From 8552753d9e3ab7662e618c54875e626a2b6926e9 Mon Sep 17 00:00:00 2001
From: Matt Taggart
Date: Fri, 10 Feb 2017 13:08:12 -0800
Subject: remove deprecated blacklist
the blacklist file was deprecated by upstream in 4.5.7, remove all references to them. Debian wheezy shipped with 4.5.5.3-3 (but could use a backport) and jessie has 4.6.4.3-2 currently.
---
 manifests/interface.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests/interface.pp')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 403ee74..b3d66c6 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -1,7 +1,7 @@
 define shorewall::interface(
 $zone,
 $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $options = 'tcpflags,routefilter,nosmurfs,logmartians',
 $add_options = '',
 $rfc1918 = false,
 $dhcp = false,
-- 
cgit v1.2.3
From 47f1ee74666fa00314546d01982461fa79d9da0a Mon Sep 17 00:00:00 2001
From: Matt Taggart
Date: Fri, 10 Feb 2017 13:24:59 -0800
Subject: remove deprecated norfc1918 option
It was deprecated in 4.2.0 http://www.shorewall.net/upgrade_issues.htm
---
 manifests/interface.pp | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'manifests/interface.pp')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index b3d66c6..670e477 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -3,7 +3,6 @@ define shorewall::interface(
 $broadcast = 'detect',
 $options = 'tcpflags,routefilter,nosmurfs,logmartians',
 $add_options = '',
- $rfc1918 = false,
 $dhcp = false,
 $order = 100
 ){
@@ -17,13 +16,8 @@ define shorewall::interface(
 default => ',dhcp',
 }
- $rfc1918_opt = $rfc1918 ? {
- false => ',norfc1918',
- default => '',
- }
-
 shorewall::entry { "interfaces-${order}-${name}":
- line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
+ line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${added_opts}",
 }
 }
-- 
cgit v1.2.3
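Review bot: Dropping `$rfc1918` from the parameter list in the hunk at `@@ -3,7 +3,6 @@` is a breaking interface change: any manifest that still passes `rfc1918 => ...` to shorewall::interface will now fail catalog compilation with an invalid-parameter error, and the commit message does not mention it. Keeping the parameter as an accepted but ignored value for one release avoids that, e.g. `$rfc1918 = undef,  # deprecated: norfc1918 was dropped upstream in 4.2.0, value ignored` in the parameter list and `if $rfc1918 != undef { warning("shorewall::interface ${name}: rfc1918 is deprecated and ignored") }` in the body. The define's body continues outside both hunks.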
From a8c1abea710e88e63a64b8889fe9965e95ff1740 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 8 Apr 2017 13:06:43 +0200
Subject: cleanup certain unsupported options
---
 manifests/interface.pp | 57 ++++++++++++++++++++++++++++++++------------------
 1 file changed, 37 insertions(+), 20 deletions(-)
(limited to 'manifests/interface.pp')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 403ee74..4ec587e 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -1,29 +1,46 @@
+# manage a shorewall-interface entry
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
 define shorewall::interface(
- $zone,
- $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
- $add_options = '',
- $rfc1918 = false,
- $dhcp = false,
- $order = 100
+ $zone,
+ $broadcast = 'detect',
+ $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $add_options = '',
+ $rfc1918 = false,
+ $dhcp = false,
+ $order = 100,
 ){
- $added_opts = $add_options ? {
- '' => '',
- default => ",${add_options}",
- }
+ $added_opts = $add_options ? {
+ '' => '',
+ default => ",${add_options}",
+ }
- $dhcp_opt = $dhcp ? {
- false => '',
- default => ',dhcp',
- }
+ $dhcp_opt = $dhcp ? {
+ false => '',
+ default => ',dhcp',
+ }
+ if versioncmp($shorewall_version,'4.5') < 0 {
 $rfc1918_opt = $rfc1918 ? {
- false => ',norfc1918',
- default => '',
+ false => ',norfc1918',
+ default => '',
 }
+ } else {
+ $rfc1918_opt = ''
+ }
+ $all_options = "${options}${dhcp_opt}${rfc1918_opt}${added_opts}"
+ if versioncmp($shorewall_version,'4.5') >= 0 {
+ $all_options1 = regsubst($all_options,',(no)?rfc1918','')
+ } else {
+ $all_options1 = $all_options
+ }
+ if versioncmp($shorewall_major_version,'5') >= 0 {
+ $all_options2 = regsubst($all_options1,',blacklist','')
+ } else {
+ $all_options2 = $all_options1
+ }
- shorewall::entry { "interfaces-${order}-${name}":
- line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}",
- }
+ shorewall::entry { "interfaces-${order}-${name}":
+ line => "${zone} ${name} ${broadcast} ${all_options2}",
+ }
 }
-- 
cgit v1.2.3
From 6ac2e1752f2185c293360aa062b7f49facff6abe Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 8 Apr 2017 13:21:14 +0200
Subject: manage interfaces for shorewall6
---
 manifests/interface.pp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'manifests/interface.pp')
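Review bot: The new `regsubst($all_options,',(no)?rfc1918','')` and `regsubst($all_options1,',blacklist','')` calls only strip an option that is preceded by a comma, so an interface declared with `options => 'blacklist,tcpflags'` (or with `norfc1918` first) keeps the unsupported option and shorewall's check still fails on that host; the `,logmartians` and `,routefilter` substitutions in the later shorewall6 hunks have the same gap. Anchoring both positions closes it, e.g. `$all_options2 = regsubst(regsubst($all_options1, ',blacklist', ''), '^blacklist,?', '')`, or more robustly split on `,`, drop the option names and join again. Separately, `$shorewall_version` and `$shorewall_major_version` are read as unqualified variables; if they are facts that only exist once the shorewall package is installed, `versioncmp()` receives undef on a first run and aborts the catalog, so a guard such as `if $shorewall_version and versioncmp($shorewall_version,'4.5') < 0` (or taking the version from the class) would be safer — where they are defined is not visible in this diff. Re-indenting the whole define in the same commit as the logic change also hides what actually changed; a separate whitespace-only commit would make this easier to review.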
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 4ec587e..3a90046 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -40,7 +40,18 @@ define shorewall::interface(
 }
 shorewall::entry { "interfaces-${order}-${name}":
- line => "${zone} ${name} ${broadcast} ${all_options2}",
+ line => "${zone} ${name} ${broadcast} ${all_options2}",
+ shorewall => true,
+ shorewall6 => false,
+ }
+ if $shorewall::with_shorewall6 {
+ # logmartians is not available on shorewall6
+ $all_options3 = regsubst($all_options2,',logmartians','')
+ shorewall::entry { "interfaces-${order}-${name}_6":
+ line => "${zone} ${name} ${broadcast} ${all_options3}",
+ shorewall => false,
+ shorewall6 => true,
+ }
 }
 }
-- 
cgit v1.2.3
From 063183d10413c9ce5acd8c6f448764b42d6a73d1 Mon Sep 17 00:00:00 2001
From: mh
Date: Sat, 8 Apr 2017 13:31:00 +0200
Subject: broadcast column is not needed for shorewall6
---
 manifests/interface.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests/interface.pp')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 3a90046..bc891c9 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -48,7 +48,7 @@ define shorewall::interface(
 # logmartians is not available on shorewall6
 $all_options3 = regsubst($all_options2,',logmartians','')
 shorewall::entry { "interfaces-${order}-${name}_6":
- line => "${zone} ${name} ${broadcast} ${all_options3}",
+ line => "${zone} ${name} ${all_options3}",
 shorewall => false,
 shorewall6 => true,
 }
-- 
cgit v1.2.3
From d37b528ddfc8912d8c94cd6ee9c91d58b5b8af66 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Fri, 23 Mar 2018 17:47:43 -0400
Subject: routefilter is also not a valid ipv6 option
---
 manifests/interface.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'manifests/interface.pp')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 4184db5..7e93c58 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
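Review bot: The IPv6 entry inside the new `if $shorewall::with_shorewall6 {` block is emitted for every interface as soon as shorewall6 is enabled, with no way for a caller to declare an IPv4-only interface (or the inverse); if `$zone` is not also defined for shorewall6, the generated `_6` line makes the shorewall6 check fail for the whole host. A per-resource switch keeps this opt-in: add `$shorewall = true,` and `$shorewall6 = $shorewall::with_shorewall6,` to the define's parameters, then use `if $shorewall6 {` here and `shorewall => $shorewall,` on the first entry. The `shorewall`/`shorewall6` parameters passed to shorewall::entry are not visible in this diff (it is limited to interface.pp), so their existence on that define should be confirmed. The define's parameter list lies outside this hunk.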
@@ -47,8 +47,10 @@ define shorewall::interface(
 if $shorewall::with_shorewall6 {
 # logmartians is not available on shorewall6
 $all_options3 = regsubst($all_options2,',logmartians','')
+ # routefilter is not available in the kernel for ipv6
+ $all_options4 = regsubst($all_options3,',routefilter','')
 shorewall::entry { "interfaces-${order}-${name}_6":
- line => "${zone} ${name} ${all_options3}",
+ line => "${zone} ${name} ${all_options4}",
 shorewall => false,
 shorewall6 => true,
 }
-- 
cgit v1.2.3
From 00d7e707917a28816ea34589318390fe4f185c73 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 24 Mar 2018 16:20:29 +0100
Subject: The blacklist option should not be set by default, it should only be added when you are actually going to blacklist things.
Otherwise you get this warning from shorewall_check each day: WARNING: There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size Also, the README for this module notes that this option is deprecated upstream, and so we should remove it.
---
 manifests/interface.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'manifests/interface.pp')
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 4184db5..d6c3623 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -3,7 +3,7 @@ define shorewall::interface(
 $zone,
 $broadcast = 'detect',
- $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians',
+ $options = 'tcpflags,routefilter,nosmurfs,logmartians',
 $add_options = '',
 $rfc1918 = false,
 $dhcp = false,
-- 
cgit v1.2.3
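Review bot: `$all_options4` adds a fourth numbered temporary to a chain of single-option `regsubst` calls in the `@@ -47,8 +47,10 @@` hunk; one substitution with an alternation and the global flag expresses the whole IPv6 filter on a single line, `$all_options3 = regsubst($all_options2, ',(logmartians|routefilter)', '', 'G')`, and `line =>` can then keep referring to `${all_options3}`. With a single call the two comments can also merge into one that gives both reasons, e.g. `# logmartians and routefilter are IPv4-only kernel settings and are not valid shorewall6 interface options`. The enclosing `if $shorewall::with_shorewall6` block closes outside the hunk.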