Revert "Support exempting some users from torification measures."
authorintrigeri <intrigeri@boum.org>
Wed, 2 Jan 2013 17:02:31 +0000 (18:02 +0100)
committerintrigeri <intrigeri@boum.org>
Wed, 2 Jan 2013 17:02:31 +0000 (18:02 +0100)
This reverts commit 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a.

This stuff is not ready for the shared repo, but we want to benefit from my
having already merged immerda's stuff into my branch and solved the conflicts.

README
manifests/init.pp
manifests/rules/torify.pp
manifests/rules/torify/allow_tor_user.pp [new file with mode: 0644]
manifests/rules/torify/non_torified_user.pp [deleted file]
manifests/rules/torify/non_torified_users.pp [deleted file]
manifests/rules/torify/redirect_tcp_to_tor.pp
manifests/rules/torify/user.pp

diff --git a/README b/README
index cb4424f964cd0fd650301c49ae28dd599fd78072..0010450381617ddb4c13f9c45a43f045c05be9e8 100644 (file)
--- a/README
+++ b/README
@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses
 is by default allowed and (obviously) not torified. This behaviour can
 be changed by setting the allow_rfc1918 parameter to false.
 
-Torify any outgoing TCP traffic but
-  - connections to RFC1918 addresses
-  - connections from users bob and alice:
+Torify any outgoing TCP traffic but connections to RFC1918 addresses:
 
-  $non_torified_users = [ 'bob', 'alice' ]
   shorewall::rules::torify {
     'torify-everything-but-lan':
   }
index dd287678a3969bb7b0409b36b69c40b1b3b9f635..3b4b3b26a17d7866106e68a58334796f9ccfb99a 100644 (file)
@@ -33,10 +33,6 @@ class shorewall(
       default => $dist_tor_user,
     }
   }
-  case $non_torified_users {
-    '': { $non_torified_users = [] }
-  }
-  $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 
   # See http://www.shorewall.net/3.0/Documentation.htm#Zones
   shorewall::managed_file{ zones: }
index b393a2a7a24019d5aa6a1b794ad3fee72b013b75..f6e62d81ac38f5aa592a004426116a64f2dcf0ce 100644 (file)
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
   $allow_rfc1918 = true
 ){
 
-  include shorewall::rules::torify::non_torified_users
-
   $originaldest = join($destinations,',')
 
   shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644 (file)
index 0000000..f44c1f0
--- /dev/null
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+  $whitelist_rule = "allow-from-tor-user"
+  if !defined(Shorewall::Rule["$whitelist_rule"]) {
+    shorewall::rule {
+      "$whitelist_rule":
+        source      => '$FW',
+        destination => 'all',
+        user        => $shorewall::tor_user,
+        order       => 101,
+        action      => 'ACCEPT';
+    }
+  }
+
+}
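Review bot: The `if !defined(Shorewall::Rule["$whitelist_rule"])` guard at the top of the class is evaluation-order dependent in Puppet: it only sees resources that were declared earlier in catalog compilation, so a duplicate `Shorewall::Rule['allow-from-tor-user']` declared later still fails, and against the class's own body the guard is redundant because a class is evaluated at most once. Since this rule grants `$shorewall::tor_user` an ACCEPT to `all` at order 101, it deserves a why-comment, e.g. `# Tor's own outbound connections must bypass the torify redirect/reject rules, otherwise the daemon cannot reach the network.` The variable-only strings `"$whitelist_rule"` in the `defined()` call and the resource title can be the bare `$whitelist_rule`, and `'$FW'` is deliberately single-quoted so Puppet does not interpolate it, which is worth a trailing `# literal Shorewall $FW zone, not a Puppet variable`.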
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644 (file)
index 34e4db7..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
-  $user = $name
-
-  $whitelist_rule = "allow-from-user=${user}"
-  shorewall::rule {
-    "$whitelist_rule":
-      source      => '$FW',
-      destination => 'all',
-      user        => $user,
-      order       => 101,
-      action      => 'ACCEPT';
-  }
-
-  $nonat_rule = "dont-redirect-to-tor-user=${user}"
-  shorewall::rule {
-    "$nonat_rule":
-      source       => '$FW',
-      destination  => '-',
-      user         => $user,
-      order        => 106,
-      action       => 'NONAT';
-  }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644 (file)
index 582dfed..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
-  $real_non_torified_users = $shorewall::real_non_torified_users
-
-  shorewall::rules::torify::non_torified_user {
-    $real_non_torified_users:
-  }
-
-}
index fe1c5fe0fbbedbd0c52cf6711d2f0320dd717107..2bee6584dcc61ebad48f797b1955ba4c125bd7ff 100644 (file)
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
       default => $originaldest,
     }
 
+    $user_real = $user ? {
+      '-'     => "!${shorewall::tor_user}",
+      default => $user,
+    }
+
     $destzone = $shorewall::tor_transparent_proxy_host ? {
       '127.0.0.1' => '$FW',
       default     => 'net'
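Review bot: The new `$user_real` selector turns a `'-'` user into `"!${shorewall::tor_user}"` without guarding against `$shorewall::tor_user` being empty, in which case the DNAT rule would carry the bare user spec `!`; the init.pp hunk in this same commit shows the value defaulting from `$dist_tor_user`, so this is presumably only a hardening point, but a `fail()` or a comment would make the assumption explicit. The selector also needs a why-comment, since the negation is the whole reason the tor daemon's own connections are not looped back into the transparent proxy: `# '-' means every user; exclude the tor daemon's own UID so its outbound traffic is not redirected back into its transparent proxy.` The enclosing define continues outside the hunk, and the second hunk at the DNAT rule only consumes this variable.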
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
         destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
         proto        => 'tcp:syn',
         originaldest => $originaldest_real,
-        user         => $user,
+        user         => $user_real,
         order        => 110,
         action       => 'DNAT';
     }
index 49c0b3460e404480a8dd993c693016f79dbb0d1f..5caccfd6131b497a6e0dd657cbd3ceda314bf435 100644 (file)
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
 
   include shorewall::rules::torify::allow_tor_transparent_proxy
 
+  if $originaldest == '-' and $user == '-' {
+    include shorewall::rules::torify::allow_tor_user
+  }
+
   shorewall::rules::torify::redirect_tcp_to_tor {
     "redirect-to-tor-user=${user}-to=${originaldest}":
       user         => $user,
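Review bot: The include of `shorewall::rules::torify::allow_tor_user` is conditioned on both `$originaldest == '-'` and `$user == '-'`, whereas the new `$user_real` selector in redirect_tcp_to_tor.pp exempts `$shorewall::tor_user` from the DNAT whenever `$user == '-'`, regardless of `$originaldest`. For a torify resource with a specific destination and user `'-'`, the tor daemon's own traffic to that destination is then neither redirected nor explicitly accepted and falls through to whatever rules follow; from this hunk alone I cannot tell whether that is a reject. If the asymmetry is intended, a comment saying so would help, e.g. `# The blanket ACCEPT for the tor user is only needed when all traffic of all users is torified.`, otherwise the condition should probably be just `if $user == '-' {`. The define continues outside the hunk.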