improve rule handling possiblities
authormh <mh@immerda.ch>
Tue, 29 Sep 2009 18:11:52 +0000 (20:11 +0200)
committerMicah Anderson <micah@riseup.net>
Mon, 7 Dec 2009 16:34:11 +0000 (11:34 -0500)
they can now be set to absent as well

introduce two outgoing ssh rules that either
disable the rule or remove the entry entirely

manifests/entry.pp
manifests/rule.pp
manifests/rules/out/ssh/disable.pp [new file with mode: 0644]
manifests/rules/out/ssh/remove.pp [new file with mode: 0644]

index bd59a882b59554f8dfc0876aa4e73fe0411f4958..4e639bcfa434f79e6972c4a985beb8e35748ca90 100644 (file)
@@ -1,9 +1,11 @@
 define shorewall::entry(
+    $ensure = present,
     $line
 ){
    $target = "/var/lib/puppet/modules/shorewall/${name}"
    $dir = dirname($target)
    file { $target:
+        ensure => $ensure,
         content => "${line}\n",
         mode => 0600, owner => root, group => 0,
         notify => Exec["concat_${dir}"],
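Review bot: The new `$ensure` parameter is forwarded to the file resource without any check, so a caller passing something other than `present`/`absent` (say `directory` or `link`) would be accepted by `file` and turn a rules.d fragment into something the concat exec cannot meaningfully consume; the same pass-through appears in the rule.pp hunk, which just hands its own `$ensure` down to `shorewall::entry`. At minimum document the contract next to the parameter, e.g. `$ensure = present,  # present|absent; any other value goes straight to the file resource`, or guard it with `if $ensure != present and $ensure != absent { fail("shorewall::entry ${name}: ensure must be present or absent") }`. Note that with `absent` the fragment is deleted and `Exec["concat_${dir}"]` is still notified, which is what regenerates the rules file — worth a one-line comment on the `notify` line so the removal path is obviously intentional. The `define shorewall::entry` body continues past the end of this hunk.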
index 0614e95ae8ce95430bdf24403fb37334bce31dfb..8394970cfe8ec8e2743bc06dec7ae879dcd53b99 100644 (file)
@@ -1,5 +1,6 @@
 # mark is new in 3.4.4
 define shorewall::rule(
+    $ensure = present,
     $action,
     $source,
     $destination,
@@ -13,6 +14,7 @@ define shorewall::rule(
     $order
 ){
     shorewall::entry{"rules.d/${order}-${name}":
+        ensure => $ensure,
         line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
     }
 }
diff --git a/manifests/rules/out/ssh/disable.pp b/manifests/rules/out/ssh/disable.pp
new file mode 100644 (file)
index 0000000..223bf73
--- /dev/null
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::disable inherits shorewall::rules::out::ssh {
+  Shorewall::Rule['me-net-tcp_ssh']{
+    action => 'DROP',
+  }
+}
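Review bot: The class carries no comment explaining how it differs from `shorewall::rules::out::ssh::remove`, and the difference matters for the resulting policy: overriding `action => 'DROP'` keeps an explicit rule at the same order position, so outbound ssh is denied regardless of any later rule or the me->net policy, whereas `ensure => absent` only deletes the fragment and leaves the verdict to whatever follows. Add a header such as `# Keep the me-net-tcp_ssh rule but turn it into an explicit DROP; use ::remove to delete the entry and fall back to the zone policy instead.` Since this is traffic originating on the firewall itself, `DROP` makes local ssh clients hang until the TCP timeout while `REJECT` fails them immediately; if the hang is not wanted, `action => 'REJECT',` is the usual choice. Both classes assume the parent declares `Shorewall::Rule['me-net-tcp_ssh']` with that exact title, which cannot be confirmed from this page.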
diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp
new file mode 100644 (file)
index 0000000..bc0acf3
--- /dev/null
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh {
+  Shorewall::Rule['me-net-tcp_ssh']{
+    ensure => absent,
+  }
+}
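Review bot: The override sets only `ensure => absent`, which depends on `shorewall::rule` and `shorewall::entry` honouring that value all the way down to the file resource, so this class is the sole consumer of the new parameter and should say so; a header such as `# Remove the me-net-tcp_ssh fragment entirely; outbound ssh from the firewall then falls through to whatever the me->net policy allows.` would make the intent clear. The remaining parameters inherited from the parent declaration (action, source, destination, order) are still evaluated and interpolated into `line` even though the file is deleted, which is harmless but worth a note if someone later adds validation to `shorewall::rule`.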