From c1c21b8114b0a7895716a99ccade13b338fb3c56 Mon Sep 17 00:00:00 2001 From: Matthias Imsand Date: Tue, 23 Nov 2010 18:32:45 +0100 Subject: add management for providers --- manifests/init.pp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'manifests/init.pp') diff --git a/manifests/init.pp b/manifests/init.pp index e9ba464..a5ed0af 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -49,4 +49,6 @@ class shorewall { shorewall::managed_file { routestopped: } # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } + # http://www.shorewall.net/manpages/shorewall-providers.html + shorewall::managed_file { providers: } } -- cgit v1.2.3 From 8dde08a3acbf2815e0cacdc4121f4f8fa2f6c0e5 Mon Sep 17 00:00:00 2001 From: Marcel Haerry Date: Thu, 4 Aug 2011 13:39:27 +0200 Subject: refactor things to use the concat module --- files/shorewall.conf | 2 +- files/shorewall.conf.Debian | 2 +- files/shorewall.conf.Debian.etch | 2 +- files/shorewall.conf.Gentoo | 2 +- files/shorewall.conf.Ubuntu.karmic | 2 +- manifests/base.pp | 26 ++++++++------------------ manifests/blacklist.pp | 2 +- manifests/entry.pp | 15 +++++++-------- manifests/host.pp | 2 +- manifests/init.pp | 9 --------- manifests/interface.pp | 2 +- manifests/managed_file.pp | 28 +++++++++++++--------------- manifests/masq.pp | 2 +- manifests/nat.pp | 2 +- manifests/params.pp | 2 +- manifests/policy.pp | 2 +- manifests/providers.pp | 2 +- manifests/proxyarp.pp | 2 +- manifests/rfc1918.pp | 2 +- manifests/routestopped.pp | 2 +- manifests/rule.pp | 8 ++++---- manifests/rule_section.pp | 2 +- manifests/zone.pp | 2 +- 23 files changed, 50 insertions(+), 72 deletions(-) (limited to 'manifests/init.pp') diff --git a/files/shorewall.conf b/files/shorewall.conf index 979e4ff..614e062 100644 --- a/files/shorewall.conf +++ b/files/shorewall.conf @@ -78,7 +78,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall MODULESDIR= -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Debian b/files/shorewall.conf.Debian index c348017..4d9b255 100644 --- a/files/shorewall.conf.Debian +++ b/files/shorewall.conf.Debian @@ -79,7 +79,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Debian.etch b/files/shorewall.conf.Debian.etch index e5c722d..5907945 100644 --- a/files/shorewall.conf.Debian.etch +++ b/files/shorewall.conf.Debian.etch @@ -77,7 +77,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Gentoo b/files/shorewall.conf.Gentoo index 7d8049d..b99f50c 100644 --- a/files/shorewall.conf.Gentoo +++ b/files/shorewall.conf.Gentoo @@ -77,7 +77,7 @@ SUBSYSLOCK="/var/lock/subsys/shorewall" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/files/shorewall.conf.Ubuntu.karmic b/files/shorewall.conf.Ubuntu.karmic index c348017..4d9b255 100644 --- a/files/shorewall.conf.Ubuntu.karmic +++ b/files/shorewall.conf.Ubuntu.karmic @@ -79,7 +79,7 @@ SUBSYSLOCK="" MODULESDIR= # add puppet delivered files in front -CONFIG_PATH=/var/lib/puppet/modules/shorewall:/etc/shorewall:/usr/share/shorewall +CONFIG_PATH=/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall RESTOREFILE= diff --git a/manifests/base.pp b/manifests/base.pp index c5ad790..c9fa660 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -4,9 +4,10 @@ class shorewall::base { } # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS specific defaults, but use Default if no other is found - source => [ + file { + '/etc/shorewall/shorewall.conf': + # use OS specific defaults, but use Default if no other is found + source => [ "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.