author | intrigeri <intrigeri@boum.org> | 2013-01-02 18:02:31 +0100 |
---|---|---|
committer | intrigeri <intrigeri@boum.org> | 2013-01-02 18:02:31 +0100 |
commit | 5e555243c8dd93f7e5cfadacc9c3843d5f9d421c (patch) | |
tree | ae9523884d7447e57a9a1ac91f60a39da24c8e04 /manifests | |
parent | 88fa544a9c2f974b35a169b4e3865ccaf4f68fd1 (diff) | |
download | puppet-shorewall-5e555243c8dd93f7e5cfadacc9c3843d5f9d421c.tar.gz puppet-shorewall-5e555243c8dd93f7e5cfadacc9c3843d5f9d421c.tar.bz2 |
Revert "Support exempting some users from torification measures."
This reverts commit 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a.
This stuff is not ready for the shared repo, but we want to benefit from my
having already merged immerda's stuff into my branch and solved the conflicts.
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/rules/torify.pp | 2 | ||||
-rw-r--r-- | manifests/rules/torify/allow_tor_user.pp | 15 | ||||
-rw-r--r-- | manifests/rules/torify/non_torified_user.pp | 25 | ||||
-rw-r--r-- | manifests/rules/torify/non_torified_users.pp | 9 | ||||
-rw-r--r-- | manifests/rules/torify/redirect_tcp_to_tor.pp | 7 | ||||
-rw-r--r-- | manifests/rules/torify/user.pp | 4 |
7 files changed, 25 insertions, 41 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index dd28767..3b4b3b2 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,10 +33,6 @@ class shorewall(
 default => $dist_tor_user, } }
- case $non_torified_users {
- '': { $non_torified_users = [] }
- }
- $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 # See http://www.shorewall.net/3.0/Documentation.htm#Zones
 shorewall::managed_file{ zones: }
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index b393a2a..f6e62d8 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,8 +18,6 @@ define shorewall::rules::torify(
 $allow_rfc1918 = true ){
- include shorewall::rules::torify::non_torified_users
-
 $originaldest = join($destinations,',') shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
new file mode 100644
index 0000000..f44c1f0
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_user.pp
@@ -0,0 +1,15 @@
+class shorewall::rules::torify::allow_tor_user {
+
+ $whitelist_rule = "allow-from-tor-user"
+ if !defined(Shorewall::Rule["$whitelist_rule"]) {
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $shorewall::tor_user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
deleted file mode 100644
index 34e4db7..0000000
--- a/manifests/rules/torify/non_torified_user.pp
+++ /dev/null
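Review bot: The `if !defined(Shorewall::Rule["$whitelist_rule"])` guard in the new allow_tor_user.pp makes the ACCEPT rule for the tor user parse-order dependent: whether it is declared depends on which manifest happens to be evaluated first, and a same-named rule declared elsewhere silently wins. Since this is a class and is included at most once per catalog, the guard adds nothing; declaring `shorewall::rule { 'allow-from-tor-user': ... }` unconditionally also removes the quoted bare variable `"$whitelist_rule"`, which puppet-lint flags. `user => $shorewall::tor_user` is read from the shorewall class without checking that it resolved to a non-empty value; a `fail()` on an empty value would keep a `$FW`-to-`all` ACCEPT rule from being written with an empty user match, whose meaning to Shorewall is not visible here.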
@@ -1,25 +0,0 @@
-define shorewall::rules::torify::non_torified_user() {
-
- $user = $name
-
- $whitelist_rule = "allow-from-user=${user}"
- shorewall::rule {
- "$whitelist_rule":
- source => '$FW',
- destination => 'all',
- user => $user,
- order => 101,
- action => 'ACCEPT';
- }
-
- $nonat_rule = "dont-redirect-to-tor-user=${user}"
- shorewall::rule {
- "$nonat_rule":
- source => '$FW',
- destination => '-',
- user => $user,
- order => 106,
- action => 'NONAT';
- }
-
-}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
deleted file mode 100644
index 582dfed..0000000
--- a/manifests/rules/torify/non_torified_users.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class shorewall::rules::torify::non_torified_users {
-
- $real_non_torified_users = $shorewall::real_non_torified_users
-
- shorewall::rules::torify::non_torified_user {
- $real_non_torified_users:
- }
-
-}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index fe1c5fe..2bee658 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
 default => $originaldest, }
+ $user_real = $user ? {
+ '-' => "!${shorewall::tor_user}",
+ default => $user,
+ }
+
 $destzone = $shorewall::tor_transparent_proxy_host ? { '127.0.0.1' => '$FW', default => 'net'
@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
 destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", proto => 'tcp:syn', originaldest => $originaldest_real,
- user => $user,
+ user => $user_real,
 order => 110, action => 'DNAT'; }
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 49c0b34..5caccfd 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
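Review bot: The new `$user_real` selector in redirect_tcp_to_tor.pp builds a negated user match with `'-' => "!${shorewall::tor_user}"` but never checks that `$shorewall::tor_user` resolved to a value; if it is empty, the DNAT rule's user column becomes a bare `!`, and how Shorewall interprets that is not visible from this hunk. A guard before the selector, `if $shorewall::tor_user == '' { fail('shorewall::tor_user must be set') }`, would turn that into a compile-time failure instead of a silently different redirect rule. The selector also deserves a why-comment, e.g. `# '-' means every local user except the tor user, presumably so the daemon's own traffic is not sent back into the transparent proxy`. The enclosing define starts before this hunk and its parameter list is not visible here.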
@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
 include shorewall::rules::torify::allow_tor_transparent_proxy
+ if $originaldest == '-' and $user == '-' {
+ include shorewall::rules::torify::allow_tor_user
+ }
+
 shorewall::rules::torify::redirect_tcp_to_tor { "redirect-to-tor-user=${user}-to=${originaldest}": user => $user, |
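Review bot: The new `if $originaldest == '-' and $user == '-'` block in user.pp includes allow_tor_user only for the catch-all instance, and nothing in the hunk says why that pairing matters. From the companion change in redirect_tcp_to_tor.pp the catch-all redirect now excludes the tor user via `$user_real`, so that user's direct traffic needs its own ACCEPT; a comment such as `# The catch-all redirect skips the tor user (see redirect_tcp_to_tor), so its direct traffic must be accepted explicitly` would record that coupling before someone loosens the condition. The string comparisons against `'-'` mirror the selector keys in redirect_tcp_to_tor.pp, so any future change to that sentinel has to be made in both files. The enclosing define starts before and continues after this hunk.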