[feat] allow for bridged vms
authordrebs <drebs@riseup.net>
Wed, 13 May 2015 22:34:25 +0000 (19:34 -0300)
committerdrebs <drebs@riseup.net>
Sat, 16 May 2015 00:23:09 +0000 (21:23 -0300)
manifests/init.pp

index 4f9abefccbca75c1cb8484e55dc8c22b94d967af..abe731d2ffcbcab2801ddf1105ea285687294ebf 100644 (file)
@@ -5,7 +5,9 @@ class firewall(
   $local_net       = hiera('firewall::local_net',      false),
   $in_bandwidth    = hiera('firewall::in_bandwidth',   '100mbit'),
   $out_bandwidth   = hiera('firewall::out_bandwidth',  '100mbit'),
-  $device_options  = hiera('firewall::device_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians')
+  $device_options  = hiera('firewall::device_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
+  $vm_address      = hiera('firewall::vm_address', '192.168.0.0/24'),
+  $vm_device       = hiera('firewall::vm_device', false)
 ) {
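Review bot: The two new parameters `$vm_address` and `$vm_device` select between two quite different setups (guests NATed behind `$device` when `$vm_device` is `false`, guests on their own bridge otherwise), and nothing in the parameter list says so even though every selector and guard added later in init.pp depends on that sentinel. I would add above `$vm_address`: `# vm_address: network the guests use; vm_device: bridge interface the guests sit on, or false to NAT them behind $device`. Note also that `$vm_device` is taken straight from hiera and interpolated into Shorewall resource titles and config without any format check, so a malformed value would only surface when Shorewall compiles the generated files.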
   class { 'shorewall': }
 
@@ -24,6 +26,14 @@ class firewall(
    options => $device_options,
   }
 
+  if $vm_device != false {
+    shorewall::interface { "${vm_device}":
+      zone    => $zone,
+      rfc1918 => $rfc1918,
+      options => $device_options,
+    }
+  }
+
   #
   # Policy
   #
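Review bot: The guard `$vm_device != false` at the top of this hunk is the first of four places this commit branches on the same condition (again at the `vm-fw` policy and in the two selectors further down in init.pp); computing it once, e.g. `$vm_bridged = $vm_device != false`, would keep the four sites from drifting apart. The title `"${vm_device}"` is a string containing only a variable, which puppet-lint flags; `shorewall::interface { $vm_device:` is equivalent. The bridge also inherits `$zone` and the uplink's `$device_options`, while the `shorewall::host` added later in this commit puts the same addresses in zone `vm`; whether that combination is what Shorewall expects for a guest bridge cannot be judged from the hunk, so it is worth confirming with `shorewall check` on a bridged node.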
@@ -48,11 +58,21 @@ class firewall(
     order           => 3,
   }
 
+  if $vm_device != false {
+    shorewall::policy { 'vm-fw':
+      sourcezone      => 'vm',
+      destinationzone => '$FW',
+      policy          => 'ACCEPT',
+      order           => 4,
+    }
+  }
+
+
   shorewall::policy { 'net-all':
     sourcezone      => 'net',
     destinationzone => 'all',
     policy          => 'DROP',
-    order           => 4,
+    order           => 5,
   }
 
   shorewall::policy { 'all-all':
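Review bot: The new `vm-fw` policy grants the whole `vm` zone ACCEPT to the firewall host, but only in bridged mode; in the default NAT mode the same guests keep whatever `all-all` gives them, so the two modes now differ in what guests may reach on the host and the hunk does not say why. If the goal is only to let bridged guests reach specific host services, per-service `shorewall::rule` entries would be narrower than a zone-wide ACCEPT, and otherwise a one-line comment above the `if` stating the reason guests are trusted toward `$FW` would help the next reader. `net-all` moves from order 4 to 5 but the `all-all` policy's order is outside this hunk; if it was 5 it now ties with `net-all`, so please check it was shifted too. Minor: the blank line after the new block is doubled.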
@@ -65,8 +85,13 @@ class firewall(
   #
   # Hosts
   #
-  shorewall::host { "${device}-subnet":
-    name    => "${device}:192.168.0.0/24",
+  $real_subnet_device = $vm_device ? {
+    false => $device,
+    default => $vm_device,
+  }
+
+  shorewall::host { "${real_subnet_device}-subnet":
+    name    => "${real_subnet_device}:${vm_address}",
     zone    => 'vm',
     options => '',
     order   => '1',
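Review bot: The selector's arrows are misaligned (`false =>` against `default =>`), which puppet-lint's arrow_alignment check flags; `false   => $device,` lines them up. The `false` branch only matches a boolean: if a node's hiera data carries a quoted `'false'` string, the `default` branch is taken and a host entry named `false:192.168.0.0/24` is generated, so that expectation is worth stating next to the parameter or normalising once where `$vm_device` is first read. The enclosing `shorewall::host` resource continues past the end of the hunk.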
@@ -81,9 +106,14 @@ class firewall(
     }
   }
 
+  $real_masq_interface = $vm_device ? {
+    false => "${device}!${vm_address}",
+    default => "${device}",
+  }
+
   shorewall::masq { "${device}":
-    interface => "${device}:!192.168.0.0/24",
-    source    => '192.168.0.0/24',
+    interface => "${real_masq_interface}",
+    source    => "${vm_address}",
     order     => '1',
   }
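Review bot: In the `false` branch of `$real_masq_interface` the exclusion is written `"${device}!${vm_address}"`, whereas the removed line had `"${device}:!192.168.0.0/24"`; Shorewall's masq INTERFACE column separates the interface name from an exclusion list with `:`, so without it the whole string is most likely read as an interface name and rejected when the config is compiled, which would regress the default non-bridged setup. The line should read `false   => "${device}:!${vm_address}",`. Minor: `"${real_masq_interface}"` and `"${vm_address}"` are variable-only strings and can be written without quotes.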