Diffstat (limited to 'manifests/init.pp')
| -rw-r--r-- | manifests/init.pp | 518 | 
1 files changed, 259 insertions, 259 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index 321d598..4e44547 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -25,288 +25,288 @@ module_dir { "shorewall": }  class shorewall {  -    case $operatingsystem { -        gentoo: { include shorewall::gentoo } -        debian: { include shorewall::debian } -        default: { include shorewall::base } -    } +  case $operatingsystem { +    gentoo: { include shorewall::gentoo } +    debian: { include shorewall::debian } +    default: { include shorewall::base } +  } + +  file { +    "/var/lib/puppet/modules/shorewall": +      ensure => directory, +      force => true, +      mode => 0755, owner => root, group => 0; +  } +  # private +  define managed_file () { +    $dir = "/var/lib/puppet/modules/shorewall/${name}.d" +    concatenated_file { "/var/lib/puppet/modules/shorewall/$name": +      dir => $dir, +      mode => 0600, +    }      file { -        	"/var/lib/puppet/modules/shorewall": -        		ensure => directory, -        		force => true, -        		mode => 0755, owner => root, group => 0; +      "${dir}/000-header": +	source => "puppet://$server/shorewall/boilerplate/${name}.header", +	mode => 0600, owner => root, group => 0, +	notify => Exec["concat_${dir}"]; +      "${dir}/999-footer": +	source => "puppet://$server/shorewall/boilerplate/${name}.footer", +	mode => 0600, owner => root, group => 0, +	notify => Exec["concat_${dir}"];      } - -    # private -	define managed_file () { -		$dir = "/var/lib/puppet/modules/shorewall/${name}.d" -		concatenated_file { "/var/lib/puppet/modules/shorewall/$name": -            dir => $dir, -			mode => 0600, -		} -		file { -			"${dir}/000-header": -				source => "puppet://$server/shorewall/boilerplate/${name}.header", -				mode => 0600, owner => root, group => 0, -				notify => Exec["concat_${dir}"]; -			"${dir}/999-footer": -				source => "puppet://$server/shorewall/boilerplate/${name}.footer", -				mode => 0600, owner => root, group => 0, -				notify => Exec["concat_${dir}"]; -		} -	} - -	# private -	define entry ($line) { -		$target = "/var/lib/puppet/modules/shorewall/${name}" -		
$dir = dirname($target) -		file { $target: -			content => "${line}\n", -			mode => 0600, owner => root, group => 0, -			notify => Exec["concat_${dir}"], -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Zones -	managed_file{ zones: } -	define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { -		$real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } -		entry { "zones.d/${order}-${title}": -			line => "${real_name} ${type} ${options} ${in} ${out}" -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces -	managed_file{ interfaces: } -	define interface( -		$zone, -		$broadcast = 'detect', -		$options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', -		$rfc1918 = false, -		$dhcp = false, -        $order = 100 -		) -	{ -		if $rfc1918 { -			if $dhcp { -				$options_real = "${options},dhcp" -			} else { -				$options_real = $options -			} -		} else { -			if $dhcp { -				$options_real = "${options},norfc1918,dhcp" -			} else { -				$options_real = "${options},norfc1918" -			} -		} - -		entry { "interfaces.d/${order}-${title}": -			line => "${zone} ${name} ${broadcast} ${options_real}", -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Hosts -	managed_file { hosts: } -	define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { -		entry { "hosts.d/${order}-${title}": -			line => "${zone} ${name} ${options}" -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Policy -	managed_file { policy: } -	define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { -		entry { "policy.d/${order}-${title}": -			line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}", -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Rules -	managed_file { rules: } -	define rule_section($order) { -		entry { "rules.d/${order}-${title}": -			line => "SECTION ${name}", -		} -	} -	
# mark is new in 3.4.4 -	define rule($action, $source, $destination, $proto = '-', -		$destinationport = '-', $sourceport = '-', $originaldest = '-', -		$ratelimit = '-', $user = '-', $mark = '', $order) -	{ -		entry { "rules.d/${order}-${title}": -			line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}", -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Masq -	managed_file{ masq: } -	# mark is new in 3.4.4 -	# source (= subnet) = Set of hosts that you wish to masquerade. -	# address = If  you  specify  an  address here, SNAT will be used and this will be the source address. -	define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { -		entry { "masq.d/${order}-${title}": -			line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp -	managed_file { proxyarp: } -	define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { -		entry { "proxyarp.d/${order}-${title}": -			line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#NAT -	managed_file { nat: } -	define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { -		entry { "nat.d/${order}-${title}": -			line => "${name} ${interface} ${internal} ${all} ${local}" -		} -	