diff options
| author | drebs <drebs@riseup.net> | 2015-05-13 19:34:25 -0300 |
|---|---|---|
| committer | drebs <drebs@riseup.net> | 2015-05-15 21:23:09 -0300 |
| commit | aa8eff8a58330b3003f4c54856516530d75814fb (patch) | |
| tree | 4c92b9f3a055ecebe57fa58d7a3745bb8b7dd3a4 | |
| parent | bdc206ee9e4bb7d61f09dd7bd3f02fce7535f996 (diff) | |
| download | puppet-firewall-aa8eff8a58330b3003f4c54856516530d75814fb.tar.gz puppet-firewall-aa8eff8a58330b3003f4c54856516530d75814fb.tar.bz2 | |
[feat] allow for bridged vms
| -rw-r--r-- | manifests/init.pp | 42 |
1 files changed, 36 insertions, 6 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index 4f9abef..abe731d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -5,7 +5,9 @@ class firewall( $local_net = hiera('firewall::local_net', false), $in_bandwidth = hiera('firewall::in_bandwidth', '100mbit'), $out_bandwidth = hiera('firewall::out_bandwidth', '100mbit'), - $device_options = hiera('firewall::device_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians') + $device_options = hiera('firewall::device_options', 'tcpflags,blacklist,routefilter,nosmurfs,logmartians'), + $vm_address = hiera('firewall::vm_address', '192.168.0.0/24'), + $vm_device = hiera('firewall::vm_device', false) ) { class { 'shorewall': } @@ -24,6 +26,14 @@ class firewall( options => $device_options, } + if $vm_device != false { + shorewall::interface { "${vm_device}": + zone => $zone, + rfc1918 => $rfc1918, + options => $device_options, + } + } + # # Policy # @@ -48,11 +58,21 @@ class firewall( order => 3, } + if $vm_device != false { + shorewall::policy { 'vm-fw': + sourcezone => 'vm', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 4, + } + } + + shorewall::policy { 'net-all': sourcezone => 'net', destinationzone => 'all', policy => 'DROP', - order => 4, + order => 5, } shorewall::policy { 'all-all': @@ -65,8 +85,13 @@ class firewall( # # Hosts # - shorewall::host { "${device}-subnet": - name => "${device}:192.168.0.0/24", + $real_subnet_device = $vm_device ? { + false => $device, + default => $vm_device, + } + + shorewall::host { "${real_subnet_device}-subnet": + name => "${real_subnet_device}:${vm_address}", zone => 'vm', options => '', order => '1', @@ -81,9 +106,14 @@ class firewall( } } + $real_masq_interface = $vm_device ? { + false => "${device}!${vm_address}", + default => "${device}", + } + shorewall::masq { "${device}": - interface => "${device}:!192.168.0.0/24", - source => '192.168.0.0/24', + interface => "${real_masq_interface}", + source => "${vm_address}", order => '1', } |