$operatingsystem", "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", "puppet:///modules/site-shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", @@ -19,6 +20,10 @@ class shorewall::base { require => Package[shorewall], notify => Service[shorewall], owner => root, group => 0, mode => 0644; + '/etc/shorewall/puppet': + ensure => directory, + require => Package[shorewall], + owner => root, group => 0, mode => 0644; } service{shorewall: @@ -26,21 +31,6 @@ class shorewall::base { enable => true, hasstatus => true, hasrestart => true, - subscribe => [ - File["/var/lib/puppet/modules/shorewall/zones"], - File["/var/lib/puppet/modules/shorewall/interfaces"], - File["/var/lib/puppet/modules/shorewall/hosts"], - File["/var/lib/puppet/modules/shorewall/policy"], - File["/var/lib/puppet/modules/shorewall/rules"], - File["/var/lib/puppet/modules/shorewall/masq"], - File["/var/lib/puppet/modules/shorewall/proxyarp"], - File["/var/lib/puppet/modules/shorewall/nat"], - File["/var/lib/puppet/modules/shorewall/blacklist"], - File["/var/lib/puppet/modules/shorewall/rfc1918"], - File["/var/lib/puppet/modules/shorewall/routestopped"], - File["/var/lib/puppet/modules/shorewall/params"], - File["/var/lib/puppet/modules/shorewall/providers"], - ], require => Package[shorewall], } } diff --git a/manifests/blacklist.pp b/manifests/blacklist.pp index 3700ace..afbe216 100644 --- a/manifests/blacklist.pp +++ b/manifests/blacklist.pp @@ -3,7 +3,7 @@ define shorewall::blacklist( $port = '-', $order='100' ){ - shorewall::entry{"blacklist.d/${order}-${name}": + shorewall::entry{"blacklist-${order}-${name}": line => "${name} ${proto} ${port}", } } diff --git a/manifests/entry.pp b/manifests/entry.pp index 4e639bc..c8fffc7 100644 --- a/manifests/entry.pp +++ b/manifests/entry.pp @@ -2,12 +2,11 @@ define shorewall::entry( $ensure = present, $line ){ - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - ensure => $ensure, - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } + $parts = split($name,'-') + concat::fragment{$name: + ensure => $ensure, + content => "${line}\n", + order => $parts[1], + target => "/etc/shorewall/puppet/${parts[0]}", + } } diff --git a/manifests/host.pp b/manifests/host.pp index b431efe..f400223 100644 --- a/manifests/host.pp +++ b/manifests/host.pp @@ -3,7 +3,7 @@ define shorewall::host( $options = 'tcpflags,blacklist,norfc1918', $order='100' ){ - shorewall::entry{"hosts.d/${order}-${name}": + shorewall::entry{"hosts-${order}-${name}": line => "${zone} ${name} ${options}" } } diff --git a/manifests/init.pp b/manifests/init.pp index a5ed0af..2e68089 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,8 +1,5 @@ class shorewall { - include common::moduledir - module_dir { "shorewall": } - case $operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } @@ -19,12 +16,6 @@ class shorewall { } } - file {"/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - owner => root, group => 0, mode => 0755; - } - # See http://www.shorewall.net/3.0/Documentation.htm#Zones shorewall::managed_file{ zones: } # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces diff --git a/manifests/interface.pp b/manifests/interface.pp index 1cb5042..1716a7e 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -20,7 +20,7 @@ define shorewall::interface( } } - shorewall::entry { "interfaces.d/${order}-${name}": + shorewall::entry { "interfaces-${order}-${name}": line => "${zone} ${name} ${broadcast} ${options_real}", } } diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 548d6f6..2f02c51 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,17 +1,15 @@ define shorewall::managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, - } - file { - "${dir}/000-header": - source => "puppet:///modules/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet:///modules/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - } + concat{ "/etc/shorewall/puppet/$name": + notify => Service['shorewall'], + require => File['/etc/shorewall/puppet'], + owner => root, group => 0, mode => 0600; + } + concat::fragment { + "${name}-header": + source => "puppet:///modules/shorewall/boilerplate/${name}.header", + order => '000'; + "${name}-footer": + source => "puppet:///modules/shorewall/boilerplate/${name}.footer", + order => '999'; + } } diff --git a/manifests/masq.pp b/manifests/masq.pp index a9c9840..fb097e5 100644 --- a/manifests/masq.pp +++ b/manifests/masq.pp @@ -10,7 +10,7 @@ define shorewall::masq( $mark = '', $order='100' ){ - shorewall::entry{"masq.d/${order}-${name}": + shorewall::entry{"masq-${order}-${name}": line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" } } diff --git a/manifests/nat.pp b/manifests/nat.pp index e69c1c0..e29b784 100644 --- a/manifests/nat.pp +++ b/manifests/nat.pp @@ -5,7 +5,7 @@ define shorewall::nat( $local = 'yes', $order='100' ){ - shorewall::entry{"nat.d/${order}-${name}": + shorewall::entry{"nat-${order}-${name}": line => "${name} ${interface} ${internal} ${all} ${local}" } } diff --git a/manifests/params.pp b/manifests/params.pp index 0a1ae11..3bc5663 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,5 +1,5 @@ define shorewall::params($value, $order='100'){ - shorewall::entry{"params.d/${order}-${name}": + shorewall::entry{"params-${order}-${name}": line => "${name}=${value}", } } diff --git a/manifests/policy.pp b/manifests/policy.pp index cdaab71..efee05b 100644 --- a/manifests/policy.pp +++ b/manifests/policy.pp @@ -5,7 +5,7 @@ define shorewall::policy( $limitburst = '-', $order ){ - shorewall::entry{"policy.d/${order}-${name}": + shorewall::entry{"policy-${order}-${name}": line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } } diff --git a/manifests/providers.pp b/manifests/providers.pp index 860363e..a02a494 100644 --- a/manifests/providers.pp +++ b/manifests/providers.pp @@ -9,7 +9,7 @@ define shorewall::providers( $copy = '', $order='100' ){ - shorewall::entry{"providers.d/${order}-${name}": + shorewall::entry{"providers-${order}-${name}": line => "# ${name}\n${provider} ${number} ${mark} ${duplicate} ${interface} ${gateway} ${options} ${copy}" } } diff --git a/manifests/proxyarp.pp b/manifests/proxyarp.pp index 75c853b..1af554f 100644 --- a/manifests/proxyarp.pp +++ b/manifests/proxyarp.pp @@ -5,7 +5,7 @@ define shorewall::proxyarp( $persistent = no, $order='100' ){ - shorewall::entry{"proxyarp.d/${order}-${name}": + shorewall::entry{"proxyarp-${order}-${name}": line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" } } diff --git a/manifests/rfc1918.pp b/manifests/rfc1918.pp index 6c2719c..31dce5d 100644 --- a/manifests/rfc1918.pp +++ b/manifests/rfc1918.pp @@ -2,7 +2,7 @@ define shorewall::rfc1918( $action = 'logdrop', $order='100' ){ - shorewall::entry{"rfc1918.d/${order}-${name}": + shorewall::entry{"rfc1918-${order}-${name}": line => "${name} ${action}" } } diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index dab539c..0b53a1b 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -8,7 +8,7 @@ define shorewall::routestopped( '' => $name, default => $interface, } - shorewall::entry{"routestopped.d/${order}-${name}": + shorewall::entry{"routestopped-${order}-${name}": line => "${real_interface} ${host} ${options}", } } diff --git a/manifests/rule.pp b/manifests/rule.pp index 8394970..2fe91e2 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -13,8 +13,8 @@ define shorewall::rule( $mark = '', $order ){ - shorewall::entry{"rules.d/${order}-${name}": - ensure => $ensure, - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } + shorewall::entry{"rules-${order}-${name}": + ensure => $ensure, + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", + } } diff --git a/manifests/rule_section.pp b/manifests/rule_section.pp index a885eae..82984ca 100644 --- a/manifests/rule_section.pp +++ b/manifests/rule_section.pp @@ -1,7 +1,7 @@ define shorewall::rule_section( $order ){ - shorewall::entry{"rules.d/${order}-${name}": + shorewall::entry{"rules-${order}-${name}": line => "SECTION ${name}", } } diff --git a/manifests/zone.pp b/manifests/zone.pp index fa83b0b..81e5771 100644 --- a/manifests/zone.pp +++ b/manifests/zone.pp @@ -7,7 +7,7 @@ define shorewall::zone( $order = 100 ){ $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - shorewall::entry { "zones.d/${order}-${name}": + shorewall::entry { "zones-${order}-${name}": line => "${real_name} ${type} ${options} ${in} ${out}" } } -- cgit v1.2.3 From 793fbd299e0ad91238f432abc033a575e5b08525 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 22 Dec 2011 21:30:49 +0100 Subject: workaround for bug in C6 version --- manifests/centos.pp | 10 ++++++++++ manifests/init.pp | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 