aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-10-09Merge branch 'feature/mangle-support-multiple-rules-with-same-action' into ↵Micah
'master' Feature/mangle support multiple rules with same action This allows one to support multiple networks in libvirt. See merge request !4
2015-07-16shorewall::rules::libvirt::host: adjust to changes in shorewall::mangle.intrigeri
That is, make the resource's title more unique by including the destination interface in it, and accordingly pass the desired action via the new, dedicated parameter.
2015-07-16shorewall::mangle: allow specifying the ACTION explicitly.intrigeri
Previously, it was using $name, which prevented adding multiple mangle rules that share a common ACTION, with different parameters.
2015-07-08fixed code indentation, added gitlab shared remotevarac
2015-07-08moved README to README.md so it hopefully renders as markdown in gitlab nowvarac
2015-05-08Make sure MUNINCOLLECTOR join() gets an array in munin ruleJerome Charaoui
2015-04-17Add GPLv3 licenseMicah Anderson
2015-03-02Merge branch 'bugfix/Fix_DHCP_for_libvirt' into 'master'Jerome Charaoui
Fix dhcp for libvirt This branch uses the mangle table support added by the feature/Add_support_for_mangle_table branch to fix the libvirt DHCP when broken by recent kernel. It fills the checksum of this kind of packets on the libvirt interface. This patch shouldn't break older setup, and is implemented so that it can be disabled. See merge request !2
2015-03-02Merge branch 'feature/Add_support_for_mangle_table' into 'master'Jerome Charaoui
Add support for mangle table. When using the kernel from Debian Wheezy-backports (3.16.0-0.bpo.4-amd64), we encoutered a bug where shorewall was breaking the libvirt DHCP if restarted after it. It seems that one has to add a rule in the POSTROUTING chain of the mangle table to --checksum-fill the DHCP packets for them to be properly catch by the VMs DHCP clients. So we had to add support of the mangle table to the shared puppet module to fix that. This patch does just that, and is meant to be used by the other branch I'll propose after. See merge request !1
2015-02-27Fix DHCP from $vmz.bertagaz
On newer kernel (tested on 3.16), the libvirt and shorewall iptables rules have conflicts that need to be fixed by enabling back --checksum-fill on $vmz, otherwise the VMs can't get a DHCP lease.
2015-02-27Add support for the mangle table.bertagaz
2013-06-14Merge remote-tracking branch 'intrigeri/feature/libvirt-host'Micah Anderson
2013-03-23lintingmh
2013-03-23only manage the config_path if we do not manage the config filemh
2013-03-23linting the init.ppmh
2013-03-23use the centos class on centos based systemsmh
2013-03-23with the latest updates on EL6 this is neededmh
2013-03-02fixed leftovers from concat_file in rtrules.pp and tunnel.ppvarac
2013-02-23remove the class requirement in the augeas block, it is handled by the ↵Micah Anderson
top-level require
2013-02-23change the 'include augeas' to a 'require augeas'Micah Anderson
2013-02-20add requirement for augeas moduleMicah Anderson
2013-02-12augeas definition needs to make sure the shorewall package is installed ↵Micah Anderson
before it tries to run
2013-02-09Linting.intrigeri
2013-02-09Allow not setting up masquerading in libvirt::host.intrigeri
2013-02-09libvirt::host: make debproxy port configurable.intrigeri
2013-01-24fix missing dependency on augeasMicah Anderson
make sure that the augeas class has been applied before attempting to do any augeas operations. without this, you will non-deterministically get: err: /Stage[main]/Shorewall::Base/Augeas[shorewall_module_config_path]: Could not evaluate: Save failed with return code false
2013-01-02cleanup a merge issuemh
2013-01-02provide an easy option to still manage the source of the central conf filemh
2013-01-02Merge remote-tracking branch 'riseup/master'mh
Conflicts: files/shorewall.conf.CentOS.6 files/shorewall.conf.Debian.wheezy
2013-01-02Merge remote-tracking branch 'varac/master'mh
Conflicts: files/boilerplate/providers.footer files/boilerplate/providers.header manifests/base.pp manifests/providers.pp
2013-01-02Merge remote-tracking branch 'sarava/master'mh
Conflicts: manifests/base.pp manifests/init.pp
2013-01-02Revert "Support exempting some users from torification measures."intrigeri
This reverts commit 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a. This stuff is not ready for the shared repo, but we want to take benefit from me having already merged immerda's stuff into my branch and solved the conflicts.
2013-01-02Revert "Allow redirecting DNS requests to Tor for specific users or globally."intrigeri
This reverts commit 0c28fa636653f395c756f56c93f8c78fddfcee00. This stuff is not ready for the shared repo, but we want to take benefit from me having already merged immerda's stuff into my branch and solved the conflicts.
2013-01-02Merge remote-tracking branch 'immerda/master'intrigeri
2013-01-01make it possible to exent nets for ipsecmh
2012-12-30Merge remote-tracking branch 'immerda/master'intrigeri
2012-12-11Because the puppet shorewall module uses concat::fragment assembly to put theMicah Anderson
final results in /etc/shorewall/puppet, we have to make sure the shorewall.conf is pointing to that directory to get those configurations. This commit fixes that.
2012-12-04actually it is not possible to provide the site-shorewall sources forMicah Anderson
shorewall.conf, because if they do not exist, you will get a puppet error. this commit removes them, and updates the README to provide instructions for how you can do it the old way, if you want
2012-12-04Stop shipping the default shorewall.conf file, instead we should let theMicah Anderson
operatingsystem package install its default config (this lets us stop having to keep this file updated), and instead tell people to configure their shorewall.conf file using the augeas method. It is possible still to distribute a shorewall.conf from a site-shorewall directory, however if the file is distributed, then it is not possible to use the augeas method. https://labs.riseup.net/code/issues/2738
2012-12-02Merge branch 'feature/libvirt-host'intrigeri
2012-12-02libvirt::host: don't accept FTP from VMs.intrigeri
It was meant to provide preseeding files over FTP, but the Debian installer has been supporting TFTP for a while, so no additional software is needed.
2012-11-25added providervarac
2012-11-25rtrules: added default priorityvarac
2012-11-25add rtrulesvarac
2012-11-11Update Wheezy's shorewall.conf to use the new configuration directory.intrigeri
Managed configuration files now live in /etc/shorewall/puppet.
2012-11-11Merge branch 'feature/torify-dns' into old-masterintrigeri
2012-11-11Merge branch 'feature/torification-exception' into old-masterintrigeri
2012-11-11Merge branch 'feature/libvirt-host' into old-masterintrigeri
2012-11-11Support exempting some users from torification measures.intrigeri
2012-11-11Allow redirecting DNS requests to Tor for specific users or globally.intrigeri