From 1337a268ffbd195ca40d59ebd24bb199b99ffc66 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Apr 2009 18:43:06 -0400 Subject: add http://shorewall.net/shorewall_extension_scripts.htm extension_script define --- manifests/init.pp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index 7c3089b..b022cd6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,6 +7,7 @@ # at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall # # Changes: +# * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm # * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and # adjust CONFIG_PATH # * remove shorewall- prefix from defines in the shorewall namespace @@ -17,7 +18,7 @@ # * add managing for masq, proxyarp, blacklist, nat, rfc1918 # adapted by immerda project group - admin+puppet(at)immerda.ch # adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch -# +# adapted by Riseup Networks - micah(shift+2)riseup.net modules_dir { "shorewall": } @@ -201,6 +202,20 @@ class shorewall { } } + # See http://shorewall.net/shorewall_extension_scripts.htm + define extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + managed_file { "${name}": } + entry { "${name}.d/500-${hostname}": + line => "${script}\n"; + } + } + '', default: { + err("${name}: unknown shorewall extension script") + } + } + } } class shorewall::base { -- cgit v1.2.3 From 7633322b490c02e2ba44faa1a0fd534577df6d82 Mon Sep 17 00:00:00 2001 
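Review bot: `err("${name}: unknown shorewall extension script")` in the default branch of extension_script only logs; the catalog still applies with no resources declared for the bad name, so a misspelled hook title is silently dropped. Use `fail("${name}: unknown shorewall extension script")` so the run aborts, and drop the redundant `''` label, since a resource title is never empty. Two things worth a comment on the define: `$script` is written verbatim into `${name}.d/500-${hostname}` and is later sourced by shorewall itself at that hook point (with the privileges shorewall runs under), so the value must only ever come from trusted manifest data, never from node-supplied facts or external input; and the entry define elsewhere on this page already appends a newline via `content => "${line}\n"`, so `line => "${script}\n"` leaves a blank trailing line in every fragment.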
From: Micah Anderson Date: Tue, 7 Apr 2009 18:47:08 -0400 Subject: add extension script headers and footers --- files/boilerplate/clear.footer | 1 + files/boilerplate/clear.header | 13 +++++++++++++ files/boilerplate/continue.footer | 1 + files/boilerplate/continue.header | 14 ++++++++++++++ files/boilerplate/init.footer | 1 + files/boilerplate/init.header | 13 +++++++++++++ files/boilerplate/initdone.footer | 1 + files/boilerplate/initdone.header | 14 ++++++++++++++ files/boilerplate/maclog.footer | 14 ++++++++++++++ files/boilerplate/maclog.header | 14 ++++++++++++++ files/boilerplate/start.footer | 14 ++++++++++++++ files/boilerplate/start.header | 12 ++++++++++++ files/boilerplate/started.footer | 14 ++++++++++++++ files/boilerplate/started.header | 20 ++++++++++++++++++++ files/boilerplate/stop.footer | 14 ++++++++++++++ files/boilerplate/stop.header | 13 +++++++++++++ files/boilerplate/stopped.footer | 14 ++++++++++++++ files/boilerplate/stopped.header | 13 +++++++++++++ 18 files changed, 200 insertions(+) create mode 100644 files/boilerplate/clear.footer create mode 100644 files/boilerplate/clear.header create mode 100644 files/boilerplate/continue.footer create mode 100644 files/boilerplate/continue.header create mode 100644 files/boilerplate/init.footer create mode 100644 files/boilerplate/init.header create mode 100644 files/boilerplate/initdone.footer create mode 100644 files/boilerplate/initdone.header create mode 100644 files/boilerplate/maclog.footer create mode 100644 files/boilerplate/maclog.header create mode 100644 files/boilerplate/start.footer create mode 100644 files/boilerplate/start.header create mode 100644 files/boilerplate/started.footer create mode 100644 files/boilerplate/started.header create mode 100644 files/boilerplate/stop.footer create mode 100644 files/boilerplate/stop.header create mode 100644 files/boilerplate/stopped.footer create mode 100644 files/boilerplate/stopped.header 
diff --git a/files/boilerplate/clear.footer b/files/boilerplate/clear.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/clear.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/clear.header b/files/boilerplate/clear.header new file mode 100644 index 0000000..6a39b0b --- /dev/null +++ b/files/boilerplate/clear.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Clear +# +# /etc/shorewall/stop +# +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/continue.footer b/files/boilerplate/continue.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/continue.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/continue.header b/files/boilerplate/continue.header new file mode 100644 index 0000000..d2ee48a --- /dev/null +++ b/files/boilerplate/continue.header @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Continue File +# +# /etc/shorewall/continue +# +# Add commands below that you want to be executed after shorewall has +# cleared any existing Netfilter rules and has enabled existing +# connections. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### + diff --git a/files/boilerplate/init.footer b/files/boilerplate/init.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/init.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE 
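Review bot: clear.header describes the wrong hook: its path line reads `# /etc/shorewall/stop` and the text says the commands run at the beginning of a "shorewall stop" command, although this is the Clear boilerplate; the same copy-and-paste problem appears in maclog.header further down, whose path line says `# /etc/shorewall/start`. clear.header (and stop.header and stopped.header later in this commit) also end with the `#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE` marker even though a matching .footer carries it, so in the concatenated file the marker lands above the entries rather than after them; it should be removed from the headers. Minor typos in the same set of files: "speciied" in maclog.header and "perminent" in initdone.header.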
diff --git a/files/boilerplate/init.header b/files/boilerplate/init.header new file mode 100644 index 0000000..cbb0393 --- /dev/null +++ b/files/boilerplate/init.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Init File +# +# /etc/shorewall/init +# +# Add commands below that you want to be executed at the beginning of +# a "shorewall start" or "shorewall restart" command. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### + diff --git a/files/boilerplate/initdone.footer b/files/boilerplate/initdone.footer new file mode 100644 index 0000000..662ac1c --- /dev/null +++ b/files/boilerplate/initdone.footer @@ -0,0 +1 @@ +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/initdone.header b/files/boilerplate/initdone.header new file mode 100644 index 0000000..9252a3b --- /dev/null +++ b/files/boilerplate/initdone.header @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Initdone File +# +# /etc/shorewall/initdone +# +# Add commands below that you want to be executed during +# "shorewall start" or "shorewall restart" commands at the point where +# Shorewall has not yet added any perminent rules to the builtin chains. +# +# For additional information, see +# http://shorewall.net/shorewall_extension_scripts.htm +# +############################################################################### + diff --git a/files/boilerplate/maclog.footer b/files/boilerplate/maclog.footer new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/maclog.footer 
@@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/maclog.header b/files/boilerplate/maclog.header new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/maclog.header @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/start.footer b/files/boilerplate/start.footer new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/start.footer 
@@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/start.header b/files/boilerplate/start.header new file mode 100644 index 0000000..689dff1 --- /dev/null +++ b/files/boilerplate/start.header @@ -0,0 +1,12 @@ +# +# Shorewall version 4 - Start File +# +# /etc/shorewall/start +# +# Add commands below that you want to be executed after shorewall has +# been started or restarted. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/started.footer b/files/boilerplate/started.footer new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/started.footer @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### 
diff --git a/files/boilerplate/started.header b/files/boilerplate/started.header new file mode 100644 index 0000000..b7704db --- /dev/null +++ b/files/boilerplate/started.header @@ -0,0 +1,20 @@ +# +# Shorewall version 4 - Started File +# +# /etc/shorewall/started +# +# Add commands below that you want to be executed after shorewall has +# been completely started or restarted. The difference between this +# extension script and /etc/shorewall/start is that this one is invoked +# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and +# after the 'shorewall' chain has been created (thus signaling that the +# firewall is completely up). +# +# This script should not change the firewall configuration directly but +# may do so indirectly by running /sbin/shorewall with the 'nolock' +# option. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/stop.footer b/files/boilerplate/stop.footer new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/stop.footer @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/stop.header b/files/boilerplate/stop.header new file mode 100644 index 0000000..0088abe --- /dev/null +++ b/files/boilerplate/stop.header 
@@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Stop File +# +# /etc/shorewall/stop +# +# Add commands below that you want to be executed at the beginning of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE diff --git a/files/boilerplate/stopped.footer b/files/boilerplate/stopped.footer new file mode 100644 index 0000000..b0c382a --- /dev/null +++ b/files/boilerplate/stopped.footer @@ -0,0 +1,14 @@ +# +# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) +# +# /etc/shorewall/start +# +# Add commands below that you want executed while mac filtering rules are +# being created. These will be executed once for each interface having +# 'maclist' speciied and it is invoked just before the logging rule is +# added to the current chain (the name of that chain will be in $CHAIN) +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### diff --git a/files/boilerplate/stopped.header b/files/boilerplate/stopped.header new file mode 100644 index 0000000..438e5e0 --- /dev/null +++ b/files/boilerplate/stopped.header @@ -0,0 +1,13 @@ +# +# Shorewall version 4 - Stopped File +# +# /etc/shorewall/stopped +# +# Add commands below that you want to be executed at the completion of a +# "shorewall stop" command. +# +# See http://shorewall.net/shorewall_extension_scripts.htm for additional +# information. +# +############################################################################### +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE -- cgit v1.2.3 From ec529be6e985ea1fcd835069d1ef48680e0a980d Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 7 Apr 2009 22:07:02 -0400 Subject: replace footers with actual footers, previous addition accidentally added them as headers --- files/boilerplate/maclog.footer | 15 +-------------- files/boilerplate/start.footer | 15 +-------------- files/boilerplate/started.footer | 15 +-------------- files/boilerplate/stop.footer | 15 +-------------- files/boilerplate/stopped.footer | 15 +-------------- 5 files changed, 5 insertions(+), 70 deletions(-) diff --git a/files/boilerplate/maclog.footer b/files/boilerplate/maclog.footer index b0c382a..5e12d1d 100644 --- a/files/boilerplate/maclog.footer +++ b/files/boilerplate/maclog.footer @@ -1,14 +1 @@ -# -# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) -# -# /etc/shorewall/start -# -# Add commands below that you want executed while mac filtering rules are -# being created. These will be executed once for each interface having -# 'maclist' speciied and it is invoked just before the logging rule is -# added to the current chain (the name of that chain will be in $CHAIN) -# -# See http://shorewall.net/shorewall_extension_scripts.htm for additional -# information. -# -############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/start.footer b/files/boilerplate/start.footer index b0c382a..5e12d1d 100644 --- a/files/boilerplate/start.footer +++ b/files/boilerplate/start.footer 
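Review bot: The replacement footer line `#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE` differs in wording from the footers added two commits earlier for clear, continue, init and initdone (`#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE`); the start, started, stop and stopped footer hunks that follow use the new wording too. Either form is only a comment as far as shorewall is concerned, but one wording across all nine footers keeps the generated files consistent and easier to diff.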
@@ -1,14 +1 @@ -# -# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) -# -# /etc/shorewall/start -# -# Add commands below that you want executed while mac filtering rules are -# being created. These will be executed once for each interface having -# 'maclist' speciied and it is invoked just before the logging rule is -# added to the current chain (the name of that chain will be in $CHAIN) -# -# See http://shorewall.net/shorewall_extension_scripts.htm for additional -# information. -# -############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/started.footer b/files/boilerplate/started.footer index b0c382a..5e12d1d 100644 --- a/files/boilerplate/started.footer +++ b/files/boilerplate/started.footer @@ -1,14 +1 @@ -# -# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) -# -# /etc/shorewall/start -# -# Add commands below that you want executed while mac filtering rules are -# being created. These will be executed once for each interface having -# 'maclist' speciied and it is invoked just before the logging rule is -# added to the current chain (the name of that chain will be in $CHAIN) -# -# See http://shorewall.net/shorewall_extension_scripts.htm for additional -# information. -# -############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/stop.footer b/files/boilerplate/stop.footer index b0c382a..5e12d1d 100644 --- a/files/boilerplate/stop.footer +++ b/files/boilerplate/stop.footer 
@@ -1,14 +1 @@ -# -# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) -# -# /etc/shorewall/start -# -# Add commands below that you want executed while mac filtering rules are -# being created. These will be executed once for each interface having -# 'maclist' speciied and it is invoked just before the logging rule is -# added to the current chain (the name of that chain will be in $CHAIN) -# -# See http://shorewall.net/shorewall_extension_scripts.htm for additional -# information. -# -############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/stopped.footer b/files/boilerplate/stopped.footer index b0c382a..5e12d1d 100644 --- a/files/boilerplate/stopped.footer +++ b/files/boilerplate/stopped.footer @@ -1,14 +1 @@ -# -# Shorewall version 4 - Maclog File (Added in Shorewall version 3.2.5) -# -# /etc/shorewall/start -# -# Add commands below that you want executed while mac filtering rules are -# being created. These will be executed once for each interface having -# 'maclist' speciied and it is invoked just before the logging rule is -# added to the current chain (the name of that chain will be in $CHAIN) -# -# See http://shorewall.net/shorewall_extension_scripts.htm for additional -# information. -# -############################################################################### +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -- cgit v1.2.3 From 6ebd2895679be6e18595464067fb267ab2d100e0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 21 Aug 2009 17:47:17 -0300 Subject: Changing 'modules_dir' to 'module_dir' --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index b022cd6..8d60cf5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -20,7 +20,7 @@ # adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch # adapted by Riseup Networks - micah(shift+2)riseup.net -modules_dir { "shorewall": } +module_dir { "shorewall": } class shorewall { -- cgit v1.2.3 From 5aca8c2eaa54726ad0d4e643a50dc6a8ad9a5a97 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 23 Aug 2009 01:21:33 -0300 Subject: Using entries in the form of order-title Using entries in the form of order-title instead of order-name. As happen in cases such as hosts defined as 'eth0:0.0.0.0/0', the '/' will make the first portion to be understood as a folder. Making use of the resource title as part of the file name and leaving the resource name to the content can prevent this error. --- manifests/init.pp | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 8d60cf5..c93b260 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -71,7 +71,7 @@ class shorewall { managed_file{ zones: } define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${name}": + entry { "zones.d/${order}-${title}": line => "${real_name} ${type} ${options} ${in} ${out}" } } @@ -101,7 +101,7 @@ class shorewall { } } - entry { "interfaces.d/${order}-${name}": + entry { "interfaces.d/${order}-${title}": line => "${zone} ${name} ${broadcast} ${options_real}", } } @@ -109,7 +109,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Hosts managed_file { hosts: } define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${name}": + entry { "hosts.d/${order}-${title}": line => "${zone} ${name} ${options}" } } 
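Review bot: Switching the entry path to `${order}-${title}` only avoids the '/'-as-directory problem when the caller gives a title different from the name; by default `$title` and `$name` are identical, so a declaration such as `host { 'eth0:0.0.0.0/0': ... }` still yields a path with a directory component and the file lands somewhere other than the .d directory. The defines in this hunk (zone, interfaces, host) and those in the policy, rule_section, rule, masq, proxyarp, nat, blacklist, rfc1918, routestopped and params hunks that follow should say so, e.g. `# title must be filesystem-safe (no '/'); pass values such as 'eth0:0.0.0.0/0' via name =>`. A `fail()` guard when the title contains '/' would turn the silent misplacement into a catalog error, but the entry define that would host it is not part of this commit.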
@@ -117,7 +117,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Policy managed_file { policy: } define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${name}": + entry { "policy.d/${order}-${title}": line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } } @@ -125,7 +125,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Rules managed_file { rules: } define rule_section($order) { - entry { "rules.d/${order}-${name}": + entry { "rules.d/${order}-${title}": line => "SECTION ${name}", } } @@ -134,7 +134,7 @@ class shorewall { $destinationport = '-', $sourceport = '-', $originaldest = '-', $ratelimit = '-', $user = '-', $mark = '', $order) { - entry { "rules.d/${order}-${name}": + entry { "rules.d/${order}-${title}": line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", } } @@ -145,7 +145,7 @@ class shorewall { # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${name}": + entry { "masq.d/${order}-${title}": line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" } } @@ -153,7 +153,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp managed_file { proxyarp: } define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${name}": + entry { "proxyarp.d/${order}-${title}": line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" } } 
@@ -161,7 +161,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#NAT managed_file { nat: } define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${name}": + entry { "nat.d/${order}-${title}": line => "${name} ${interface} ${internal} ${all} ${local}" } } @@ -169,7 +169,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist managed_file { blacklist: } define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${name}": + entry { "blacklist.d/${order}-${title}": line => "${name} ${proto} ${port}", } } @@ -177,7 +177,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 managed_file { rfc1918: } define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${name}": + entry { "rfc1918.d/${order}-${title}": line => "${name} ${action}" } } @@ -189,7 +189,7 @@ class shorewall { '' => $name, default => $interface, } - entry { "routestopped.d/${order}-${name}": + entry { "routestopped.d/${order}-${title}": line => "${real_interface} ${host} ${options}", } } @@ -197,7 +197,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Variables managed_file { params: } define params($value, $order='100'){ - entry { "params.d/${order}-${name}": + entry { "params.d/${order}-${title}": line => "${name}=${value}", } } -- cgit v1.2.3 From 5348aafd849d59887051514a004b3c2d4730c8b3 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Aug 2009 11:28:25 -0300 Subject: Adding traffic shapping support via tcdevices, tcrules and tcclasses --- manifests/init.pp | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index c93b260..84ce030 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -202,6 +202,30 @@ class shorewall { } } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcdevices: } + define tcdevices($in_bandwidth, $out_bandwidth, $order='100'){ + entry { "tcdevices.d/${order}-${title}": + line => "${name} ${in_bandwidth} ${out_bandwidth}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcrules: } + define tcrules($source, $destination, $protocol, $ports , $order='1'){ + entry { "tcrules.d/${order}-${title}": + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcclasses: } + define tcclasses($rate, $ceil, $priority, $options , $order='1'){ + entry { "tcclasses.d/${order}-${title}": + line => "${name} ${order} ${rate} ${ceil} ${priority} ${options}", + } + } + # See http://shorewall.net/shorewall_extension_scripts.htm define extension_script($script = '') { case $name { -- cgit v1.2.3 From eda4f69cce2f2cd62f3288bdee9d8459c4673ce9 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Aug 2009 15:24:14 -0300 Subject: Adding boilerplate files and minor fixes --- files/boilerplate/tcclasses.footer | 1 + files/boilerplate/tcclasses.header | 9 +++++++++ files/boilerplate/tcdevices.footer | 1 + files/boilerplate/tcdevices.header | 10 ++++++++++ files/boilerplate/tcrules.footer | 1 + files/boilerplate/tcrules.header | 15 +++++++++++++++ manifests/init.pp | 12 ++++++------ 7 files changed, 43 insertions(+), 6 deletions(-) create mode 100644 files/boilerplate/tcclasses.footer create mode 100644 files/boilerplate/tcclasses.header create mode 100644 files/boilerplate/tcdevices.footer create mode 100644 files/boilerplate/tcdevices.header create mode 100644 files/boilerplate/tcrules.footer create mode 100644 files/boilerplate/tcrules.header diff --git a/files/boilerplate/tcclasses.footer b/files/boilerplate/tcclasses.footer new file mode 100644 index 0000000..5e12d1d 
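Review bot: In tcrules and tcclasses the `$order` parameter does double duty: it orders the fragment file (`tcrules.d/${order}-${title}`) and is also emitted as the first column of the line (`${order} ${source} ${destination} ...`), which in a tcrules file is the MARK value and in tcclasses the class number. With the default `$order='1'` every rule declared without an explicit order is assigned mark 1, and a caller who needs a specific mark is forced to accept it as the concatenation position as well. A separate parameter keeps the two concerns apart, e.g. `define tcrules($source, $destination, $protocol, $ports, $mark, $order='100'){` with `line => "# ${name}\n${mark} ${source} ${destination} ${protocol} ${ports}",`; the later hunk that adds `$client_ports` keeps the same conflation.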
--- /dev/null +++ b/files/boilerplate/tcclasses.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header new file mode 100644 index 0000000..025415b --- /dev/null +++ b/files/boilerplate/tcclasses.header @@ -0,0 +1,9 @@ +# +# Shorewall version 4 - Tcclasses File +# +# For information about entries in this file, type "man shorewall-tcclasses" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS diff --git a/files/boilerplate/tcdevices.footer b/files/boilerplate/tcdevices.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcdevices.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header new file mode 100644 index 0000000..fe7c3d1 --- /dev/null +++ b/files/boilerplate/tcdevices.header @@ -0,0 +1,10 @@ +# +# Shorewall version 4 - Tcdevices File +# +# For information about entries in this file, type "man shorewall-tcdevices" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED +#INTERFACE INTERFACES diff --git a/files/boilerplate/tcrules.footer b/files/boilerplate/tcrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcrules.header b/files/boilerplate/tcrules.header new file mode 100644 index 0000000..e0e7adc --- /dev/null +++ b/files/boilerplate/tcrules.header 
@@ -0,0 +1,15 @@ +# +# Shorewall version 4 - Tcrules File +# +# For information about entries in this file, type "man shorewall-tcrules" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +###################################################################################################################### +#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) PORT(S) + diff --git a/manifests/init.pp b/manifests/init.pp index 84ce030..20093e9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -204,25 +204,25 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $order='100'){ + define tcdevices($in_bandwidth, $out_bandwidth, $options = '-', $redirected_interfaces = '', $order='100'){ entry { "tcdevices.d/${order}-${title}": - line => "${name} ${in_bandwidth} ${out_bandwidth}", + line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", } } # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcrules: } - define tcrules($source, $destination, $protocol, $ports , $order='1'){ + define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '-', $order='1'){ entry { "tcrules.d/${order}-${title}": - line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports}", + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", } } # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcclasses: } - define tcclasses($rate, $ceil, $priority, $options , $order='1'){ + define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ entry { "tcclasses.d/${order}-${title}": - line => "${name} ${order} ${rate} ${ceil} ${priority} ${options}", + line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", } } -- cgit v1.2.3 From 1c75011f2509264f5e0a4afbad811470d77099ae Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Aug 2009 16:04:00 -0300 Subject: Changing default values for some traffic shapping defintions / updating changelog --- manifests/init.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 20093e9..c083dd0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -7,6 +7,7 @@ # at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall # # Changes: +# * added support for traffic shapping: http://www.shorewall.net/traffic_shaping.htm # * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm # * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and # adjust CONFIG_PATH @@ -204,7 +205,7 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $options = '-', $redirected_interfaces = '', $order='100'){ + define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ entry { "tcdevices.d/${order}-${title}": line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", } @@ -212,7 +213,7 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcrules: } - define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '-', $order='1'){ + define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ entry { "tcrules.d/${order}-${title}": line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", } -- cgit v1.2.3 From 1b9d7e2942508c7c27c61eb10ffadee322ca40a9 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Aug 2009 10:00:54 -0300 Subject: Subscribing service shorewall to tcdevices, tcrules and tcclasses files --- manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/init.pp b/manifests/init.pp index c083dd0..321d598 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
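Review bot: Changing the tcdevices default for `$options` from `'-'` to `''` breaks column alignment whenever `$redirected_interfaces` is set: the line is built as `${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}` and shorewall splits columns on whitespace, so an empty OPTIONS column shifts the redirected interfaces into the OPTIONS position. The `'-'` placeholder the previous commit used is the column-safe default for any non-final column. The `$client_ports` change in tcrules is harmless only because it is currently the last column; the same shift would appear if a further column is ever appended after it.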
@@ -284,7 +284,10 @@ class shorewall::base {
 Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
 Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
 Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
- Exec["concat_/var/lib/puppet/modules/shorewall/params"]
+ Exec["concat_/var/lib/puppet/modules/shorewall/params"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"],
+ Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"],
 ],
 require => Package[shorewall],
 }
-- cgit v1.2.3
From e7fea248ab907913685639dcd2d496bfa02149cf Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 14 Sep 2009 09:47:41 -0400
Subject: fix formatting to be the standard indentations according to the emacs/vim puppet modes
---
 manifests/init.pp | 518 +++++++++++++++++++++++++++---------------------------
 1 file changed, 259 insertions(+), 259 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 321d598..4e44547 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
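Review bot: The subscribe list now covers the three traffic-shaping targets but still none of the files that `extension_script` builds through `managed_file` (init, start, stop and the rest), so a changed extension script does not restart the service. Those resources only exist when the define is used, which is presumably why they cannot be listed here; a comment such as `# extension_script targets are not listed: they only exist when that define is used` above the list would record the omission, and the restart could instead be wired from inside `extension_script`. The service resource this list belongs to starts before the hunk.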
@@ -25,288 +25,288 @@ module_dir { "shorewall": } class shorewall { - case $operatingsystem { - gentoo: { include shorewall::gentoo } - debian: { include shorewall::debian } - default: { include shorewall::base } - } + case $operatingsystem { + gentoo: { include shorewall::gentoo } + debian: { include shorewall::debian } + default: { include shorewall::base } + } + + file { + "/var/lib/puppet/modules/shorewall": + ensure => directory, + force => true, + mode => 0755, owner => root, group => 0; + } + # private + define managed_file () { + $dir = "/var/lib/puppet/modules/shorewall/${name}.d" + concatenated_file { "/var/lib/puppet/modules/shorewall/$name": + dir => $dir, + mode => 0600, + } file { - "/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - mode => 0755, owner => root, group => 0; + "${dir}/000-header": + source => "puppet://$server/shorewall/boilerplate/${name}.header", + mode => 0600, owner => root, group => 0, + notify => Exec["concat_${dir}"]; + "${dir}/999-footer": + source => "puppet://$server/shorewall/boilerplate/${name}.footer", + mode => 0600, owner => root, group => 0, + notify => Exec["concat_${dir}"]; } - - # private - define managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, - } - file { - "${dir}/000-header": - source => "puppet://$server/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet://$server/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - } - } - - # private - define entry ($line) { - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } - } - - # See 
http://www.shorewall.net/3.0/Documentation.htm#Zones - managed_file{ zones: } - define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${title}": - line => "${real_name} ${type} ${options} ${in} ${out}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - managed_file{ interfaces: } - define interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $rfc1918 = false, - $dhcp = false, - $order = 100 - ) - { - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } - } - - entry { "interfaces.d/${order}-${title}": - line => "${zone} ${name} ${broadcast} ${options_real}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - managed_file { hosts: } - define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${title}": - line => "${zone} ${name} ${options}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - managed_file { policy: } - define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${title}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Rules - managed_file { rules: } - define rule_section($order) { - entry { "rules.d/${order}-${title}": - line => "SECTION ${name}", - } - } - # mark is new in 3.4.4 - define rule($action, $source, $destination, $proto = '-', - $destinationport = '-', $sourceport = '-', $originaldest = '-', - $ratelimit = '-', $user = '-', $mark = '', $order) - { - entry { 
"rules.d/${order}-${title}": - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Masq - managed_file{ masq: } - # mark is new in 3.4.4 - # source (= subnet) = Set of hosts that you wish to masquerade. - # address = If you specify an address here, SNAT will be used and this will be the source address. - define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${title}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - managed_file { proxyarp: } - define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${title}": - line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - managed_file { nat: } - define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${title}": - line => "${name} ${interface} ${internal} ${all} ${local}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - managed_file { blacklist: } - define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${title}": - line => "${name} ${proto} ${port}", - } + } + + # private + define entry ($line) { + $target = "/var/lib/puppet/modules/shorewall/${name}" + $dir = dirname($target) + file { $target: + content => "${line}\n", + mode => 0600, owner => root, group => 0, + notify => Exec["concat_${dir}"], + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + managed_file{ zones: } + define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { + 
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } + entry { "zones.d/${order}-${title}": + line => "${real_name} ${type} ${options} ${in} ${out}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + managed_file{ interfaces: } + define interface( + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $rfc1918 = false, + $dhcp = false, + $order = 100 + ) + { + if $rfc1918 { + if $dhcp { + $options_real = "${options},dhcp" + } else { + $options_real = $options } - - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - managed_file { rfc1918: } - define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${title}": - line => "${name} ${action}" - } + } else { + if $dhcp { + $options_real = "${options},norfc1918,dhcp" + } else { + $options_real = "${options},norfc1918" + } } - - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - managed_file { routestopped: } - define routestopped($interface = '', $host = '-', $options = '', $order='100') { - $real_interface = $interface ? 
{ - '' => $name, - default => $interface, - } - entry { "routestopped.d/${order}-${title}": - line => "${real_interface} ${host} ${options}", - } + + entry { "interfaces.d/${order}-${title}": + line => "${zone} ${name} ${broadcast} ${options_real}", } - - # See http://www.shorewall.net/3.0/Documentation.htm#Variables - managed_file { params: } - define params($value, $order='100'){ - entry { "params.d/${order}-${title}": - line => "${name}=${value}", - } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + managed_file { hosts: } + define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { + entry { "hosts.d/${order}-${title}": + line => "${zone} ${name} ${options}" } - - # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ - entry { "tcdevices.d/${order}-${title}": - line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", - } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + managed_file { policy: } + define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { + entry { "policy.d/${order}-${title}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } - - # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcrules: } - define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ - entry { "tcrules.d/${order}-${title}": - line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", - } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + managed_file { rules: } + define rule_section($order) { + entry { "rules.d/${order}-${title}": + line => "SECTION ${name}", } - - # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcclasses: } - 
define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ - entry { "tcclasses.d/${order}-${title}": - line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", - } + } + # mark is new in 3.4.4 + define rule($action, $source, $destination, $proto = '-', + $destinationport = '-', $sourceport = '-', $originaldest = '-', + $ratelimit = '-', $user = '-', $mark = '', $order) + { + entry { "rules.d/${order}-${title}": + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", } + } - # See http://shorewall.net/shorewall_extension_scripts.htm - define extension_script($script = '') { - case $name { - 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { - managed_file { "${name}": } - entry { "${name}.d/500-${hostname}": - line => "${script}\n"; - } - } - '', default: { - err("${name}: unknown shorewall extension script") + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + managed_file{ masq: } + # mark is new in 3.4.4 + # source (= subnet) = Set of hosts that you wish to masquerade. + # address = If you specify an address here, SNAT will be used and this will be the source address. 
+ define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { + entry { "masq.d/${order}-${title}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + managed_file { proxyarp: } + define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { + entry { "proxyarp.d/${order}-${title}": + line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#NAT + managed_file { nat: } + define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { + entry { "nat.d/${order}-${title}": + line => "${name} ${interface} ${internal} ${all} ${local}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + managed_file { blacklist: } + define blacklist($proto = '-', $port = '-', $order='100') { + entry { "blacklist.d/${order}-${title}": + line => "${name} ${proto} ${port}", + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + managed_file { rfc1918: } + define rfc1918($action = 'logdrop', $order='100') { + entry { "rfc1918.d/${order}-${title}": + line => "${name} ${action}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + managed_file { routestopped: } + define routestopped($interface = '', $host = '-', $options = '', $order='100') { + $real_interface = $interface ? 
{ + '' => $name, + default => $interface, + } + entry { "routestopped.d/${order}-${title}": + line => "${real_interface} ${host} ${options}", + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Variables + managed_file { params: } + define params($value, $order='100'){ + entry { "params.d/${order}-${title}": + line => "${name}=${value}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcdevices: } + define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ + entry { "tcdevices.d/${order}-${title}": + line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcrules: } + define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ + entry { "tcrules.d/${order}-${title}": + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcclasses: } + define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ + entry { "tcclasses.d/${order}-${title}": + line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", + } + } + + # See http://shorewall.net/shorewall_extension_scripts.htm + define extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + managed_file { "${name}": } + entry { "${name}.d/500-${hostname}": + line => "${script}\n"; } } + '', default: { + err("${name}: unknown shorewall extension script") + } } + } } class shorewall::base { + + package { 'shorewall': + ensure => present, + } - package { 'shorewall': - ensure => present, - } - - # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS 
specific defaults, but use Default if no other is found - source => [ - "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", - "puppet://$server/files/shorewall/${fqdn}/shorewall.conf", - "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/files/shorewall/shorewall.conf", - "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/shorewall/shorewall.conf.Default" - ], - mode => 0644, owner => root, group => 0, - require => Package[shorewall], - notify => Service[shorewall], - } + # This file has to be managed in place, so shorewall can find it + file { "/etc/shorewall/shorewall.conf": + # use OS specific defaults, but use Default if no other is found + source => [ + "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", + "puppet://$server/files/shorewall/${fqdn}/shorewall.conf", + "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", + "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", + "puppet://$server/files/shorewall/shorewall.conf", + "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", + "puppet://$server/shorewall/shorewall.conf.$operatingsystem", + "puppet://$server/shorewall/shorewall.conf.Default" + ], + mode => 0644, owner => root, group => 0, + require => Package[shorewall], + notify => Service[shorewall], + } - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - subscribe => [ - Exec["concat_/var/lib/puppet/modules/shorewall/zones"], - Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"], - Exec["concat_/var/lib/puppet/modules/shorewall/hosts"], - Exec["concat_/var/lib/puppet/modules/shorewall/policy"], - 
Exec["concat_/var/lib/puppet/modules/shorewall/rules"], - Exec["concat_/var/lib/puppet/modules/shorewall/masq"], - Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"], - Exec["concat_/var/lib/puppet/modules/shorewall/nat"], - Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"], - Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"], - Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"], - Exec["concat_/var/lib/puppet/modules/shorewall/params"], - Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"], - Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"], - Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], - ], - require => Package[shorewall], - } + service{ shorewall: + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + subscribe => [ + Exec["concat_/var/lib/puppet/modules/shorewall/zones"], + Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"], + Exec["concat_/var/lib/puppet/modules/shorewall/hosts"], + Exec["concat_/var/lib/puppet/modules/shorewall/policy"], + Exec["concat_/var/lib/puppet/modules/shorewall/rules"], + Exec["concat_/var/lib/puppet/modules/shorewall/masq"], + Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"], + Exec["concat_/var/lib/puppet/modules/shorewall/nat"], + Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"], + Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"], + Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"], + Exec["concat_/var/lib/puppet/modules/shorewall/params"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], + ], + require => Package[shorewall], + } } class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package[shorewall]{ + category => 'net-firewall', + } } class shorewall::debian inherits shorewall::base { - 
file{'/etc/default/shorewall': - source => "puppet://$server/shorewall/debian/default", - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' - } + file{'/etc/default/shorewall': + source => "puppet://$server/shorewall/debian/default", + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, group => 0, mode => 0644; + } + Service['shorewall']{ + status => '/sbin/shorewall status' + } } -- cgit v1.2.3 From d39943732684a1e216419b65d86fed86566b1d83 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 14 Sep 2009 10:15:10 -0400 Subject: move debian/default from files to templates template out the startup value in the debian/default so that it can be specified in puppet make it possible to specify a different shorewall version if desired, default is to use 'present' add additional documentation and move copyright information up to the top --- files/debian/default | 24 ------------------------ manifests/init.pp | 47 ++++++++++++++++++++++++++++++++++++++--------- templates/debian/default | 25 +++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 33 deletions(-) delete mode 100644 files/debian/default create mode 100644 templates/debian/default diff --git a/files/debian/default b/files/debian/default deleted file mode 100644 index ba89cdc..0000000 --- a/files/debian/default +++ /dev/null 
@@ -1,24 +0,0 @@
-# prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall to start
-
-startup=1
-
-# if your Shorewall configuration requires detection of the ip address of a ppp
-# interface, you must list such interfaces in "wait_interface" to get Shorewall to
-# wait until the interface is configured. Otherwise the script will fail because
-# it won't be able to detect the IP address.
-#
-# Example:
-# wait_interface="ppp0"
-# or
-# wait_interface="ppp0 ppp1"
-# or, if you have defined in /etc/shorewall/params
-# wait_interface=
-
-#
-# Startup options
-#
-
-OPTIONS=""
-
-# EOF
diff --git a/manifests/init.pp b/manifests/init.pp
index 4e44547..444aa94 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,12 +1,37 @@
 #
 # modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x
 # Copyright (C) 2007 David Schmitt
+# adapted by immerda project group - admin+puppet(at)immerda.ch
+# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
+# Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net
 # See LICENSE for the full license granted to you.
 #
 # Based on the work of ADNET Ghislain from AQUEOS
 # at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall
 #
+#
+# If you need to install a specific version of shorewall other than
+# the default one that would be installed by 'ensure => present', then
+# you can set the following variable and that specific version will be
+# installed instead:
+#
+# $shorewall_ensure_version = "4.0.15-1"
+#
+# Debian specific settings:
+#
+# To set any of the following, simply set them as variables in y our manifests
+# before the class is included, for example:
+#
+# $shorewall_startboot = 1
+#
+# shorewall_startboot: specify if shorewall should be enabled at boot
+# valid options are: 1 (start at boot), 0 (do not start),
+# Default: 1 -> start at boot
+#
 # Changes:
+# * added Debian support to specify if shorewall should be enabled on boot or not
+# * added support for specifying shorewall package version
+# * updated indentation and formatting to standardize on puppet emacs/vim modes
 # * added support for traffic shapping: http://www.shorewall.net/traffic_shaping.htm
 # * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm
 # * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and
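Review bot: The new documentation block has a typo, `y our manifests`; the line should read `# To set any of the following, simply set them as variables in your manifests`, and the `valid options are:` line ends with a stray comma. It would also help to state here that `$shorewall_startboot` is only consulted by the Debian class and that a value other than 0 or 1 is written into /etc/default/shorewall unchanged, since the manifest only defaults it and does not check it.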
@@ -17,9 +42,6 @@
 # * add 000-header and 999-footer files for all managed_files
 # * added rule_section define and a few more parameters for rules
 # * add managing for masq, proxyarp, blacklist, nat, rfc1918
-# adapted by immerda project group - admin+puppet(at)immerda.ch
-# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch
-# adapted by Riseup Networks - micah(shift+2)riseup.net

 module_dir { "shorewall": }

@@ -244,11 +266,12 @@ class shorewall {
 }

 class shorewall::base {
-
+
+ if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' }
 package { 'shorewall':
- ensure => present,
+ ensure => $shorewall_ensure_version,
 }
-
+
 # This file has to be managed in place, so shorewall can find it
 file { "/etc/shorewall/shorewall.conf":
 # use OS specific defaults, but use Default if no other is found
@@ -300,13 +323,19 @@ class shorewall::gentoo inherits shorewall::base {
 }

 class shorewall::debian inherits shorewall::base {
- file{'/etc/default/shorewall':
- source => "puppet://$server/shorewall/debian/default",
+
+ # prepare variables to use in templates
+ case $shorewall_startboot {
+ '': { $shorewall_startboot = '1' }
+ }
+
+ file { '/etc/default/shorewall':
+ content => template("shorewall/debian/default"),
 require => Package['shorewall'],
 notify => Service['shorewall'],
 owner => root, group => 0, mode => 0644;
 }
- Service['shorewall']{
+ Service['shorewall'] {
 status => '/sbin/shorewall status'
 }
 }
diff --git a/templates/debian/default b/templates/debian/default
new file mode 100644
index 0000000..1aaad8c
--- /dev/null
+++ b/templates/debian/default
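Review bot: In the shorewall::debian hunk `$shorewall_startboot` is only defaulted, never checked, before the template writes it into /etc/default/shorewall as the right-hand side of `startup=`, a file that is presumably sourced as shell by the init script; the header comment added in the first hunk documents only 0 and 1 as valid. Extend the case so anything else stops the compile instead of landing in the file: `'': { $shorewall_startboot = '1' }`, `'0', '1': { }`, `default: { fail("shorewall_startboot must be 0 or 1, got '${shorewall_startboot}'") }`. The `== ''` defaulting of `$shorewall_ensure_version` in the preceding hunk follows the same pattern and would read more clearly as a case as well.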
@@ -0,0 +1,25 @@
+# prevent startup with default configuration
+# set the following varible to 1 in order to allow Shorewall to start
+
+
+startup=<%=shorewall_startboot -%>
+
+# if your Shorewall configuration requires detection of the ip address of a ppp
+# interface, you must list such interfaces in "wait_interface" to get Shorewall to
+# wait until the interface is configured. Otherwise the script will fail because
+# it won't be able to detect the IP address.
+#
+# Example:
+# wait_interface="ppp0"
+# or
+# wait_interface="ppp0 ppp1"
+# or, if you have defined in /etc/shorewall/params
+# wait_interface=
+
+#
+# Startup options
+#
+
+OPTIONS=""
+
+# EOF
-- cgit v1.2.3
From 4725d23ab0f03d6fffeb725741de870b3facb72a Mon Sep 17 00:00:00 2001
From: Jerome Charaoui
Date: Fri, 9 Oct 2009 10:59:17 -0400
Subject: modify service subscriptions to avoid needless restarts
---
 manifests/init.pp | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 444aa94..aa6eb61 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -296,21 +296,21 @@ class shorewall::base {
 hasstatus => true,
 hasrestart => true,
 subscribe => [
- Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
- Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
- Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
- Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
- Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
- Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
- Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
- Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
- Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
- Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
- Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
- Exec["concat_/var/lib/puppet/modules/shorewall/params"],
- Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"],
- Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"],
- Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"],
+ File["/var/lib/puppet/modules/shorewall/zones"],
+ File["/var/lib/puppet/modules/shorewall/interfaces"],
+ File["/var/lib/puppet/modules/shorewall/hosts"],
+ File["/var/lib/puppet/modules/shorewall/policy"],
+ File["/var/lib/puppet/modules/shorewall/rules"],
+ File["/var/lib/puppet/modules/shorewall/masq"],
+ File["/var/lib/puppet/modules/shorewall/proxyarp"],
+ File["/var/lib/puppet/modules/shorewall/nat"],
+ File["/var/lib/puppet/modules/shorewall/blacklist"],
+ File["/var/lib/puppet/modules/shorewall/rfc1918"],
+ File["/var/lib/puppet/modules/shorewall/routestopped"],
+ File["/var/lib/puppet/modules/shorewall/params"],
+ File["/var/lib/puppet/modules/shorewall/tcdevices"],
+ File["/var/lib/puppet/modules/shorewall/tcrules"],
+ File["/var/lib/puppet/modules/shorewall/tcclasses"],
 ],
 require => Package[shorewall],
 }
-- cgit v1.2.3
From 33df59d5016a503c21495eedcc4c9e3cabf9e28c Mon Sep 17 00:00:00 2001
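Review bot: The list now subscribes to `File[...]` resources that the external `concatenated_file` define is expected to declare for each target, which is not visible in this file; if that define ever stops declaring them the catalog fails to compile rather than merely skipping a restart, so a comment such as `# File resources are declared by concatenated_file (see managed_file)` above the list would record the dependency. The list also has to be kept in step with the `managed_file` declarations by hand, which is worth stating in the same comment. The enclosing service resource starts before the hunk.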
From: Micah Anderson
Date: Mon, 23 Nov 2009 14:25:01 -0500
Subject: switch to 0.25 module style source references
---
 manifests/init.pp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index aa6eb61..fbb8032 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -69,11 +69,11 @@ class shorewall {
 }
 file {
 "${dir}/000-header":
- source => "puppet://$server/shorewall/boilerplate/${name}.header",
+ source => "puppet://$server/modules/shorewall/boilerplate/${name}.header",
 mode => 0600, owner => root, group => 0,
 notify => Exec["concat_${dir}"];
 "${dir}/999-footer":
- source => "puppet://$server/shorewall/boilerplate/${name}.footer",
+ source => "puppet://$server/modules/shorewall/boilerplate/${name}.footer",
 mode => 0600, owner => root, group => 0,
 notify => Exec["concat_${dir}"];
 }
@@ -281,9 +281,9 @@ class shorewall::base {
 "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
 "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
 "puppet://$server/files/shorewall/shorewall.conf",
- "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/shorewall/shorewall.conf.Default"
+ "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$server/modules/shorewall/shorewall.conf.Default"
 ],
 mode => 0644, owner => root, group => 0,
 require => Package[shorewall],
-- cgit v1.2.3
From c49625a4cd14a53d91b7d12aea88201a211a26a2 Mon Sep 17 00:00:00 2001
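Review bot: The rewritten sources keep the `puppet://$server/...` host part although the commit moves to 0.25 module-style references; with 0.25 the host can be left empty, `puppet:///modules/shorewall/boilerplate/${name}.header`, so each agent uses the server it is configured for instead of a `$server` variable that has to come from elsewhere. The same applies to the three `modules/shorewall/shorewall.conf.*` entries in the second hunk. The `managed_file` define holding the first hunk and the file resource holding the second both start before their hunks.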
From: Micah Anderson
Date: Mon, 23 Nov 2009 15:48:18 -0500
Subject: switch the shorewall.conf source first hits to use the $fileserver/shorewall location. this enables you to put these files in your local fileserver area, without modifying the shorewall module. if you dont need to do this, then the shorewall module defaults will be used instead
---
 manifests/init.pp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index fbb8032..0bf0e9d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -276,11 +276,11 @@ class shorewall::base {
 file { "/etc/shorewall/shorewall.conf":
 # use OS specific defaults, but use Default if no other is found
 source => [
- "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
- "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/files/shorewall/shorewall.conf",
+ "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+ "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf",
+ "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$fileserver/shorewall/shorewall.conf",
 "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
 "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem",
 "puppet://$server/modules/shorewall/shorewall.conf.Default"
-- cgit v1.2.3
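Review bot: `$fileserver` becomes a new input to the module but, unlike `$shorewall_ensure_version` and `$shorewall_startboot`, it is not documented in the header comment, and when it is unset these five entries interpolate to `puppet:///shorewall/...`, a mount that may not exist on the server. Add an entry beside the other variables, e.g. `# $fileserver: host (empty for the default server) whose 'shorewall' mount holds site-specific shorewall.conf files; the module's own copies are used when none match`, and confirm that a source pointing at an unknown mount is skipped rather than failing the run, since the commit message relies on that fallback. The file resource's remaining attributes lie after the hunk.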