From 1337a268ffbd195ca40d59ebd24bb199b99ffc66 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Apr 2009 18:43:06 -0400 Subject: add http://shorewall.net/shorewall_extension_scripts.htm extension_script define --- manifests/init.pp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 7c3089b..b022cd6 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -7,6 +7,7 @@ # at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall # # Changes: +# * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm # * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and # adjust CONFIG_PATH # * remove shorewall- prefix from defines in the shorewall namespace @@ -17,7 +18,7 @@ # * add managing for masq, proxyarp, blacklist, nat, rfc1918 # adapted by immerda project group - admin+puppet(at)immerda.ch # adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch -# +# adapted by Riseup Networks - micah(shift+2)riseup.net modules_dir { "shorewall": } @@ -201,6 +202,20 @@ class shorewall { } } + # See http://shorewall.net/shorewall_extension_scripts.htm + define extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + managed_file { "${name}": } + entry { "${name}.d/500-${hostname}": + line => "${script}\n"; + } + } + '', default: { + err("${name}: unknown shorewall extension script") + } + } + } } class shorewall::base { -- cgit v1.2.3 From 6ebd2895679be6e18595464067fb267ab2d100e0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 21 Aug 2009 17:47:17 -0300 Subject: Changing 'modules_dir' to 'module_dir' --- manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index b022cd6..8d60cf5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
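Review bot: In the extension_script define, the `'', default:` branch only calls `err()`, which logs an error but lets the catalog apply with nothing written, so a misspelled hook name silently produces no script; use `fail("${name}: unknown shorewall extension script")` so compilation aborts instead (and the `''` case is redundant beside `default`). The `entry` define already appends a newline to its line (`content => "${line}\n"`, visible in the re-indent commit further down this page), so `line => "${script}\n";` writes an extra blank line after the script and `line => $script;` is enough. `managed_file { "${name}": }` pulls `boilerplate/${name}.header` and `.footer` from the module, and this view is limited to 'manifests', so confirm those files exist for all ten hook names or the first use fails at file retrieval. A header comment would also help callers, e.g. `# $script is written verbatim into <hook>.d/500-<hostname> and concatenated into the hook file shorewall runs at that point, so it must come from trusted manifests only.`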
@@ -20,7 +20,7 @@ # adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch # adapted by Riseup Networks - micah(shift+2)riseup.net -modules_dir { "shorewall": } +module_dir { "shorewall": } class shorewall { -- cgit v1.2.3 From 5aca8c2eaa54726ad0d4e643a50dc6a8ad9a5a97 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sun, 23 Aug 2009 01:21:33 -0300 Subject: Using entries in the form of order-title Using entries in the form of order-title instead of order-name. As happen in cases such as hosts defined as 'eth0:0.0.0.0/0', the '/' will make the first portion to be understood as a folder. Making use of the resource title as part of the file name and leaving the resource name to the content can prevent this error. --- manifests/init.pp | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 8d60cf5..c93b260 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -71,7 +71,7 @@ class shorewall { managed_file{ zones: } define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${name}": + entry { "zones.d/${order}-${title}": line => "${real_name} ${type} ${options} ${in} ${out}" } } @@ -101,7 +101,7 @@ class shorewall { } } - entry { "interfaces.d/${order}-${name}": + entry { "interfaces.d/${order}-${title}": line => "${zone} ${name} ${broadcast} ${options_real}", } } @@ -109,7 +109,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Hosts managed_file { hosts: } define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${name}": + entry { "hosts.d/${order}-${title}": line => "${zone} ${name} ${options}" } } 
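Review bot: Swapping `${name}` for `${title}` in the `entry` titles only changes anything when a caller passes `name =>` explicitly, because a defined type's `$title` and `$name` are identical otherwise, so the fix described in the commit message relies on a calling convention (host spec in `name`, path-safe value in the title) that the manifests never state. This applies to the zone, interfaces and hosts hunks here and equally to the policy, rule_section, rule, masq, proxyarp, nat, blacklist, rfc1918, routestopped and params hunks that follow; the interface and routestopped defines start outside their hunks. Add a comment above the `host` define such as `# Put the host spec in name => (it may contain '/', e.g. eth0:0.0.0.0/0); the title is spliced into the entry file name and must not contain '/'.` Since the title still ends up in a path under /var/lib/puppet/modules/shorewall, a guard that fails on titles containing `/` would make that requirement enforceable rather than merely documented.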
@@ -117,7 +117,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Policy managed_file { policy: } define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${name}": + entry { "policy.d/${order}-${title}": line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } } @@ -125,7 +125,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Rules managed_file { rules: } define rule_section($order) { - entry { "rules.d/${order}-${name}": + entry { "rules.d/${order}-${title}": line => "SECTION ${name}", } } @@ -134,7 +134,7 @@ class shorewall { $destinationport = '-', $sourceport = '-', $originaldest = '-', $ratelimit = '-', $user = '-', $mark = '', $order) { - entry { "rules.d/${order}-${name}": + entry { "rules.d/${order}-${title}": line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", } } @@ -145,7 +145,7 @@ class shorewall { # source (= subnet) = Set of hosts that you wish to masquerade. # address = If you specify an address here, SNAT will be used and this will be the source address. define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${name}": + entry { "masq.d/${order}-${title}": line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" } } @@ -153,7 +153,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp managed_file { proxyarp: } define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${name}": + entry { "proxyarp.d/${order}-${title}": line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" } } 
@@ -161,7 +161,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#NAT managed_file { nat: } define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${name}": + entry { "nat.d/${order}-${title}": line => "${name} ${interface} ${internal} ${all} ${local}" } } @@ -169,7 +169,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist managed_file { blacklist: } define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${name}": + entry { "blacklist.d/${order}-${title}": line => "${name} ${proto} ${port}", } } @@ -177,7 +177,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 managed_file { rfc1918: } define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${name}": + entry { "rfc1918.d/${order}-${title}": line => "${name} ${action}" } } @@ -189,7 +189,7 @@ class shorewall { '' => $name, default => $interface, } - entry { "routestopped.d/${order}-${name}": + entry { "routestopped.d/${order}-${title}": line => "${real_interface} ${host} ${options}", } } @@ -197,7 +197,7 @@ class shorewall { # See http://www.shorewall.net/3.0/Documentation.htm#Variables managed_file { params: } define params($value, $order='100'){ - entry { "params.d/${order}-${name}": + entry { "params.d/${order}-${title}": line => "${name}=${value}", } } -- cgit v1.2.3 From 5348aafd849d59887051514a004b3c2d4730c8b3 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Aug 2009 11:28:25 -0300 Subject: Adding traffic shapping support via tcdevices, tcrules and tcclasses --- manifests/init.pp | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index c93b260..84ce030 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -202,6 +202,30 @@ class shorewall { } } + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcdevices: } + define tcdevices($in_bandwidth, $out_bandwidth, $order='100'){ + entry { "tcdevices.d/${order}-${title}": + line => "${name} ${in_bandwidth} ${out_bandwidth}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcrules: } + define tcrules($source, $destination, $protocol, $ports , $order='1'){ + entry { "tcrules.d/${order}-${title}": + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcclasses: } + define tcclasses($rate, $ceil, $priority, $options , $order='1'){ + entry { "tcclasses.d/${order}-${title}": + line => "${name} ${order} ${rate} ${ceil} ${priority} ${options}", + } + } + # See http://shorewall.net/shorewall_extension_scripts.htm define extension_script($script = '') { case $name { -- cgit v1.2.3 From eda4f69cce2f2cd62f3288bdee9d8459c4673ce9 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Aug 2009 15:24:14 -0300 Subject: Adding boilerplate files and minor fixes --- files/boilerplate/tcclasses.footer | 1 + files/boilerplate/tcclasses.header | 9 +++++++++ files/boilerplate/tcdevices.footer | 1 + files/boilerplate/tcdevices.header | 10 ++++++++++ files/boilerplate/tcrules.footer | 1 + files/boilerplate/tcrules.header | 15 +++++++++++++++ manifests/init.pp | 12 ++++++------ 7 files changed, 43 insertions(+), 6 deletions(-) create mode 100644 files/boilerplate/tcclasses.footer create mode 100644 files/boilerplate/tcclasses.header create mode 100644 files/boilerplate/tcdevices.footer create mode 100644 files/boilerplate/tcdevices.header create mode 100644 files/boilerplate/tcrules.footer create mode 100644 files/boilerplate/tcrules.header (limited to 'manifests') 
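Review bot: The three new defines use `$order` both as the sort key of the `entry` file name and as a data column of the generated line: tcrules emits `${order}` as its first column and tcclasses as its second, so picking an order to sequence entries also changes the mark value shorewall applies, and the two concerns deserve a separate `$mark` parameter or at least the comment `# $order is also emitted as the MARK column`. The later hunks in this series (eda4f69, 1c75011) keep that coupling. `managed_file { tcdevices: }` and its two siblings fetch `boilerplate/<name>.header` and `.footer` from the module, and those files are only created in the next commit (eda4f69, `create mode 100644 files/boilerplate/tc*.header`), so at this revision a node including class shorewall fails to retrieve them; the boilerplate should land in the same commit as the defines. Minor: `$ports , $order` has a stray space before the comma.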
diff --git a/files/boilerplate/tcclasses.footer b/files/boilerplate/tcclasses.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcclasses.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcclasses.header b/files/boilerplate/tcclasses.header new file mode 100644 index 0000000..025415b --- /dev/null +++ b/files/boilerplate/tcclasses.header @@ -0,0 +1,9 @@ +# +# Shorewall version 4 - Tcclasses File +# +# For information about entries in this file, type "man shorewall-tcclasses" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS diff --git a/files/boilerplate/tcdevices.footer b/files/boilerplate/tcdevices.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcdevices.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/files/boilerplate/tcdevices.header b/files/boilerplate/tcdevices.header new file mode 100644 index 0000000..fe7c3d1 --- /dev/null +++ b/files/boilerplate/tcdevices.header @@ -0,0 +1,10 @@ +# +# Shorewall version 4 - Tcdevices File +# +# For information about entries in this file, type "man shorewall-tcdevices" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# +############################################################################### +#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED +#INTERFACE INTERFACES diff --git a/files/boilerplate/tcrules.footer b/files/boilerplate/tcrules.footer new file mode 100644 index 0000000..5e12d1d --- /dev/null +++ b/files/boilerplate/tcrules.footer @@ -0,0 +1 @@ +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
diff --git a/files/boilerplate/tcrules.header b/files/boilerplate/tcrules.header new file mode 100644 index 0000000..e0e7adc --- /dev/null +++ b/files/boilerplate/tcrules.header @@ -0,0 +1,15 @@ +# +# Shorewall version 4 - Tcrules File +# +# For information about entries in this file, type "man shorewall-tcrules" +# +# See http://shorewall.net/traffic_shaping.htm for additional information. +# For usage in selecting among multiple ISPs, see +# http://shorewall.net/MultiISP.html +# +# See http://shorewall.net/PacketMarking.html for a detailed description of +# the Netfilter/Shorewall packet marking mechanism. +###################################################################################################################### +#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) PORT(S) + diff --git a/manifests/init.pp b/manifests/init.pp index 84ce030..20093e9 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -204,25 +204,25 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $order='100'){ + define tcdevices($in_bandwidth, $out_bandwidth, $options = '-', $redirected_interfaces = '', $order='100'){ entry { "tcdevices.d/${order}-${title}": - line => "${name} ${in_bandwidth} ${out_bandwidth}", + line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", } } # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcrules: } - define tcrules($source, $destination, $protocol, $ports , $order='1'){ + define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '-', $order='1'){ entry { "tcrules.d/${order}-${title}": - line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports}", + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", } } # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcclasses: } - define tcclasses($rate, $ceil, $priority, $options , $order='1'){ + define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ entry { "tcclasses.d/${order}-${title}": - line => "${name} ${order} ${rate} ${ceil} ${priority} ${options}", + line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", } } -- cgit v1.2.3 From 1c75011f2509264f5e0a4afbad811470d77099ae Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Mon, 24 Aug 2009 16:04:00 -0300 Subject: Changing default values for some traffic shapping defintions / updating changelog --- manifests/init.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 20093e9..c083dd0 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
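Review bot: In the new tcrules signature the required `$ports` follows the defaulted `$protocol = 'all'`, which is legal but reads as if `$ports` were optional; moving it before `$protocol` would be clearer, though that changes the positional order for nobody since Puppet passes parameters by name. The defines now mix `'-'` (tcdevices `$options`, tcrules `$client_ports`) and `''` (tcdevices `$redirected_interfaces`, tcclasses `$options`) as the "unset" placeholder; shorewall reads these files as whitespace-separated columns, so `''` is only safe while it stays in the last column, and a comment saying so would stop the next edit from breaking it. tcclasses now emits `${interface}` into the column the header added in this commit labels `INTERFACE:CLASS`, with `${order}` as MARK, so callers have to pass the class inside `$interface`; state that above the define, e.g. `# $interface is shorewall's INTERFACE:CLASS column (e.g. eth0:1); $order is emitted as MARK and also orders the entry file`.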
@@ -7,6 +7,7 @@ # at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall # # Changes: +# * added support for traffic shapping: http://www.shorewall.net/traffic_shaping.htm # * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm # * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and # adjust CONFIG_PATH @@ -204,7 +205,7 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $options = '-', $redirected_interfaces = '', $order='100'){ + define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ entry { "tcdevices.d/${order}-${title}": line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", } @@ -212,7 +213,7 @@ class shorewall { # See http://www.shorewall.net/3.0/traffic_shaping.htm managed_file { tcrules: } - define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '-', $order='1'){ + define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ entry { "tcrules.d/${order}-${title}": line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", } -- cgit v1.2.3 From 1b9d7e2942508c7c27c61eb10ffadee322ca40a9 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 25 Aug 2009 10:00:54 -0300 Subject: Subscribing service shorewall to tcdevices, tcrules and tcclasses files --- manifests/init.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index c083dd0..321d598 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
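Review bot: Changing the tcdevices `$options` default from `'-'` to `''` puts an empty value in a non-final column: with the default and a non-empty `$redirected_interfaces`, the emitted line `"${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}"` collapses to four whitespace-separated fields and shorewall reads the redirected interfaces as OPTIONS. Keep `'-'` as the default, or map the empty string inside the define with `$options_real = $options ? { '' => '-', default => $options }` and emit `${options_real}`. The tcrules change to `$client_ports = ''` is harmless because it is the last column, and the @@ -7 hunk is changelog text only.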
@@ -284,7 +284,10 @@ class shorewall::base { Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"], Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"], Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"], - Exec["concat_/var/lib/puppet/modules/shorewall/params"] + Exec["concat_/var/lib/puppet/modules/shorewall/params"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], ], require => Package[shorewall], } -- cgit v1.2.3 From e7fea248ab907913685639dcd2d496bfa02149cf Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 14 Sep 2009 09:47:41 -0400 Subject: fix formatting to be the standard indentations according to the emacs/vim puppet modes --- manifests/init.pp | 518 +++++++++++++++++++++++++++--------------------------- 1 file changed, 259 insertions(+), 259 deletions(-) (limited to 'manifests') diff --git a/manifests/init.pp b/manifests/init.pp index 321d598..4e44547 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
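Review bot: The Exec titles subscribed to here (`concat_/var/lib/puppet/modules/shorewall/tcdevices` and the two below it) are not the titles that `managed_file` and `entry` notify, which are `concat_${dir}` with `$dir` ending in `.d` (see `define managed_file` in the re-indent commit further down this page); unless the `concatenated_file` define, which is not in this view, declares an Exec under both names, these subscriptions never fire and a changed tc file does not restart shorewall. The existing entries above the hunk use the same form, so if the titles are wrong the problem predates this change; please confirm against concatenated_file. Separately, the list still omits the files produced by `extension_script` (`.../start`, `.../stop` and the other hook names), so editing a hook script does not restart the service; having `extension_script` notify `Service[shorewall]` itself would close that gap without growing this list.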
@@ -25,288 +25,288 @@ module_dir { "shorewall": } class shorewall { - case $operatingsystem { - gentoo: { include shorewall::gentoo } - debian: { include shorewall::debian } - default: { include shorewall::base } - } + case $operatingsystem { + gentoo: { include shorewall::gentoo } + debian: { include shorewall::debian } + default: { include shorewall::base } + } + + file { + "/var/lib/puppet/modules/shorewall": + ensure => directory, + force => true, + mode => 0755, owner => root, group => 0; + } + # private + define managed_file () { + $dir = "/var/lib/puppet/modules/shorewall/${name}.d" + concatenated_file { "/var/lib/puppet/modules/shorewall/$name": + dir => $dir, + mode => 0600, + } file { - "/var/lib/puppet/modules/shorewall": - ensure => directory, - force => true, - mode => 0755, owner => root, group => 0; + "${dir}/000-header": + source => "puppet://$server/shorewall/boilerplate/${name}.header", + mode => 0600, owner => root, group => 0, + notify => Exec["concat_${dir}"]; + "${dir}/999-footer": + source => "puppet://$server/shorewall/boilerplate/${name}.footer", + mode => 0600, owner => root, group => 0, + notify => Exec["concat_${dir}"]; } - - # private - define managed_file () { - $dir = "/var/lib/puppet/modules/shorewall/${name}.d" - concatenated_file { "/var/lib/puppet/modules/shorewall/$name": - dir => $dir, - mode => 0600, - } - file { - "${dir}/000-header": - source => "puppet://$server/shorewall/boilerplate/${name}.header", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - "${dir}/999-footer": - source => "puppet://$server/shorewall/boilerplate/${name}.footer", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"]; - } - } - - # private - define entry ($line) { - $target = "/var/lib/puppet/modules/shorewall/${name}" - $dir = dirname($target) - file { $target: - content => "${line}\n", - mode => 0600, owner => root, group => 0, - notify => Exec["concat_${dir}"], - } - } - - # See 
http://www.shorewall.net/3.0/Documentation.htm#Zones - managed_file{ zones: } - define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { - $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } - entry { "zones.d/${order}-${title}": - line => "${real_name} ${type} ${options} ${in} ${out}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces - managed_file{ interfaces: } - define interface( - $zone, - $broadcast = 'detect', - $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', - $rfc1918 = false, - $dhcp = false, - $order = 100 - ) - { - if $rfc1918 { - if $dhcp { - $options_real = "${options},dhcp" - } else { - $options_real = $options - } - } else { - if $dhcp { - $options_real = "${options},norfc1918,dhcp" - } else { - $options_real = "${options},norfc1918" - } - } - - entry { "interfaces.d/${order}-${title}": - line => "${zone} ${name} ${broadcast} ${options_real}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Hosts - managed_file { hosts: } - define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { - entry { "hosts.d/${order}-${title}": - line => "${zone} ${name} ${options}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Policy - managed_file { policy: } - define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { - entry { "policy.d/${order}-${title}": - line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Rules - managed_file { rules: } - define rule_section($order) { - entry { "rules.d/${order}-${title}": - line => "SECTION ${name}", - } - } - # mark is new in 3.4.4 - define rule($action, $source, $destination, $proto = '-', - $destinationport = '-', $sourceport = '-', $originaldest = '-', - $ratelimit = '-', $user = '-', $mark = '', $order) - { - entry { 
"rules.d/${order}-${title}": - line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Masq - managed_file{ masq: } - # mark is new in 3.4.4 - # source (= subnet) = Set of hosts that you wish to masquerade. - # address = If you specify an address here, SNAT will be used and this will be the source address. - define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { - entry { "masq.d/${order}-${title}": - line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp - managed_file { proxyarp: } - define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { - entry { "proxyarp.d/${order}-${title}": - line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#NAT - managed_file { nat: } - define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { - entry { "nat.d/${order}-${title}": - line => "${name} ${interface} ${internal} ${all} ${local}" - } - } - - # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist - managed_file { blacklist: } - define blacklist($proto = '-', $port = '-', $order='100') { - entry { "blacklist.d/${order}-${title}": - line => "${name} ${proto} ${port}", - } + } + + # private + define entry ($line) { + $target = "/var/lib/puppet/modules/shorewall/${name}" + $dir = dirname($target) + file { $target: + content => "${line}\n", + mode => 0600, owner => root, group => 0, + notify => Exec["concat_${dir}"], + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Zones + managed_file{ zones: } + define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { + 
$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } + entry { "zones.d/${order}-${title}": + line => "${real_name} ${type} ${options} ${in} ${out}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces + managed_file{ interfaces: } + define interface( + $zone, + $broadcast = 'detect', + $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', + $rfc1918 = false, + $dhcp = false, + $order = 100 + ) + { + if $rfc1918 { + if $dhcp { + $options_real = "${options},dhcp" + } else { + $options_real = $options } - - # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 - managed_file { rfc1918: } - define rfc1918($action = 'logdrop', $order='100') { - entry { "rfc1918.d/${order}-${title}": - line => "${name} ${action}" - } + } else { + if $dhcp { + $options_real = "${options},norfc1918,dhcp" + } else { + $options_real = "${options},norfc1918" + } } - - # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped - managed_file { routestopped: } - define routestopped($interface = '', $host = '-', $options = '', $order='100') { - $real_interface = $interface ? 
{ - '' => $name, - default => $interface, - } - entry { "routestopped.d/${order}-${title}": - line => "${real_interface} ${host} ${options}", - } + + entry { "interfaces.d/${order}-${title}": + line => "${zone} ${name} ${broadcast} ${options_real}", } - - # See http://www.shorewall.net/3.0/Documentation.htm#Variables - managed_file { params: } - define params($value, $order='100'){ - entry { "params.d/${order}-${title}": - line => "${name}=${value}", - } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Hosts + managed_file { hosts: } + define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { + entry { "hosts.d/${order}-${title}": + line => "${zone} ${name} ${options}" } - - # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcdevices: } - define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ - entry { "tcdevices.d/${order}-${title}": - line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", - } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Policy + managed_file { policy: } + define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { + entry { "policy.d/${order}-${title}": + line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", } - - # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcrules: } - define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ - entry { "tcrules.d/${order}-${title}": - line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", - } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Rules + managed_file { rules: } + define rule_section($order) { + entry { "rules.d/${order}-${title}": + line => "SECTION ${name}", } - - # See http://www.shorewall.net/3.0/traffic_shaping.htm - managed_file { tcclasses: } - 
define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ - entry { "tcclasses.d/${order}-${title}": - line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", - } + } + # mark is new in 3.4.4 + define rule($action, $source, $destination, $proto = '-', + $destinationport = '-', $sourceport = '-', $originaldest = '-', + $ratelimit = '-', $user = '-', $mark = '', $order) + { + entry { "rules.d/${order}-${title}": + line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", } + } - # See http://shorewall.net/shorewall_extension_scripts.htm - define extension_script($script = '') { - case $name { - 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { - managed_file { "${name}": } - entry { "${name}.d/500-${hostname}": - line => "${script}\n"; - } - } - '', default: { - err("${name}: unknown shorewall extension script") + # See http://www.shorewall.net/3.0/Documentation.htm#Masq + managed_file{ masq: } + # mark is new in 3.4.4 + # source (= subnet) = Set of hosts that you wish to masquerade. + # address = If you specify an address here, SNAT will be used and this will be the source address. 
+ define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { + entry { "masq.d/${order}-${title}": + line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp + managed_file { proxyarp: } + define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { + entry { "proxyarp.d/${order}-${title}": + line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#NAT + managed_file { nat: } + define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { + entry { "nat.d/${order}-${title}": + line => "${name} ${interface} ${internal} ${all} ${local}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist + managed_file { blacklist: } + define blacklist($proto = '-', $port = '-', $order='100') { + entry { "blacklist.d/${order}-${title}": + line => "${name} ${proto} ${port}", + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 + managed_file { rfc1918: } + define rfc1918($action = 'logdrop', $order='100') { + entry { "rfc1918.d/${order}-${title}": + line => "${name} ${action}" + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped + managed_file { routestopped: } + define routestopped($interface = '', $host = '-', $options = '', $order='100') { + $real_interface = $interface ? 
{ + '' => $name, + default => $interface, + } + entry { "routestopped.d/${order}-${title}": + line => "${real_interface} ${host} ${options}", + } + } + + # See http://www.shorewall.net/3.0/Documentation.htm#Variables + managed_file { params: } + define params($value, $order='100'){ + entry { "params.d/${order}-${title}": + line => "${name}=${value}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcdevices: } + define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ + entry { "tcdevices.d/${order}-${title}": + line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcrules: } + define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ + entry { "tcrules.d/${order}-${title}": + line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", + } + } + + # See http://www.shorewall.net/3.0/traffic_shaping.htm + managed_file { tcclasses: } + define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ + entry { "tcclasses.d/${order}-${title}": + line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", + } + } + + # See http://shorewall.net/shorewall_extension_scripts.htm + define extension_script($script = '') { + case $name { + 'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { + managed_file { "${name}": } + entry { "${name}.d/500-${hostname}": + line => "${script}\n"; } } + '', default: { + err("${name}: unknown shorewall extension script") + } } + } } class shorewall::base { + + package { 'shorewall': + ensure => present, + } - package { 'shorewall': - ensure => present, - } - - # This file has to be managed in place, so shorewall can find it - file { "/etc/shorewall/shorewall.conf": - # use OS 
specific defaults, but use Default if no other is found - source => [ - "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", - "puppet://$server/files/shorewall/${fqdn}/shorewall.conf", - "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/files/shorewall/shorewall.conf", - "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", - "puppet://$server/shorewall/shorewall.conf.$operatingsystem", - "puppet://$server/shorewall/shorewall.conf.Default" - ], - mode => 0644, owner => root, group => 0, - require => Package[shorewall], - notify => Service[shorewall], - } + # This file has to be managed in place, so shorewall can find it + file { "/etc/shorewall/shorewall.conf": + # use OS specific defaults, but use Default if no other is found + source => [ + "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", + "puppet://$server/files/shorewall/${fqdn}/shorewall.conf", + "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", + "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", + "puppet://$server/files/shorewall/shorewall.conf", + "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", + "puppet://$server/shorewall/shorewall.conf.$operatingsystem", + "puppet://$server/shorewall/shorewall.conf.Default" + ], + mode => 0644, owner => root, group => 0, + require => Package[shorewall], + notify => Service[shorewall], + } - service{shorewall: - ensure => running, - enable => true, - hasstatus => true, - hasrestart => true, - subscribe => [ - Exec["concat_/var/lib/puppet/modules/shorewall/zones"], - Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"], - Exec["concat_/var/lib/puppet/modules/shorewall/hosts"], - Exec["concat_/var/lib/puppet/modules/shorewall/policy"], - 
Exec["concat_/var/lib/puppet/modules/shorewall/rules"], - Exec["concat_/var/lib/puppet/modules/shorewall/masq"], - Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"], - Exec["concat_/var/lib/puppet/modules/shorewall/nat"], - Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"], - Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"], - Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"], - Exec["concat_/var/lib/puppet/modules/shorewall/params"], - Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"], - Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"], - Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], - ], - require => Package[shorewall], - } + service{ shorewall: + ensure => running, + enable => true, + hasstatus => true, + hasrestart => true, + subscribe => [ + Exec["concat_/var/lib/puppet/modules/shorewall/zones"], + Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"], + Exec["concat_/var/lib/puppet/modules/shorewall/hosts"], + Exec["concat_/var/lib/puppet/modules/shorewall/policy"], + Exec["concat_/var/lib/puppet/modules/shorewall/rules"], + Exec["concat_/var/lib/puppet/modules/shorewall/masq"], + Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"], + Exec["concat_/var/lib/puppet/modules/shorewall/nat"], + Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"], + Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"], + Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"], + Exec["concat_/var/lib/puppet/modules/shorewall/params"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"], + Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], + ], + require => Package[shorewall], + } } class shorewall::gentoo inherits shorewall::base { - Package[shorewall]{ - category => 'net-firewall', - } + Package[shorewall]{ + category => 'net-firewall', + } } class shorewall::debian inherits shorewall::base { - 
file{'/etc/default/shorewall': - source => "puppet://$server/shorewall/debian/default", - require => Package['shorewall'], - notify => Service['shorewall'], - owner => root, group => 0, mode => 0644; - } - Service['shorewall']{ - status => '/sbin/shorewall status' - } + file{'/etc/default/shorewall': + source => "puppet://$server/shorewall/debian/default", + require => Package['shorewall'], + notify => Service['shorewall'], + owner => root, group => 0, mode => 0644; + } + Service['shorewall']{ + status => '/sbin/shorewall status' + } } -- cgit v1.2.3 From d39943732684a1e216419b65d86fed86566b1d83 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 14 Sep 2009 10:15:10 -0400 Subject: move debian/default from files to templates template out the startup value in the debian/default so that it can be specified in puppet make it possible to specify a different shorewall version if desired, default is to use 'present' add additional documentation and move copyright information up to the top --- files/debian/default | 24 ------------------------ manifests/init.pp | 47 ++++++++++++++++++++++++++++++++++++++--------- templates/debian/default | 25 +++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 33 deletions(-) delete mode 100644 files/debian/default create mode 100644 templates/debian/default (limited to 'manifests') diff --git a/files/debian/default b/files/debian/default deleted file mode 100644 index ba89cdc..0000000 --- a/files/debian/default +++ /dev/null 
@@ -1,24 +0,0 @@
-# prevent startup with default configuration
-# set the following varible to 1 in order to allow Shorewall to start
-
-startup=1
-
-# if your Shorewall configuration requires detection of the ip address of a ppp
-# interface, you must list such interfaces in "wait_interface" to get Shorewall to
-# wait until the interface is configured. Otherwise the script will fail because
-# it won't be able to detect the IP address.
-#
-# Example:
-# wait_interface="ppp0"
-# or
-# wait_interface="ppp0 ppp1"
-# or, if you have defined in /etc/shorewall/params
-# wait_interface=
-
-#
-# Startup options
-#
-
-OPTIONS=""
-
-# EOF
diff --git a/manifests/init.pp b/manifests/init.pp
index 4e44547..444aa94 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,12 +1,37 @@ # # modules/shorewall/manifests/init.pp - manage firewalling with shorewall 3.x # Copyright (C) 2007 David Schmitt +# adapted by immerda project group - admin+puppet(at)immerda.ch +# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch +# Copyright (c) 2009 Riseup Networks - micah(shift+2)riseup.net # See LICENSE for the full license granted to you. # # Based on the work of ADNET Ghislain from AQUEOS # at https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall # +# +# If you need to install a specific version of shorewall other than +# the default one that would be installed by 'ensure => present', then +# you can set the following variable and that specific version will be +# installed instead: +# +# $shorewall_ensure_version = "4.0.15-1" +# +# Debian specific settings: +# +# To set any of the following, simply set them as variables in y our manifests +# before the class is included, for example: +# +# $shorewall_startboot = 1 +# +# shorewall_startboot: specify if shorewall should be enabled at boot +# valid options are: 1 (start at boot), 0 (do not start), +# Default: 1 -> start at boot +# # Changes: +# * added Debian support to specify if shorewall should be enabled on boot or not +# * added support for specifying shorewall package version +# * updated indentation and formatting to standardize on puppet emacs/vim modes # * added support for traffic shapping: http://www.shorewall.net/traffic_shaping.htm # * added extension_script define: http://shorewall.net/shorewall_extension_scripts.htm # * FHS Layout: put configuration in /var/lib/puppet/modules/shorewall and 
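Review bot: In the new Debian-settings paragraph of the header, `y our manifests` should read `your manifests`. The `$shorewall_ensure_version` example would also be clearer if it said what kind of value is expected, e.g. `# (any value the package type's ensure accepts: present, latest, or a version string)`; the package resource it feeds lives outside this hunk.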
@@ -17,9 +42,6 @@ # * add 000-header and 999-footer files for all managed_files # * added rule_section define and a few more parameters for rules # * add managing for masq, proxyarp, blacklist, nat, rfc1918 -# adapted by immerda project group - admin+puppet(at)immerda.ch -# adapted by Puzzle ITC - haerry+puppet(at)puzzle.ch -# adapted by Riseup Networks - micah(shift+2)riseup.net module_dir { "shorewall": } @@ -244,11 +266,12 @@ class shorewall { } class shorewall::base { - + + if $shorewall_ensure_version == '' { $shorewall_ensure_version = 'present' } package { 'shorewall': - ensure => present, + ensure => $shorewall_ensure_version, } - + # This file has to be managed in place, so shorewall can find it file { "/etc/shorewall/shorewall.conf": # use OS specific defaults, but use Default if no other is found @@ -300,13 +323,19 @@ class shorewall::gentoo inherits shorewall::base { } class shorewall::debian inherits shorewall::base { - file{'/etc/default/shorewall': - source => "puppet://$server/shorewall/debian/default", + + # prepare variables to use in templates + case $shorewall_startboot { + '': { $shorewall_startboot = '1' } + } + + file { '/etc/default/shorewall': + content => template("shorewall/debian/default"), require => Package['shorewall'], notify => Service['shorewall'], owner => root, group => 0, mode => 0644; } - Service['shorewall']{ + Service['shorewall'] { status => '/sbin/shorewall status' } } diff --git a/templates/debian/default b/templates/debian/default new file mode 100644 index 0000000..1aaad8c --- /dev/null +++ b/templates/debian/default 
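Review bot: `$shorewall_startboot` is only normalised from `''` to `'1'` by the new `case` in `shorewall::debian`; any other value is written verbatim into the `startup=<%=shorewall_startboot -%>` line of the new templates/debian/default (next hunk), although the header comment documents only 1 and 0 as valid. /etc/default/shorewall is in shell-variable syntax and is presumably sourced by the init script, so an unexpected value is interpreted there at service start instead of being rejected at catalog compile time. I'd enumerate the accepted values and fail on anything else inside the case: `'0', '1': { }` and `default: { fail("shorewall_startboot must be 0 or 1, got '${shorewall_startboot}'") }`.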
@@ -0,0 +1,25 @@
+# prevent startup with default configuration
+# set the following varible to 1 in order to allow Shorewall to start
+
+
+startup=<%=shorewall_startboot -%>
+
+# if your Shorewall configuration requires detection of the ip address of a ppp
+# interface, you must list such interfaces in "wait_interface" to get Shorewall to
+# wait until the interface is configured. Otherwise the script will fail because
+# it won't be able to detect the IP address.
+#
+# Example:
+# wait_interface="ppp0"
+# or
+# wait_interface="ppp0 ppp1"
+# or, if you have defined in /etc/shorewall/params
+# wait_interface=
+
+#
+# Startup options
+#
+
+OPTIONS=""
+
+# EOF
-- cgit v1.2.3
From 4725d23ab0f03d6fffeb725741de870b3facb72a Mon Sep 17 00:00:00 2001
From: Jerome Charaoui Date: Fri, 9 Oct 2009 10:59:17 -0400 Subject: modify service subscriptions to avoid needless restarts --- manifests/init.pp | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index 444aa94..aa6eb61 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -296,21 +296,21 @@ class shorewall::base {
 hasstatus => true,
 hasrestart => true,
 subscribe => [
- Exec["concat_/var/lib/puppet/modules/shorewall/zones"],
- Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],
- Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],
- Exec["concat_/var/lib/puppet/modules/shorewall/policy"],
- Exec["concat_/var/lib/puppet/modules/shorewall/rules"],
- Exec["concat_/var/lib/puppet/modules/shorewall/masq"],
- Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],
- Exec["concat_/var/lib/puppet/modules/shorewall/nat"],
- Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],
- Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],
- Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],
- Exec["concat_/var/lib/puppet/modules/shorewall/params"],
- Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"],
- Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"],
- Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"],
+ File["/var/lib/puppet/modules/shorewall/zones"],
+ File["/var/lib/puppet/modules/shorewall/interfaces"],
+ File["/var/lib/puppet/modules/shorewall/hosts"],
+ File["/var/lib/puppet/modules/shorewall/policy"],
+ File["/var/lib/puppet/modules/shorewall/rules"],
+ File["/var/lib/puppet/modules/shorewall/masq"],
+ File["/var/lib/puppet/modules/shorewall/proxyarp"],
+ File["/var/lib/puppet/modules/shorewall/nat"],
+ File["/var/lib/puppet/modules/shorewall/blacklist"],
+ File["/var/lib/puppet/modules/shorewall/rfc1918"],
+ File["/var/lib/puppet/modules/shorewall/routestopped"],
+ File["/var/lib/puppet/modules/shorewall/params"],
+ File["/var/lib/puppet/modules/shorewall/tcdevices"],
+ File["/var/lib/puppet/modules/shorewall/tcrules"],
+ File["/var/lib/puppet/modules/shorewall/tcclasses"],
 ],
 require => Package[shorewall],
 }
-- cgit v1.2.3
From 33df59d5016a503c21495eedcc4c9e3cabf9e28c Mon Sep 17 00:00:00 2001
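Review bot: The subscribe list in this service declaration (which starts before the hunk) is a hand-copied enumeration of the fifteen concat targets and has to be kept in sync with every `managed_file` the module declares; the files created by `extension_script` (init, start, stop, …) are not in it, so a changed extension script does not restart the firewall, and if Shorewall only reads those at start/restart that leaves stale policy running without any report — worth confirming. Switching to `File[...]` also assumes `managed_file` declares a `File["/var/lib/puppet/modules/shorewall/${name}"]` resource for each name, which is not visible in this hunk. Having `managed_file` itself carry `notify => Service['shorewall']` would keep that coupling in one place and cover new defines automatically.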
From: Micah Anderson Date: Mon, 23 Nov 2009 14:25:01 -0500 Subject: switch to 0.25 module style source references --- manifests/init.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index aa6eb61..fbb8032 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -69,11 +69,11 @@ class shorewall {
 }
 file { "${dir}/000-header":
- source => "puppet://$server/shorewall/boilerplate/${name}.header",
+ source => "puppet://$server/modules/shorewall/boilerplate/${name}.header",
 mode => 0600, owner => root, group => 0,
 notify => Exec["concat_${dir}"];
 "${dir}/999-footer":
- source => "puppet://$server/shorewall/boilerplate/${name}.footer",
+ source => "puppet://$server/modules/shorewall/boilerplate/${name}.footer",
 mode => 0600, owner => root, group => 0,
 notify => Exec["concat_${dir}"];
 }
@@ -281,9 +281,9 @@ class shorewall::base {
 "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
 "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
 "puppet://$server/files/shorewall/shorewall.conf",
- "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/shorewall/shorewall.conf.Default"
+ "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$server/modules/shorewall/shorewall.conf.Default"
 ],
 mode => 0644, owner => root, group => 0,
 require => Package[shorewall],
-- cgit v1.2.3
From c49625a4cd14a53d91b7d12aea88201a211a26a2 Mon Sep 17 00:00:00 2001
From: Micah Anderson Date: Mon, 23 Nov 2009 15:48:18 -0500 Subject: switch the shorewall.conf source first hits to use the $fileserver/shorewall location. this enables you to put these files in your local fileserver area, without modifying the shorewall module. if you dont need to do this, then the shorewall module defaults will be used instead --- manifests/init.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'manifests')
diff --git a/manifests/init.pp b/manifests/init.pp
index fbb8032..0bf0e9d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -276,11 +276,11 @@ class shorewall::base {
 file { "/etc/shorewall/shorewall.conf":
 # use OS specific defaults, but use Default if no other is found
 source => [
- "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
- "puppet://$server/files/shorewall/${fqdn}/shorewall.conf",
- "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
- "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem",
- "puppet://$server/files/shorewall/shorewall.conf",
+ "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf.$operatingsystem",
+ "puppet://$fileserver/shorewall/${fqdn}/shorewall.conf",
+ "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
+ "puppet://$fileserver/shorewall/shorewall.conf.$operatingsystem",
+ "puppet://$fileserver/shorewall/shorewall.conf",
 "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename",
 "puppet://$server/modules/shorewall/shorewall.conf.$operatingsystem",
 "puppet://$server/modules/shorewall/shorewall.conf.Default"
-- cgit v1.2.3
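Review bot: The five new site-override sources interpolate `$fileserver`, a top-scope variable this module never sets or documents; when it is unset the URLs presumably collapse to `puppet:///shorewall/...` with an empty host, which resolves against whatever `shorewall` mount the default server has, so the override either falls through to the module defaults as the commit message intends or, if such a mount exists, serves a firewall configuration from a location nobody chose explicitly. I'd document the variable next to `$shorewall_ensure_version` in the file header, e.g. `# $fileserver: host serving the site-local 'shorewall' file mount consulted before the module defaults for shorewall.conf`, so the precedence of a site override over the shipped configuration is visible to whoever sets it. The file resource starts before this hunk and its remaining attributes (mode, require, notify) continue after it.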