authorintrigeri <intrigeri@boum.org>2013-01-02 18:02:31 +0100
committerintrigeri <intrigeri@boum.org>2013-01-02 18:02:31 +0100
commit5e555243c8dd93f7e5cfadacc9c3843d5f9d421c (patch)
treeae9523884d7447e57a9a1ac91f60a39da24c8e04
parent88fa544a9c2f974b35a169b4e3865ccaf4f68fd1 (diff)
Revert "Support exempting some users from torification measures."
This reverts commit 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a. This stuff is not ready for the shared repo, but we want to benefit from my having already merged immerda's stuff into my branch and solved the conflicts.
-rw-r--r--README5
-rw-r--r--manifests/init.pp4
-rw-r--r--manifests/rules/torify.pp2
-rw-r--r--manifests/rules/torify/allow_tor_user.pp15
-rw-r--r--manifests/rules/torify/non_torified_user.pp25
-rw-r--r--manifests/rules/torify/non_torified_users.pp9
-rw-r--r--manifests/rules/torify/redirect_tcp_to_tor.pp7
-rw-r--r--manifests/rules/torify/user.pp4
8 files changed, 26 insertions, 45 deletions
diff --git a/README b/README
index cb4424f..0010450 100644
--- a/README
+++ b/README
@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false.
-Torify any outgoing TCP traffic but
- - connections to RFC1918 addresses
- - connections from users bob and alice:
+Torify any outgoing TCP traffic but connections to RFC1918 addresses:
- $non_torified_users = [ 'bob', 'alice' ]
shorewall::rules::torify {
'torify-everything-but-lan':
}
diff --git a/manifests/init.pp b/manifests/init.pp
index dd28767..3b4b3b2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,10 +33,6 @@ class shorewall(
default => $dist_tor_user,
}
}
- case $non_torified_users {
- '': { $non_torified_users = [] }
- }
- $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index b393a2a..f6e62d8 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
$allow_rfc1918 = true
){
- include shorewall::rules::torify::non_torified_users
-
$originaldest = join($destinations,',')
shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+ $whitelist_rule = "allow-from-tor-user"
+ if !defined(Shorewall::Rule["$whitelist_rule"]) {
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $shorewall::tor_user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+ }
+
+}
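Review bot: `user => $shorewall::tor_user` on the ACCEPT rule has no guard against the value being empty or undef; if the shorewall class is not yet in the catalog when this class is evaluated, or tor_user resolves to '', the generated allow-from-tor-user rule would presumably carry no user restriction and ACCEPT all traffic from $FW to all at order 101, ahead of the DNAT at order 110, silently bypassing torification for every user. A `fail()` at the top of the class, e.g. `if $shorewall::tor_user == '' { fail('shorewall::tor_user must be set before including shorewall::rules::torify::allow_tor_user') }`, would turn the misconfiguration into a catalog error instead of an open firewall (whether '' also matches undef depends on the Puppet version in use, so the exact test may need adjusting). Separately, `"$whitelist_rule"` in the `defined()` lookup and on the resource title is a variable-only double-quoted string that puppet-lint flags, `$whitelist_rule` is enough, and since this is a class rather than a define the `!defined(...)` guard is redundant. A header comment stating the rule's purpose would help readers: `# Let the Tor daemon's own user reach the network directly; all other users' TCP traffic is redirected to the transparent proxy by redirect_tcp_to_tor (order 110).`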
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644
index 34e4db7..0000000
--- a/manifests/rules/torify/non_torified_user.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
- $user = $name
-
- $whitelist_rule = "allow-from-user=${user}"
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $user,
- order => 101,
- action => 'ACCEPT';
- }
-
- $nonat_rule = "dont-redirect-to-tor-user=${user}"
- shorewall::rule {
- "$nonat_rule":
- source => '$FW',
- destination => '-',
- user => $user,
- order => 106,
- action => 'NONAT';
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644
index 582dfed..0000000
--- a/manifests/rules/torify/non_torified_users.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
- $real_non_torified_users = $shorewall::real_non_torified_users
-
- shorewall::rules::torify::non_torified_user {
- $real_non_torified_users:
- }
-
-}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index fe1c5fe..2bee658 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest,
}
+ $user_real = $user ? {
+ '-' => "!${shorewall::tor_user}",
+ default => $user,
+ }
+
$destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW',
default => 'net'
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn',
originaldest => $originaldest_real,
- user => $user,
+ user => $user_real,
order => 110,
action => 'DNAT';
}
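Review bot: The `'-' => "!${shorewall::tor_user}"` arm of the new `$user_real` selector in the first hunk has no comment explaining why the Tor user is carved out, and the loop it avoids is not obvious from the code; suggest `# '-' means any user: exclude the Tor daemon's own user so its outgoing connections are not DNATed back into the transparent proxy.` above the selector. The same selector interpolates `$shorewall::tor_user` unguarded, so an empty value would yield the user spec `!` on the DNAT rule, whose meaning is unclear; a check that tor_user is non-empty (here or in the shorewall class) would be safer, and the allow_tor_user hunk has the same exposure. The exclusion only applies when `$user` is exactly `'-'`; a caller passing an explicit user is presumably expected to handle the Tor user itself, which is worth stating in the define's doc comment. The define's body starts before the first hunk.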
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 49c0b34..5caccfd 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy
+ if $originaldest == '-' and $user == '-' {
+ include shorewall::rules::torify::allow_tor_user
+ }
+
shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}":
user => $user,