From: intrigeri Date: Sun, 17 Oct 2010 02:45:09 +0000 (+0200) Subject: Merge remote branch 'riseup/master' X-Git-Url: https://gitweb.fluxo.info/?a=commitdiff_plain;h=f79bf97ec82e8adcf002ca6834b0df66f28e61f2;p=puppet-shorewall.git Merge remote branch 'riseup/master' Conflicts: files/debian/default manifests/init.pp templates/debian/default templates/debian_default.erb --- f79bf97ec82e8adcf002ca6834b0df66f28e61f2 diff --cc README index a0e54ec,0000000..90492dd mode 100644,000000..100644 --- a/README +++ b/README @@@ -1,93 -1,0 +1,118 @@@ ++modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x ++ +Puppet Module for Shorewall +--------------------------- +This module manages the configuration of Shorewall (http://www.shorewall.net/) + - Versions - -------- - - forked from http://git.puppet.immerda.ch/?p=module-shorewall.git;a=summary ++Copyright ++--------- ++ ++Copyright (C) 2007 David Schmitt ++adapted by immerda project group - admin+puppet(at)immerda.ch ++adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch ++Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net ++Copyright (c) 2010 intrigeri - intrigeri(at)boum.org ++See LICENSE for the full license granted to you. ++ ++Based on the work of ADNET Ghislain from AQUEOS ++at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall ++ ++Merged from: ++- git://git.puppet.immerda.ch/module-shorewall.git ++- git://labs.riseup.net/module_shorewall + +Todo +---- +- check if shorewall compiles without errors, otherwise fail ! 
+ ++Configuration ++------------- ++ ++If you need to install a specific version of shorewall other than ++the default one that would be installed by 'ensure => present', then ++you can set the following variable and that specific version will be ++installed instead: ++ ++ $shorewall_ensure_version = "4.0.15-1" ++ +Documentation +------------- + +see also: http://reductivelabs.com/trac/puppet/wiki/Recipes/AqueosShorewall + +Example +------- + +Example from node.pp: + +node xy { + $shorewall_startup="0" # create shorewall ruleset but don't startup + include config::site-shorewall + shorewall::rule { + 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200; + 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300; + 'incoming-imap': source => 'all', destination => '$FW', action => 'IMAP/ACCEPT', order => 300; + 'incoming-smtp': source => 'all', destination => '$FW', action => 'SMTP/ACCEPT', order => 300; + } +} + + +class config::site-shorewall { + include shorewall + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + # 'MAILSERVER': value => $shorewall_mailserver; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 10; + } + + case $shorewall_rfc1918_maineth { + '': {$shorewall_rfc1918_maineth = true } + } + + case $shorewall_main_interface { + '': { $shorewall_main_interface = 'eth0' } + } + + shorewall::interface {"$shorewall_main_interface": + zone => 'net', + rfc1918 => $shorewall_rfc1918_maineth, + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => 
'$LOG', + order => 120; + } + + + # default Rules : ICMP + shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT'; + } + +} + + diff --cc manifests/base.pp index e068c35,0000000..58b753e mode 100644,000000..100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@@ -1,45 -1,0 +1,48 @@@ +class shorewall::base { + package { 'shorewall': - ensure => present, ++ ensure => $shorewall_ensure_version, + } + + # This file has to be managed in place, so shorewall can find it + file { "/etc/shorewall/shorewall.conf": + # use OS specific defaults, but use Default if no other is found + source => [ + "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem", + "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", + "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", + "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem", + "puppet:///modules/site-shorewall/shorewall.conf", + "puppet:///modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", + "puppet:///modules/shorewall/shorewall.conf.$operatingsystem", + "puppet:///modules/shorewall/shorewall.conf" + ], + require => Package[shorewall], + notify => Service[shorewall], + owner => root, group => 0, mode => 0644; + } + + service{shorewall: + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + subscribe => [ + File["/var/lib/puppet/modules/shorewall/zones"], + File["/var/lib/puppet/modules/shorewall/interfaces"], + File["/var/lib/puppet/modules/shorewall/hosts"], + File["/var/lib/puppet/modules/shorewall/policy"], + File["/var/lib/puppet/modules/shorewall/rules"], + File["/var/lib/puppet/modules/shorewall/masq"], + File["/var/lib/puppet/modules/shorewall/proxyarp"], + File["/var/lib/puppet/modules/shorewall/nat"], + File["/var/lib/puppet/modules/shorewall/blacklist"], + File["/var/lib/puppet/modules/shorewall/rfc1918"], + 
File["/var/lib/puppet/modules/shorewall/routestopped"], - File["/var/lib/puppet/modules/shorewall/params"] ++ File["/var/lib/puppet/modules/shorewall/params"], ++ File["/var/lib/puppet/modules/shorewall/tcdevices"], ++ File["/var/lib/puppet/modules/shorewall/tcrules"], ++ File["/var/lib/puppet/modules/shorewall/tcclasses"], + ], + require => Package[shorewall], + } +} diff --cc manifests/blacklist.pp index 3700ace,0000000..d2b2708 mode 100644,000000..100644 --- a/manifests/blacklist.pp +++ b/manifests/blacklist.pp @@@ -1,9 -1,0 +1,9 @@@ +define shorewall::blacklist( + $proto = '-', + $port = '-', + $order='100' +){ - shorewall::entry{"blacklist.d/${order}-${name}": ++ shorewall::entry{"blacklist.d/${order}-${title}": + line => "${name} ${proto} ${port}", + } +} diff --cc manifests/debian.pp index eab54a2,0000000..da3a398 mode 100644,000000..100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@@ -1,15 -1,0 +1,14 @@@ +class shorewall::debian inherits shorewall::base { + case $shorewall_startup { + '': { $shorewall_startup = "1" } + } + file{'/etc/default/shorewall': - #source => "puppet:///modules/shorewall/debian/default", + content => template("shorewall/debian_default.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, group => 0, mode => 0644; + } + Service['shorewall']{ + status => '/sbin/shorewall status' + } +} diff --cc manifests/extension_script.pp index 0000000,0000000..2b9579c new file mode 100644 --- /dev/null +++ b/manifests/extension_script.pp @@@ -1,0 -1,0 +1,14 @@@ ++# See http://shorewall.net/shorewall_extension_scripts.htm ++define extension_script($script = '') { ++ case $name { ++ 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { ++ shorewall::managed_file { "${name}": } ++ shorewall::entry { "${name}.d/500-${hostname}": ++ line => "${script}\n"; ++ } ++ } ++ '', default: { ++ err("${name}: unknown shorewall extension script") ++ } ++ } ++} diff 
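Review bot: `ensure => $shorewall_ensure_version` on the package resource has no fallback in this file, and the only default for that variable visible in the diff, `if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }` in the riseup-side `shorewall::base` removed from init.pp, does not survive the merge. Unless the first five lines of init.pp (outside the hunk) or a site manifest set it, a node that never declares the variable gets `ensure => ''`, which Puppet rejects, so the firewall package stops being managed at all. Restoring the one-liner just before the `package` resource, `if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }`, keeps the README's "default one that would be installed by 'ensure => present'" promise true.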
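Review bot: The merged `shorewall::debian` keeps only the immerda-side `$shorewall_startup` (defaulted to "1" in the case statement) and drops the riseup-side `$shorewall_startboot` that the removed class used to feed `debian/default`; with `templates/debian_default.erb` listed as a conflict, a node that still sets `$shorewall_startboot = '0'` now silently gets the default and shorewall is started at boot. Whether that is intended cannot be told from the diff, but the README example already uses `$shorewall_startup`, so a comment here, `# $shorewall_startboot (riseup branch) is no longer honoured; set $shorewall_startup instead`, or a line in the README would spare operators the surprise.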
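Review bot: `define extension_script($script = '')` is declared without the `shorewall::` prefix although it lives in manifests/extension_script.pp and every other define in this commit was renamed to `shorewall::<name>`; the autoloader maps `shorewall::extension_script` to this file but will not find a type of that name in it, and a bare `extension_script { ... }` is looked up in a module called extension_script, so the define is unreachable unless something else happens to load the file. Rename it to `define shorewall::extension_script($script = '') {`. Two smaller points in the same body: the unknown-name branch only calls `err()`, so a typo such as `'strated'` logs and produces nothing where `fail()` would abort the run; and `$script` is written verbatim into a file that shorewall sources as root, which deserves a comment above the define, e.g. `# $script is executed as root by shorewall; only trusted manifest content belongs here`.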
--cc manifests/host.pp index b431efe,0000000..58dc53b mode 100644,000000..100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@@ -1,10 -1,0 +1,10 @@@ +define shorewall::host( + $zone, + $options = 'tcpflags,blacklist,norfc1918', + $order='100' +){ - shorewall::entry{"hosts.d/${order}-${name}": ++ shorewall::entry{"hosts.d/${order}-${title}": + line => "${zone} ${name} ${options}" + } +} + diff --cc manifests/init.pp index e9ba464,0bf0e9d..3e759db --- a/manifests/init.pp +++ b/manifests/init.pp @@@ -6,47 -50,292 +6,54 @@@ class shorewall case $operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } - default: { include shorewall::base } - } - - file { - "/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - mode => 0755, owner => root, group => 0; - } - - # private - define managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, + centos: { include shorewall::base } + ubuntu: { + case $lsbdistcodename { + karmic: { include shorewall::ubuntu::karmic } + default: { include shorewall::debian } + } } - file { - "${dir}/000-header": - source => "puppet://$server/modules/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet://$server/modules/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; + default: { + notice "unknown operatingsystem: $operatingsystem" - include shorewall::base ++ include shorewall::base } } - - # private - define entry ($line) { - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } + + file {"/var/lib/puppet/modules/shorewall": + ensure => directory, + 
force => true, + owner => root, group => 0, mode => 0755; } - + # See http://www.shorewall.net/3.0/Documentation.htm#Zones - managed_file{ zones: } - define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${title}": - line => "${real_name} ${type} ${options} ${in} ${out}" - } - } - + shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - managed_file{ interfaces: } - define interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $rfc1918 = false, - $dhcp = false, - $order = 100 - ) - { - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } - } - - entry { "interfaces.d/${order}-${title}": - line => "${zone} ${name} ${broadcast} ${options_real}", - } - } - + shorewall::managed_file{ interfaces: } # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - managed_file { hosts: } - define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${title}": - line => "${zone} ${name} ${options}" - } - } - + shorewall::managed_file { hosts: } # See http://www.shorewall.net/3.0/Documentation.htm#Policy - managed_file { policy: } - define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${title}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } - } - + shorewall::managed_file { policy: } # See http://www.shorewall.net/3.0/Documentation.htm#Rules - managed_file { rules: } - define rule_section($order) { - entry { "rules.d/${order}-${title}": - line => "SECTION ${name}", - } - } - # mark is new in 
3.4.4 - define rule($action, $source, $destination, $proto = '-', - $destinationport = '-', $sourceport = '-', $originaldest = '-', - $ratelimit = '-', $user = '-', $mark = '', $order) - { - entry { "rules.d/${order}-${title}": - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } - } - + shorewall::managed_file { rules: } # See http://www.shorewall.net/3.0/Documentation.htm#Masq - managed_file{ masq: } - # mark is new in 3.4.4 - # source (= subnet) = Set of hosts that you wish to masquerade. - # address = If you specify an address here, SNAT will be used and this will be the source address. - define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${title}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } - } - + shorewall::managed_file{ masq: } # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - managed_file { proxyarp: } - define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${title}": - line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" - } - } - + shorewall::managed_file { proxyarp: } # See http://www.shorewall.net/3.0/Documentation.htm#NAT - managed_file { nat: } - define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${title}": - line => "${name} ${interface} ${internal} ${all} ${local}" - } - } - + shorewall::managed_file { nat: } # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - managed_file { blacklist: } - define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${title}": - line => "${name} ${proto} ${port}", - } - } - + shorewall::managed_file { blacklist: } # See 
http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - managed_file { rfc1918: } - define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${title}": - line => "${name} ${action}" - } - } - + shorewall::managed_file { rfc1918: } # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - managed_file { routestopped: } - define routestopped($interface = '', $host = '-', $options = '', $order='100') { - $real_interface = $interface ? { - '' => $name, - default => $interface, - } - entry { "routestopped.d/${order}-${title}": - line => "${real_interface} ${host} ${options}", - } - } - + shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables - managed_file { params: } - define params($value, $order='100'){ - entry { "params.d/${order}-${title}": - line => "${name}=${value}", - } - } - + shorewall::managed_file { params: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ - entry { "tcdevices.d/${order}-${title}": - line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", - } - } - ++ shorewall::managed_file { tcdevices: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcrules: } - define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ - entry { "tcrules.d/${order}-${title}": - line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", - } - } - ++ shorewall::managed_file { tcrules: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcclasses: } - define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ - entry { "tcclasses.d/${order}-${title}": - line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", - } - } - - # See 
http://shorewall.net/shorewall_extension_scripts.htm - define extension_script($script = '') { - case $name { - 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { - managed_file { "${name}": } - entry { "${name}.d/500-${hostname}": - line => "${script}\n"; - } - } - '', default: { - err("${name}: unknown shorewall extension script") - } - } - } -} - -class shorewall::base { - - if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' } - package { 'shorewall': - ensure => $shorewall_ensure_version, - } - - # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS specific defaults, but use Default if no other is found - source => [ - "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf.$operatingsystem", - "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf", - "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem", - "puppet://$fileserver/shorewall/shorewall.conf", - "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/modules/shorewall/shorewall.conf.Default" - ], - mode => 0644, owner => root, group => 0, - require => Package[shorewall], - notify => Service[shorewall], - } - - service{ shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - subscribe => [ - File["/var/lib/puppet/modules/shorewall/zones"], - File["/var/lib/puppet/modules/shorewall/interfaces"], - File["/var/lib/puppet/modules/shorewall/hosts"], - File["/var/lib/puppet/modules/shorewall/policy"], - File["/var/lib/puppet/modules/shorewall/rules"], - File["/var/lib/puppet/modules/shorewall/masq"], - File["/var/lib/puppet/modules/shorewall/proxyarp"], - File["/var/lib/puppet/modules/shorewall/nat"], - 
File["/var/lib/puppet/modules/shorewall/blacklist"], - File["/var/lib/puppet/modules/shorewall/rfc1918"], - File["/var/lib/puppet/modules/shorewall/routestopped"], - File["/var/lib/puppet/modules/shorewall/params"], - File["/var/lib/puppet/modules/shorewall/tcdevices"], - File["/var/lib/puppet/modules/shorewall/tcrules"], - File["/var/lib/puppet/modules/shorewall/tcclasses"], - ], - require => Package[shorewall], - } -} - -class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } -} - -class shorewall::debian inherits shorewall::base { - - # prepare variables to use in templates - case $shorewall_startboot { - '': { $shorewall_startboot = '1' } - } ++ shorewall::managed_file { tcclasses: } + - file { '/etc/default/shorewall': - content => template("shorewall/debian/default"), - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall'] { - status => '/sbin/shorewall status' - } } diff --cc manifests/interface.pp index 1cb5042,0000000..56b6db4 mode 100644,000000..100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@@ -1,27 -1,0 +1,27 @@@ +define shorewall::interface( + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $rfc1918 = false, + $dhcp = false, + $order = 100 +){ + if $rfc1918 { + if $dhcp { + $options_real = "${options},dhcp" + } else { + $options_real = $options + } + } else { + if $dhcp { + $options_real = "${options},norfc1918,dhcp" + } else { + $options_real = "${options},norfc1918" + } + } + - shorewall::entry { "interfaces.d/${order}-${name}": ++ shorewall::entry { "interfaces.d/${order}-${title}": + line => "${zone} ${name} ${broadcast} ${options_real}", + } +} + diff --cc manifests/masq.pp index a9c9840,0000000..646cec5 mode 100644,000000..100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp @@@ -1,17 -1,0 +1,17 @@@ +# mark is new in 3.4.4 +# source (= 
subnet) = Set of hosts that you wish to masquerade. +# address = If you specify an address here, SNAT will be used and this will be the source address. +define shorewall::masq( + $interface, + $source, $address = '-', + $proto = '-', + $port = '-', + $ipsec = '-', + $mark = '', + $order='100' +){ - shorewall::entry{"masq.d/${order}-${name}": ++ shorewall::entry{"masq.d/${order}-${title}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } +} + diff --cc manifests/nat.pp index e69c1c0,0000000..d2f214f mode 100644,000000..100644 --- a/manifests/nat.pp +++ b/manifests/nat.pp @@@ -1,11 -1,0 +1,11 @@@ +define shorewall::nat( + $interface, + $internal, + $all = 'no', + $local = 'yes', + $order='100' +){ - shorewall::entry{"nat.d/${order}-${name}": ++ shorewall::entry{"nat.d/${order}-${title}": + line => "${name} ${interface} ${internal} ${all} ${local}" + } +} diff --cc manifests/params.pp index 0a1ae11,0000000..33521d7 mode 100644,000000..100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@@ -1,5 -1,0 +1,5 @@@ +define shorewall::params($value, $order='100'){ - shorewall::entry{"params.d/${order}-${name}": ++ shorewall::entry{"params.d/${order}-${title}": + line => "${name}=${value}", + } +} diff --cc manifests/policy.pp index cdaab71,0000000..aab6f7a mode 100644,000000..100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@@ -1,12 -1,0 +1,12 @@@ +define shorewall::policy( + $sourcezone, + $destinationzone, + $policy, $shloglevel = '-', + $limitburst = '-', + $order +){ - shorewall::entry{"policy.d/${order}-${name}": ++ shorewall::entry{"policy.d/${order}-${title}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", + } +} + diff --cc manifests/proxyarp.pp index 75c853b,0000000..07b6434 mode 100644,000000..100644 --- a/manifests/proxyarp.pp +++ b/manifests/proxyarp.pp @@@ -1,11 -1,0 +1,11 @@@ +define shorewall::proxyarp( + $interface, + $external, + $haveroute = yes, + 
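Review bot: `line => "${name}=${value}"` writes the value unquoted into the params file, which shorewall sources as a shell script when it compiles the ruleset, so a `$value` containing whitespace, `$`, backticks or `;` either breaks compilation or is executed as root at `shorewall start`, and nothing in `shorewall::params` validates or quotes it. Callers such as the README's `'MAILSERVER': value => $shorewall_mailserver` feed node variables straight in. At minimum a comment above the define should state the contract, `# $value lands unquoted in params, which shorewall sources as shell (as root); quote or validate it at the call site`; single-quoting plain values in the define would be the safer next step if no caller relies on shell expansion.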
$persistent = no, + $order='100' + ){ - shorewall::entry{"proxyarp.d/${order}-${name}": ++ shorewall::entry{"proxyarp.d/${order}-${title}": + line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" + } +} diff --cc manifests/rfc1918.pp index 6c2719c,0000000..527c8d0 mode 100644,000000..100644 --- a/manifests/rfc1918.pp +++ b/manifests/rfc1918.pp @@@ -1,8 -1,0 +1,8 @@@ +define shorewall::rfc1918( + $action = 'logdrop', + $order='100' +){ - shorewall::entry{"rfc1918.d/${order}-${name}": ++ shorewall::entry{"rfc1918.d/${order}-${title}": + line => "${name} ${action}" + } +} diff --cc manifests/routestopped.pp index dab539c,0000000..63dc1c4 mode 100644,000000..100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@@ -1,14 -1,0 +1,14 @@@ +define shorewall::routestopped( + $interface = '', + $host = '-', + $options = '', + $order='100' +){ + $real_interface = $interface ? { + '' => $name, + default => $interface, + } - shorewall::entry{"routestopped.d/${order}-${name}": ++ shorewall::entry{"routestopped.d/${order}-${title}": + line => "${real_interface} ${host} ${options}", + } +} diff --cc manifests/rule.pp index 8394970,0000000..d2188df mode 100644,000000..100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@@ -1,20 -1,0 +1,20 @@@ +# mark is new in 3.4.4 +define shorewall::rule( + $ensure = present, + $action, + $source, + $destination, + $proto = '-', + $destinationport = '-', + $sourceport = '-', + $originaldest = '-', + $ratelimit = '-', + $user = '-', + $mark = '', + $order +){ - shorewall::entry{"rules.d/${order}-${name}": ++ shorewall::entry{"rules.d/${order}-${title}": + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + } +} diff --cc manifests/rule_section.pp index a885eae,0000000..2163dd5 mode 100644,000000..100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@@ -1,7 -1,0 +1,7 
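Review bot: `shorewall::rule` is the only define in this commit that gains an `$ensure = present` parameter and forwards it as `ensure => $ensure` to `shorewall::entry`; the inline `entry` define removed from init.pp by this same merge took only `$line`, and the new `shorewall::entry` (manifests/entry.pp) is not in the diff, so if it does not accept `ensure` every `shorewall::rule` declaration fails with an invalid-parameter error, and if it does, the sibling defines (policy, masq, nat, host, ...) still cannot be removed the same way. Worth checking entry.pp and either giving the siblings the same `$ensure = present,` parameter or documenting in rule.pp why rules alone are removable, e.g. `# ensure => absent drops this fragment; shorewall::entry must rebuild the rules file and notify the service`, once entry.pp is confirmed to do that.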
@@@ +define shorewall::rule_section( + $order +){ - shorewall::entry{"rules.d/${order}-${name}": ++ shorewall::entry{"rules.d/${order}-${title}": + line => "SECTION ${name}", + } +} diff --cc manifests/tcclasses.pp index 0000000,0000000..2126bb7 new file mode 100644 --- /dev/null +++ b/manifests/tcclasses.pp @@@ -1,0 -1,0 +1,12 @@@ ++define shorewall::tcclasses( ++ $interface, ++ $rate, ++ $ceil, ++ $priority, ++ $options = '', ++ $order = '1' ++){ ++ shorewall::entry { "tcclasses.d/${order}-${title}": ++ line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", ++ } ++} diff --cc manifests/tcdevices.pp index 0000000,0000000..54c9665 new file mode 100644 --- /dev/null +++ b/manifests/tcdevices.pp @@@ -1,0 -1,0 +1,11 @@@ ++define shorewall::tcdevices( ++ $in_bandwidth, ++ $out_bandwidth, ++ $options = '', ++ $redirected_interfaces = '', ++ $order = '100' ++){ ++ shorewall::entry { "tcdevices.d/${order}-${title}": ++ line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", ++ } ++} diff --cc manifests/tcrules.pp index 0000000,0000000..a888d20 new file mode 100644 --- /dev/null +++ b/manifests/tcrules.pp @@@ -1,0 -1,0 +1,12 @@@ ++define shorewall::tcrules( ++ $source, ++ $destination, ++ $protocol = 'all', ++ $ports, ++ $client_ports = '', ++ $order = '1' ++){ ++ shorewall::entry { "tcrules.d/${order}-${title}": ++ line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", ++ } ++} diff --cc manifests/zone.pp index fa83b0b,0000000..aeab972 mode 100644,000000..100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@@ -1,14 -1,0 +1,14 @@@ +define shorewall::zone( + $type, + $options = '-', + $in = '-', + $out = '-', + $parent = '-', + $order = 100 +){ + $real_name = $parent ? 
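Review bot: In `shorewall::tcclasses`, `$order` serves two unrelated purposes: the fragment prefix in `tcclasses.d/${order}-${title}` and the second column of the generated line, which in shorewall's tcclasses file is the MARK value, so two classes on one interface declared with the default `'1'` both get mark 1 and only the titles keep their fragments apart. `shorewall::tcrules` in the next hunk has the same coupling, with `${order}` filling its MARK column. A comment above each define would make that explicit, `# $order doubles as the MARK column; give each entry on an interface a distinct value`, and a separate `$mark` parameter defaulting to `$order` would decouple the two without changing existing callers.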
{ '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones.d/${order}-${name}": ++ shorewall::entry { "zones.d/${order}-${title}": + line => "${real_name} ${type} ${options} ${in} ${out}" + } +} +