Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/base.pp | 2 | ||||
-rw-r--r-- | manifests/extension_script.pp | 14 | ||||
-rw-r--r-- | manifests/init.pp | 34 | ||||
-rw-r--r-- | manifests/interface.pp | 30 | ||||
-rw-r--r-- | manifests/routestopped.pp | 10 | ||||
-rw-r--r-- | manifests/rules/mdns.pp | 8 | ||||
-rw-r--r-- | manifests/rules/torify.pp | 31 | ||||
-rw-r--r-- | manifests/rules/torify/allow_tor_transparent_proxy.pp | 21 | ||||
-rw-r--r-- | manifests/rules/torify/non_torified_user.pp | 25 | ||||
-rw-r--r-- | manifests/rules/torify/non_torified_users.pp | 9 | ||||
-rw-r--r-- | manifests/rules/torify/redirect_tcp_to_tor.pp | 35 | ||||
-rw-r--r-- | manifests/rules/torify/reject_non_tor.pp | 32 | ||||
-rw-r--r-- | manifests/rules/torify/user.pp | 23 | ||||
-rw-r--r-- | manifests/tcclasses.pp | 12 | ||||
-rw-r--r-- | manifests/tcdevices.pp | 11 | ||||
-rw-r--r-- | manifests/tcrules.pp | 12 |
16 files changed, 287 insertions, 22 deletions
diff --git a/manifests/base.pp b/manifests/base.pp index 709f4b7..937b83b 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,6 +1,6 @@ class shorewall::base { package { 'shorewall': - ensure => present, + ensure => $shorewall_ensure_version, } # This file has to be managed in place, so shorewall can find it diff --git a/manifests/extension_script.pp b/manifests/extension_script.pp new file mode 100644 index 0000000..510536b --- /dev/null +++ b/manifests/extension_script.pp @@ -0,0 +1,14 @@ +# See http://shorewall.net/shorewall_extension_scripts.htm +define shorewall::extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + shorewall::managed_file { "${name}": } + shorewall::entry { "${name}.d/500-${hostname}": + line => "${script}\n"; + } + } + '', default: { + err("${name}: unknown shorewall extension script") + } + } +} diff --git a/manifests/init.pp b/manifests/init.pp index 17ff12d..31cf5e4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -4,8 +4,11 @@ class shorewall( case $::operatingsystem { gentoo: { include shorewall::gentoo } - debian: { include shorewall::debian } - centos: { include shorewall::centos } + debian: { + include shorewall::debian + $dist_tor_user = 'debian-tor' + } + centos: { include shorewall::base } ubuntu: { case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } 
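Review bot: `ensure => $shorewall_ensure_version` reads an unqualified variable whose declaration is not in this diff; if nothing sets it, the package gets `ensure => ''`, which is unlikely to be a valid package ensure value, so a host that does not define it goes from working to failing with this change. A defaulting selector keeps the previous behaviour as the fallback: `ensure => $shorewall_ensure_version ? { '' => 'present', default => $shorewall_ensure_version },`. Where the version is meant to be set (class parameter or global) deserves a comment on this line. The rest of shorewall::base is outside the hunk.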
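Review bot: `err(...)` in the `'', default:` branch only logs at error level, so a misspelled hook name compiles and applies without writing any extension script; `fail("${name}: unknown shorewall extension script")` aborts the catalog instead, which is what an unknown name should do. The `$script` body is emitted unmodified via shorewall::entry into `${name}.d/500-${hostname}`, and shorewall runs these extension files as shell, so the define's header should say so: `# $script is written verbatim into an extension script that shorewall executes; only pass reviewed, trusted content.` Also `${hostname}` should be `${::hostname}` to match the top-scope fact syntax used elsewhere in this commit.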
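Review bot: `$dist_tor_user` is only assigned in the `debian:` branch, so on every other platform the selector later in this file (`$dist_tor_user ? { '' => 'tor', ... }`) depends on an unassigned variable evaluating as the empty string and on `case` branches not opening a new scope; as far as I can tell both hold for the Puppet syntax this module targets, but a comment on the `debian:` branch such as `# Debian runs tor as debian-tor; elsewhere $dist_tor_user stays unset and the fallback is 'tor'` would make that explicit. `centos:` now includes shorewall::base instead of shorewall::centos, and since the diffstat (limited to manifests) shows no manifests/centos.pp change, that class appears to be left behind unreferenced; I cannot see it from here. The class parameter list is outside the hunk.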
@@ -13,11 +16,28 @@ class shorewall( } } default: { - notice "unknown operatingsystem: ${::operatingsystem}" - include shorewall::base + notice "unknown operatingsystem: $operatingsystem" + include shorewall::base } } + case $tor_transparent_proxy_host { + '': { $tor_transparent_proxy_host = '127.0.0.1' } + } + case $tor_transparent_proxy_port { + '': { $tor_transparent_proxy_port = '9040' } + } + if $tor_user == '' { + $tor_user = $dist_tor_user ? { + '' => 'tor', + default => $dist_tor_user, + } + } + case $non_torified_users { + '': { $non_torified_users = [] } + } + $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) + # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces @@ -42,6 +62,12 @@ class shorewall( shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcdevices: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcrules: } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + shorewall::managed_file { tcclasses: } # http://www.shorewall.net/manpages/shorewall-providers.html shorewall::managed_file { providers: } } diff --git a/manifests/interface.pp b/manifests/interface.pp index 1716a7e..e1bca9a 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp 
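Review bot: The rewritten notice in the `default:` branch drops the top-scope qualifier, `notice "unknown operatingsystem: $operatingsystem"`, while the `case` a few lines above (and the removed line) use `${::operatingsystem}`; keep `notice "unknown operatingsystem: ${::operatingsystem}"` so the fact cannot be shadowed by a same-named variable in an enclosing scope. The Tor defaults that follow are the security-relevant part of this hunk: `$tor_user` is always folded into `$real_non_torified_users`, presumably so the Tor daemon's own connections are never redirected back into its transparent proxy, and a comment above that line, `# the Tor daemon itself must always be in the bypass list`, would record why it is unconditional. `uniq_flatten` is not a core function; note near its use which module provides it. The class parameter list is outside the hunk.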
@@ -2,26 +2,28 @@ define shorewall::interface( $zone, $broadcast = 'detect', $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $add_options = '', $rfc1918 = false, $dhcp = false, $order = 100 ){ - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } + $added_opts = $add_options ? { + '' => '', + default => ",${add_options}", } - shorewall::entry { "interfaces-${order}-${name}": - line => "${zone} ${name} ${broadcast} ${options_real}", + $dhcp_opt = $dhcp ? { + false => '', + default => ',dhcp', + } + + $rfc1918_opt = $rfc1918 ? { + false => ',norfc1918', + default => '', + } + + shorewall::entry { "interfaces.d/${order}-${name}": + line => "${zone} ${name} ${broadcast} ${options}${dhcp_opt}${rfc1918_opt}${added_opts}", } } diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index cd39762..0e39d13 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -4,7 +4,11 @@ define shorewall::routestopped( $options = '', $order='100' ){ - shorewall::entry{"routestopped-${order}-${name}": - line => "${interface} ${host} ${options}", - } + $real_interface = $interface ? { + '' => $name, + default => $interface, + } + shorewall::entry{"routestopped.d/${order}-${name}": + line => "${real_interface} ${host} ${options}", + } } diff --git a/manifests/rules/mdns.pp b/manifests/rules/mdns.pp new file mode 100644 index 0000000..76b1fd9 --- /dev/null +++ b/manifests/rules/mdns.pp @@ -0,0 +1,8 @@ +class shorewall::rules::mdns { + shorewall::rule { 'net-me-mdns': + source => 'net', + destination => '$FW', + order => 240, + action => 'mDNS(ACCEPT)'; + } +} diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp new file mode 100644 index 0000000..b393a2a --- /dev/null +++ b/manifests/rules/torify.pp 
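Review bot: The `$rfc1918_opt` selector emits `,norfc1918` only when `$rfc1918` is the literal boolean `false`; depending on Puppet version a caller passing the string `'false'` (typical for values coming from an ENC or lookup) falls through to `default => ''` and the interface silently stops filtering RFC1918 sources, which is the unsafe direction to fail in. Matching the string form as well, `false => ',norfc1918', 'false' => ',norfc1918', default => '',`, or normalising the parameter first, closes that; the `$dhcp` selector has the mirror-image shape, but there an unexpected value only adds `,dhcp`. `$add_options` is appended to the OPTIONS column unvalidated, so the parameter should carry a comment that it must be a comma-separated list of shorewall interface options. The define's first line is outside the hunk.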
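Review bot: The fallback `'' => $name` makes the resource title double as the interface name when `$interface` is left empty, which is not visible from the hunk and should be stated on the parameter: `# $interface: interface the host stays reachable on while shorewall is stopped; defaults to the resource title`. `$host` and `$options` go into the routestopped line unvalidated, as they did before. The define's parameter list starts outside the hunk.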
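Review bot: `net-me-mdns` accepts mDNS (UDP 5353) from the `net` zone to `$FW` with no way to narrow the source, so on a host where `net` is the Internet-facing zone this exposes the service to the world rather than to the local link; whether that is intended depends on how the module's zones are laid out, which I cannot see. Parameterising the zone, `class shorewall::rules::mdns($source = 'net')` with `source => $source`, or at least a header comment stating that mDNS is only meaningful on a zone covering the local link, would make the exposure deliberate rather than accidental.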
@@ -0,0 +1,31 @@
+# shorewall::rules::torify
+#
+# Note: shorewall::rules::torify cannot be used several times with the
+# same user listed in the $users array. This restriction applies to
+# using this define multiple times without providing a $users
+# parameter.
+#
+# Parameters:
+#
+# - users: every element of this array must be valid in shorewall
+# rules user/group column.
+# - destinations: every element of this array must be valid in
+# shorewall rules original destination column.
+
+define shorewall::rules::torify(
+ $users = ['-'],
+ $destinations = ['-'],
+ $allow_rfc1918 = true
+){
+
+ include shorewall::rules::torify::non_torified_users
+
+ $originaldest = join($destinations,',')
+
+ shorewall::rules::torify::user {
+ $users:
+ originaldest => $originaldest,
+ allow_rfc1918 => $allow_rfc1918;
+ }
+
+}
diff --git a/manifests/rules/torify/allow_tor_transparent_proxy.pp b/manifests/rules/torify/allow_tor_transparent_proxy.pp
new file mode 100644
index 0000000..3c18db6
--- /dev/null
+++ b/manifests/rules/torify/allow_tor_transparent_proxy.pp
@@ -0,0 +1,21 @@
+class shorewall::rules::torify::allow_tor_transparent_proxy {
+
+ $rule = "allow-tor-transparent-proxy"
+
+ if !defined(Shorewall::Rule["$rule"]) {
+ # A weirdness in shorewall forces us to explicitly allow traffic to
+ # net:$tor_transparent_proxy_host:$tor_transparent_proxy_port even
+ # if $FW->$FW traffic is allowed. This anyway avoids us special-casing
+ # the remote Tor transparent proxy situation.
+ shorewall::rule {
+ "$rule":
+ source => '$FW',
+ destination => "net:${shorewall::tor_transparent_proxy_host}",
+ proto => 'tcp',
+ destinationport => $shorewall::tor_transparent_proxy_port,
+ order => 100,
+ action => 'ACCEPT';
+ }
+ }
+
+}
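Review bot: The header documents the duplicate-user restriction but not the fail-closed behaviour callers most need to know: the redirect in redirect_tcp_to_tor.pp only captures `tcp:syn`, while the rule in reject_non_tor.pp has no `proto` and therefore rejects everything else a torified user sends, UDP and ICMP included, and the hard-coded exclusion list in the redirect means RFC1918 destinations are never torified, only allowed (`$allow_rfc1918 = true`) or rejected. A paragraph in this header along the lines of `# Non-TCP traffic from torified users is rejected, not proxied; name resolution must go through Tor. Loopback and RFC1918 destinations are never redirected.` would spare readers four files. Only IPv4 addresses appear in these rules, so whether IPv6 traffic from the same users is covered at all is worth stating too. `join` is not a core function and should be credited to the module providing it.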
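Review bot: The `!defined(Shorewall::Rule["$rule"])` guard is redundant inside a class: the body is evaluated at most once per catalog, so the guard can only suppress this rule when an unrelated resource already uses the same title, and it makes that outcome depend on parse order. Declaring the rule directly is simpler and more predictable. The comment explains the shorewall quirk well; it should also say that when `$shorewall::tor_transparent_proxy_host` is a remote host this rule lets the not-yet-torified traffic leave in clear towards that host, so the network path to the proxy has to be trusted.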
@@ -0,0 +1,25 @@
+define shorewall::rules::torify::non_torified_user() {
+
+ $user = $name
+
+ $whitelist_rule = "allow-from-user=${user}"
+ shorewall::rule {
+ "$whitelist_rule":
+ source => '$FW',
+ destination => 'all',
+ user => $user,
+ order => 101,
+ action => 'ACCEPT';
+ }
+
+ $nonat_rule = "dont-redirect-to-tor-user=${user}"
+ shorewall::rule {
+ "$nonat_rule":
+ source => '$FW',
+ destination => '-',
+ user => $user,
+ order => 106,
+ action => 'NONAT';
+ }
+
+}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
new file mode 100644
index 0000000..582dfed
--- /dev/null
+++ b/manifests/rules/torify/non_torified_users.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::torify::non_torified_users {
+
+ $real_non_torified_users = $shorewall::real_non_torified_users
+
+ shorewall::rules::torify::non_torified_user {
+ $real_non_torified_users:
+ }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
new file mode 100644
index 0000000..fe1c5fe
--- /dev/null
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -0,0 +1,35 @@
+define shorewall::rules::torify::redirect_tcp_to_tor(
+ $user = '-',
+ $originaldest = '-'
+){
+
+ # hash the destination as it may contain slashes
+ $originaldest_sha1 = sha1($originaldest)
+ $rule = "redirect-to-tor-user=${user}-to=${originaldest_sha1}"
+
+ if !defined(Shorewall::Rule["$rule"]) {
+
+ $originaldest_real = $originaldest ? {
+ '-' => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+ default => $originaldest,
+ }
+
+ $destzone = $shorewall::tor_transparent_proxy_host ? {
+ '127.0.0.1' => '$FW',
+ default => 'net'
+ }
+
+ shorewall::rule {
+ "$rule":
+ source => '$FW',
+ destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
+ proto => 'tcp:syn',
+ originaldest => $originaldest_real,
+ user => $user,
+ order => 110,
+ action => 'DNAT';
+ }
+
+ }
+
+}
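Review bot: The ACCEPT at `order => 101` and the NONAT at `order => 106` only bypass Tor because they sort before the DNAT (110) in redirect_tcp_to_tor.pp and the REJECT (120) in reject_non_tor.pp, and nothing in this file records that cross-file invariant. Put it where the numbers are chosen: `# 101/106 must sort before the torify DNAT (110) and REJECT (120) rules, otherwise this user is torified or cut off.` The whitelist rule is `destination => 'all'` with no proto restriction, i.e. listed users get unrestricted egress; that is the purpose of the define, but a one-line header saying so makes the bypass list easier to audit.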
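Review bot: `$shorewall::real_non_torified_users` is read with no `include shorewall` and no `Class['shorewall']` relationship, so if this class is reached before class shorewall has been evaluated the variable is presumably undefined and the `non_torified_user` declaration gets no usable titles, silently dropping the bypass rules, the Tor daemon's own included. A comment stating the ordering requirement, `# requires class shorewall to be evaluated first; it computes real_non_torified_users`, or an explicit include if that class is not parameterised, would prevent it; how class shorewall is declared is not visible from here.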
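Review bot: The literal `'!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'` is duplicated verbatim in reject_non_tor.pp, and two copies of an exclusion list drift independently; keeping it in one place, such as a variable in class shorewall next to the other torify settings, lets both rules stay in step. Unlike its sibling this define has no `$allow_rfc1918` parameter, so RFC1918 destinations are never redirected whatever that setting is; that looks deliberate and a header comment should say so, e.g. `# Redirects new TCP connections from $user to the Tor transparent proxy. Loopback and RFC1918 destinations are never redirected; whether they are allowed or rejected is decided by reject_non_tor.` The `defined()` guard makes deduplication parse-order dependent, which is tolerable here only because the rule body is fully determined by the title plus the class-level host and port.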
diff --git a/manifests/rules/torify/reject_non_tor.pp b/manifests/rules/torify/reject_non_tor.pp
new file mode 100644
index 0000000..80240ec
--- /dev/null
+++ b/manifests/rules/torify/reject_non_tor.pp
@@ -0,0 +1,32 @@
+define shorewall::rules::torify::reject_non_tor(
+ $user = '-',
+ $originaldest = '-',
+ $allow_rfc1918 = true
+){
+
+ # hash the destination as it may contain slashes
+ $originaldest_sha1 = sha1($originaldest)
+ $rule = "reject-non-tor-from-${user}-to=${originaldest_sha1}"
+
+ if $originaldest == '-' {
+ $originaldest_real = $allow_rfc1918 ? {
+ false => '!127.0.0.1',
+ default => '!127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16',
+ }
+ } else {
+ $originaldest_real = $originaldest
+ }
+
+ if !defined(Shorewall::Rule["$rule"]) {
+ shorewall::rule {
+ "$rule":
+ source => '$FW',
+ destination => 'all',
+ originaldest => $originaldest_real,
+ user => $user,
+ order => 120,
+ action => 'REJECT';
+ }
+ }
+
+}
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
new file mode 100644
index 0000000..49c0b34
--- /dev/null
+++ b/manifests/rules/torify/user.pp
@@ -0,0 +1,23 @@
+define shorewall::rules::torify::user(
+ $originaldest = '-',
+ $allow_rfc1918 = true
+){
+
+ $user = $name
+
+ include shorewall::rules::torify::allow_tor_transparent_proxy
+
+ shorewall::rules::torify::redirect_tcp_to_tor {
+ "redirect-to-tor-user=${user}-to=${originaldest}":
+ user => $user,
+ originaldest => $originaldest
+ }
+
+ shorewall::rules::torify::reject_non_tor {
+ "reject-non-tor-user=${user}-to=${originaldest}":
+ user => "$user",
+ originaldest => $originaldest,
+ allow_rfc1918 => $allow_rfc1918;
+ }
+
+}
diff --git a/manifests/tcclasses.pp b/manifests/tcclasses.pp
new file mode 100644
index 0000000..2126bb7
--- /dev/null
+++ b/manifests/tcclasses.pp
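Review bot: This rule is the leak guard for the whole torify set and has no `proto`, so it rejects everything from `$user` that the TCP redirect did not capture, UDP DNS included; that is the right fail-closed default, but the file does not say so, and with `$allow_rfc1918 = false` only `127.0.0.1` stays exempt, so local services bound to other loopback or interface addresses are rejected as well. A header comment captures both: `# Rejects any traffic from $user that was not redirected to Tor (all protocols). With allow_rfc1918 => false only 127.0.0.1 is exempt.` The rule title is `reject-non-tor-from-${user}` while user.pp names the wrapper `reject-non-tor-user=${user}`; one scheme is easier to grep for in the generated rules file.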
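Review bot: The two declarations are written in different styles: `user => "$user"` quotes a plain variable where the redirect declaration passes `user => $user`, and only the second declaration uses the `;` terminator; `user => $user,` keeps them uniform and avoids needless stringification. The wrapper titles interpolate the raw `${originaldest}` while the underlying rules title themselves with `sha1($originaldest)`; a comment noting that these titles only need to be unique within this define, and that deduplication across invocations happens on the hashed rule titles, would explain the asymmetry.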
@@ -0,0 +1,12 @@
+define shorewall::tcclasses(
+ $interface,
+ $rate,
+ $ceil,
+ $priority,
+ $options = '',
+ $order = '1'
+){
+ shorewall::entry { "tcclasses.d/${order}-${title}":
+ line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}",
+ }
+}
diff --git a/manifests/tcdevices.pp b/manifests/tcdevices.pp
new file mode 100644
index 0000000..54c9665
--- /dev/null
+++ b/manifests/tcdevices.pp
@@ -0,0 +1,11 @@
+define shorewall::tcdevices(
+ $in_bandwidth,
+ $out_bandwidth,
+ $options = '',
+ $redirected_interfaces = '',
+ $order = '100'
+){
+ shorewall::entry { "tcdevices.d/${order}-${title}":
+ line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}",
+ }
+}
diff --git a/manifests/tcrules.pp b/manifests/tcrules.pp
new file mode 100644
index 0000000..a888d20
--- /dev/null
+++ b/manifests/tcrules.pp
@@ -0,0 +1,12 @@
+define shorewall::tcrules(
+ $source,
+ $destination,
+ $protocol = 'all',
+ $ports,
+ $client_ports = '',
+ $order = '1'
+){
+ shorewall::entry { "tcrules.d/${order}-${title}":
+ line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}",
+ }
+}
|
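Review bot: `${title}` in the shorewall::entry title and `${name}` in the emitted comment line are the same value inside a define, and the same mix appears in tcdevices.pp and tcrules.pp in this commit; pick one (`${name}` is what the module's other defines use) so readers do not hunt for a difference that is not there. The second column of the generated line reuses `${order}`, so the parameter sets both the entry's sort position and the value written into what shorewall's tcclasses documentation calls the MARK column; that coupling is easy to miss and should be stated on the parameter, e.g. `# $order: also emitted as the class mark, so it presumably has to be unique per interface`. `$rate`, `$ceil` and `$priority` have no defaults and are written unvalidated, which is consistent with the module's other defines.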