Revert "Support exempting some users from torification measures."
authorMicah Anderson <micah@riseup.net>
Wed, 20 Jun 2012 17:47:45 +0000 (13:47 -0400)
committerMicah Anderson <micah@riseup.net>
Wed, 20 Jun 2012 17:47:45 +0000 (13:47 -0400)
This reverts commit 6cb88973f53aa7d92414797dd21952c1c1d5da98.

README
manifests/init.pp
manifests/rules/torify.pp
manifests/rules/torify/allow_tor_user.pp [new file with mode: 0644]
manifests/rules/torify/non_torified_user.pp [deleted file]
manifests/rules/torify/non_torified_users.pp [deleted file]
manifests/rules/torify/redirect_tcp_to_tor.pp
manifests/rules/torify/user.pp

diff --git a/README b/README
index cb4424f964cd0fd650301c49ae28dd599fd78072..0010450381617ddb4c13f9c45a43f045c05be9e8 100644 (file)
--- a/README
+++ b/README
@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses
 is by default allowed and (obviously) not torified. This behaviour can
 be changed by setting the allow_rfc1918 parameter to false.
 
-Torify any outgoing TCP traffic but
-  - connections to RFC1918 addresses
-  - connections from users bob and alice:
+Torify any outgoing TCP traffic but connections to RFC1918 addresses:
 
-  $non_torified_users = [ 'bob', 'alice' ]
   shorewall::rules::torify {
     'torify-everything-but-lan':
   }
index dd287678a3969bb7b0409b36b69c40b1b3b9f635..3b4b3b26a17d7866106e68a58334796f9ccfb99a 100644 (file)
@@ -33,10 +33,6 @@ class shorewall(
       default => $dist_tor_user,
     }
   }
-  case $non_torified_users {
-    '': { $non_torified_users = [] }
-  }
-  $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 
   # See http://www.shorewall.net/3.0/Documentation.htm#Zones
   shorewall::managed_file{ zones: }
index b393a2a7a24019d5aa6a1b794ad3fee72b013b75..f6e62d81ac38f5aa592a004426116a64f2dcf0ce 100644 (file)
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
   $allow_rfc1918 = true
 ){
 
-  include shorewall::rules::torify::non_torified_users
-
   $originaldest = join($destinations,',')
 
   shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644 (file)
index 0000000..f44c1f0
--- /dev/null
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+  $whitelist_rule = "allow-from-tor-user"
+  if !defined(Shorewall::Rule["$whitelist_rule"]) {
+    shorewall::rule {
+      "$whitelist_rule":
+        source      => '$FW',
+        destination => 'all',
+        user        => $shorewall::tor_user,
+        order       => 101,
+        action      => 'ACCEPT';
+    }
+  }
+
+}
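Review bot: The `if !defined(Shorewall::Rule["$whitelist_rule"])` guard is parse-order dependent and, for a class that is only ever `include`d with a constant rule name, does nothing that `include` does not already do; if another manifest declares a `shorewall::rule` with the same title, the guard will silently skip this ACCEPT depending on evaluation order instead of surfacing a duplicate-declaration error, so I would drop it and declare the rule unconditionally. The resource is also undocumented although it grants `$shorewall::tor_user` an ACCEPT to `all` ahead of the DNAT at order 110; a header comment such as `# Let the tor daemon's own connections bypass the redirect-to-tor DNAT (order 110)` would explain the order value. Minor style: `'allow-from-tor-user'` needs no interpolation, and the resource title can be `$whitelist_rule` without the surrounding double quotes.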
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644 (file)
index 34e4db7..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
-  $user = $name
-
-  $whitelist_rule = "allow-from-user=${user}"
-  shorewall::rule {
-    "$whitelist_rule":
-      source      => '$FW',
-      destination => 'all',
-      user        => $user,
-      order       => 101,
-      action      => 'ACCEPT';
-  }
-
-  $nonat_rule = "dont-redirect-to-tor-user=${user}"
-  shorewall::rule {
-    "$nonat_rule":
-      source       => '$FW',
-      destination  => '-',
-      user         => $user,
-      order        => 106,
-      action       => 'NONAT';
-  }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644 (file)
index 582dfed..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
-  $real_non_torified_users = $shorewall::real_non_torified_users
-
-  shorewall::rules::torify::non_torified_user {
-    $real_non_torified_users:
-  }
-
-}
index fe1c5fe0fbbedbd0c52cf6711d2f0320dd717107..2bee6584dcc61ebad48f797b1955ba4c125bd7ff 100644 (file)
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
       default => $originaldest,
     }
 
+    $user_real = $user ? {
+      '-'     => "!${shorewall::tor_user}",
+      default => $user,
+    }
+
     $destzone = $shorewall::tor_transparent_proxy_host ? {
       '127.0.0.1' => '$FW',
       default     => 'net'
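Review bot: `"!${shorewall::tor_user}"` yields a bare `!` in the rule's user column if `$shorewall::tor_user` ever resolves to the empty string, and nothing in this hunk checks for that before `$user_real` is handed to the rule at the next hunk's `user => $user_real` line. The `$dist_tor_user` default visible in the init.pp context suggests it is normally populated, but a guard such as `if $shorewall::tor_user == '' { fail('shorewall::tor_user must be set to exempt it from the tor redirect') }` before the selector would make a misconfiguration fail at compile time rather than produce an invalid shorewall rule. A one-line comment on the `'-'` arm, e.g. `# '-' (any user) must still exclude the tor daemon, or its own traffic would loop back into the proxy`, would also help; the enclosing define begins above this hunk.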
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
         destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
         proto        => 'tcp:syn',
         originaldest => $originaldest_real,
-        user         => $user,
+        user         => $user_real,
         order        => 110,
         action       => 'DNAT';
     }
index 49c0b3460e404480a8dd993c693016f79dbb0d1f..5caccfd6131b497a6e0dd657cbd3ceda314bf435 100644 (file)
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
 
   include shorewall::rules::torify::allow_tor_transparent_proxy
 
+  if $originaldest == '-' and $user == '-' {
+    include shorewall::rules::torify::allow_tor_user
+  }
+
   shorewall::rules::torify::redirect_tcp_to_tor {
     "redirect-to-tor-user=${user}-to=${originaldest}":
       user         => $user,
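Review bot: The `allow_tor_user` include is gated on both `$originaldest == '-'` and `$user == '-'`, whereas the companion change in redirect_tcp_to_tor.pp negates `$shorewall::tor_user` for every `$user == '-'` regardless of `$originaldest`. For a destination-specific torify rule with `user => '-'`, the tor user's own traffic to that destination is therefore left out of the DNAT without any explicit ACCEPT and falls through to whatever later rules apply; that seems intentional, since the blanket ACCEPT is only needed when everything is being redirected, but the condition reads as an oversight without a comment. I would add `# Only the catch-all rule needs the blanket ACCEPT for the tor user; narrower rules just skip it in the DNAT` above the `if`. The enclosing define starts above this hunk.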