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#Blacklist -	managed_file { blacklist: } -	define blacklist($proto = '-', $port = '-', $order='100') { -		entry { "blacklist.d/${order}-${title}": -			line => "${name} ${proto} ${port}", -		} +  } +   +  # private +  define entry ($line) { +    $target = "/var/lib/puppet/modules/shorewall/${name}" +    $dir = dirname($target) +    file { $target: +      content => "${line}\n", +      mode => 
0600, owner => root, group => 0, +      notify => Exec["concat_${dir}"], +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Zones +  managed_file{ zones: } +  define zone($type, $options = '-', $in = '-', $out = '-', $parent = '-', $order = 100) { +    $real_name = $parent ? { '-' => $name, default => "${name}:${parent}" } +    entry { "zones.d/${order}-${title}": +      line => "${real_name} ${type} ${options} ${in} ${out}" +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Interfaces +  managed_file{ interfaces: } +  define interface( +    $zone, +    $broadcast = 'detect', +    $options = 'tcpflags,blacklist,routefilter,nosmurfs,logmartians', +    $rfc1918 = false, +    $dhcp = false, +    $order = 100 +  ) +  { +    if $rfc1918 { +      if $dhcp { +	$options_real = "${options},dhcp" +	} else { +	$options_real = $options  	} - -	# See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 -	managed_file { rfc1918: } -	define rfc1918($action = 'logdrop', $order='100') { -		entry { "rfc1918.d/${order}-${title}": -			line => "${name} ${action}" -		} +	} else { +	if $dhcp { +	  $options_real = "${options},norfc1918,dhcp" +	  } else { +	  $options_real = "${options},norfc1918" +	  }  	} -	 -	# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped -	managed_file { routestopped: } -	define routestopped($interface = '', $host = '-', $options = '', $order='100') { -        $real_interface = $interface ? 
{ -            '' => $name, -            default => $interface, -        } -		entry { "routestopped.d/${order}-${title}": -			line => "${real_interface} ${host} ${options}", -		} +         +	entry { "interfaces.d/${order}-${title}": +	  line => "${zone} ${name} ${broadcast} ${options_real}",  	} - -    # See http://www.shorewall.net/3.0/Documentation.htm#Variables  -    managed_file { params: } -    define params($value, $order='100'){ -        entry { "params.d/${order}-${title}": -            line => "${name}=${value}", -        } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Hosts +  managed_file { hosts: } +  define host($zone, $options = 'tcpflags,blacklist,norfc1918',$order='100') { +    entry { "hosts.d/${order}-${title}": +      line => "${zone} ${name} ${options}"      } - -    # See http://www.shorewall.net/3.0/traffic_shaping.htm -    managed_file { tcdevices: } -    define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ -        entry { "tcdevices.d/${order}-${title}": -            line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", -        } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Policy +  managed_file { policy: } +  define policy($sourcezone, $destinationzone, $policy, $shloglevel = '-', $limitburst = '-', $order) { +    entry { "policy.d/${order}-${title}": +      line => "# ${name}\n${sourcezone} ${destinationzone} ${policy} ${shloglevel} ${limitburst}",      } - -    # See http://www.shorewall.net/3.0/traffic_shaping.htm -    managed_file { tcrules: } -    define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ -        entry { "tcrules.d/${order}-${title}": -            line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", -        } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Rules +  managed_file { rules: } +  
define rule_section($order) { +    entry { "rules.d/${order}-${title}": +      line => "SECTION ${name}",      } - -    # See http://www.shorewall.net/3.0/traffic_shaping.htm -    managed_file { tcclasses: } -    define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ -        entry { "tcclasses.d/${order}-${title}": -            line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", -        } +  } +  # mark is new in 3.4.4 +  define rule($action, $source, $destination, $proto = '-', +  $destinationport = '-', $sourceport = '-', $originaldest = '-', +  $ratelimit = '-', $user = '-', $mark = '', $order) +  { +    entry { "rules.d/${order}-${title}": +      line => "# ${name}\n${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport} ${originaldest} ${ratelimit} ${user} ${mark}",      } +  } -    # See http://shorewall.net/shorewall_extension_scripts.htm -    define extension_script($script = '') { -      case $name { -        'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { -          managed_file { "${name}": } -          entry { "${name}.d/500-${hostname}": -            line => "${script}\n"; -          } -        } -        '', default: { -          err("${name}: unknown shorewall extension script") +  # See http://www.shorewall.net/3.0/Documentation.htm#Masq +  managed_file{ masq: } +  # mark is new in 3.4.4 +  # source (= subnet) = Set of hosts that you wish to masquerade. +  # address = If  you  specify  an  address here, SNAT will be used and this will be the source address. 
