author | mh <mh@immerda.ch> | 2009-09-29 20:11:52 +0200 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2009-12-07 11:34:11 -0500 |
commit | fb82fa42e3c61c6adce3da457d1a4e15208b0683 (patch) | |
tree | e4b142efacf41d039866f09d814020458d6bfe16 | |
parent | 05dca56e4a139f273094a49dd2078b65ae474457 (diff) | |
improve rule handling possibilities
they can now be set to absent as well
introduce 2 outgoing ssh rules to either
disable or remove the entry at all
-rw-r--r-- | manifests/entry.pp | 2 | ||||
-rw-r--r-- | manifests/rule.pp | 2 | ||||
-rw-r--r-- | manifests/rules/out/ssh/disable.pp | 5 | ||||
-rw-r--r-- | manifests/rules/out/ssh/remove.pp | 5 |
4 files changed, 14 insertions, 0 deletions
diff --git a/manifests/entry.pp b/manifests/entry.pp
index bd59a88..4e639bc 100644
--- a/manifests/entry.pp
+++ b/manifests/entry.pp
@@ -1,9 +1,11 @@
 define shorewall::entry(
+  $ensure = present,
   $line
 ){
   $target = "/var/lib/puppet/modules/shorewall/${name}"
   $dir = dirname($target)
   file { $target:
+    ensure => $ensure,
     content => "${line}\n",
     mode => 0600, owner => root, group => 0,
     notify => Exec["concat_${dir}"],
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 0614e95..8394970 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -1,5 +1,6 @@
 # mark is new in 3.4.4
 define shorewall::rule(
+  $ensure = present,
   $action,
   $source,
   $destination,
@@ -13,6 +14,7 @@ define shorewall::rule(
   $order
 ){
   shorewall::entry{"rules.d/${order}-${name}":
+    ensure => $ensure,
     line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",
   }
 }
diff --git a/manifests/rules/out/ssh/disable.pp b/manifests/rules/out/ssh/disable.pp
new file mode 100644
index 0000000..223bf73
--- /dev/null
+++ b/manifests/rules/out/ssh/disable.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::disable inherits shorewall::rules::out::ssh {
+  Shorewall::Rule['me-net-tcp_ssh']{
+    action => 'DROP',
+  }
+}
diff --git a/manifests/rules/out/ssh/remove.pp b/manifests/rules/out/ssh/remove.pp
new file mode 100644
index 0000000..bc0acf3
--- /dev/null
+++ b/manifests/rules/out/ssh/remove.pp
@@ -0,0 +1,5 @@
+class shorewall::rules::out::ssh::remove inherits shorewall::rules::out::ssh {
+  Shorewall::Rule['me-net-tcp_ssh']{
+    ensure => absent,
+  }
+}
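Review bot: The new `$ensure` parameter in shorewall::entry is forwarded unvalidated into `file { $target: ensure => $ensure }`, so any value the file type accepts (for example `directory` or `link`) is silently turned into a filesystem object under the shorewall rules directory instead of a rule line, and a typo such as `absnet` fails only at apply time with a file-type error rather than a message naming the define. Since the rest of this module treats the value as a two-state switch, a guard at the top of the define would reject anything but present/absent early; shorewall::rule in the same commit only forwards the value, so the check belongs here. The file resource opened in this hunk is closed outside it.
```puppet
define shorewall::entry(
  $ensure = present,
  $line
){
  # only present/absent make sense for a rule fragment; anything else is a caller error
  case $ensure {
    present,absent: {}
    default: { fail("shorewall::entry ${name}: ensure must be present or absent, got '${ensure}'") }
  }
  # … unchanged: $target/$dir and the file resource …
```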
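Review bot: The `$ensure` parameter added to shorewall::rule is undocumented, and its effect is not obvious because setting it to absent removes the generated fragment rather than writing a negative rule, so traffic then falls back to whatever the zone policy says. A short comment next to the parameter would prevent callers from reading absent as "blocked": `# ensure => absent drops the rules.d fragment entirely; the zone policy then decides the traffic, so use action => DROP/REJECT if blocking is intended`. The existing `# mark is new in 3.4.4` header comment is the natural place to extend.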
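Review bot: shorewall::rules::out::ssh::disable overrides `action => 'DROP'` on `Shorewall::Rule['me-net-tcp_ssh']`, which is only valid if the parent class shorewall::rules::out::ssh declares a rule with exactly that title; the parent is not in this commit, so that cannot be confirmed here and a renamed rule in the parent would break this class at compile time. For traffic originating on the firewall itself DROP makes local clients wait for a timeout, whereas REJECT fails immediately; if the intent is merely to forbid outbound ssh rather than to hide the host, `action => 'REJECT'` is the more conventional choice, though that is a policy decision for the module author. A one-line comment stating why DROP was chosen over REJECT would settle it for later readers.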
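Review bot: shorewall::rules::out::ssh::remove sets `ensure => absent` on the outgoing ssh rule, which deletes the fragment and leaves the outcome to the zone policy for that direction; depending on the policy file this may permit outbound ssh, so the class name "remove" should not be read as a stricter form of "disable". Adding `# removes the explicit ACCEPT rule; the fw->net policy then governs outbound ssh (see disable.pp to actively block it)` above the override would make the difference between the two new classes clear. As with disable.pp, the override depends on the parent class declaring the `me-net-tcp_ssh` title, which is not visible in this commit.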