authordrebs <drebs@riseup.net>2015-05-13 19:34:25 -0300
committerdrebs <drebs@riseup.net>2015-05-15 21:23:09 -0300
commitaa8eff8a58330b3003f4c54856516530d75814fb (patch)
tree4c92b9f3a055ecebe57fa58d7a3745bb8b7dd3a4
parentbdc206ee9e4bb7d61f09dd7bd3f02fce7535f996 (diff)
[feat] allow for bridged vms
-rw-r--r--manifests/init.pp42
1 files changed, 36 insertions, 6 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 4f9abef..abe731d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -5,7 +5,9 @@ class firewall(
$local_net = hiera('firewall::local_net', false),
$in_bandwidth = hiera('firewall::in_bandwidth', '100mbit'),
$out_bandwidth = hiera('firewall::out_bandwidth', '100mbit'),
- $device_options = hiera('firewall::device_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians')
+ $device_options = hiera('firewall::device_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'),
+ $vm_address = hiera('firewall::vm_address', '192.168.0.0/24'),
+ $vm_device = hiera('firewall::vm_device', false)
) {
class { 'shorewall': }
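Review bot: The two new parameters `$vm_address` and `$vm_device` are taken straight from hiera and, in the later hunks, interpolated into shorewall hosts and masq entries with no validation, so a malformed value yields a wrong zone or masquerade entry rather than a catalog failure. If puppetlabs-stdlib is available to this module, a guard such as `validate_re($vm_address, '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$')` at the top of the class body would catch that early. The later `$vm_device != false` checks also only match a boolean, so a YAML string `"false"` would be treated as a real device name; a short comment on the parameter, `# boolean false disables the bridged-VM interface; any other value is an interface name`, would make the contract explicit. The class body continues outside the hunk.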
@@ -24,6 +26,14 @@ class firewall(
options => $device_options,
}
+ if $vm_device != false {
+ shorewall::interface { "${vm_device}":
+ zone => $zone,
+ rfc1918 => $rfc1918,
+ options => $device_options,
+ }
+ }
+
#
# Policy
#
@@ -48,11 +58,21 @@ class firewall(
order => 3,
}
+ if $vm_device != false {
+ shorewall::policy { 'vm-fw':
+ sourcezone => 'vm',
+ destinationzone => '$FW',
+ policy => 'ACCEPT',
+ order => 4,
+ }
+ }
+
+
shorewall::policy { 'net-all':
sourcezone => 'net',
destinationzone => 'all',
policy => 'DROP',
- order => 4,
+ order => 5,
}
shorewall::policy { 'all-all':
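Review bot: The new `vm-fw` policy ACCEPTs all traffic from the vm zone to the firewall host, so a compromised bridged guest gets unrestricted access to every service the host listens on, not just the ones guests need. A least-privilege form would be `policy => 'REJECT',` here with explicit `shorewall::rule` entries for whatever guests actually require from the host (DHCP/DNS, for instance), or at minimum a comment stating why a blanket ACCEPT is intended. Note that this ACCEPT is only declared in the bridged case while the vm zone itself exists in both cases (the hosts entry in a later hunk is unconditional), so the non-bridged vm-to-fw behaviour depends on policies declared outside this hunk. The class body starts and ends outside the hunk.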
@@ -65,8 +85,13 @@ class firewall(
#
# Hosts
#
- shorewall::host { "${device}-subnet":
- name => "${device}:192.168.0.0/24",
+ $real_subnet_device = $vm_device ? {
+ false => $device,
+ default => $vm_device,
+ }
+
+ shorewall::host { "${real_subnet_device}-subnet":
+ name => "${real_subnet_device}:${vm_address}",
zone => 'vm',
options => '',
order => '1',
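Review bot: Membership in the `vm` zone on the bridged interface is decided purely by source address matching `$vm_address`, and a bridged guest chooses its own address, so any guest can place itself inside or outside the zone at will; with the ACCEPT policy added in the previous hunk that is the only thing standing between a guest and the host. If guest identity matters here, shorewall's `maclist` host option (`options => 'maclist',`) with a maclist file would tie the zone to known guests; otherwise a comment such as `# zone membership is by source IP only; guests on a bridge can spoof into or out of it` documents the trade-off. The `$real_subnet_device` selector also only recognises a boolean `false`, which is consistent with the earlier checks but worth a note on the parameter. The resource continues outside the hunk.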
@@ -81,9 +106,14 @@ class firewall(
}
}
+ $real_masq_interface = $vm_device ? {
+ false => "${device}!${vm_address}",
+ default => "${device}",
+ }
+
shorewall::masq { "${device}":
- interface => "${device}:!192.168.0.0/24",
- source => '192.168.0.0/24',
+ interface => "${real_masq_interface}",
+ source => "${vm_address}",
order => '1',
}
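Review bot: The non-bridged branch of `$real_masq_interface` drops the colon the removed line had: it now builds `eth0!192.168.0.0/24` where the old code produced `eth0:!192.168.0.0/24`. If shorewall's masq INTERFACE column requires the colon before the `!` exclusion (as the removed line suggests it does), the new default-path value is parsed as an unknown interface name and shorewall compilation fails, or the exclusion is silently lost. The fix is `false => "${device}:!${vm_address}",` on the first selector branch. This regression affects the default configuration, not just the new bridged-VM case.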