manifests/centos.pp (limited to 'manifests/init.pp') diff --git a/manifests/centos.pp b/manifests/centos.pp new file mode 100644 index 0000000..815e756 --- /dev/null +++ b/manifests/centos.pp @@ -0,0 +1,10 @@ +class shorewall::centos inherits shorewall::base { + if $lsbmajdistrelease == '6' { + # workaround for + # http://comments.gmane.org/gmane.comp.security.shorewall/26991 + file{'/etc/shorewall/params': + ensure => link, + target => '/etc/shorewall/puppet/params', + } + } +} \ No newline at end of file diff --git a/manifests/init.pp b/manifests/init.pp index 2e68089..7c62222 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -3,7 +3,7 @@ class shorewall { case $operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } - centos: { include shorewall::base } + centos: { include shorewall::centos } ubuntu: { case $lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } -- cgit v1.2.3 From 5f5482a2084029382a10058a287ff85c8c16c7ac Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 6 Jun 2012 01:19:34 -0300 Subject: fix for new style for 2.7 --- README | 111 ++++++++++++++++++++--------------------- manifests/base.pp | 16 +++--- manifests/centos.pp | 2 +- manifests/debian.pp | 22 ++++---- manifests/init.pp | 12 +++-- manifests/managed_file.pp | 12 ++--- manifests/routestopped.pp | 10 ++-- manifests/rules/jetty/http.pp | 2 +- manifests/rules/out/ibackup.pp | 9 ++-- manifests/rules/puppet.pp | 21 +++----- templates/debian_default.erb | 6 +-- 11 files changed, 103 insertions(+), 120 deletions(-) (limited to 'manifests/init.pp') diff --git a/README b/README index feac7fc..77a845c 100644 --- a/README +++ b/README @@ -21,8 +21,9 @@ Example Example from node.pp: node xy { - $shorewall_startup="0" # create shorewall ruleset but don't startup - include config::site-shorewall + class{'config::site_shorewall': + startup => "0" # create shorewall ruleset but don't startup + } shorewall::rule { 'incoming-ssh': source => 'all', destination => '$FW', action => 'SSH/ACCEPT', order => 200; 'incoming-puppetmaster': source => 'all', destination => '$FW', action => 'Puppetmaster/ACCEPT', order => 300; @@ -32,62 +33,60 @@ node xy { } -class config::site-shorewall { - include shorewall - - # If you want logging: - #shorewall::params { - # 'LOG': value => 'debug'; - # 'MAILSERVER': value => $shorewall_mailserver; - #} - - shorewall::zone {'net': - type => 'ipv4'; - } - - shorewall::rule_section { 'NEW': - order => 100; - } - - case $shorewall_rfc1918_maineth { - '': {$shorewall_rfc1918_maineth = true } - } - - case $shorewall_main_interface { - '': { $shorewall_main_interface = 'eth0' } - } - - shorewall::interface {"$shorewall_main_interface": - zone => 'net', - rfc1918 => $shorewall_rfc1918_maineth, - options => 'tcpflags,blacklist,nosmurfs'; - } - - shorewall::policy { - 'fw-to-fw': - sourcezone => '$FW', - destinationzone => '$FW', - policy => 'ACCEPT', - order => 100; - 'fw-to-net': - sourcezone => '$FW', - destinationzone => 'net', - policy => 'ACCEPT', - shloglevel => '$LOG', - order => 110; - 'net-to-fw': - sourcezone => 'net', - destinationzone => '$FW', - policy => 'DROP', - shloglevel => '$LOG', - order => 120; - } +class config::site_shorewall($startup = '1') { + class{'shorewall': + startup => $startup + } + + # If you want logging: + #shorewall::params { + # 'LOG': value => 'debug'; + #} + + shorewall::zone {'net': + type => 'ipv4'; + } + + shorewall::rule_section { 'NEW': + order => 100; + } + + $shorewall_main_interface hiera('shorewall_main_interface','eth0') + shorewall::interface { $shorewall_main_interface: + zone => 'net', + rfc1918 => hiera('shorewall_rfc1918_maineth',true) + options => 'tcpflags,blacklist,nosmurfs'; + } + + shorewall::policy { + 'fw-to-fw': + sourcezone => '$FW', + destinationzone => '$FW', + policy => 'ACCEPT', + order => 100; + 'fw-to-net': + sourcezone => '$FW', + destinationzone => 'net', + policy => 'ACCEPT', + shloglevel => '$LOG', + order => 110; + 'net-to-fw': + sourcezone => 'net', + destinationzone => '$FW', + policy => 'DROP', + shloglevel => '$LOG', + order => 120; + } - # default Rules : ICMP - shorewall::rule { 'allicmp-to-host': source => 'all', destination => '$FW', order => 200, action => 'AllowICMPs/ACCEPT'; - } - + # default Rules : ICMP + shorewall::rule { + 'allicmp-to-host': + source => 'all', + destination => '$FW', + order => 200, + action => 'AllowICMPs/ACCEPT'; + } } diff --git a/manifests/base.pp b/manifests/base.pp index d3fdec7..709f4b7 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -8,14 +8,14 @@ class shorewall::base { '/etc/shorewall/shorewall.conf': # use OS specific defaults, but use Default if no other is found source => [ - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf.${operatingsystem}", - "puppet:///modules/site-shorewall/${fqdn}/shorewall.conf", - "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", - "puppet:///modules/site-shorewall/shorewall.conf.${operatingsystem}", - "puppet:///modules/site-shorewall/shorewall.conf", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbdistcodename}", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}.${lsbmajdistrelease}", - "puppet:///modules/shorewall/shorewall.conf.${operatingsystem}", + "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf.${::operatingsystem}", + "puppet:///modules/site_shorewall/${::fqdn}/shorewall.conf", + "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}", + "puppet:///modules/site_shorewall/shorewall.conf.${::operatingsystem}", + "puppet:///modules/site_shorewall/shorewall.conf", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbdistcodename}", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}.${::lsbmajdistrelease}", + "puppet:///modules/shorewall/shorewall.conf.${::operatingsystem}", "puppet:///modules/shorewall/shorewall.conf" ], require => Package[shorewall], diff --git a/manifests/centos.pp b/manifests/centos.pp index c61e03c..7968b69 100644 --- a/manifests/centos.pp +++ b/manifests/centos.pp @@ -1,5 +1,5 @@ class shorewall::centos inherits shorewall::base { - if $lsbmajdistrelease == '6' { + if $::lsbmajdistrelease == '6' { # workaround for # http://comments.gmane.org/gmane.comp.security.shorewall/26991 file{'/etc/shorewall/params': diff --git a/manifests/debian.pp b/manifests/debian.pp index eab54a2..c7ed607 100644 --- a/manifests/debian.pp +++ b/manifests/debian.pp @@ -1,15 +1,11 @@ class shorewall::debian inherits shorewall::base { - case $shorewall_startup { - '': { $shorewall_startup = "1" } - } - file{'/etc/default/shorewall': - #source => "puppet:///modules/shorewall/debian/default", - content => template("shorewall/debian_default.erb"), - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' - } + file{'/etc/default/shorewall': + content => template("shorewall/debian_default.erb"), + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, group => 0, mode => 0644; + } + Service['shorewall']{ + status => '/sbin/shorewall status' + } } diff --git a/manifests/init.pp b/manifests/init.pp index 7c62222..17ff12d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,17 +1,19 @@ -class shorewall { +class shorewall( + $startup = '1' +) { - case $operatingsystem { + case $::operatingsystem { gentoo: { include shorewall::gentoo } debian: { include shorewall::debian } centos: { include shorewall::centos } ubuntu: { - case $lsbdistcodename { + case $::lsbdistcodename { karmic: { include shorewall::ubuntu::karmic } default: { include shorewall::debian } } } default: { - notice "unknown operatingsystem: $operatingsystem" + notice "unknown operatingsystem: ${::operatingsystem}" include shorewall::base } } @@ -38,7 +40,7 @@ class shorewall { shorewall::managed_file { rfc1918: } # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped shorewall::managed_file { routestopped: } - # See http://www.shorewall.net/3.0/Documentation.htm#Variables + # See http://www.shorewall.net/3.0/Documentation.htm#Variables shorewall::managed_file { params: } # http://www.shorewall.net/manpages/shorewall-providers.html shorewall::managed_file { providers: } diff --git a/manifests/managed_file.pp b/manifests/managed_file.pp index 