From 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a Mon Sep 17 00:00:00 2001 From: intrigeri Date: Sat, 7 Jan 2012 06:09:54 +0100 Subject: Support exempting some users from torification measures. --- manifests/init.pp | 4 ++++ manifests/rules/torify.pp | 2 ++ manifests/rules/torify/allow_tor_user.pp | 15 --------------- manifests/rules/torify/non_torified_user.pp | 25 +++++++++++++++++++++++++ manifests/rules/torify/non_torified_users.pp | 9 +++++++++ manifests/rules/torify/redirect_tcp_to_tor.pp | 7 +------ manifests/rules/torify/user.pp | 4 ---- 7 files changed, 41 insertions(+), 25 deletions(-) delete mode 100644 manifests/rules/torify/allow_tor_user.pp create mode 100644 manifests/rules/torify/non_torified_user.pp create mode 100644 manifests/rules/torify/non_torified_users.pp (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index f69a6f2..e5456d0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -34,6 +34,10 @@ class shorewall { default => $dist_tor_user, } } + case $non_torified_users { + '': { $non_torified_users = [] } + } + $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ]) file {"/var/lib/puppet/modules/shorewall": ensure => directory, diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp index f6e62d8..b393a2a 100644 --- a/manifests/rules/torify.pp +++ b/manifests/rules/torify.pp @@ -18,6 +18,8 @@ define shorewall::rules::torify( $allow_rfc1918 = true ){ + include shorewall::rules::torify::non_torified_users + $originaldest = join($destinations,',') shorewall::rules::torify::user { diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp deleted file mode 100644 index f44c1f0..0000000 --- a/manifests/rules/torify/allow_tor_user.pp +++ /dev/null @@ -1,15 +0,0 @@ -class shorewall::rules::torify::allow_tor_user { - - $whitelist_rule = "allow-from-tor-user" - if !defined(Shorewall::Rule["$whitelist_rule"]) { - shorewall::rule { - "$whitelist_rule": - source => '$FW', - destination => 'all', - user => $shorewall::tor_user, - order => 101, - action => 'ACCEPT'; - } - } - -} diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp new file mode 100644 index 0000000..34e4db7 --- /dev/null +++ b/manifests/rules/torify/non_torified_user.pp @@ -0,0 +1,25 @@ +define shorewall::rules::torify::non_torified_user() { + + $user = $name + + $whitelist_rule = "allow-from-user=${user}" + shorewall::rule { + "$whitelist_rule": + source => '$FW', + destination => 'all', + user => $user, + order => 101, + action => 'ACCEPT'; + } + + $nonat_rule = "dont-redirect-to-tor-user=${user}" + shorewall::rule { + "$nonat_rule": + source => '$FW', + destination => '-', + user => $user, + order => 106, + action => 'NONAT'; + } + +} diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp new file mode 100644 index 0000000..582dfed --- /dev/null +++ b/manifests/rules/torify/non_torified_users.pp @@ -0,0 +1,9 @@ +class shorewall::rules::torify::non_torified_users { + + $real_non_torified_users = $shorewall::real_non_torified_users + + shorewall::rules::torify::non_torified_user { + $real_non_torified_users: + } + +} diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp index 2bee658..fe1c5fe 100644 --- a/manifests/rules/torify/redirect_tcp_to_tor.pp +++ b/manifests/rules/torify/redirect_tcp_to_tor.pp @@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor( default => $originaldest, } - $user_real = $user ? { - '-' => "!${shorewall::tor_user}", - default => $user, - } - $destzone = $shorewall::tor_transparent_proxy_host ? { '127.0.0.1' => '$FW', default => 'net' @@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor( destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}", proto => 'tcp:syn', originaldest => $originaldest_real, - user => $user_real, + user => $user, order => 110, action => 'DNAT'; } diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp index 5caccfd..49c0b34 100644 --- a/manifests/rules/torify/user.pp +++ b/manifests/rules/torify/user.pp @@ -7,10 +7,6 @@ define shorewall::rules::torify::user( include shorewall::rules::torify::allow_tor_transparent_proxy - if $originaldest == '-' and $user == '-' { - include shorewall::rules::torify::allow_tor_user - } - shorewall::rules::torify::redirect_tcp_to_tor { "redirect-to-tor-user=${user}-to=${originaldest}": user => $user, -- cgit v1.2.3