Stop shipping the default shorewall.conf file, instead we should let the

operatingsystem package install its default config (this lets us stop having to
keep this file updated), and instead tell people to configure their
shorewall.conf file using the augeas method.

It is possible still to distribute a shorewall.conf from a site-shorewall
directory, however if the file is distributed, then it is not possible to use
the augeas method.

https://labs.riseup.net/code/issues/2738

1 files changed, 26 insertions, 0 deletions

diff --git a/README b/README
index 0010450..50a2bb9 100644
--- a/README
+++ b/README
@@ -35,6 +35,32 @@ installed instead:
 
     $shorewall_ensure_version = "4.0.15-1"
 
+The main shorewall.conf is not managed by this module, rather the default one
+that your operatingsystem provides is used, and any modifications you wish to do
+to it should be configured with augeas, for example, to set IP_FORWARDING=Yes in
+shorewall.conf, simply do this:
+
+  augeas { 'enable_ip_forwarding':
+    changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
+    lens    => 'Shellvars.lns',
+    incl    => '/etc/shorewall/shorewall.conf',
+    notify  => Service[shorewall];
+  }
+
+NOTE: this requires the augeas ruby bindings newer than 0.7.3. 
+
+If you need to, you can provide an entire shorewall.conf by placing it in one of
+the following locations:
+
+  "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+  "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf",
+  "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+  "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem",
+  "puppet:///modules/site-shorewall/shorewall.conf"
+
+NOTE: if you distribute a file, you cannot also use augeas, puppet and augeas
+will fight forever
+
 Documentation
 -------------