ -1,9 +1,10 @@ # -# Shorewall version 3.4 - Hosts file +# Shorewall -- /etc/shorewall/hosts # # For information about entries in this file, type "man shorewall-hosts" # -# For additional information, see http://shorewall.net/Documentation.htm#Hosts +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-hosts.html # ############################################################################### -#ZONE HOST(S) OPTIONS +#ZONE HOSTS OPTIONS diff --git a/files/boilerplate/init.header b/files/boilerplate/init.header index cbb0393..417c3f2 100644 --- a/files/boilerplate/init.header +++ b/files/boilerplate/init.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Init File +# Shorewall -- /etc/shorewall/init # -# /etc/shorewall/init -# -# Add commands below that you want to be executed at the beginning of -# a "shorewall start" or "shorewall restart" command. +# Add commands below that you want to be executed at the beginning of +# a "shorewall start", "shorewall-reload" or "shorewall restart" command. # # For additional information, see # http://shorewall.net/shorewall_extension_scripts.htm # ############################################################################### - 
diff --git a/files/boilerplate/initdone.header b/files/boilerplate/initdone.header index 9252a3b..5ad859a 100644 --- a/files/boilerplate/initdone.header +++ b/files/boilerplate/initdone.header @@ -1,14 +1,12 @@ # -# Shorewall version 4 - Initdone File +# Shorewall -- /etc/shorewall/initdone # -# /etc/shorewall/initdone -# -# Add commands below that you want to be executed during -# "shorewall start" or "shorewall restart" commands at the point where -# Shorewall has not yet added any perminent rules to the builtin chains. +# Add commands below that you want to be executed during +# "shorewall start", "shorewall reload" or "shorewall restart" commands +# at the point where Shorewall has not yet added any permanent rules to +# the builtin chains. # # For additional information, see # http://shorewall.net/shorewall_extension_scripts.htm # ############################################################################### - diff --git a/files/boilerplate/interfaces.header b/files/boilerplate/interfaces.header index 663e436..12855c7 100644 --- a/files/boilerplate/interfaces.header +++ b/files/boilerplate/interfaces.header @@ -1,10 +1,12 @@ # -# Shorewall version 4 - Interfaces File +# Shorewall -- /etc/shorewall/interfaces # # For information about entries in this file, type "man shorewall-interfaces" # -# For additional information, see +# The manpage is also online at # http://www.shorewall.net/manpages/shorewall-interfaces.html # +# FIXME: need to switch to format 2 +#?FORMAT 2 ############################################################################### -#ZONE INTERFACE BROADCAST OPTIONS +#ZONE INTERFACE OPTIONS diff --git a/files/boilerplate/mangle.header b/files/boilerplate/mangle.header index 7a7b12a..496e3f5 100644 --- a/files/boilerplate/mangle.header +++ b/files/boilerplate/mangle.header 
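Review bot: The column line added as `#ZONE INTERFACE OPTIONS` describes format 2, but the `?FORMAT 2` directive on the line above it is commented out, so the generated interfaces file is still parsed as format 1, and `shorewall::interface` (visible later on this page) still writes a fourth BROADCAST column into it. Until the switch actually happens the header should document the columns that are written, e.g. `#ZONE INTERFACE BROADCAST OPTIONS`, or the FIXME should state that the column line is already format 2 while the directive is not. Otherwise anyone aligning a hand-written entry with the header puts the option list in the wrong field.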
@@ -1,7 +1,14 @@ # -# Shorewall - Mangle File +# Shorewall -- /etc/shorewall/mangle # -# For additional information, see http://shorewall.net/manpages/shorewall-mangle.html +# For information about entries in this file, type "man shorewall-mangle" # -####################################################################################### -#ACTION SOURCE DESTINATION PROTO DSTPORT SRCPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +# +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH diff --git a/files/boilerplate/masq.header b/files/boilerplate/masq.header index f823321..2f7c22e 100644 --- a/files/boilerplate/masq.header +++ b/files/boilerplate/masq.header @@ -1,9 +1,10 @@ # -# Shorewall version 3.4 - Masq file +# Shorewall -- /etc/shorewall/masq # # For information about entries in this file, type "man shorewall-masq" # -# For additional information, see http://shorewall.net/Documentation.htm#Masq +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-masq.html # -############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK +################################################################################################################################### +#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY diff --git a/files/boilerplate/nat.header b/files/boilerplate/nat.header index c2e0d92..5d0871f 100644 --- a/files/boilerplate/nat.header 
+++ b/files/boilerplate/nat.header @@ -1,9 +1,9 @@ # -# Shorewall version 3.4 - Nat File +# Shorewall -- /etc/shorewall/nat # # For information about entries in this file, type "man shorewall-nat" # # For additional information, see http://shorewall.net/NAT.htm # ############################################################################### -#EXTERNAL INTERFACE INTERNAL ALL LOCAL +#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL diff --git a/files/boilerplate/params.header b/files/boilerplate/params.header index c4dd504..f07a916 100644 --- a/files/boilerplate/params.header +++ b/files/boilerplate/params.header @@ -1,26 +1,24 @@ # -# Shorewall version 3.4 - Params File +# Shorewall -- /etc/shorewall/params # -# /etc/shorewall/params +# Assign any variables that you need here. # -# Assign any variables that you need here. +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall programs # -# It is suggested that variable names begin with an upper case letter -# to distinguish them from variables used internally within the -# Shorewall programs +# Example: # -# Example: +# NET_IF=eth0 +# NET_BCAST=130.252.100.255 +# NET_OPTIONS=routefilter # -# NET_IF=eth0 -# NET_BCAST=130.252.100.255 -# NET_OPTIONS=routefilter +# Example (/etc/shorewall/interfaces record): # -# Example (/etc/shorewall/interfaces record): +# net $NET_IF $NET_BCAST $NET_OPTIONS # -# net $NET_IF $NET_BCAST $NET_OPTIONS +# The result will be the same as if the record had been written # -# The result will be the same as if the record had been written -# -# net eth0 130.252.100.255 routefilter +# net eth0 130.252.100.255 routefilter # ############################################################################### diff --git a/files/boilerplate/policy.header b/files/boilerplate/policy.header index cc9781f..8e9d032 100644 --- a/files/boilerplate/policy.header +++ b/files/boilerplate/policy.header 
@@ -1,5 +1,5 @@ # -# Shorewall version 4 - Policy File +# Shorewall -- /etc/shorewall/policy # # For information about entries in this file, type "man shorewall-policy" # @@ -7,5 +7,4 @@ # http://www.shorewall.net/manpages/shorewall-policy.html # ############################################################################### -#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT: -# LEVEL BURST MASK +#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT diff --git a/files/boilerplate/providers.header b/files/boilerplate/providers.header index b4a5990..0dfb950 100644 --- a/files/boilerplate/providers.header +++ b/files/boilerplate/providers.header @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Providers File +# Shorewall -- /etc/shorewall/providers # # For information about entries in this file, type "man shorewall-providers" # diff --git a/files/boilerplate/proxyarp.header b/files/boilerplate/proxyarp.header index 1e16853..4249e03 100644 --- a/files/boilerplate/proxyarp.header +++ b/files/boilerplate/proxyarp.header @@ -1,9 +1,9 @@ # -# Shorewall version 3.4 - Proxyarp File +# Shorewall -- /etc/shorewall/proxyarp # # For information about entries in this file, type "man shorewall-proxyarp" # # See http://shorewall.net/ProxyARP.htm for additional information. # ############################################################################### -#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT +#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT diff --git a/files/boilerplate/rtrules.header b/files/boilerplate/rtrules.header index fd9b2f4..7700816 100644 --- a/files/boilerplate/rtrules.header +++ b/files/boilerplate/rtrules.header 
@@ -1,8 +1,9 @@ # -# Shorewall version 4 - route rules File +# Shorewall -- /etc/shorewall/rtrules # # For information about entries in this file, type "man shorewall-rtrules" # # For additional information, see http://www.shorewall.net/MultiISP.html +# #################################################################################### -# SOURCE DEST PROVIDER PRIORITY MASK +#SOURCE DEST PROVIDER PRIORITY MASK diff --git a/files/boilerplate/rules.header b/files/boilerplate/rules.header index 764358a..1ebf187 100644 --- a/files/boilerplate/rules.header +++ b/files/boilerplate/rules.header @@ -1,10 +1,11 @@ # -# Shorewall version 3.4 - Rules File +# Shorewall -- /etc/shorewall/rules # # For information on the settings in this file, type "man shorewall-rules" # -# See http://shorewall.net/Documentation.htm#Rules for additional information. +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-rules.html # -############################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK -# PORT PORT(S) DEST LIMIT GROUP +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + diff --git a/files/boilerplate/start.header b/files/boilerplate/start.header index 689dff1..881cdfd 100644 --- a/files/boilerplate/start.header +++ b/files/boilerplate/start.header 
@@ -1,10 +1,8 @@ # -# Shorewall version 4 - Start File +# Shorewall -- /etc/shorewall/start # -# /etc/shorewall/start -# -# Add commands below that you want to be executed after shorewall has -# been started or restarted. +# Add commands below that you want to be executed after shorewall has +# been started, reloaded or restarted. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. diff --git a/files/boilerplate/stop.header b/files/boilerplate/stop.header index 0088abe..27a993b 100644 --- a/files/boilerplate/stop.header +++ b/files/boilerplate/stop.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Stop File +# Shorewall -- /etc/shorewall/stop # -# /etc/shorewall/stop -# -# Add commands below that you want to be executed at the beginning of a -# "shorewall stop" command. +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/stopped.header b/files/boilerplate/stopped.header index 438e5e0..8cc6bc6 100644 --- a/files/boilerplate/stopped.header +++ b/files/boilerplate/stopped.header @@ -1,13 +1,10 @@ # -# Shorewall version 4 - Stopped File +# Shorewall -- /etc/shorewall/stopped # -# /etc/shorewall/stopped -# -# Add commands below that you want to be executed at the completion of a -# "shorewall stop" command. +# Add commands below that you want to be executed at the completion of a +# "shorewall stop" command. # # See http://shorewall.net/shorewall_extension_scripts.htm for additional # information. # ############################################################################### -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE 
diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header index 025415b..b31b684 100644 --- a/files/boilerplate/tcclasses.header +++ b/files/boilerplate/tcclasses.header @@ -1,9 +1,9 @@ # -# Shorewall version 4 - Tcclasses File +# Shorewall -- /etc/shorewall/tcclasses # # For information about entries in this file, type "man shorewall-tcclasses" # # See http://shorewall.net/traffic_shaping.htm for additional information. # ############################################################################### -#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS +#INTERFACE MARK RATE CEIL PRIO OPTIONS diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header index fe7c3d1..226192e 100644 --- a/files/boilerplate/tcdevices.header +++ b/files/boilerplate/tcdevices.header @@ -1,10 +1,9 @@ # -# Shorewall version 4 - Tcdevices File +# Shorewall -- /etc/shorewall/tcdevices # # For information about entries in this file, type "man shorewall-tcdevices" # # See http://shorewall.net/traffic_shaping.htm for additional information. # ############################################################################### -#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED -#INTERFACE INTERFACES +#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header index 638fd56..7bfd966 100644 --- a/files/boilerplate/tunnel.header +++ b/files/boilerplate/tunnel.header @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Tunnels File +# Shorewall -- /etc/shorewall/tunnels # # For information about entries in this file, type "man shorewall-tunnels" # @@ -7,5 +7,4 @@ # http://www.shorewall.net/manpages/shorewall-tunnels.html # ############################################################################### -#TYPE ZONE GATEWAY GATEWAY -# ZONE +#TYPE ZONE GATEWAY GATEWAY_ZONE diff --git a/files/boilerplate/zones.header b/files/boilerplate/zones.header index 5dada52..d4b8cbc 100644 
--- a/files/boilerplate/zones.header
+++ b/files/boilerplate/zones.header
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Zones File
+# Shorewall -- /etc/shorewall/zones
 #
 # For information about this file, type "man shorewall-zones"
 #
@@ -7,6 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
-#ZONE TYPE OPTIONS IN OUT
-# OPTIONS OPTIONS
-fw firewall
+#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+
+fw firewall
-- cgit v1.2.3
From 89a350feaa3e5f94d104ac7e98af608db659e871 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 15:50:11 +0200
Subject: calculate whether we want to disable ipv6 (if there is no public ipv6 address) or not
---
 manifests/base.pp | 4 ++--
 manifests/init.pp | 16 ++++++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index 22ef555..23d72e5 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -38,10 +38,10 @@ class shorewall::base {
 'STARTUP_ENABLED':
 value => $startup_str;
 }
- $cfs = keys($shorewall::settings)
+ $cfs = keys($shorewall::merged_settings)
 shorewall::config_settings{
 $cfs:
- settings => $shorewall::settings;
+ settings => $shorewall::merged_settings;
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index aac1520..44c703b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,10 +2,7 @@ class shorewall(
 $startup = true,
 $conf_source = false,
- $settings = {
- 'LOG_MARTIANS' => 'No',
- 'DISABLE_IPV6' => 'Yes',
- },
+ $settings = {},
 $ensure_version = 'present',
 $tor_transparent_proxy_host = '127.0.0.1',
 $tor_transparent_proxy_port = '9040',
@@ -52,6 +49,17 @@ class shorewall(
 $daily_check = true,
 ) {
+ $disable_ipv6 = $ipaddress6 ? {
+ undef => 'Yes',
+ default => 'No',
+ }
+ $def_settings = {
+ 'LOG_MARTIANS' => 'No',
+ 'DISABLE_IPV6' => $disable_ipv6,
+ }
+
+ $merged_settings = merge($def_settings,$settings)
+
 case $::operatingsystem {
 'Gentoo': { include ::shorewall::gentoo }
 'Debian','Ubuntu': { include ::shorewall::debian }
-- cgit v1.2.3
From fd83e644a5ec2630ccc8b83d6029fbba7bfe1fe9 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 17:05:39 +0200
Subject: first step towards shorewall6, basic service is running
---
 manifests/base.pp | 78 +++++++++++++++++++++++++++++++++++--------
 manifests/config6_setting.pp | 18 ++++++++++
 manifests/config6_settings.pp | 10 ++++++
 manifests/init.pp | 10 ++++++
 4 files changed, 103 insertions(+), 13 deletions(-)
 create mode 100644 manifests/config6_setting.pp
 create mode 100644 manifests/config6_settings.pp
diff --git a/manifests/base.pp b/manifests/base.pp
index 23d72e5..8c42757 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -20,18 +20,36 @@ class shorewall::base {
 group => 'root',
 mode => '0644';
 }
+ if $shorewall::with_shorewall6 {
+ package{'shorewall6':
+ ensure => 'installed'
+ }
+ file {
+ '/etc/shorewall6/shorewall6.conf':
+ require => Package['shorewall6'],
+ notify => Exec['shorewall6_check'],
+ owner => 'root',
+ group => 'root',
+ mode => '0644';
+ '/etc/shorewall6/puppet':
+ ensure => directory,
+ require => Package['shorewall6'],
+ owner => 'root',
+ group => 'root',
+ mode => '0644';
+ }
+ }
+ if str2bool($shorewall::startup) {
+ $startup_str = 'Yes'
+ } else {
+ $startup_str = 'No'
+ }
 if $shorewall::conf_source {
 File['/etc/shorewall/shorewall.conf']{
 source => $shorewall::conf_source,
 }
 } else {
-
- if str2bool($shorewall::startup) {
- $startup_str = 'Yes'
- } else {
- $startup_str = 'No'
- }
 shorewall::config_setting{
 'CONFIG_PATH':
 value => "\"\${CONFDIR}/shorewall/puppet:\${CONFDIR}/shorewall:\${SHAREDIR}/shorewall\"";
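Review bot: `$ipaddress6` in the new `$disable_ipv6` selector is an unqualified top-scope lookup while the same hunk writes `$::operatingsystem`; use `$::ipaddress6`, and be aware that with `strict_variables` enabled an absent fact raises a compile error instead of yielding undef, so the `undef => 'Yes'` arm would never be reached on an IPv4-only host. `DISABLE_IPV6` is also derived from the fact alone rather than from whether shorewall6 is actually managed, so a host with an IPv6 address but `shorewall6 => false` (the selector added in the later init.pp hunk on this page) gets `DISABLE_IPV6 => 'No'` and its IPv6 traffic is left unfiltered by this module; deriving the value from the final `with_shorewall6` decision, e.g. `'DISABLE_IPV6' => $with_shorewall6 ? { true => 'No', default => 'Yes' },` computed after that decision, closes the gap. The legacy `ipaddress6` fact does not distinguish global from ULA or other non-public addresses, so the "public ipv6 address" in the commit subject is only approximated here and deserves a comment. The same unqualified `$ipaddress6` appears in the `$with_shorewall6` selector of the later init.pp hunk.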
@@ -44,7 +62,6 @@ class shorewall::base {
 settings => $shorewall::merged_settings;
 }
 }
-
 exec{'shorewall_check':
 command => 'shorewall check',
 refreshonly => true,
@@ -58,24 +75,59 @@ class shorewall::base {
 require => Package['shorewall'],
 }
+ if $shorewall::with_shorewall6 {
+ shorewall::config6_setting{
+ 'CONFIG_PATH':
+ value => "\"\${CONFDIR}/shorewall6/puppet:\${CONFDIR}/shorewall6:/usr/share/shorewall6:\${SHAREDIR}/shorewall\"";
+ 'STARTUP_ENABLED':
+ value => $startup_str;
+ }
+ $cfs6 = keys($shorewall::settings6)
+ shorewall::config6_settings{
+ $cfs6:
+ settings => $shorewall::settings6;
+ }
+
+ exec{'shorewall6_check':
+ command => 'shorewall6 check',
+ refreshonly => true,
+ notify => Service['shorewall6'],
+ }
+ service{'shorewall6':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package['shorewall6'],
+ }
+ }
+
 file{'/etc/cron.daily/shorewall_check':}
 if $shorewall::daily_check {
+ if $shorewall::with_shorewall6 {
+ $shorewall6_check_str = ' && shorewall6 check'
+ } else {
+ $shorewall6_check_str = ''
+ }
 File['/etc/cron.daily/shorewall_check']{
- content => '#!/bin/bash
+ content => "#!/bin/bash
-output=$(shorewall check 2>&1)
-if [ $? -gt 0 ]; then
- echo "Error while checking firewall!"
- echo $output
+output=\$(shorewall check${shorewall6_check_str} 2>&1)
+if [ \$? -gt 0 ]; then
+ echo 'Error while checking firewall!'
+ echo \$output
 exit 1
 fi
 exit 0
-',
+",
 owner => root,
 group => 0,
 mode => '0700',
 require => Service['shorewall'],
 }
+ if $shorewall::with_shorewall6 {
+ Service['shorewall6'] -> File['/etc/cron.daily/shorewall_check']
+ }
 } else {
 File['/etc/cron.daily/shorewall_check']{
 ensure => absent,
diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp
new file mode 100644
index 0000000..2fbb1df
--- /dev/null
+++ b/manifests/config6_setting.pp
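Review bot: `echo \$output` in the generated cron script expands the captured check output unquoted, so it is word-split and glob-expanded and the line structure of the error report is lost in the mail cron sends; write it as `echo \"\$output\"` inside the Puppet double-quoted string. The shorewall6 `CONFIG_PATH` hard-codes `/usr/share/shorewall6` next to `\${SHAREDIR}/shorewall`, whereas the IPv4 path on the same class uses `\${SHAREDIR}` throughout; if the share directory lives under the same prefix, `\${SHAREDIR}/shorewall6` keeps the two consistent. `$shorewall::settings6` is also passed straight through while the IPv4 side goes through `merged_settings`, so a comment stating that shorewall6 deliberately gets no default settings would help the next reader.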
@@ -0,0 +1,18 @@
+# set a particular config option for shorewall6
+#
+# e.g.
+# shorewall::config6_setting{
+# 'CONFIG_PATH':
+# value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"'
+# }
+define shorewall::config_setting(
+ $value,
+){
+ augeas { "shorewall6_module_${name}":
+ changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}",
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall6.conf',
+ notify => Exec['shorewall6_check'],
+ require => Package['shorewall6'];
+ }
+}
diff --git a/manifests/config6_settings.pp b/manifests/config6_settings.pp
new file mode 100644
index 0000000..2eb47f0
--- /dev/null
+++ b/manifests/config6_settings.pp
@@ -0,0 +1,10 @@
+# a nice wrapper to make hiera config
+# a bit easier
+define shorewall::config6_settings(
+ $settings,
+){
+ shorewall::config6_setting{
+ $name:
+ value => $settings[$name],
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 44c703b..16d7170 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,6 +3,8 @@ class shorewall(
 $startup = true,
 $conf_source = false,
 $settings = {},
+ $settings6 = {},
+ $shorewall6 = 'auto',
 $ensure_version = 'present',
 $tor_transparent_proxy_host = '127.0.0.1',
 $tor_transparent_proxy_port = '9040',
@@ -60,6 +62,14 @@ class shorewall(
 $merged_settings = merge($def_settings,$settings)
+ $with_shorewall6 = $shorewall6 ? {
+ 'auto' => $ipaddress6 ? {
+ undef => false,
+ default => true,
+ },
+ default => str2bool($shorewall6),
+ }
+
 case $::operatingsystem {
 'Gentoo': { include ::shorewall::gentoo }
 'Debian','Ubuntu': { include ::shorewall::debian }
-- cgit v1.2.3
From 9a1d3358e72ff682413ed9ecd8d04885d20f262e Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 17:15:08 +0200
Subject: correct naming
---
 manifests/config6_setting.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp
index 2fbb1df..cd34530 100644
--- a/manifests/config6_setting.pp
+++ b/manifests/config6_setting.pp
@@ -5,7 +5,7 @@
 # 'CONFIG_PATH':
 # value => '"/etc/shorewall6/puppet:/etc/shorewall6:/usr/share/shorewall6"'
 # }
-define shorewall::config_setting(
+define shorewall::config6_setting(
 $value,
 ){
 augeas { "shorewall6_module_${name}":
-- cgit v1.2.3
From cac17b52dd7a52e73c8cb0f6578ad710ce8531fb Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 17:21:50 +0200
Subject: fix path
---
 manifests/base.pp | 4 ++--
 manifests/config6_setting.pp | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index 8c42757..4fc5178 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -30,13 +30,13 @@ class shorewall::base {
 notify => Exec['shorewall6_check'],
 owner => 'root',
 group => 'root',
- mode => '0644';
+ mode => '0600';
 '/etc/shorewall6/puppet':
 ensure => directory,
 require => Package['shorewall6'],
 owner => 'root',
 group => 'root',
- mode => '0644';
+ mode => '0600';
 }
 }
diff --git a/manifests/config6_setting.pp b/manifests/config6_setting.pp
index cd34530..5553e4f 100644
--- a/manifests/config6_setting.pp
+++ b/manifests/config6_setting.pp
@@ -11,7 +11,7 @@ define shorewall::config6_setting(
 augeas { "shorewall6_module_${name}":
 changes => "set /files/etc/shorewall6/shorewall6.conf/${name} ${value}",
 lens => 'Shellvars.lns',
- incl => '/etc/shorewall/shorewall6.conf',
+ incl => '/etc/shorewall6/shorewall6.conf',
 notify => Exec['shorewall6_check'],
 require => Package['shorewall6'];
 }
-- cgit v1.2.3
From 4a29f5e293b36e11d870061d4d93d7af306dcbd6 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 17:34:55 +0200
Subject: make dependencies a bit more clear
---
 manifests/base.pp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index 4fc5178..7715baa 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
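Review bot: The change of `mode => '0644'` to `mode => '0600'` for `/etc/shorewall6/shorewall6.conf` and `/etc/shorewall6/puppet` in the base.pp hunk is unrelated to the commit subject "fix path" and leaves the IPv4 counterparts (shown with `mode => '0644'` as context in the earlier base.pp hunk on this page) more permissive than the IPv6 ones; either tighten both sides or document why they differ. Puppet's file type documents that for directories it adds the search bit wherever a read bit is set, so `0600` on the directory behaves as `0700` and stays traversable, but a comment such as `# firewall configuration is not world-readable` would make the intent explicit rather than leaving it to the reader. The enclosing `file { ... }` block starts outside the hunk.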
@@ -66,13 +66,14 @@ class shorewall::base {
 command => 'shorewall check',
 refreshonly => true,
 notify => Service['shorewall'],
+ require => Package['shorewall'],
 }
 service{'shorewall':
 ensure => running,
 enable => true,
 hasstatus => true,
 hasrestart => true,
- require => Package['shorewall'],
+ require => Exec['shorewall_check'],
 }
 if $shorewall::with_shorewall6 {
@@ -92,13 +93,14 @@ class shorewall::base {
 command => 'shorewall6 check',
 refreshonly => true,
 notify => Service['shorewall6'],
+ require => Package['shorewall6'],
 }
 service{'shorewall6':
 ensure => running,
 enable => true,
 hasstatus => true,
 hasrestart => true,
- require => Package['shorewall6'],
+ require => Exec['shorewall6_check'],
 }
 }
-- cgit v1.2.3
From cdb82d7bde4861434cea81d7f5770164f5fff76c Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 17:46:01 +0200
Subject: make zones also for ipv6
---
 manifests/entry.pp | 25 +++++++++++++++++++------
 manifests/zone.pp | 34 +++++++++++++++++++++++++---------
 2 files changed, 44 insertions(+), 15 deletions(-)
diff --git a/manifests/entry.pp b/manifests/entry.pp
index c8fffc7..a7321f8 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -1,12 +1,25 @@
+# a core wrapper for all kinds of entries
 define shorewall::entry(
- $ensure = present,
+ $ensure = present,
+ $shorewall = true,
+ $shorewall6 = false,
 $line
 ){
 $parts = split($name,'-')
- concat::fragment{$name:
- ensure => $ensure,
- content => "${line}\n",
- order => $parts[1],
- target => "/etc/shorewall/puppet/${parts[0]}",
+ if $shorewall {
+ concat::fragment{$name:
+ ensure => $ensure,
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall/puppet/${parts[0]}",
+ }
+ }
+ if $shorewall6 and $shorewall::with_shorewall6 {
+ concat::fragment{"shorewall6_${name}":
+ ensure => $ensure,
+ content => "${line}\n",
+ order => $parts[1],
+ target => "/etc/shorewall6/puppet/${parts[0]}",
+ }
 }
 }
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 81e5771..8ee1b58 100644
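Review bot: The new `$shorewall` and `$shorewall6` parameters of `shorewall::entry` are undocumented, and the IPv6 branch depends on `$shorewall::with_shorewall6`, which only exists once class `shorewall` has been evaluated; a define declared before that point (or from a profile that never includes the class) silently creates no IPv6 fragment instead of failing. Extend the header comment with `# shorewall/shorewall6 select which ruleset the entry belongs to; the shorewall6 fragment is only created once class shorewall has set with_shorewall6` so the silent no-op is at least documented. The required `$line` parameter now sits after three defaulted ones, which is legal but reads oddly; placing it first keeps the required arguments together.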
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -1,14 +1,30 @@
+# define a zone
 define shorewall::zone(
- $type,
- $options = '-',
- $in = '-',
- $out = '-',
- $parent = '-',
- $order = 100
+ $type,
+ $options = '-',
+ $in = '-',
+ $out = '-',
+ $parent = '-',
+ $order = 100,
 ){
- $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
- shorewall::entry { "zones-${order}-${name}":
- line => "${real_name} ${type} ${options} ${in} ${out}"
+ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" }
+ shorewall::entry { "zones-${order}-${name}":
+ line => "${real_name} ${type} ${options} ${in} ${out}",
+ shorewall => true,
+ shorewall6 => false,
+ }
+ if $shorewall::with_shorewall6 {
+ $type6 = $type ? {
+ 'ipv4' => 'ipv6',
+ 'ipsec' => 'ipsec6',
+ 'bport' => 'bport6',
+ default => $type,
 }
+ shorewall::entry { "zones-${order}-${name}_6":
+ line => "${real_name} ${type6} ${options} ${in} ${out}",
+ shorewall => false,
+ shorewall6 => true,
+ }
+ }
 }
-- cgit v1.2.3
From d11b179b1b2f6083c0987e4650d89ad7831863e6 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 18:07:44 +0200
Subject: add mgmt of files for shorewall6
---
 files/boilerplate6/zones.header | 11 +++++++++++
 manifests/init.pp | 3 +++
 manifests/managed_file.pp | 19 +++++++++++++++++--
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 files/boilerplate6/zones.header
diff --git a/files/boilerplate6/zones.header b/files/boilerplate6/zones.header
new file mode 100644
index 0000000..3e445c5
--- /dev/null
+++ b/files/boilerplate6/zones.header
@@ -0,0 +1,11 @@
+#
+# Shorewall6 -- /etc/shorewall6/zones
+#
+# For information about this file, type "man shorewall6-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages6/shorewall6-zones.html
+#
+###############################################################################
+#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 16d7170..eeab56f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -124,6 +124,9 @@ class shorewall(
 'mangle',
 ]:;
 }
+ Shorewall::Managed_file['zones']{
+ shorewall6 => true,
+ }
 create_resources('shorewall::zone',$zones,$zones_defaults)
 create_resources('shorewall::interface',$interfaces,$interfaces_defaults)
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index b353814..b4941a7 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
@@ -1,8 +1,9 @@
 # manage a certain file
-define shorewall::managed_file() {
+define shorewall::managed_file(
+ $shorewall6 = false,
+) {
 concat{ "/etc/shorewall/puppet/${name}":
 notify => Exec['shorewall_check'],
- require => File['/etc/shorewall/puppet'],
 owner => 'root',
 group => 'root',
 mode => '0600';
@@ -17,4 +18,18 @@ define shorewall::managed_file() {
 target => "/etc/shorewall/puppet/${name}",
 order => '999';
 }
+ if $shorewall6 and $shorewall::with_shorewall6 {
+ concat{ "/etc/shorewall6/puppet/${name}":
+ notify => Exec['shorewall6_check'],
+ owner => 'root',
+ group => 'root',
+ mode => '0600';
+ }
+ concat::fragment {
+ "${name}-header":
+ source => "puppet:///modules/shorewall/boilerplate6/${name}.header",
+ target => "/etc/shorewall6/puppet/${name}",
+ order => '000';
+ }
+ }
 }
-- cgit v1.2.3
From 2c255e1fca1a5cabdc9e8dfab80e69dd4cd882ac Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 18:09:37 +0200
Subject: rename snippet
---
 manifests/managed_file.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp
index b4941a7..135d59a 100644
--- a/manifests/managed_file.pp
+++ b/manifests/managed_file.pp
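Review bot: The new `/etc/shorewall6/puppet/${name}` concat carries no ordering against `File['/etc/shorewall6/puppet']` (declared in base.pp earlier on this page), and the first managed_file.pp hunk of this commit removes the explicit `require => File['/etc/shorewall/puppet']` from the IPv4 concat as well; unless the concat module in use autorequires the parent directory resource, the first run on a fresh host can try to assemble the file before its directory exists. If the removal relies on that autorequire, state it, e.g. `# the concat target autorequires its parent directory resource`; otherwise keep an explicit `require` on both concats. The IPv6 header fragment is named `"${name}-header"`, the same title the IPv4 fragment presumably uses, which a later commit on this page already renames.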
@@ -26,7 +26,7 @@ define shorewall::managed_file(
 mode => '0600';
 }
 concat::fragment {
- "${name}-header":
+ "6${name}-header":
 source => "puppet:///modules/shorewall/boilerplate6/${name}.header",
 target => "/etc/shorewall6/puppet/${name}",
 order => '000';
-- cgit v1.2.3
From 312dd4b7b990f0fad0b55f050e4c5c8e17c7e20d Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Apr 2017 18:14:03 +0200
Subject: we need this
---
 files/boilerplate6/zones.header | 1 +
 1 file changed, 1 insertion(+)
diff --git a/files/boilerplate6/zones.header b/files/boilerplate6/zones.header
index 3e445c5..6ebe49b 100644
--- a/files/boilerplate6/zones.header
+++ b/files/boilerplate6/zones.header
@@ -9,3 +9,4 @@
 ###############################################################################
 #ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
+fw firewall
-- cgit v1.2.3
From 9da596c12101c02e7cebc1d0d5d9f04952379007 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 8 Apr 2017 12:41:58 +0200
Subject: group that together
---
 manifests/base.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index 7715baa..d0a065f 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -114,7 +114,7 @@ class shorewall::base {
 File['/etc/cron.daily/shorewall_check']{
 content => "#!/bin/bash
-output=\$(shorewall check${shorewall6_check_str} 2>&1)
+output=\$((shorewall check${shorewall6_check_str}) 2>&1)
 if [ \$? -gt 0 ]; then
 echo 'Error while checking firewall!'
 echo \$output
-- cgit v1.2.3
From af0e6b36d7c5c52f7eaa2d1827d51befd9971e98 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 8 Apr 2017 12:55:24 +0200
Subject: add a full version fact and derive the maj from that one and make the fact work, even if there is no shorewall installed
---
 lib/facter/shorewall_major_version.rb | 3 ++-
 lib/facter/shorewall_version.rb | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 lib/facter/shorewall_version.rb
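Review bot: `output=\$((shorewall check${shorewall6_check_str}) 2>&1)` in the base.pp hunk writes `$((` into the generated cron script, which bash first parses as an arithmetic expansion; whether it falls back to a subshell command substitution depends on the bash version, and ShellCheck flags exactly this ambiguity. Separate the two parentheses, `output=\$( (shorewall check${shorewall6_check_str}) 2>&1)`, or use a group command, `output=\$({ shorewall check${shorewall6_check_str}; } 2>&1)`, either of which is unambiguous. Since this runs daily from cron as root, a parse error here makes the check report a shell error rather than the state of the firewall, and the enclosing `File[...]` override starts outside the hunk.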
diff --git a/lib/facter/shorewall_major_version.rb b/lib/facter/shorewall_major_version.rb
index 0068b48..e247fc4 100644
--- a/lib/facter/shorewall_major_version.rb
+++ b/lib/facter/shorewall_major_version.rb
@@ -1,5 +1,6 @@
 Facter.add("shorewall_major_version") do
 setcode do
- Facter::Util::Resolution.exec('shorewall version').split('.').first || nil
+ v = Facter.value('shorewall_version')
+ v.nil? ? nil : v.split('.').first
 end
 end
diff --git a/lib/facter/shorewall_version.rb b/lib/facter/shorewall_version.rb
new file mode 100644
index 0000000..2a28828
--- /dev/null
+++ b/lib/facter/shorewall_version.rb
@@ -0,0 +1,5 @@
+Facter.add('shorewall_version') do
+ setcode do
+ Facter::Util::Resolution.exec('shorewall version')
+ end
+end
-- cgit v1.2.3
From a8c1abea710e88e63a64b8889fe9965e95ff1740 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 8 Apr 2017 13:06:43 +0200
Subject: cleanup certain unsupported options
---
 manifests/interface.pp | 57 ++++++++++++++++++++++++++++++++------------------
 1 file changed, 37 insertions(+), 20 deletions(-)
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 403ee74..4ec587e 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -1,29 +1,46 @@ +# manage a shorewall-interface entry +# http://www.shorewall.net/manpages/shorewall-interfaces.html define shorewall::interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $add_options = '', - $rfc1918 = false, - $dhcp = false, - $order = 100 + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $add_options = '', + $rfc1918 = false, + $dhcp = false, + $order = 100, ){ - $added_opts = $add_options ? { - '' => '', - default => ",${add_options}", - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", + } - $dhcp_opt = $dhcp ? { - false => '', - default => ',dhcp', - } + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + if versioncmp($shorewall_version,'4.5') < 0 { $rfc1918_opt = $rfc1918 ? { - false => ',norfc1918', - default => '', + false => ',norfc1918', + default => '', } + } else { + $rfc1918_opt = '' + } + $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}" + if versioncmp($shorewall_version,'4.5') >= 0 { + $all_options1 = regsubst($all_options,',(no)?rfc1918','') + } else { + $all_options1 = $all_options + } + if versioncmp($shorewall_major_version,'5') >= 0 { + $all_options2 = regsubst($all_options1,',blacklist','') + } else { + $all_options2 = $all_options1 + } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", - } + shorewall::entry { "interfaces-${order}-${name}": + line => "${zone} ${name} ${broadcast} ${all_options2}", + } } -- cgit v1.2.3 From 6ac2e1752f2185c293360aa062b7f49facff6abe Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:21:14 +0200 Subject: manage interfaces for shorewall6 --- manifests/init.pp | 2 +- manifests/interface.pp | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) 
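Review bot: Both `versioncmp($shorewall_version, '4.5')` gates have no handling for the fact being absent: the `shorewall_version` fact introduced in the previous commit returns nil when shorewall is not installed, so on the first run of a fresh host the comparison sees undef — Puppet 3 would compare an empty string and take the `< 4.5` branch, emitting `norfc1918` for a current release, while Puppet 4+ should reject the non-String argument outright. The same unguarded comparison reappears in `shorewall::rule` later on this page. A defined fallback keeps the first and later runs consistent, e.g. `$sw_version = $::shorewall_version ? { undef => '5', default => $::shorewall_version }` (the fallback value is a constructed example; stdlib's `pick` would do the same if available, and the module's use of `join`/`merge` suggests stdlib is present). Separately, `regsubst($all_options1,',blacklist','')` only strips `blacklist` when it is not the first option, so a caller-supplied `options => 'blacklist,...'` still reaches shorewall 5 unchanged.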
diff --git a/manifests/init.pp b/manifests/init.pp index eeab56f..f74466b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,7 +124,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones']{ + Shorewall::Managed_file['zones','interfaces']{ shorewall6 => true, } diff --git a/manifests/interface.pp b/manifests/interface.pp index 4ec587e..3a90046 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -40,7 +40,18 @@ define shorewall::interface( } shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${all_options2}", + line => "${zone} ${name} ${broadcast} ${all_options2}", + shorewall => true, + shorewall6 => false, + } + if $shorewall::with_shorewall6 { + # logmartians is not available on shorewall6 + $all_options3 = regsubst($all_options2,',logmartians','') + shorewall::entry { "interfaces-${order}-${name}_6": + line => "${zone} ${name} ${broadcast} ${all_options3}", + shorewall => false, + shorewall6 => true, + } } } -- cgit v1.2.3 From 0a9d42a755723374b32571a9ed225493b1d36f58 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:25:56 +0200 Subject: add missing file --- files/boilerplate6/interfaces.header | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 files/boilerplate6/interfaces.header diff --git a/files/boilerplate6/interfaces.header b/files/boilerplate6/interfaces.header new file mode 100644 index 0000000..be98744 --- /dev/null +++ b/files/boilerplate6/interfaces.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/interfaces +# +# For information about entries in this file, type "man shorewall6-interfaces" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html +# +?FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS -- cgit v1.2.3 From 063183d10413c9ce5acd8c6f448764b42d6a73d1 Mon Sep 17 00:00:00 2001 
From: mh Date: Sat, 8 Apr 2017 13:31:00 +0200 Subject: broadcast column is not needed for shorewall6 --- manifests/interface.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 3a90046..bc891c9 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -48,7 +48,7 @@ define shorewall::interface( # logmartians is not available on shorewall6 $all_options3 = regsubst($all_options2,',logmartians','') shorewall::entry { "interfaces-${order}-${name}_6": - line => "${zone} ${name} ${broadcast} ${all_options3}", + line => "${zone} ${name} ${all_options3}", shorewall => false, shorewall6 => true, } -- cgit v1.2.3 From 37a69624f4828079bf7c76f34cf193ab495494a7 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:52:14 +0200 Subject: introduce params for shorewall6, by default it's just a copy of the ones for shorewall --- manifests/init.pp | 2 +- manifests/params.pp | 22 ++++++++++++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index f74466b..d3728e5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -124,7 +124,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces']{ + Shorewall::Managed_file['zones','interfaces','params']{ shorewall6 => true, } diff --git a/manifests/params.pp b/manifests/params.pp index 3bc5663..49ced31 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
@@ -1,5 +1,19 @@ -define shorewall::params($value, $order='100'){ - shorewall::entry{"params-${order}-${name}": - line => "${name}=${value}", - } +# manage a shorewall param, will be used for both +# ipv4 and ipv6 if not specified differently using +# shorewall or shorwall6 booleans. +# http://www.shorewall.net/manpages/shorewall-params.html +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params( + $value, + $key = $name, + $order ='100', + $shorewall = true, + $shorewall6 = true, +){ + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"params-${order}-${name}": + line => "${key}=${value}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } -- cgit v1.2.3 From 1661427d49cc359195deb3f0f7fa3cf841807159 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 13:54:50 +0200 Subject: introduce params only for ipv6 and only for ipv4 --- manifests/init.pp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index d3728e5..6a7eafc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -37,6 +37,8 @@ class shorewall( $routestopped = {}, $routestopped_defaults = {}, $params = {}, + $params4 = {}, + $params6 = {}, $params_defaults = {}, $tcdevices = {}, $tcdevices_defaults = {}, @@ -142,6 +144,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) + create_resources('shorewall::params',$params4,merge({shorewall6 => false,},$params_defaults)) + create_resources('shorewall::params',$params6,merge({shorewall => false,},$params_defaults)) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) -- cgit v1.2.3 From e89e367f4a70b13bb2889203642ee5ec31367b75 Mon Sep 17 00:00:00 2001 
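Review bot: `$key` and `$value` are written verbatim into the params file (`line => "${key}=${value}"`) with no validation of the key; the generated file holds shell-style variable assignments (compare the `NET_IF=eth0` example in the boilerplate header), so a key that is not a valid identifier yields a line shorewall cannot parse, and a value containing whitespace or shell metacharacters has to be quoted by the caller. Consider `validate_re($key, '^[A-Za-z_][A-Za-z0-9_]*$')` at the top of the define (stdlib, which the module already relies on for `join`/`merge`) and a header comment such as `# $value is emitted unquoted; quote values containing spaces or shell metacharacters yourself`. The `$with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6` gate is the right shape for the other per-family defines to follow.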
From: mh Date: Sat, 8 Apr 2017 13:59:11 +0200 Subject: add missing file --- files/boilerplate6/params.header | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 files/boilerplate6/params.header diff --git a/files/boilerplate6/params.header b/files/boilerplate6/params.header new file mode 100644 index 0000000..cf40b53 --- /dev/null +++ b/files/boilerplate6/params.header @@ -0,0 +1,23 @@ +# +# Shorewall6 -- /etc/shorewall6/params +# +# Assign any variables that you need here. +# +# It is suggested that variable names begin with an upper case letter +# to distinguish them from variables used internally within the +# Shorewall6 programs +# +# Example: +# +# NET_IF=eth0 +# NET_OPTIONS=dhcp,nosmurfs +# +# Example (/etc/shorewall6/interfaces record): +# +# net $NET_IF - $NET_OPTIONS +# +# The result will be the same as if the record had been written +# +# net eth0 - dhcp,nosmurfs +# +############################################################################### -- cgit v1.2.3 From 4b5ea4bec4b6abb6abed8005bce1c8071ef97ffa Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 14:04:39 +0200 Subject: introduce params4 and params6 helper to more easily differentiate --- manifests/init.pp | 4 ++-- manifests/params4.pp | 16 ++++++++++++++++ manifests/params6.pp | 16 ++++++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 manifests/params4.pp create mode 100644 manifests/params6.pp diff --git a/manifests/init.pp b/manifests/init.pp index 6a7eafc..826f446 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -144,8 +144,8 @@ class shorewall( create_resources('shorewall::routestopped',$routestopped, $routestopped_defaults) create_resources('shorewall::params',$params,$params_defaults) - create_resources('shorewall::params',$params4,merge({shorewall6 => false,},$params_defaults)) - create_resources('shorewall::params',$params6,merge({shorewall => false,},$params_defaults)) + create_resources('shorewall::params4',$params4,$params_defaults) + create_resources('shorewall::params6',$params6,$params_defaults) create_resources('shorewall::tcdevices',$tcdevices,$tcdevices_defaults) create_resources('shorewall::tcrules',$tcrules,$tcrules_defaults) create_resources('shorewall::tcclasses',$tcclasses,$tcclasses_defaults) diff --git a/manifests/params4.pp b/manifests/params4.pp new file mode 100644 index 0000000..fc50fa3 --- /dev/null +++ b/manifests/params4.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv4 +# http://www.shorewall.net/manpages/shorewall-params.html +define shorewall::params4( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => true, + shorewall6 => false, + } +} diff --git a/manifests/params6.pp b/manifests/params6.pp new file mode 100644 index 0000000..58c1f86 --- /dev/null +++ b/manifests/params6.pp @@ -0,0 +1,16 @@ +# manage a shorewall param, only for ipv6 +# http://www.shorewall.net/manpages6/shorewall6-params.html +define shorewall::params6( + $value, + $key = $name, + $order ='100', +){ + shorewall::params{ + $name: + key => $key, + value => $value, + order => $order, + shorewall => false, + shorewall6 => true, + } +} -- cgit v1.2.3 From 75f0f1dbaa0827f64fb0d21db8f4a89296f177e0 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 8 Apr 2017 14:07:07 +0200 Subject: migrate to dedicated params --- manifests/rules/munin.pp | 27 +++++++++++++++------------ manifests/rules/puppet.pp | 3 ++- 2 files changed, 17 insertions(+), 13 deletions(-) 
diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index a20a4e0..252f2ed 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,16 +1,19 @@ +# outgoing munin rules class shorewall::rules::munin( - $munin_port = '4949', - $munin_collector = ['127.0.0.1'], + $munin_port = '4949', + $munin_collector = ['127.0.0.1'], $collector_source = 'net' ){ - shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } - shorewall::rule{'net-me-munin-tcp': - source => "${collector_source}:\$MUNINCOLLECTOR", - destination => '$FW', - proto => 'tcp', - destinationport => '$MUNINPORT', - order => 240, - action => 'ACCEPT'; - } + shorewall::params4{ + 'MUNINPORT': value => $munin_port; + 'MUNINCOLLECTOR': value => join(any2array($munin_collector),','); + } + shorewall::rule{'net-me-munin-tcp': + source => "${collector_source}:\$MUNINCOLLECTOR", + destination => '$FW', + proto => 'tcp', + destinationport => '$MUNINPORT', + order => 240, + action => 'ACCEPT'; + } } diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 84e7d81..ee920b0 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,9 +1,10 @@ +# outgoing puppet params class shorewall::rules::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_port = 8140, $puppetserver_signport = 8141 ){ - shorewall::params{ + shorewall::params4{ 'PUPPETSERVER': value => $puppetserver; 'PUPPETSERVER_PORT': value => $puppetserver_port; 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; -- cgit v1.2.3 From f7fec4c4a6faef8d5d75ebdb73ed8fdd374d0184 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 12:43:08 +0200 Subject: make output nicer --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index d0a065f..abf477b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -117,7 +117,7 @@ class shorewall::base { output=\$((shorewall check${shorewall6_check_str}) 2>&1) if [ \$? -gt 0 ]; then echo 'Error while checking firewall!' - echo \$output + echo \"\${output}\" exit 1 fi exit 0 -- cgit v1.2.3 From 28a72736071330261ba8fa9dd5ca4e1202c1247f Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 18:57:53 +0200 Subject: make it possible to manage rules for ipv4 & ipv6 + add some more modern headers for certain versions --- files/boilerplate6/rules.header | 11 +++++++++ manifests/init.pp | 6 ++++- manifests/rule.pp | 49 ++++++++++++++++++++++++++++------------- manifests/rule4.pp | 43 ++++++++++++++++++++++++++++++++++++ manifests/rule6.pp | 43 ++++++++++++++++++++++++++++++++++++ manifests/rule_section.pp | 4 +++- 6 files changed, 139 insertions(+), 17 deletions(-) create mode 100644 files/boilerplate6/rules.header create mode 100644 manifests/rule4.pp create mode 100644 manifests/rule6.pp diff --git a/files/boilerplate6/rules.header b/files/boilerplate6/rules.header new file mode 100644 index 0000000..91e57a8 --- /dev/null +++ b/files/boilerplate6/rules.header @@ -0,0 +1,11 @@ +# +# Shorewall6 -- /etc/shorewall6/rules +# +# For information on the settings in this file, type "man shorewall6-rules" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-rules.html +# +############################################################################################################################################################## +#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER + diff --git a/manifests/init.pp b/manifests/init.pp index 826f446..9320944 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,8 @@ class shorewall( $policy = {}, $policy_defaults = {}, $rules = {}, + $rules4 = {}, + $rules6 = {}, $rules_defaults = {}, $rulesections = {}, $rulesections_defaults = {}, 
@@ -126,7 +128,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces','params']{ + Shorewall::Managed_file['zones','interfaces','params','rules']{ shorewall6 => true, } @@ -135,6 +137,8 @@ class shorewall( create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) + create_resources('shorewall::rule4',$rules4,$rules_defaults) + create_resources('shorewall::rule6',$rules6,$rules_defaults) create_resources('shorewall::rule_section',$rulesections,$rulesections_defaults) create_resources('shorewall::masq',$masq,$masq_defaults) create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults) diff --git a/manifests/rule.pp b/manifests/rule.pp index 2fe91e2..39f0ef9 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp 
@@ -1,20 +1,39 @@ -# mark is new in 3.4.4 +# http://www.shorewall.net/manpages/shorewall-rules.html +# http://www.shorewall.net/manpages6/shorewall6-rules.html define shorewall::rule( - $ensure = present, - $action, - $source, - $destination, - $proto = '-', - $destinationport = '-', - $sourceport = '-', - $originaldest = '-', - $ratelimit = '-', - $user = '-', - $mark = '', - $order + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '-', + $connlimit = '-', + $time = '-', + $headers = '-', + $switch = '-', + $helper = '-', + $order = '500', + $shorewall = true, + $shorewall6 = false, + $ensure = 'present', ){ + if versioncmp($shorewall_version,'4.5.7') >= 0 { + $line = " ${connlimit} ${time} ${headers} ${switch} ${helper}" + } elsif versioncmp($shorewall_version,'4.4.24') >= 0 { + # el6 + $line = " ${connlimit} ${time} ${headers} ${switch}" + } else { + # el5 + $line = '' + } shorewall::entry{"rules-${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", + shorewall => $shorewall, + shorewall6 => $shorewall6, } } diff --git a/manifests/rule4.pp b/manifests/rule4.pp new file mode 100644 index 0000000..08df395 --- /dev/null +++ b/manifests/rule4.pp 
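Review bot: The trailing column set (`$line`) is chosen by `versioncmp($shorewall_version, ...)`, i.e. the version of the IPv4 shorewall package, but the same line is also emitted into the shorewall6 rules file whenever `$shorewall6` is set; the module manages `shorewall6` as a separate package, so if its release differs from shorewall's the IPv6 file can end up with the wrong number of columns. Either derive the column set per target or record the assumption next to the gate, e.g. `# column set follows the shorewall (IPv4) version; shorewall6 is assumed to be the same release`. As in interface.pp, `$shorewall_version` is compared without a guard for the fact being undef on a host where shorewall is not yet installed.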
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages/shorewall-rules.html
+define shorewall::rule4(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $ensure = 'present',
+){
+ shorewall::rule{
+ $name:
+ ensure => $ensure,
+ action => $action,
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ sourceport => $sourceport,
+ originaldest => $originaldest,
+ ratelimit => $ratelimit,
+ user => $user,
+ mark => $mark,
+ connlimit => $connlimit,
+ time => $time,
+ headers => $headers,
+ switch => $switch,
+ helper => $helper,
+ order => $order,
+ shorewall => true,
+ shorewall6 => false,
+ }
+}
diff --git a/manifests/rule6.pp b/manifests/rule6.pp
new file mode 100644
index 0000000..eb6b741
--- /dev/null
+++ b/manifests/rule6.pp
@@ -0,0 +1,43 @@
+# http://www.shorewall.net/manpages6/shorewall6-rules.html
+define shorewall::rule6(
+ $action,
+ $source,
+ $destination,
+ $proto = '-',
+ $destinationport = '-',
+ $sourceport = '-',
+ $originaldest = '-',
+ $ratelimit = '-',
+ $user = '-',
+ $mark = '-',
+ $connlimit = '-',
+ $time = '-',
+ $headers = '-',
+ $switch = '-',
+ $helper = '-',
+ $order = '500',
+ $ensure = 'present',
+){
+ shorewall::rule{
+ $name:
+ ensure => $ensure,
+ action => $action,
+ source => $source,
+ destination => $destination,
+ proto => $proto,
+ destinationport => $destinationport,
+ sourceport => $sourceport,
+ originaldest => $originaldest,
+ ratelimit => $ratelimit,
+ user => $user,
+ mark => $mark,
+ connlimit => $connlimit,
+ time => $time,
+ headers => $headers,
+ switch => $switch,
+ helper => $helper,
+ order => $order,
+ shorewall => false,
+ shorewall6 => true,
+ }
+}
diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 0a8b4bb..24b3dfb 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -9,6 +9,8 @@ define shorewall::rule_section( } shorewall::entry{"rules-${order}-${name}": - line => "${rule_section_prefix}SECTION ${name}", + line => "${rule_section_prefix}SECTION ${name}", + shorewall => true, + shorewall6 => true, } } -- cgit v1.2.3 From 60b1ac3ad8fc6ed5277ca7f3cb0cdd52df5f6875 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 9 Apr 2017 19:11:37 +0200 Subject: minor linting --- manifests/gentoo.pp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp index 7b307a4..b3fd670 100644 --- a/manifests/gentoo.pp +++ b/manifests/gentoo.pp @@ -1,5 +1,6 @@ +# gentoo specific things class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package['shorewall']{ + category => 'net-firewall', + } } -- cgit v1.2.3 From 31a4479652a881ed0a6b5eee7454f317b4f6bd80 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 15 Apr 2017 13:33:39 +0200 Subject: linting --- manifests/masq.pp | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/manifests/masq.pp b/manifests/masq.pp index fb097e5..1ecbe35 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp 
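Review bot: `shorewall6 => true` is passed unconditionally here, whereas `shorewall::params` (introduced earlier on this page) gates the flag with `$shorewall::with_shorewall6`; unless `shorewall::entry` itself ignores the flag when IPv6 is disabled (its definition is not on this page), section markers get written into a shorewall6 file on hosts that are not meant to have one. `shorewall6 => $shorewall::with_shorewall6,` keeps it consistent with the params define. `define shorewall::rule_section` starts outside the hunk.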
@@ -2,16 +2,17 @@ # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define shorewall::masq( - $interface, - $source, $address = '-', - $proto = '-', - $port = '-', - $ipsec = '-', - $mark = '', - $order='100' + $interface, + $source, + $address = '-', + $proto = '-', + $port = '-', + $ipsec = '-', + $mark = '-', + $order = '100', ){ - shorewall::entry{"masq-${order}-${name}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } + shorewall::entry{"masq-${order}-${name}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } } -- cgit v1.2.3 From 0c9ec55f15475e5f4dd464aa5bb3e5e4c2c2f794 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 14:28:18 +0200 Subject: suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall --- manifests/params6.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params6.pp b/manifests/params6.pp index 58c1f86..2fd117c 100644 --- a/manifests/params6.pp +++ b/manifests/params6.pp @@ -6,7 +6,7 @@ define shorewall::params6( $order ='100', ){ shorewall::params{ - $name: + "${name}_IP6": key => $key, value => $value, order => $order, -- cgit v1.2.3 From e2f07459474470aeea73e6160ecf2652bc9ae6bf Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 14:54:00 +0200 Subject: suffix it with _IP6, so we can have duplicate definitions with IPv4 shorewall --- manifests/rule6.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rule6.pp b/manifests/rule6.pp index eb6b741..77a945f 100644 --- a/manifests/rule6.pp +++ b/manifests/rule6.pp @@ -19,7 +19,7 @@ define shorewall::rule6( $ensure = 'present', ){ shorewall::rule{ - $name: + "${name}_IP6": ensure => $ensure, action => $action, source => $source, -- cgit v1.2.3 
From 591b48169ba18c8f9d8337aa2626d716e6866476 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 15:16:08 +0200 Subject: enable shorewall6 rules by default --- manifests/rule.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index 39f0ef9..12c4858 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -18,7 +18,7 @@ define shorewall::rule( $helper = '-', $order = '500', $shorewall = true, - $shorewall6 = false, + $shorewall6 = true, $ensure = 'present', ){ if versioncmp($shorewall_version,'4.5.7') >= 0 { @@ -30,10 +30,11 @@ define shorewall::rule( # el5 $line = '' } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 shorewall::entry{"rules-${order}-${name}": ensure => $ensure, line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}${line}", shorewall => $shorewall, - shorewall6 => $shorewall6, + shorewall6 => $with_shorewall6, } } -- cgit v1.2.3 From c2bf7e71d8598dbb05b5dee9f452b6332e9e916e Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 15:28:26 +0200 Subject: make it possibble to disable ipv6 for these rules --- manifests/rules/munin.pp | 4 +++- manifests/rules/out/puppet.pp | 21 ++++++++++++--------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 252f2ed..9496138 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -2,7 +2,8 @@ class shorewall::rules::munin( $munin_port = '4949', $munin_collector = ['127.0.0.1'], - $collector_source = 'net' + $collector_source = 'net', + $shorewall6 = true, ){ shorewall::params4{ 'MUNINPORT': value => $munin_port; @@ -14,6 +15,7 @@ class shorewall::rules::munin( proto => 'tcp', destinationport => '$MUNINPORT', order => 240, + shorewall6 => $shorewall6, action => 'ACCEPT'; } } 
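Review bot: The new `$shorewall6 = true` default does not fit this class: `MUNINPORT` and `MUNINCOLLECTOR` are declared via `shorewall::params4` (IPv4 only, visible as context in the same hunk) and the default collector is the IPv4 literal `127.0.0.1`, so with the default the rule is also written to the shorewall6 rules file where both variables are undefined. The same applies to `shorewall::rules::out::puppet` in this commit, whose `$PUPPETSERVER*` variables have come from `shorewall::params4` since the "migrate to dedicated params" commit. Default to `$shorewall6 = false,` here, or declare the params with `shorewall::params` (both families) and give the collector an address-family-appropriate value. The `shorewall::rule` hunk above now ANDs the flag with `$shorewall::with_shorewall6`, so the problem only surfaces once IPv6 is enabled.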
diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index cbe8cce..827e23a 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -1,7 +1,9 @@ +# outgoing puppet traffic class shorewall::rules::out::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver = "puppet.${::domain}", + $puppetserver_port = 8140, + $puppetserver_signport = 8141, + $shorewall6 = true, ) { class{'shorewall::rules::puppet': puppetserver => $puppetserver, @@ -10,11 +12,12 @@ class shorewall::rules::out::puppet( } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': - source => '$FW', - destination => 'net:$PUPPETSERVER', - proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', - order => 340, - action => 'ACCEPT'; + source => '$FW', + destination => 'net:$PUPPETSERVER', + proto => 'tcp', + destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + order => 340, + shorewall6 => $shorewall6, + action => 'ACCEPT'; } } -- cgit v1.2.3 From 1bcdc4ad9340b1468e4bb14e0b7f1ea8bea73c7f Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:12:59 +0200 Subject: manage policies for shorewall6 --- manifests/init.pp | 4 ++++ manifests/policy.pp | 24 ++++++++++++++++-------- manifests/policy4.pp | 22 ++++++++++++++++++++++ manifests/policy6.pp | 22 ++++++++++++++++++++++ 4 files changed, 64 insertions(+), 8 deletions(-) create mode 100644 manifests/policy4.pp create mode 100644 manifests/policy6.pp diff --git a/manifests/init.pp b/manifests/init.pp index 9320944..52de35c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -19,6 +19,8 @@ class shorewall( $hosts = {}, $hosts_defaults = {}, $policy = {}, + $policy4 = {}, + $policy6 = {}, $policy_defaults = {}, $rules = {}, $rules4 = {}, 
@@ -136,6 +138,8 @@ class shorewall( create_resources('shorewall::interface',$interfaces,$interfaces_defaults) create_resources('shorewall::host',$hosts,$hosts_defaults) create_resources('shorewall::policy',$policy,$policy_defaults) + create_resources('shorewall::policy4',$policy4,$policy_defaults) + create_resources('shorewall::policy6',$policy6,$policy_defaults) create_resources('shorewall::rule',$rules,$rules_defaults) create_resources('shorewall::rule4',$rules4,$rules_defaults) create_resources('shorewall::rule6',$rules6,$rules_defaults) diff --git a/manifests/policy.pp b/manifests/policy.pp index efee05b..892a3d3 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -1,12 +1,20 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +# http://www.shorewall.net/manpages6/shorewall6-policy.html define shorewall::policy( - $sourcezone, - $destinationzone, - $policy, $shloglevel = '-', - $limitburst = '-', - $order + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', + $shorewall = true, + $shorewall6 = true, ){ - shorewall::entry{"policy-${order}-${name}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } + $with_shorewall6 = $shorewall6 and $shorewall::with_shorewall6 + shorewall::entry{"policy-${order}-${name}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", + shorewall => $shorewall, + shorewall6 => $with_shorewall6, + } } diff --git a/manifests/policy4.pp b/manifests/policy4.pp new file mode 100644 index 0000000..301d9af --- /dev/null +++ b/manifests/policy4.pp 
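Review bot: Defaulting `$shorewall6 = true` in `shorewall::policy` means every existing `shorewall::policy` declaration is also written to the shorewall6 policy file as soon as `shorewall::with_shorewall6` is enabled, which changes the effective IPv6 policy set without any change at the call sites. The header comment should say so, e.g. `# also applied to shorewall6 when shorewall::with_shorewall6 is set; pass shorewall6 => false for IPv4-only policies`. Callers with policies that only make sense for one address family have to opt out explicitly after this change.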
@@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages/shorewall-policy.html +define shorewall::policy4( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => true, + shorewall6 => false, + } +} + diff --git a/manifests/policy6.pp b/manifests/policy6.pp new file mode 100644 index 0000000..1a4735f --- /dev/null +++ b/manifests/policy6.pp @@ -0,0 +1,22 @@ +# http://www.shorewall.net/manpages6/shorewall6-policy.html +define shorewall::policy6( + $sourcezone, + $destinationzone, + $policy, + $order, + $shloglevel = '-', + $limitburst = '-', +){ + shorewall::policy{ + $name: + sourcezone => $sourcezone, + destinationzone => $destinationzone, + policy => $policy, + order => $order, + shloglevel => $shloglevel, + limitburst => $limitburst, + shorewall => false, + shorewall6 => true, + } +} + -- cgit v1.2.3 From 8782101a26279b109f7742d244f23fd245cd3f72 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:18:18 +0200 Subject: we should start managing also that file --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 52de35c..93f71f7 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -130,7 +130,7 @@ class shorewall( 'mangle', ]:; } - Shorewall::Managed_file['zones','interfaces','params','rules']{ + Shorewall::Managed_file['zones','interfaces','params','rules','policy']{ shorewall6 => true, } -- cgit v1.2.3 From 265cf2afa424b5bf9c48b6e8512308d8911a1eca Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 25 Apr 2017 17:24:50 +0200 Subject: add missing file --- files/boilerplate6/policy.header | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 files/boilerplate6/policy.header 
diff --git a/files/boilerplate6/policy.header b/files/boilerplate6/policy.header new file mode 100644 index 0000000..aee2ff0 --- /dev/null +++ b/files/boilerplate6/policy.header @@ -0,0 +1,10 @@ +# +# Shorewall6 -- /etc/shorewall6/policy +# +# For information about entries in this file, type "man shorewall6-policy" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-policy.html +# +############################################################################### +#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT -- cgit v1.2.3 From 80aa7d6546d122ccba0b2acc8befa3f20bd08ffd Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:33:25 +0200 Subject: add missing package for EL6 --- manifests/centos.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/centos.pp b/manifests/centos.pp index ff8c6ad..09f34e7 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -9,5 +9,11 @@ class shorewall::centos inherits shorewall::base { require => Package['shorewall'], notify => Exec['shorewall_check'], } + if $shorewall::with_shorewall6 { + package{'perl-Socket6': + ensure => 'installed', + before => Package['shorewall6'], + } + } } } -- cgit v1.2.3 From db26643a43b74f5718f81a821316d6a58855b371 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:37:05 +0200 Subject: also support EL6 style files --- files/boilerplate6/interfaces.header.CentOS.6 | 12 ++++++++++++ manifests/managed_file.pp | 3 ++- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 files/boilerplate6/interfaces.header.CentOS.6 diff --git a/files/boilerplate6/interfaces.header.CentOS.6 b/files/boilerplate6/interfaces.header.CentOS.6 new file mode 100644 index 0000000..944bd94 --- /dev/null +++ b/files/boilerplate6/interfaces.header.CentOS.6 
@@ -0,0 +1,12 @@ +# +# Shorewall6 version 4 - Interfaces File +# +# For information about entries in this file, type "man shorewall6-interfaces" +# +# The manpage is also online at +# http://www.shorewall.net/manpages6/shorewall6-interfaces.html +# +############################################################################### +FORMAT 2 +############################################################################### +#ZONE INTERFACE OPTIONS diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 135d59a..4251a8f 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -27,7 +27,8 @@ define shorewall::managed_file( } concat::fragment { "6${name}-header": - source => "puppet:///modules/shorewall/boilerplate6/${name}.header", + source => [ "puppet:///modules/shorewall/boilerplate6/${name}.header.${operatingsystem}.${operatingsystemmajrelease}", + "puppet:///modules/shorewall/boilerplate6/${name}.header",], target => "/etc/shorewall6/puppet/${name}", order => '000'; } -- cgit v1.2.3 From a5e5276a42745bde23800fb5a614363924351323 Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 17:37:55 +0200 Subject: this is IPv4 only so far --- manifests/rules/out/ekeyd.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/out/ekeyd.pp b/manifests/rules/out/ekeyd.pp index 8acdaad..c437f6a 100644 --- a/manifests/rules/out/ekeyd.pp +++ b/manifests/rules/out/ekeyd.pp @@ -1,5 +1,5 @@ define shorewall::rules::out::ekeyd($host) { - shorewall::rule { "me-${name}-tcp_ekeyd": + shorewall::rule4{ "me-${name}-tcp_ekeyd": source => '$FW', destination => "${name}:${host}", proto => 'tcp', -- cgit v1.2.3 From 4112e79844623b76e0fc47e647a38f99c6d60d9e Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 1 May 2017 21:08:58 +0200 Subject: correct snippet --- files/boilerplate6/interfaces.header.CentOS.6 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/files/boilerplate6/interfaces.header.CentOS.6 b/files/boilerplate6/interfaces.header.CentOS.6 index 944bd94..2e5bd3d 100644 --- a/files/boilerplate6/interfaces.header.CentOS.6 +++ b/files/boilerplate6/interfaces.header.CentOS.6 @@ -1,12 +1,11 @@ # -# Shorewall6 version 4 - Interfaces File +# Shorewall6 -- /etc/shorewall6/interfaces # # For information about entries in this file, type "man shorewall6-interfaces" # # The manpage is also online at # http://www.shorewall.net/manpages6/shorewall6-interfaces.html # -############################################################################### FORMAT 2 ############################################################################### #ZONE INTERFACE OPTIONS -- cgit v1.2.3 From dbc02ed9a962ef85739094f4a3cbd4ad009d0dde Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 8 May 2017 22:12:02 +0200 Subject: don't notify the service --- manifests/blrules.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/blrules.pp b/manifests/blrules.pp index 7f3953b..f37e5ed 100644 --- a/manifests/blrules.pp +++ b/manifests/blrules.pp @@ -26,7 +26,7 @@ class shorewall::blrules ( file{'/etc/shorewall/puppet/blrules': content => template('shorewall/blrules.erb'), require => Package['shorewall'], - notify => Service['shorewall'], + notify => Exec['shorewall_check'], owner => root, group => 0, mode => '0644'; -- cgit v1.2.3 From 33b575da9deec3f41896b8e2dfe9e6a89e57e83c Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 8 May 2017 22:13:01 +0200 Subject: try to be extra cautious when restarting and do it with the try, so nothing breaks if something is broken that is not connected at compile time --- manifests/base.pp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index abf477b..c96e48f 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -65,10 +65,11 @@ class shorewall::base { exec{'shorewall_check': command => 'shorewall check', refreshonly => true, - notify => Service['shorewall'], require => Package['shorewall'], - } - service{'shorewall': + } ~> exec{'shorewall_try': + command => 'shorewall try /etc/shorewall/puppet', + refreshonly => true, + } -> service{'shorewall': ensure => running, enable => true, hasstatus => true, @@ -92,15 +93,15 @@ class shorewall::base { exec{'shorewall6_check': command => 'shorewall6 check', refreshonly => true, - notify => Service['shorewall6'], require => Package['shorewall6'], - } - service{'shorewall6': + } ~> exec{'shorewall6_try': + command => 'shorewall6 try /etc/shorewall6/puppet', + refreshonly => true, + } -> service{'shorewall6': ensure => running, enable => true, hasstatus => true, hasrestart => true, - require => Exec['shorewall6_check'], } } -- cgit v1.2.3 From 49d8591a1d027ee44b839c364dffe4624f264c2b Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 21 May 2017 13:14:56 +0200 Subject: remove an unnecessary dep --- manifests/base.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index c96e48f..48451ae 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -74,7 +74,6 @@ class shorewall::base { enable => true, hasstatus => true, hasrestart => true, - require => Exec['shorewall_check'], } if $shorewall::with_shorewall6 { -- cgit v1.2.3 From 7332777829c19a63ce3d9bc50a2ddd40b940743a Mon Sep 17 00:00:00 2001 
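Review bot: `shorewall try /etc/shorewall/puppet` is not a lock-out guard: per shorewall(8) it restores the previously running ruleset only when the new one fails to load, so a ruleset that compiles cleanly but drops the host's own management traffic (SSH, the agent's outbound connection) stays active, and the preceding `shorewall check` cannot catch that either. When the try does fail, the old ruleset keeps running and the only signal that the firewall was not updated is the exec failure in the run report, so operators should treat a failed run as "firewall stale". I'd state both facts in a comment above the exec: `# 'try' rolls back only on load failure; a ruleset that locks us out is kept, and a failed try leaves the OLD ruleset active`. The same applies to the `shorewall6_try` exec in the second hunk. The class shorewall::base starts and ends outside these hunks.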
From: Micah Anderson Date: Fri, 23 Jun 2017 12:03:17 -0400 Subject: fix filename rename --- files/boilerplate/tunnel.footer | 1 + files/boilerplate/tunnel.header | 10 ++++++++++ files/boilerplate/tunnels.footer | 1 - files/boilerplate/tunnels.header | 10 ---------- 4 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 files/boilerplate/tunnel.footer create mode 100644 files/boilerplate/tunnel.header delete mode 100644 files/boilerplate/tunnels.footer delete mode 100644 files/boilerplate/tunnels.header diff --git a/files/boilerplate/tunnel.footer b/files/boilerplate/tunnel.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tunnel.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnel.header b/files/boilerplate/tunnel.header new file mode 100644 index 0000000..7bfd966 --- /dev/null +++ b/files/boilerplate/tunnel.header @@ -0,0 +1,10 @@ +# +# Shorewall -- /etc/shorewall/tunnels +# +# For information about entries in this file, type "man shorewall-tunnels" +# +# The manpage is also online at +# http://www.shorewall.net/manpages/shorewall-tunnels.html +# +############################################################################### +#TYPE ZONE GATEWAY GATEWAY_ZONE diff --git a/files/boilerplate/tunnels.footer b/files/boilerplate/tunnels.footer deleted file mode 100644 index 5e12d1d..0000000 --- a/files/boilerplate/tunnels.footer +++ /dev/null @@ -1 +0,0 @@ -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tunnels.header b/files/boilerplate/tunnels.header deleted file mode 100644 index 7bfd966..0000000 --- a/files/boilerplate/tunnels.header +++ /dev/null 
@@ -1,10 +0,0 @@ -# -# Shorewall -- /etc/shorewall/tunnels -# -# For information about entries in this file, type "man shorewall-tunnels" -# -# The manpage is also online at -# http://www.shorewall.net/manpages/shorewall-tunnels.html -# -############################################################################### -#TYPE ZONE GATEWAY GATEWAY_ZONE -- cgit v1.2.3 From 93ce8e5ec63440dd7ec5586785f24a7609ae48ca Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 5 Jul 2017 14:03:24 +0200 Subject: make ensure a noop for concat::framet, as from puppetlabs-concat 4.0.1 on this is removed and concat purges non-managed fragments --- manifests/entry.pp | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index a7321f8..ccd3305 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -5,21 +5,23 @@ define shorewall::entry( $shorewall6 = false, $line ){ - $parts = split($name,'-') - if $shorewall { - concat::fragment{$name: - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall/puppet/${parts[0]}", + if $ensure == 'present' { + $parts = split($name,'-') + if $shorewall { + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } } - } - if $shorewall6 and $shorewall::with_shorewall6 { - concat::fragment{"shorewall6_${name}": - ensure => $ensure, - content => "${line}\n", - order => $parts[1], - target => "/etc/shorewall6/puppet/${parts[0]}", + if $shorewall6 and $shorewall::with_shorewall6 { + concat::fragment{"shorewall6_${name}": + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall6/puppet/${parts[0]}", + } } } } -- cgit v1.2.3 From 06f09ecfbfbdd4c59e31bbcabcc356d2b7a50e9d Mon Sep 17 00:00:00 2001 
From: mh Date: Wed, 5 Jul 2017 14:04:01 +0200 Subject: linting --- manifests/entry.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index ccd3305..b8768b0 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,9 +1,9 @@ # a core wrapper for all kinds of entries define shorewall::entry( - $ensure = present, - $shorewall = true, - $shorewall6 = false, - $line + $line, + $ensure = present, + $shorewall = true, + $shorewall6 = false, ){ if $ensure == 'present' { $parts = split($name,'-') -- cgit v1.2.3 From aa9d865f8d9a841cc7d4bef70aa5481816a9649e Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 6 Jul 2017 08:07:08 +0200 Subject: to make the previous commit work, we should also remove the ensure from fragment --- manifests/entry.pp | 2 -- 1 file changed, 2 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index b8768b0..b6ce702 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -9,7 +9,6 @@ define shorewall::entry( $parts = split($name,'-') if $shorewall { concat::fragment{$name: - ensure => $ensure, content => "${line}\n", order => $parts[1], target => "/etc/shorewall/puppet/${parts[0]}", @@ -17,7 +16,6 @@ define shorewall::entry( } if $shorewall6 and $shorewall::with_shorewall6 { concat::fragment{"shorewall6_${name}": - ensure => $ensure, content => "${line}\n", order => $parts[1], target => "/etc/shorewall6/puppet/${parts[0]}", -- cgit v1.2.3 From b92b6930ca6c10c89b8f59cce393643eb32248e5 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 19 Jul 2017 17:05:48 +0200 Subject: add mosh support --- manifests/rules/mosh.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 manifests/rules/mosh.pp diff --git a/manifests/rules/mosh.pp b/manifests/rules/mosh.pp new file mode 100644 index 0000000..1cd3486 --- /dev/null +++ b/manifests/rules/mosh.pp 
@@ -0,0 +1,11 @@ +# enable mosh support +class shorewall::rules::mosh { + shorewall::rule { 'net-me-mosh-udp': + source => 'net', + destination => '$FW', + proto => 'udp', + destinationport => '60000:61000', + order => 240, + action => 'ACCEPT'; + } +} -- cgit v1.2.3 From 4b9c6e1714857a702add52b1176eb65d347ac71d Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 3 Aug 2017 10:17:00 +0200 Subject: make it possible to set v6 and v6 puppetserver --- manifests/rules/puppet.pp | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index ee920b0..6cb0282 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,12 +1,30 @@ # outgoing puppet params class shorewall::rules::puppet( - $puppetserver = "puppet.${::domain}", - $puppetserver_port = 8140, + $puppetserver = "puppet.${::domain}", + $puppetserver_v6 = undef, + $puppetserver_port = 8140, $puppetserver_signport = 8141 ){ - shorewall::params4{ - 'PUPPETSERVER': value => $puppetserver; + shorewall::params{ 'PUPPETSERVER_PORT': value => $puppetserver_port; 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } + if is_ipv4_address($puppetserver){ + shorewall::params4{ + 'PUPPETSERVER': value => $puppetserver; + } + if $puppetserver_v6 { + shorewall::params6{ + 'PUPPETSERVER': value => $puppetserver; + } + } + } elsif is_ipv6_address($puppetserver){ + shorewall::params6{ + 'PUPPETSERVER': value => $puppetserver; + } + } else { + shorewall::params{ + 'PUPPETSERVER': value => $puppetserver; + } + } } -- cgit v1.2.3 From 48fad255975ccbe9b58bb1e17882a4357f8721ab Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 19:15:12 +0200 Subject: workaround a bug in facter that sets ipaddress6 to ipv4 addresses --- manifests/init.pp | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 93f71f7..7f9676d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
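Review bot: The mosh rule hard-codes the UDP range `60000:61000` and, unlike the other rule classes being parameterised in this series, has no `shorewall6` toggle, so the 1001-port allowance from `net` to `$FW` can be neither narrowed nor limited to IPv4 per host. I'd give the class `$ports = '60000:61000'` and `$shorewall6 = true` parameters and pass `destinationport => $ports, shorewall6 => $shorewall6,` to the rule, so a site that pins mosh-server to a smaller range (its `-p` option, per its manpage) can expose only that. A short header comment would also help: `# mosh-server picks one UDP port per session from this range; keep it in sync with the server's -p setting`.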
@@ -68,6 +68,16 @@ class shorewall( $merged_settings = merge($def_settings,$settings) + # workaround https://tickets.puppetlabs.com/browse/FACT-1739 + if $shorewall6 == 'auto' { + if $ipaddress6 and $ipaddress6 =~ /:/ { + $with_shorewall6 = true + } else { + $with_shorewall6 = false + } + } else { + $with_shorewall6 = str2bool($shorewall6) + } $with_shorewall6 = $shorewall6 ? { 'auto' => $ipaddress6 ? { undef => false, -- cgit v1.2.3 From fb533f32279e4479431a37b4245a6e2f1d17e32b Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 20:29:56 +0200 Subject: delete the old way --- manifests/init.pp | 7 ------- 1 file changed, 7 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 7f9676d..cf7d5b8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -78,13 +78,6 @@ class shorewall( } else { $with_shorewall6 = str2bool($shorewall6) } - $with_shorewall6 = $shorewall6 ? { - 'auto' => $ipaddress6 ? { - undef => false, - default => true, - }, - default => str2bool($shorewall6), - } case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } -- cgit v1.2.3 From aee37040009edb28105f06ebc615f4b55d5d56a9 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 24 Aug 2017 21:14:20 +0200 Subject: make sure we also en/disable it based on the right setting --- manifests/init.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index cf7d5b8..61187f0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -57,17 +57,6 @@ class shorewall( $daily_check = true, ) { - $disable_ipv6 = $ipaddress6 ? { - undef => 'Yes', - default => 'No', - } - $def_settings = { - 'LOG_MARTIANS' => 'No', - 'DISABLE_IPV6' => $disable_ipv6, - } - - $merged_settings = merge($def_settings,$settings) - # workaround https://tickets.puppetlabs.com/browse/FACT-1739 if $shorewall6 == 'auto' { if $ipaddress6 and $ipaddress6 =~ /:/ { 
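Review bot: The `auto` path switches the IPv6 firewall on for any `$ipaddress6` value that contains a colon, a looser test than the `is_ipv6_address` check the module already applies to addresses in rules/puppet.pp, so a malformed fact that merely is not an IPv4 address still enables shorewall6 and, in the follow-on DISABLE_IPV6 logic, leaves IPv6 unfiltered. Since this flag decides whether the host gets a managed ip6tables ruleset at all, I'd tighten it to `if $ipaddress6 and is_ipv6_address($ipaddress6) {` and keep the FACT-1739 link in the comment so the reason for distrusting the fact stays visible. Note that the old `$with_shorewall6 = $shorewall6 ? { ... }` selector is still present below in this hunk, so the variable is assigned twice, which Puppet rejects at compile time until the follow-up commit removes it. The class shorewall continues outside the hunk.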
@@ -79,6 +68,17 @@ class shorewall( $with_shorewall6 = str2bool($shorewall6) } + $disable_ipv6 = $with_shorewall6 ? { + false => 'Yes', + default => 'No', + } + $def_settings = { + 'LOG_MARTIANS' => 'No', + 'DISABLE_IPV6' => $disable_ipv6, + } + + $merged_settings = merge($def_settings,$settings) + case $::operatingsystem { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } -- cgit v1.2.3 From 1643fc0f14aaf4a31f18af8adcf682298a9c8aca Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 12:50:31 +0200 Subject: there is no ipv6 support there yet --- manifests/rules/out/ibackup.pp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 856bcdb..9827426 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,5 +1,7 @@ class shorewall::rules::out::ibackup( - $backup_host + $backup_host, + $shorewall4 = true, + $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', @@ -7,6 +9,8 @@ class shorewall::rules::out::ibackup( proto => 'tcp', destinationport => 'ssh', order => 240, - action => 'ACCEPT'; + action => 'ACCEPT', + shorewall4 => $shorewall4, + shorewall6 => $shorewall6, } } -- cgit v1.2.3 From 398b8b94cbeedf08615c926a5a37974bca002943 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 12:52:56 +0200 Subject: fix param name --- manifests/rules/out/ibackup.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index 9827426..17cc314 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,6 +1,6 @@ class shorewall::rules::out::ibackup( $backup_host, - $shorewall4 = true, + $shorewall = true, $shorewall6 = false, ){ shorewall::rule { 'me-net-tcp_backupssh': 
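Review bot: `DISABLE_IPV6` is now derived from `$with_shorewall6`, so a host with an explicit `shorewall6 => false` gets `DISABLE_IPV6=Yes` even when it has IPv6 connectivity; per shorewall.conf(5) that makes shorewall block IPv6 traffic on the host, which is the right fail-closed default but is a behaviour change from the previous fact-driven value and is not called out anywhere. I'd record it above the selector: `# with shorewall6 off, shorewall blocks IPv6 entirely (DISABLE_IPV6=Yes) instead of leaving it unfiltered`. The class shorewall starts and ends outside the hunk.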
@@ -10,7 +10,7 @@ class shorewall::rules::out::ibackup( destinationport => 'ssh', order => 240, action => 'ACCEPT', - shorewall4 => $shorewall4, + shorewall => $shorewall, shorewall6 => $shorewall6, } } -- cgit v1.2.3 From 983ae4c5bc61b09422b671123e670d62cb4e2e59 Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 29 Aug 2017 22:14:33 +0200 Subject: correctly set shorewall6 option for puppetserver config --- manifests/rules/out/puppet.pp | 1 + manifests/rules/puppet.pp | 24 +++++++++++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index 827e23a..2444dcb 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -9,6 +9,7 @@ class shorewall::rules::out::puppet( puppetserver => $puppetserver, puppetserver_port => $puppetserver_port, puppetserver_signport => $puppetserver_signport, + shorewall6 => $shorewall6, } # we want to connect to the puppet server shorewall::rule { 'me-net-puppet_tcp': diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index 6cb0282..dcb88f5 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp 
@@ -3,28 +3,38 @@ class shorewall::rules::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_v6 = undef, $puppetserver_port = 8140, - $puppetserver_signport = 8141 + $puppetserver_signport = 8141, + $shorewall6 = true, ){ shorewall::params{ - 'PUPPETSERVER_PORT': value => $puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; + 'PUPPETSERVER_PORT': + value => $puppetserver_port, + shorewall6 => $shorewall6; + 'PUPPETSERVER_SIGN_PORT': + value => $puppetserver_signport, + shorewall6 => $shorewall6, } if is_ipv4_address($puppetserver){ shorewall::params4{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver; } if $puppetserver_v6 { shorewall::params6{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver_v6; } } } elsif is_ipv6_address($puppetserver){ shorewall::params6{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver; } } else { shorewall::params{ - 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER': + value => $puppetserver, + shorewall6 => $shorewall6; } } } -- cgit v1.2.3 From 213a4254c03db1477f584972519b1fe3b351074b Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 30 Aug 2017 00:39:26 +0200 Subject: make ipv6 tuneable --- manifests/rules/out/imap.pp | 24 ++++++++++++++---------- manifests/rules/out/pop3.pp | 24 ++++++++++++++---------- 2 files changed, 28 insertions(+), 20 deletions(-) diff --git a/manifests/rules/out/imap.pp b/manifests/rules/out/imap.pp index f1313d2..0cbee50 100644 --- a/manifests/rules/out/imap.pp +++ b/manifests/rules/out/imap.pp 
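Review bot: In the `is_ipv4_address` branch, when `$puppetserver_v6` is unset no `PUPPETSERVER` param is written for shorewall6, yet `$shorewall6` defaults to true here and rules/out/puppet.pp (earlier in this commit) declares its rule with `shorewall6 => $shorewall6` against `net:$PUPPETSERVER`, so the IPv6 ruleset presumably references an undefined param and `shorewall6 check` fails, leaving the host on its previous IPv6 rules with only a failed exec to show for it. The hostname `else` branch has the mirror gap: `$puppetserver_v6` is silently ignored there. I'd fail fast after the `if $puppetserver_v6` block: `} elsif $shorewall6 { fail('puppetserver is an IPv4 literal but shorewall6 is enabled: set puppetserver_v6 or shorewall6 => false') }`, and in the `else` branch emit a `shorewall::params6` entry when `$puppetserver_v6` is given instead of dropping it.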
@@ -1,11 +1,15 @@ -class shorewall::rules::out::imap { - shorewall::rule { - 'me-net-tcp_imap_s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => '143,993', - order => 260, - action => 'ACCEPT'; - } +# outgoing imap +class shorewall::rules::out::imap( + $shorewall6 = true, +) { + shorewall::rule { + 'me-net-tcp_imap_s': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => '143,993', + order => 260, + action => 'ACCEPT', + shorewall6 => $shorewall6, + } } diff --git a/manifests/rules/out/pop3.pp b/manifests/rules/out/pop3.pp index ebd4828..ea66bf7 100644 --- a/manifests/rules/out/pop3.pp +++ b/manifests/rules/out/pop3.pp @@ -1,11 +1,15 @@ -class shorewall::rules::out::pop3 { - shorewall::rule { - 'me-net-tcp_pop3_s': - source => '$FW', - destination => 'net', - proto => 'tcp', - destinationport => 'pop3,pop3s', - order => 260, - action => 'ACCEPT'; - } +# outoging oper3 +class shorewall::rules::out::pop3( + $shorewall6 = true, +) { + shorewall::rule { + 'me-net-tcp_pop3_s': + source => '$FW', + destination => 'net', + proto => 'tcp', + destinationport => 'pop3,pop3s', + order => 260, + action => 'ACCEPT', + shorewall6 => $shorewall6, + } } -- cgit v1.2.3 From cb6b6b7f85b39374897ccb8fd8b219809f35d9ba Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 24 Sep 2017 11:59:03 +0200 Subject: make sure shorewall6 is started after shorewall as inserting fw rules into iptables can't be properly serialized. This is a backport of a fix that went into shorewall 5.1.6 by commit 0603f8e355b19ca88d2a7ad6f181767092e02e00 in the shorewall repository. --- manifests/base.pp | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/manifests/base.pp b/manifests/base.pp index 48451ae..cc8090b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
@@ -24,6 +24,24 @@ class shorewall::base { package{'shorewall6': ensure => 'installed' } + # serialize systemd where it's not yet done + if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) { + include ::systemd + file{ + '/etc/systemd/system/shorewall6.service.d': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0644'; + '/etc/systemd/system/shorewall6.service.d/after-ipv4.conf': + content => "[Unit]\nAfter=shorewall.service\n", + owner => 'root', + group => 'root', + mode => '0644', + notify => Exec['systemctl-daemon-reload'], + } + Exec['systemctl-daemon-reload'] -> Service['shorewall6'] + } file { '/etc/shorewall6/shorewall6.conf': require => Package['shorewall6'], -- cgit v1.2.3 From 9a8057158e7a08a3da86fee163e8d955193e6900 Mon Sep 17 00:00:00 2001 From: mh Date: Sun, 24 Sep 2017 12:01:09 +0200 Subject: linting --- manifests/base.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/base.pp b/manifests/base.pp index cc8090b..51e99bf 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -22,7 +22,7 @@ class shorewall::base { } if $shorewall::with_shorewall6 { package{'shorewall6': - ensure => 'installed' + ensure => 'installed', } # serialize systemd where it's not yet done if (versioncmp($facts['shorewall_version'],'5.1.6') < 0) and (versioncmp($facts['os']['release']['major'],'6') > 0) { -- cgit v1.2.3 From fab57483f46bab58275063081c5e4e6f7db9d2ab Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 2 Nov 2017 16:27:01 +0100 Subject: switch to the new facts hash --- manifests/init.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 61187f0..c286ba5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
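Review bot: The gate `versioncmp($facts['shorewall_version'],'5.1.6') < 0` runs at catalog compile time, so on a first run where the shorewall package is not yet installed and that custom fact is presumably absent, `versioncmp` gets undef and the compile fails before the package could ever be installed; the second half, `os.release.major > 6`, is not tied to any OS family, so it also pulls in `::systemd` on Debian/Ubuntu majors above 6 whatever their init system. I'd guard on the fact's presence and on the init system rather than the release number: `if $facts['shorewall_version'] and versioncmp($facts['shorewall_version'],'5.1.6') < 0 and $facts['service_provider'] == 'systemd' {` (service_provider is a stdlib fact, and the module already depends on stdlib for `str2bool`/`is_ipv4_address`). The drop-in directory is declared with `mode => '0644'`; Puppet's file type adds the search bit for directories when read is set, but `'0755'` states the intent. The reason for the ordering, that ip(6)tables rule loading cannot run concurrently as the commit message says, belongs in a comment above the `if` rather than only in the commit message.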
@@ -8,7 +8,7 @@ class shorewall( $ensure_version = 'present', $tor_transparent_proxy_host = '127.0.0.1', $tor_transparent_proxy_port = '9040', - $tor_user = $::operatingsystem ? { + $tor_user = $facts['operatingsystem'] ? { 'Debian' => 'debian-tor', default => 'tor' }, @@ -59,7 +59,7 @@ class shorewall( # workaround https://tickets.puppetlabs.com/browse/FACT-1739 if $shorewall6 == 'auto' { - if $ipaddress6 and $ipaddress6 =~ /:/ { + if $facts['ipaddress6'] and $facts['ipaddress6'] =~ /:/ { $with_shorewall6 = true } else { $with_shorewall6 = false @@ -79,12 +79,12 @@ class shorewall( $merged_settings = merge($def_settings,$settings) - case $::operatingsystem { + case $facts['operatingsystem'] { 'Gentoo': { include ::shorewall::gentoo } 'Debian','Ubuntu': { include ::shorewall::debian } 'CentOS': { include ::shorewall::centos } default: { - notice "unknown operatingsystem: ${::operatingsystem}" + notice "unknown operatingsystem: ${facts['operatingsystem']}" include ::shorewall::base } } -- cgit v1.2.3 From 851c51659961724a1457e3de1bbe9591390b1e82 Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Wed, 22 Nov 2017 17:01:00 -0500 Subject: Don't pass $ensure parameter to concat::fragment It has been removed in the latest version of puppetlabs-concat --- manifests/entry.pp | 2 -- manifests/rule.pp | 2 -- 2 files changed, 4 deletions(-) diff --git a/manifests/entry.pp b/manifests/entry.pp index c8fffc7..ab61351 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -1,10 +1,8 @@ define shorewall::entry( - $ensure = present, $line ){ $parts = split($name,'-') concat::fragment{$name: - ensure => $ensure, content => "${line}\n", order => $parts[1], target => "/etc/shorewall/puppet/${parts[0]}", diff --git a/manifests/rule.pp b/manifests/rule.pp index 2fe91e2..b80c584 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -1,6 +1,5 @@ # mark is new in 3.4.4 define shorewall::rule( - $ensure = present, $action, $source, $destination, 
@@ -14,7 +13,6 @@ define shorewall::rule( $order ){ shorewall::entry{"rules-${order}-${name}": - ensure => $ensure, line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", } } -- cgit v1.2.3 From 532d79cba8f01cfc3bcd16ae83741aac08bab80f Mon Sep 17 00:00:00 2001 From: intrigeri Date: Tue, 9 Jan 2018 21:36:59 +0000 Subject: Don't transitively pass $ensure parameter to concat::fragment Follow up on commit 851c51659961724a1457e3de1bbe9591390b1e82. --- manifests/rules/gitdaemon/absent.pp | 5 ----- manifests/rules/out/ssh/remove.pp | 5 ----- 2 files changed, 10 deletions(-) delete mode 100644 manifests/rules/gitdaemon/absent.pp delete mode 100644 manifests/rules/out/ssh/remove.pp diff --git a/manifests/rules/gitdaemon/absent.pp b/manifests/rules/gitdaemon/absent.pp deleted file mode 100644 index ade6fba..0000000 --- a/manifests/rules/gitdaemon/absent.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::rules::gitdaemon::absent inherits shorewall::rules::gitdaemon { - Shorewall::Rule['net-me-tcp_gitdaemon']{ - ensure => absent, - } -} diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp deleted file mode 100644 index bc0acf3..0000000 --- a/manifests/rules/out/ssh/remove.pp +++ /dev/null @@ -1,5 +0,0 @@ -class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh { - Shorewall::Rule['me-net-tcp_ssh']{ - ensure => absent, - } -} -- cgit v1.2.3 From 8d57c328374b6badc4accd454315b4457965d9e1 Mon Sep 17 00:00:00 2001 
From: Jerome Charaoui Date: Fri, 16 Feb 2018 15:11:22 -0500 Subject: Remove $puppetserver_signport, fixes #8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ng  lavamind: this is an acient relict, where there was a problem signing through apache ng  and then we had a mongrel running on that port --- manifests/rules/out/puppet.pp | 4 +--- manifests/rules/puppet.pp | 4 ---- manifests/rules/puppet/master.pp | 2 +- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/manifests/rules/out/puppet.pp b/manifests/rules/out/puppet.pp index 2444dcb..ac13bbb 100644 --- a/manifests/rules/out/puppet.pp +++ b/manifests/rules/out/puppet.pp @@ -2,13 +2,11 @@ class shorewall::rules::out::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_port = 8140, - $puppetserver_signport = 8141, $shorewall6 = true, ) { class{'shorewall::rules::puppet': puppetserver => $puppetserver, puppetserver_port => $puppetserver_port, - puppetserver_signport => $puppetserver_signport, shorewall6 => $shorewall6, } # we want to connect to the puppet server @@ -16,7 +14,7 @@ class shorewall::rules::out::puppet( source => '$FW', destination => 'net:$PUPPETSERVER', proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + destinationport => '$PUPPETSERVER_PORT', order => 340, shorewall6 => $shorewall6, action => 'ACCEPT'; diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index dcb88f5..3c90370 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -3,16 +3,12 @@ class shorewall::rules::puppet( $puppetserver = "puppet.${::domain}", $puppetserver_v6 = undef, $puppetserver_port = 8140, - $puppetserver_signport = 8141, $shorewall6 = true, ){ shorewall::params{ 'PUPPETSERVER_PORT': value => $puppetserver_port, shorewall6 => $shorewall6; - 'PUPPETSERVER_SIGN_PORT': - value => $puppetserver_signport, - shorewall6 => $shorewall6, } if is_ipv4_address($puppetserver){ shorewall::params4{ 
diff --git a/manifests/rules/puppet/master.pp b/manifests/rules/puppet/master.pp index 925979c..56b9f0b 100644 --- a/manifests/rules/puppet/master.pp +++ b/manifests/rules/puppet/master.pp @@ -3,7 +3,7 @@ class shorewall::rules::puppet::master { source => 'net', destination => '$FW', proto => 'tcp', - destinationport => '$PUPPETSERVER_PORT,$PUPPETSERVER_SIGN_PORT', + destinationport => '$PUPPETSERVER_PORT', order => 240, action => 'ACCEPT'; } -- cgit v1.2.3 From d37b528ddfc8912d8c94cd6ee9c91d58b5b8af66 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Fri, 23 Mar 2018 17:47:43 -0400 Subject: routefilter is also not a valid ipv6 option --- manifests/interface.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 4184db5..7e93c58 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -47,8 +47,10 @@ define shorewall::interface( if $shorewall::with_shorewall6 { # logmartians is not available on shorewall6 $all_options3 = regsubst($all_options2,',logmartians','') + # routefilter is not available in the kernel for ipv6 + $all_options4 = regsubst($all_options3,',routefilter','') shorewall::entry { "interfaces-${order}-${name}_6": - line => "${zone} ${name} ${all_options3}", + line => "${zone} ${name} ${all_options4}", shorewall => false, shorewall6 => true, } -- cgit v1.2.3 From 00d7e707917a28816ea34589318390fe4f185c73 Mon Sep 17 00:00:00 2001 
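Review bot: `regsubst($all_options3, ',routefilter', '')` strips the option only when a comma precedes it, so a caller whose `$options` starts with `routefilter` (or, on the line above, `logmartians`) still gets the option in the shorewall6 interfaces line the commit says it is invalid for; the default string happens to start with `tcpflags`, which hides this. A list-based filter handles either position in one step: `$all_options4 = join(delete(split($all_options2, ','), ['logmartians','routefilter']), ',')`, using stdlib's `delete` (which takes a list of items in current releases), after which the `$all_options3` line can go. The define shorewall::interface starts and ends outside this hunk.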
From: Micah Anderson Date: Sat, 24 Mar 2018 16:20:29 +0100 Subject: The blacklist option should not be set by default, it should only be added when you are actually going to blacklist things. Otherwise you get this warning from shorewall_check each day: WARNING: There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size Also, the README for this module notes that this option is deprecated upstream, and so we should remove it. --- manifests/interface.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 4184db5..d6c3623 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -3,7 +3,7 @@ define shorewall::interface( $zone, $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $options = 'tcpflags,routefilter,nosmurfs,logmartians', $add_options = '', $rfc1918 = false, $dhcp = false, -- cgit v1.2.3 From 37bb199434a193dbcd2ad8e42bc5cb024718b884 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sat, 24 Mar 2018 16:39:33 +0100 Subject: This fixes the ?SECTION change. The change requiring ? before SECTION happened in 4.6.0. Our check was only looking at the major version to see if it was 4, and if so, it would not add the ?. This was too imprecise and would not add the ? in versions of shorewall 4.6 and greater. So this commit will change that check to be more specific. --- README.md | 1 - manifests/rule_section.pp | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 4cb1a8a..4cb8b05 100644 --- a/README.md +++ b/README.md 
@@ -84,7 +84,6 @@ the following: * the rfc1918 file and norfc1918 option are deprecated * the tcrules file is deprecated, replaced by mangled * the routestopped file is deprecated and replaced by stoppedrules -* as of shorewall 4.6.0, SECTION headers need a leading '?' You should migrate your own calls to this module to move to the currently supported methods, we will be dropping support for deprecated features as diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index 24b3dfb..620af89 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -2,7 +2,7 @@ define shorewall::rule_section( $order, ){ - if versioncmp($shorewall_major_version,'4') > 0 { + if versioncmp($shorewall_version,'4.6.0') > 0 { $rule_section_prefix = '?' } else { $rule_section_prefix = '' -- cgit v1.2.3 From f5b60662a9f68ed559a421aef0bc3912cb7e99d1 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Thu, 5 Apr 2018 14:50:47 +0000 Subject: Puppet 4 compatibility. --- manifests/rules/libvirt/host.pp | 19 ++----------------- manifests/rules/libvirt/host/from_vmz.pp | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 17 deletions(-) create mode 100644 manifests/rules/libvirt/host/from_vmz.pp diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index dc3970d..090a9ca 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -6,21 +6,6 @@ class shorewall::rules::libvirt::host ( $vmz_iface = 'virbr0', ) { - define shorewall::rule::accept::from_vmz ( - $proto = '-', - $destinationport = '-', - $action = 'ACCEPT' - ) { - shorewall::rule { $name: - source => $shorewall::rules::libvirt::host::vmz, - destination => '$FW', - order => 300, - proto => $proto, - destinationport => $destinationport, - action => $action; - } - } - shorewall::policy { 'fw-to-vmz': sourcezone => '$FW', 
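Review bot: `versioncmp($shorewall_version,'4.6.0') > 0` still excludes exactly the release the commit message names, because versioncmp returns 0 for equal strings; 4.6.0 itself needs the `?` prefix, so the comparison should be `>= 0`. The fact is also read as an unqualified top-scope variable while the rest of the module has moved to `$facts[...]`, and if the fact is absent (shorewall not yet installed on the first run) versioncmp errors out at compile time rather than picking a prefix. I'd write `if $facts['shorewall_version'] and versioncmp($facts['shorewall_version'],'4.6.0') >= 0 {` and decide deliberately which prefix the missing-fact case should produce, since the rules file generated on that run is what the first `shorewall check` sees.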
@@ -40,7 +25,7 @@ class shorewall::rules::libvirt::host ( order => 800; } - shorewall::rule::accept::from_vmz { + shorewall::rules::libvirt::host::from_vmz { 'accept_dns_from_vmz': action => 'DNS(ACCEPT)'; 'accept_tftp_from_vmz': @@ -62,7 +47,7 @@ class shorewall::rules::libvirt::host ( } if $debproxy_port { - shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': + shorewall::rules::libvirt::host::from_vmz { 'accept_debproxy_from_vmz': proto => 'tcp', destinationport => $debproxy_port, action => 'ACCEPT'; diff --git a/manifests/rules/libvirt/host/from_vmz.pp b/manifests/rules/libvirt/host/from_vmz.pp new file mode 100644 index 0000000..f25c333 --- /dev/null +++ b/manifests/rules/libvirt/host/from_vmz.pp @@ -0,0 +1,14 @@ +define shorewall::rules::libvirt::host::from_vmz ( + $proto = '-', + $destinationport = '-', + $action = 'ACCEPT' +) { + shorewall::rule { $name: + source => $shorewall::rules::libvirt::host::vmz, + destination => '$FW', + order => 300, + proto => $proto, + destinationport => $destinationport, + action => $action; + } +} -- cgit v1.2.3 From cabbf434c1778cb4e8fe2f7f726a012f707cd2a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Charaoui?= Date: Wed, 2 May 2018 20:28:50 +0000 Subject: Add missing parameter in host.pp --- manifests/host.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/host.pp b/manifests/host.pp index 2a088ac..d0994fc 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -1,5 +1,6 @@ define shorewall::host( $zone, + $host, $options = 'tcpflags', $order='100' ){ -- cgit v1.2.3