From 6bc54f031b9ae12fe428c83e70733c8b2ff4c67a Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Sat, 7 Jan 2012 06:09:54 +0100
Subject: Support exempting some users from torification measures.

---
 manifests/init.pp                             |  4 ++++
 manifests/rules/torify.pp                     |  2 ++
 manifests/rules/torify/allow_tor_user.pp      | 15 ---------------
 manifests/rules/torify/non_torified_user.pp   | 25 +++++++++++++++++++++++++
 manifests/rules/torify/non_torified_users.pp  |  9 +++++++++
 manifests/rules/torify/redirect_tcp_to_tor.pp |  7 +------
 manifests/rules/torify/user.pp                |  4 ----
 7 files changed, 41 insertions(+), 25 deletions(-)
 delete mode 100644 manifests/rules/torify/allow_tor_user.pp
 create mode 100644 manifests/rules/torify/non_torified_user.pp
 create mode 100644 manifests/rules/torify/non_torified_users.pp

(limited to 'manifests')

diff --git a/manifests/init.pp b/manifests/init.pp
index f69a6f2..e5456d0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -34,6 +34,10 @@ class shorewall {
       default => $dist_tor_user,
     }
   }
+  case $non_torified_users {
+    '': { $non_torified_users = [] }
+  }
+  $real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
 
   file {"/var/lib/puppet/modules/shorewall":
     ensure => directory,
diff --git a/manifests/rules/torify.pp b/manifests/rules/torify.pp
index f6e62d8..b393a2a 100644
--- a/manifests/rules/torify.pp
+++ b/manifests/rules/torify.pp
@@ -18,6 +18,8 @@ define shorewall::rules::torify(
   $allow_rfc1918 = true
 ){
 
+  include shorewall::rules::torify::non_torified_users
+
   $originaldest = join($destinations,',')
 
   shorewall::rules::torify::user {
diff --git a/manifests/rules/torify/allow_tor_user.pp b/manifests/rules/torify/allow_tor_user.pp
deleted file mode 100644
index f44c1f0..0000000
--- a/manifests/rules/torify/allow_tor_user.pp
+++ /dev/null
@@ -1,15 +0,0 @@
-class shorewall::rules::torify::allow_tor_user {
-
-  $whitelist_rule = "allow-from-tor-user"
-  if !defined(Shorewall::Rule["$whitelist_rule"]) {
-    shorewall::rule {
-      "$whitelist_rule":
-        source      => '$FW',
-        destination => 'all',
-        user        => $shorewall::tor_user,
-        order       => 101,
-        action      => 'ACCEPT';
-    }
-  }
-
-}
diff --git a/manifests/rules/torify/non_torified_user.pp b/manifests/rules/torify/non_torified_user.pp
new file mode 100644
index 0000000..34e4db7
--- /dev/null
+++ b/manifests/rules/torify/non_torified_user.pp
@@ -0,0 +1,25 @@
+define shorewall::rules::torify::non_torified_user() {
+
+  $user = $name
+
+  $whitelist_rule = "allow-from-user=${user}"
+  shorewall::rule {
+    "$whitelist_rule":
+      source      => '$FW',
+      destination => 'all',
+      user        => $user,
+      order       => 101,
+      action      => 'ACCEPT';
+  }
+
+  $nonat_rule = "dont-redirect-to-tor-user=${user}"
+  shorewall::rule {
+    "$nonat_rule":
+      source       => '$FW',
+      destination  => '-',
+      user         => $user,
+      order        => 106,
+      action       => 'NONAT';
+  }
+
+}
diff --git a/manifests/rules/torify/non_torified_users.pp b/manifests/rules/torify/non_torified_users.pp
new file mode 100644
index 0000000..582dfed
--- /dev/null
+++ b/manifests/rules/torify/non_torified_users.pp
@@ -0,0 +1,9 @@
+class shorewall::rules::torify::non_torified_users {
+
+  $real_non_torified_users = $shorewall::real_non_torified_users
+
+  shorewall::rules::torify::non_torified_user {
+    $real_non_torified_users:
+  }
+
+}
diff --git a/manifests/rules/torify/redirect_tcp_to_tor.pp b/manifests/rules/torify/redirect_tcp_to_tor.pp
index 2bee658..fe1c5fe 100644
--- a/manifests/rules/torify/redirect_tcp_to_tor.pp
+++ b/manifests/rules/torify/redirect_tcp_to_tor.pp
@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
       default => $originaldest,
     }
 
-    $user_real = $user ? {
-      '-'     => "!${shorewall::tor_user}",
-      default => $user,
-    }
-
     $destzone = $shorewall::tor_transparent_proxy_host ? {
       '127.0.0.1' => '$FW',
       default     => 'net'
@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
         destination  => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
         proto        => 'tcp:syn',
         originaldest => $originaldest_real,
-        user         => $user_real,
+        user         => $user,
         order        => 110,
         action       => 'DNAT';
     }
diff --git a/manifests/rules/torify/user.pp b/manifests/rules/torify/user.pp
index 5caccfd..49c0b34 100644
--- a/manifests/rules/torify/user.pp
+++ b/manifests/rules/torify/user.pp
@@ -7,10 +7,6 @@ define shorewall::rules::torify::user(
 
   include shorewall::rules::torify::allow_tor_transparent_proxy
 
-  if $originaldest == '-' and $user == '-' {
-    include shorewall::rules::torify::allow_tor_user
-  }
-
   shorewall::rules::torify::redirect_tcp_to_tor {
     "redirect-to-tor-user=${user}-to=${originaldest}":
       user         => $user,
-- 
cgit v1.2.3