authorMicah Anderson <micah@riseup.net>2012-06-20 13:47:45 -0400
committerMicah Anderson <micah@riseup.net>2012-06-20 13:47:45 -0400
commitf3448f4210260c1cfee72ae709a1ae0b8902d0d4 (patch)
treeea545e1ba4352be8b3a6b940d2e5be7a0a373ae9
parentc3452c911c5dba8b53b558169774d83c3e1908e4 (diff)
downloadpuppet-shorewall-f3448f4210260c1cfee72ae709a1ae0b8902d0d4.tar.gz
puppet-shorewall-f3448f4210260c1cfee72ae709a1ae0b8902d0d4.tar.bz2
Revert "Support exempting some users from torification measures."
This reverts commit 6cb88973f53aa7d92414797dd21952c1c1d5da98.
-rw-r--r--README5
-rw-r--r--manifests/init.pp4
-rw-r--r--manifests/rules/torify.pp2
-rw-r--r--manifests/rules/torify/allow_tor_user.pp15
-rw-r--r--manifests/rules/torify/non_torified_user.pp25
-rw-r--r--manifests/rules/torify/non_torified_users.pp9
-rw-r--r--manifests/rules/torify/redirect_tcp_to_tor.pp7
-rw-r--r--manifests/rules/torify/user.pp4
8 files changed, 26 insertions, 45 deletions
diff --git a/README b/README
index cb4424f..0010450 100644
--- a/README
+++ b/README
@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false.
-Torify any outgoing TCP traffic but
- - connections to RFC1918 addresses
- - connections from users bob and alice:
+Torify any outgoing TCP traffic but connections to RFC1918 addresses:
- $non_torified_users = [ 'bob', 'alice' ]
shorewall::rules::torify {
'torify-everything-but-lan':
}
diff --git a/manifests/init.pp b/manifests/init.pp
index dd28767..3b4b3b2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,10 +33,6 @@ class shorewall(
default => $dist_tor_user,
}
}
- case $non_torified_users {
- '': { $non_torified_users = [] }
- }
- $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index b393a2a..f6e62d8 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
$allow_rfc1918 = true
){
- include shorewall::rules::torify::non_torified_users
-
$originaldest = join($destinations,',')
shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+ $whitelist_rule = "allow-from-tor-user"
+ if !defined(Shorewall::Rule["$whitelist_rule"]) {
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $shorewall::tor_user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+ }
+
+}
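Review bot: The `if !defined(Shorewall::Rule["$whitelist_rule"])` guard on the fourth line of the new class is redundant and parse-order dependent: a class body is evaluated at most once per catalog no matter how many times it is included, so the rule can be declared unconditionally, and `defined()` on a resource is exactly the construct whose answer changes with evaluation order. The string `"allow-from-tor-user"` and the title `"$whitelist_rule"` also use double quotes with nothing to interpolate; `$whitelist_rule = 'allow-from-tor-user'` and a bare `$whitelist_rule:` title would match the single-quoted `source => '$FW'` below it, which deliberately keeps the literal shorewall `$FW`. Since this rule ACCEPTs every connection from `$shorewall::tor_user` to `all` at order 101, the class deserves a header comment stating why it exists; from the rest of the commit this appears to be so the Tor daemon's own outbound connections can leave the host once they are no longer redirected, e.g. `# Accept everything the Tor daemon itself sends out; its traffic is excluded from the transparent-proxy redirect and must still be allowed through the filter table.`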
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644
index 34e4db7..0000000
--- a/manifests/rules/torify/non_torified_user.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
- $user = $name
-
- $whitelist_rule = "allow-from-user=${user}"
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $user,
- order => 101,
- action => 'ACCEPT';
- }
-
- $nonat_rule = "dont-redirect-to-tor-user=${user}"
- shorewall::rule {
- "$nonat_rule":
- source => '$FW',
- destination => '-',
- user => $user,
- order => 106,
- action => 'NONAT';
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644
index 582dfed..0000000
--- a/manifests/rules/torify/non_torified_users.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
- $real_non_torified_users = $shorewall::real_non_torified_users
-
- shorewall::rules::torify::non_torified_user {
- $real_non_torified_users:
- }
-
-}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index fe1c5fe..2bee658 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest,
}
+ $user_real = $user ? {
+ '-' => "!${shorewall::tor_user}",
+ default => $user,
+ }
+
$destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW',
default => 'net'
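Review bot: The new `$user_real` selector exempts `$shorewall::tor_user` from the DNAT only in the wildcard case (`'-'`); with an explicit user the `default => $user` arm passes it through unchanged, so a caller that names the tor user (or a user list containing it) would still have that traffic redirected into the transparent proxy the daemon itself is serving. A guard before the selector would make the contract explicit, e.g. `if $user == $shorewall::tor_user { fail("refusing to redirect the tor user ${user} into the transparent proxy") }`. The `"!${shorewall::tor_user}"` arm also degrades to a bare `!` if the tor user is empty; the `default => $dist_tor_user` context in the init.pp hunk suggests it is always set, but a comment should state that assumption, e.g. `# '-' means every local user; negate the tor user so the daemon's own outbound connections are not looped back into the proxy (relies on $shorewall::tor_user being non-empty).` The define's body starts and continues outside this hunk.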
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn',
originaldest => $originaldest_real,
- user => $user,
+ user => $user_real,
order => 110,
action => 'DNAT';
}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 49c0b34..5caccfd 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy
+ if $originaldest == '-' and $user == '-' {
+ include shorewall::rules::torify::allow_tor_user
+ }
+
shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}":
user => $user,