+  define masq($interface, $source, $address = '-', $proto = '-', $port = '-', $ipsec = '-', $mark = '', $order='100' ) { +    entry { "masq.d/${order}-${title}": +      line => "# ${name}\n${interface} ${source} ${address} ${proto} ${port} ${ipsec} ${mark}" +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp +  managed_file { proxyarp: } +  define proxyarp($interface, $external, $haveroute = yes, $persistent = no, $order='100') { +    entry { "proxyarp.d/${order}-${title}": +      line => "# ${name}\n${name} ${interface} ${external} ${haveroute} ${persistent}" +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#NAT +  managed_file { nat: } +  define nat($interface, $internal, $all = 'no', $local = 'yes',$order='100') { +    entry { "nat.d/${order}-${title}": +      line => "${name} ${interface} ${internal} ${all} ${local}" +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Blacklist +  managed_file { blacklist: } +  define blacklist($proto = '-', $port = '-', $order='100') { +    entry { "blacklist.d/${order}-${title}": +      line => "${name} ${proto} ${port}", +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#rfc1918 +  managed_file { rfc1918: } +  define rfc1918($action = 'logdrop', $order='100') { +    entry { "rfc1918.d/${order}-${title}": +      line => "${name} ${action}" +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Routestopped +  managed_file { routestopped: } +  define routestopped($interface = '', $host = '-', $options = '', $order='100') { +    $real_interface = $interface ? 
{ +      '' => $name, +      default => $interface, +    } +    entry { "routestopped.d/${order}-${title}": +      line => "${real_interface} ${host} ${options}", +    } +  } +   +  # See http://www.shorewall.net/3.0/Documentation.htm#Variables  +  managed_file { params: } +  define params($value, $order='100'){ +    entry { "params.d/${order}-${title}": +      line => "${name}=${value}", +    } +  } +   +  # See http://www.shorewall.net/3.0/traffic_shaping.htm +  managed_file { tcdevices: } +  define tcdevices($in_bandwidth, $out_bandwidth, $options = '', $redirected_interfaces = '', $order='100'){ +    entry { "tcdevices.d/${order}-${title}": +      line => "${name} ${in_bandwidth} ${out_bandwidth} ${options} ${redirected_interfaces}", +    } +  } +   +  # See http://www.shorewall.net/3.0/traffic_shaping.htm +  managed_file { tcrules: } +  define tcrules($source, $destination, $protocol = 'all', $ports, $client_ports = '', $order='1'){ +    entry { "tcrules.d/${order}-${title}": +      line => "# ${name}\n${order} ${source} ${destination} ${protocol} ${ports} ${client_ports}", +    } +  } +   +  # See http://www.shorewall.net/3.0/traffic_shaping.htm +  managed_file { tcclasses: } +  define tcclasses($interface, $rate, $ceil, $priority, $options = '' , $order='1'){ +    entry { "tcclasses.d/${order}-${title}": +      line => "# ${name}\n${interface} ${order} ${rate} ${ceil} ${priority} ${options}", +    } +  } +   +  # See http://shorewall.net/shorewall_extension_scripts.htm +  define extension_script($script = '') { +    case $name { +      'init', 'initdone', 'start', 'started', 'stop', 'stopped', 'clear', 'refresh', 'continue', 'maclog': { +        managed_file { "${name}": } +        entry { "${name}.d/500-${hostname}": +          line => "${script}\n";          }        } +      '', default: { +        err("${name}: unknown shorewall extension script") +      }      } +  }  }  class shorewall::base { +   +  package { 'shorewall': +    ensure => present, +  } 
