Age | Commit message | Author |
|
'master'
Feature/mangle support multiple rules with same action
This allows one to support multiple networks in libvirt.
See merge request !4
|
|
That is, make the resource's title more unique by including the destination
interface in it, and accordingly pass the desired action via the new,
dedicated parameter.
|
|
Previously, it was using $name, which prevented adding multiple mangle
rules that share a common ACTION, with different parameters.
|
|
Fix dhcp for libvirt
This branch uses the mangle table support added by the feature/Add_support_for_mangle_table branch to fix the libvirt DHCP when broken by a recent kernel. It fills the checksum of this kind of packet on the libvirt interface.
This patch shouldn't break older setups, and is implemented so that it can be disabled.
See merge request !2
|
|
Add support for mangle table.
When using the kernel from Debian Wheezy-backports (3.16.0-0.bpo.4-amd64), we encountered a bug where shorewall was breaking the libvirt DHCP if restarted after it.
It seems that one has to add a rule in the POSTROUTING chain of the mangle table to --checksum-fill the DHCP packets for them to be properly caught by the VMs' DHCP clients.
So we had to add support of the mangle table to the shared puppet module to fix that.
This patch does just that, and is meant to be used by the other branch I'll propose after.
See merge request !1
|
|
On newer kernels (tested on 3.16), the libvirt and shorewall iptables
rules have conflicts that need to be fixed by enabling back
--checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease.
|
|
top-level require
|
|
before it tries to run
|
|
make sure that the augeas class has been applied before attempting to do any
augeas operations. without this, you will non-deterministically get:
err: /Stage[main]/Shorewall::Base/Augeas[shorewall_module_config_path]: Could not evaluate: Save failed with return code false
|
|
Conflicts:
files/shorewall.conf.CentOS.6
files/shorewall.conf.Debian.wheezy
|
|
Conflicts:
files/boilerplate/providers.footer
files/boilerplate/providers.header
manifests/base.pp
manifests/providers.pp
|
|
Conflicts:
manifests/base.pp
manifests/init.pp
|
|
This reverts commit 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a.
This stuff is not ready for the shared repo, but we want to take benefit from me
having already merged immerda's stuff into my branch and solved the conflicts.
|
|
This reverts commit 0c28fa636653f395c756f56c93f8c78fddfcee00.
This stuff is not ready for the shared repo, but we want to take benefit from me
having already merged immerda's stuff into my branch and solved the conflicts.
|
|
final results in /etc/shorewall/puppet, we have to make sure the shorewall.conf
is pointing to that directory to get those configurations. This commit fixes that.
|
|
shorewall.conf, because if they do not exist, you will get a puppet error.
this commit removes them, and updates the README to provide instructions for how
you can do it the old way, if you want
|
|
operatingsystem package install its default config (this lets us stop having to
keep this file updated), and instead tell people to configure their
shorewall.conf file using the augeas method.
It is possible still to distribute a shorewall.conf from a site-shorewall
directory, however if the file is distributed, then it is not possible to use
the augeas method.
https://labs.riseup.net/code/issues/2738
|
|
It was meant to provide preseeding files over FTP,
but the Debian installer has been supporting TFTP for a while,
so no additional software is needed.
|
|
Managed configuration files now live in /etc/shorewall/puppet.
|
|