# Shorewall rules for a libvirt host.
#
# Traffic model declared here: the host firewall ($FW) may reach the VM
# zone, the VM zone may reach 'net', and everything else leaving the VM
# zone is dropped and logged. Individual host services are then opened to
# the VM zone through the shorewall::rule::accept::from_vmz helper below.
#
# Parameters:
#   $vmz           - name of the shorewall zone the guests live in.
#   $masq_iface    - outbound interface on which private (RFC 1918) and
#                    link-local source ranges are masqueraded; a false
#                    value skips the masq entry entirely.
#   $debproxy_port - TCP port of a package proxy on the host that guests
#                    may use; a false value skips that rule.
#   $accept_dhcp   - when true, add a CHECKSUM:T mangle entry for UDP
#                    destination port 68 on $vmz_iface (presumably for
#                    DHCP replies to guests — not verifiable from this
#                    file alone).
#   $vmz_iface     - bridge interface of the VM zone; only the mangle
#                    entry above refers to it.
class shorewall::rules::libvirt::host (
  $vmz           = 'vmz',
  $masq_iface    = 'eth0',
  $debproxy_port = 8000,
  $accept_dhcp   = true,
  $vmz_iface     = 'virbr0',
  ) {

  # Helper: a single rule from the VM zone to the host firewall ($FW).
  # Every instance widens what guests can reach on the host, so the list
  # of instances in this class is meant to stay short and explicit.
  # The '-' defaults are shorewall's "any" marker for proto/port.
  define shorewall::rule::accept::from_vmz (
    $proto           = '-',
    $destinationport = '-',
    $action          = 'ACCEPT'
  ) {
    shorewall::rule { $name:
      action          => $action,
      source          => $shorewall::rules::libvirt::host::vmz,
      destination     => '$FW',
      proto           => $proto,
      destinationport => $destinationport,
      order           => 300,
    }
  }

  # --- zone policies -------------------------------------------------

  shorewall::policy { 'fw-to-vmz':
    sourcezone      => '$FW',
    destinationzone => $vmz,
    policy          => 'ACCEPT',
    order           => 110,
  }

  shorewall::policy { 'vmz-to-net':
    sourcezone      => $vmz,
    destinationzone => 'net',
    policy          => 'ACCEPT',
    order           => 200,
  }

  # Catch-all for the VM zone: drop and log at 'info' so that unexpected
  # guest traffic is visible in the firewall log rather than silently lost.
  shorewall::policy { 'vmz-to-all':
    sourcezone      => $vmz,
    destinationzone => 'all',
    policy          => 'DROP',
    shloglevel      => 'info',
    order           => 800,
  }

  # --- host services always reachable from the VM zone ---------------

  shorewall::rule::accept::from_vmz { 'accept_dns_from_vmz':
    action => 'DNS(ACCEPT)',
  }

  shorewall::rule::accept::from_vmz { 'accept_tftp_from_vmz':
    action => 'TFTP(ACCEPT)',
  }

  # Puppet agent traffic from guests to a master on this host.
  shorewall::rule::accept::from_vmz { 'accept_puppet_from_vmz':
    proto           => 'tcp',
    destinationport => '8140',
    action          => 'ACCEPT',
  }

  # --- optional pieces -----------------------------------------------

  if $accept_dhcp {
    # Mangle-table checksum fix-up for UDP/68 on the VM bridge.
    shorewall::mangle { "CHECKSUM:T_${vmz_iface}":
      action          => 'CHECKSUM:T',
      source          => '-',
      destination     => $vmz_iface,
      proto           => 'udp',
      destinationport => '68',
    }
  }

  if $debproxy_port {
    shorewall::rule::accept::from_vmz { 'accept_debproxy_from_vmz':
      proto           => 'tcp',
      destinationport => $debproxy_port,
      action          => 'ACCEPT',
    }
  }

  if $masq_iface {
    # Masquerade private and link-local sources leaving the uplink.
    shorewall::masq { "masq-${masq_iface}":
      interface => $masq_iface,
      source    => '10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16',
    }
  }

}