-	package { 'shorewall': -        ensure => present, -    } - -    # This file has to be managed in place, so shorewall can find it -	file { "/etc/shorewall/shorewall.conf": -		# use OS specific defaults, but use Default if no other is found -		source => [ -            "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", -            "puppet://$server/files/shorewall/${fqdn}/shorewall.conf", -            "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", -            "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", -            "puppet://$server/files/shorewall/shorewall.conf", -            "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", -            "puppet://$server/shorewall/shorewall.conf.$operatingsystem", -            "puppet://$server/shorewall/shorewall.conf.Default" -        ], -		mode => 0644, owner => root, group => 0, -        require => Package[shorewall], -        notify => Service[shorewall], -	} +  # This file has to be managed in place, so shorewall can find it +  file { "/etc/shorewall/shorewall.conf": +    # use OS specific defaults, but use Default if no other is found +    source => [ +               "puppet://$server/files/shorewall/${fqdn}/shorewall.conf.$operatingsystem", +               "puppet://$server/files/shorewall/${fqdn}/shorewall.conf", +               "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", +               "puppet://$server/files/shorewall/shorewall.conf.$operatingsystem", +               "puppet://$server/files/shorewall/shorewall.conf", +               "puppet://$server/shorewall/shorewall.conf.$operatingsystem.$lsbdistcodename", +               "puppet://$server/shorewall/shorewall.conf.$operatingsystem", +               "puppet://$server/shorewall/shorewall.conf.Default" +               ], +    mode => 0644, owner => root, group => 0, +    require => Package[shorewall], +    
notify => Service[shorewall], +  } -	service{shorewall:  -        ensure  => running,  -        enable  => true,  -        hasstatus => true, -        hasrestart => true, -        subscribe => [  -            Exec["concat_/var/lib/puppet/modules/shorewall/zones"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/policy"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/rules"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/masq"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/nat"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/params"], -            Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"],  -            Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], -        ], -        require => Package[shorewall], -    } +  service{ shorewall:  +    ensure  => running,  +    enable  => true,  +    hasstatus => true, +    hasrestart => true, +    subscribe => [  +                   Exec["concat_/var/lib/puppet/modules/shorewall/zones"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/interfaces"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/hosts"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/policy"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/rules"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/masq"],  +                   
Exec["concat_/var/lib/puppet/modules/shorewall/proxyarp"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/nat"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/blacklist"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/rfc1918"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/routestopped"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/params"], +                   Exec["concat_/var/lib/puppet/modules/shorewall/tcdevices"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/tcrules"],  +                   Exec["concat_/var/lib/puppet/modules/shorewall/tcclasses"], +                   ], +    require => Package[shorewall], +  }  }  class shorewall::gentoo inherits shorewall::base { -    Package[shorewall]{ -        category => 'net-firewall', -    } +  Package[shorewall]{ +    category => 'net-firewall', +  }  }  class shorewall::debian inherits shorewall::base { -    file{'/etc/default/shorewall': -        source => "puppet://$server/shorewall/debian/default", -        require => Package['shorewall'], -        notify => Service['shorewall'], -        owner => root, group => 0, mode => 0644; -    } -    Service['shorewall']{ -        status => '/sbin/shorewall status' -    } +  file{'/etc/default/shorewall': +    source => "puppet://$server/shorewall/debian/default", +    require => Package['shorewall'], +    notify => Service['shorewall'], +    owner => root, group => 0, mode => 0644; +  } +  Service['shorewall']{ +    status => '/sbin/shorewall status' +  }  }  | 