0beb221..d564daa 100644 --- a/manifests/managed_file.pp +++ b/manifests/managed_file.pp @@ -1,17 +1,17 @@ define shorewall::managed_file () { - concat{ "/etc/shorewall/puppet/$name": + concat{ "/etc/shorewall/puppet/${name}": notify => Service['shorewall'], require => File['/etc/shorewall/puppet'], owner => root, group => 0, mode => 0600; - } + } concat::fragment { "${name}-header": source => "puppet:///modules/shorewall/boilerplate/${name}.header", - target => "/etc/shorewall/puppet/$name", + target => "/etc/shorewall/puppet/${name}", order => '000'; "${name}-footer": source => "puppet:///modules/shorewall/boilerplate/${name}.footer", - target => "/etc/shorewall/puppet/$name", + target => "/etc/shorewall/puppet/${name}", order => '999'; - } -} + } +} diff --git a/manifests/routestopped.pp b/manifests/routestopped.pp index 0b53a1b..cd39762 100644 --- a/manifests/routestopped.pp +++ b/manifests/routestopped.pp @@ -1,14 +1,10 @@ define shorewall::routestopped( - $interface = '', + $interface = $name, $host = '-', $options = '', $order='100' ){ - $real_interface = $interface ? { - '' => $name, - default => $interface, - } shorewall::entry{"routestopped-${order}-${name}": - line => "${real_interface} ${host} ${options}", - } + line => "${interface} ${host} ${options}", + } } diff --git a/manifests/rules/jetty/http.pp b/manifests/rules/jetty/http.pp index be19622..4c0652b 100644 --- a/manifests/rules/jetty/http.pp +++ b/manifests/rules/jetty/http.pp @@ -2,7 +2,7 @@ class shorewall::rules::jetty::http { # dnat shorewall::rule { 'dnat-http-to-jetty': - destination => "net:${ipaddress}:8080", + destination => "net:${::ipaddress}:8080", destinationport => '80', source => 'net', proto => 'tcp', order => 140, action => 'DNAT'; } diff --git a/manifests/rules/out/ibackup.pp b/manifests/rules/out/ibackup.pp index ec12c8b..48714af 100644 --- a/manifests/rules/out/ibackup.pp +++ b/manifests/rules/out/ibackup.pp @@ -1,10 +1,9 @@ -class shorewall::rules::out::ibackup { - case $shorewall_ibackup_host { - '': { fail("You need to define \$shorewall_ibackup_host for ${fqdn}") } - } +class shorewall::rules::out::ibackup( + $backup_host = hiera('shorewall_ibackup_host') +) { shorewall::rule { 'me-net-tcp_backupssh': source => '$FW', - destination => "net:${shorewall_ibackup_host}", + destination => "net:${backup_host}", proto => 'tcp', destinationport => 'ssh', order => 240, diff --git a/manifests/rules/puppet.pp b/manifests/rules/puppet.pp index b53c726..c6fc09b 100644 --- a/manifests/rules/puppet.pp +++ b/manifests/rules/puppet.pp @@ -1,16 +1,11 @@ -class shorewall::rules::puppet { - case $shorewall_puppetserver { - '': { $shorewall_puppetserver = "puppet.${domain}" } - } - case $shorewall_puppetserver_port { - '': { $shorewall_puppetserver_port = '8140' } - } - case $shorewall_puppetserver_signport { - '': { $shorewall_puppetserver_signport = '8141' } - } +class shorewall::rules::puppet( + $puppetserver = hiera('shorewall_puppetserver',"puppet.${domain}"), + $puppetserver_port = hiera('shorewall_puppetserver_port',8140) , + $puppetserver_signport = hiera('shorewall_puppetserver_signport',8141) , +) { shorewall::params{ - 'PUPPETSERVER': value => $shorewall_puppetserver; - 'PUPPETSERVER_PORT': value => $shorewall_puppetserver_port; - 'PUPPETSERVER_SIGN_PORT': value => $shorewall_puppetserver_signport; + 'PUPPETSERVER': value => $puppetserver; + 'PUPPETSERVER_PORT': value => $puppetserver_port; + 'PUPPETSERVER_SIGN_PORT': value => $puppetserver_signport; } } diff --git a/templates/debian_default.erb b/templates/debian_default.erb index 96621f5..ec64cbe 100644 --- a/templates/debian_default.erb +++ b/templates/debian_default.erb @@ -3,11 +3,7 @@ # This file is brought to you by puppet -<% if shorewall_startup == "0" -%> -startup=0 -<% else -%> -startup=1 -<% end -%> +startup=<%= scope.lookupvar('shorewall::startup') == "0" ? '0' : '1' %> # if your Shorewall configuration requires detection of the ip address of a ppp # interface, you must list such interfaces in "wait_interface" to get Shorewall to -- cgit v1.2.3