From d97171b8e04812c617d126a82f913b987ad292fd Mon Sep 17 00:00:00 2001 From: bertagaz Date: Fri, 27 Feb 2015 15:15:16 +0100 Subject: Add support for the mangle table. --- manifests/init.pp | 2 ++ manifests/mangle.pp | 19 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 manifests/mangle.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index cd6488b..a567564 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -68,6 +68,8 @@ class shorewall( 'tunnel', # See http://www.shorewall.net/MultiISP.html 'rtrules', + # See http://www.shorewall.net/manpages/shorewall-mangle.html + 'mangle', ]:; } } diff --git a/manifests/mangle.pp b/manifests/mangle.pp new file mode 100644 index 0000000..e3fd1b3 --- /dev/null +++ b/manifests/mangle.pp @@ -0,0 +1,19 @@ +define shorewall::mangle( + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $user = '-', + $test = '-', + $length = '-', + $tos = '-', + $connbytes = '-', + $helper = '-', + $headers = '-', + $order = '100' +){ + shorewall::entry{"mangle-${order}-${name}": + line => "${name} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${user} ${test} ${length} ${tos} ${connbytes} ${helper} ${headers}" + } +} -- cgit v1.2.3 From 3404e5d09d41a3949c76e39f884e6a2d2db8cd48 Mon Sep 17 00:00:00 2001 From: bertagaz Date: Thu, 15 Jan 2015 12:33:41 +0100 Subject: Fix DHCP from $vmz. On newer kernel (tested on 3.16), the libvirt and shorewall iptables rules have conflicts that need to be fixed by enabling back --checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease. --- manifests/rules/libvirt/host.pp | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'manifests') diff --git a/manifests/rules/libvirt/host.pp b/manifests/rules/libvirt/host.pp index dfb753c..c226865 100644 --- a/manifests/rules/libvirt/host.pp +++ b/manifests/rules/libvirt/host.pp @@ -2,6 +2,8 @@ class shorewall::rules::libvirt::host ( $vmz = 'vmz', $masq_iface = 'eth0', $debproxy_port = 8000, + $accept_dhcp = true, + $vmz_iface = 'virbr0', ) { define shorewall::rule::accept::from_vmz ( @@ -49,6 +51,15 @@ class shorewall::rules::libvirt::host ( action => 'ACCEPT'; } + if $accept_dhcp { + shorewall::mangle { 'CHECKSUM:T': + source => '-', + destination => $vmz_iface, + proto => 'udp', + destinationport => '68'; + } + } + if $debproxy_port { shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz': proto => 'tcp', -- cgit v1.2.3 From 74ea10a6a1d4f4c1624d85d3d3795eaf819df10c Mon Sep 17 00:00:00 2001 From: Jerome Charaoui Date: Fri, 8 May 2015 16:00:21 -0400 Subject: Make sure MUNINCOLLECTOR join() gets an array in munin rule --- manifests/rules/munin.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/rules/munin.pp b/manifests/rules/munin.pp index 0c86abe..a20a4e0 100644 --- a/manifests/rules/munin.pp +++ b/manifests/rules/munin.pp @@ -1,10 +1,10 @@ class shorewall::rules::munin( $munin_port = '4949', - $munin_collector = '127.0.0.1', + $munin_collector = ['127.0.0.1'], $collector_source = 'net' ){ shorewall::params { 'MUNINPORT': value => $munin_port } - shorewall::params { 'MUNINCOLLECTOR': value => join($munin_collector,',') } + shorewall::params { 'MUNINCOLLECTOR': value => join(any2array($munin_collector),',') } shorewall::rule{'net-me-munin-tcp': source => "${collector_source}:\$MUNINCOLLECTOR", destination => '$FW', -- cgit v1.2.3