aboutsummaryrefslogtreecommitdiff
path: root/manifests/rules
diff options
context:
space:
mode:
authorintrigeri <intrigeri@boum.org>2012-01-07 06:09:54 +0100
committerintrigeri <intrigeri@boum.org>2012-11-11 23:11:49 +0100
commit6bc54f031b9ae12fe428c83e70733c8b2ff4c67a (patch)
tree6fa93a250d68067c079b2fb9c2feb29f81f61e37 /manifests/rules
parent911cc18e594bb5a3ab642ebb24615a0447050c32 (diff)
downloadpuppet-shorewall-6bc54f031b9ae12fe428c83e70733c8b2ff4c67a.tar.gz
puppet-shorewall-6bc54f031b9ae12fe428c83e70733c8b2ff4c67a.tar.bz2
Support exempting some users from torification measures.
Diffstat (limited to 'manifests/rules')
-rw-r--r--manifests/rules/torify.pp2
-rw-r--r--manifests/rules/torify/allow_tor_user.pp15
-rw-r--r--manifests/rules/torify/non_torified_user.pp25
-rw-r--r--manifests/rules/torify/non_torified_users.pp9
-rw-r--r--manifests/rules/torify/redirect_tcp_to_tor.pp7
-rw-r--r--manifests/rules/torify/user.pp4
6 files changed, 37 insertions, 25 deletions
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index f6e62d8..b393a2a 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,6 +18,8 @@ define shorewall::rules::torify(
$allow_rfc1918 = true
){
+ include shorewall::rules::torify::non_torified_users
+
$originaldest = join($destinations,',')
shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
deleted file mode 100644
index f44c1f0..0000000
--- a/manifests/rules/torify/allow_tor_user.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class shorewall::rules::torify::allow_tor_user {
-
- $whitelist_rule = "allow-from-tor-user"
- if !defined(Shorewall::Rule["$whitelist_rule"]) {
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $shorewall::tor_user,
- order => 101,
- action => 'ACCEPT';
- }
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
new file mode 100644
index 0000000..34e4db7
--- /dev/null
+++ b/manifests/rules/torify/non_torified_user.pp
@@ -0,0 +1,25 @@
+define shorewall::rules::torify::non_torified_user() {
+
+ $user = $name
+
+ $whitelist_rule = "allow-from-user=${user}"
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+
+ $nonat_rule = "dont-redirect-to-tor-user=${user}"
+ shorewall::rule {
+ "$nonat_rule":
+ source => '$FW',
+ destination => '-',
+ user => $user,
+ order => 106,
+ action => 'NONAT';
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
new file mode 100644
index 0000000..582dfed
--- /dev/null
+++ b/manifests/rules/torify/non_torified_users.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::torify::non_torified_users {
+
+ $real_non_torified_users = $shorewall::real_non_torified_users
+
+ shorewall::rules::torify::non_torified_user {
+ $real_non_torified_users:
+ }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index 2bee658..fe1c5fe 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest,
}
- $user_real = $user ? {
- '-' => "!${shorewall::tor_user}",
- default => $user,
- }
-
$destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW',
default => 'net'
@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn',
originaldest => $originaldest_real,
- user => $user_real,
+ user => $user,
order => 110,
action => 'DNAT';
}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 5caccfd..49c0b34 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,10 +7,6 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy
- if $originaldest == '-' and $user == '-' {
- include shorewall::rules::torify::allow_tor_user
- }
-
shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}":
user => $user,