Commit 7aff7451 authored by Micah's avatar Micah

Merge branch '5.x-3' into 'master'

5.x part 3

See merge request !9
parents 4da1590e b131814e
......@@ -74,6 +74,23 @@ module will not work:
CONFIG_PATH="/etc/shorewall/puppet:/etc/shorewall:/usr/share/shorewall"
Warnings
--------
There are some features that have been deprecated upstream that may still be
supported by this module on certain shorewall major version. Please note
the following:
* the blacklist file and option is deprecated and replaced by blrules
* the rfc1918 file and norfc1918 option are deprecated
* the tcrules file is deprecated, replaced by mangled
* the routestopped file is deprecated and replaced by stoppedrules
* as of shorewall 4.6.0, SECTION headers need a leading '?'
You should migrate your own calls to this module to move to the currently
supported methods, we will be dropping support for deprecated features as
the available distribution version permit it.
For more details see http://www.shorewall.net/upgrade_issues.htm
Documentation
-------------
......
#
# Shorewall version 4 - Clear
# Shorewall -- /etc/shorewall/clear
#
# /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
# Add commands below that you want to be executed after Shorewall has
# processed the 'clear' command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 3.4 - Hosts file
# Shorewall -- /etc/shorewall/hosts
#
# For information about entries in this file, type "man shorewall-hosts"
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE HOST(S) OPTIONS
#ZONE HOSTS OPTIONS
#
# Shorewall version 4 - Init File
# Shorewall -- /etc/shorewall/init
#
# /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
# Add commands below that you want to be executed at the beginning of
# a "shorewall start", "shorewall-reload" or "shorewall restart" command.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#
# Shorewall version 4 - Initdone File
# Shorewall -- /etc/shorewall/initdone
#
# /etc/shorewall/initdone
#
# Add commands below that you want to be executed during
# "shorewall start" or "shorewall restart" commands at the point where
# Shorewall has not yet added any perminent rules to the builtin chains.
# Add commands below that you want to be executed during
# "shorewall start", "shorewall reload" or "shorewall restart" commands
# at the point where Shorewall has not yet added any permanent rules to
# the builtin chains.
#
# For additional information, see
# http://shorewall.net/shorewall_extension_scripts.htm
#
###############################################################################
#
# Shorewall version 4 - Interfaces File
# Shorewall -- /etc/shorewall/interfaces
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# For additional information, see
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
# FIXME: need to switch to format 2
#?FORMAT 2
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
#ZONE INTERFACE OPTIONS
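Review bot: The new column header `#ZONE INTERFACE OPTIONS` is the three-column layout of `?FORMAT 2`, but the directive that enables it is still commented out on the line above it (`#?FORMAT 2`, beneath the `# FIXME: need to switch to format 2` note). Without an active `?FORMAT 2` line Shorewall parses entries in the four-column format 1 (ZONE INTERFACE BROADCAST OPTIONS), so an entry generated with only three fields would have its OPTIONS read as BROADCAST — presumably the case here, but it depends on how the module's interface define lays out its line, which is not in this view. Either uncomment the directive (only on Shorewall versions that accept it, per the README note on `?` headers) or spell out in the FIXME why it is deferred, e.g. `# FIXME: entries are still emitted in format 1; enable ?FORMAT 2 once the interface define drops the BROADCAST column`.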
#
# Shorewall - Mangle File
# Shorewall -- /etc/shorewall/mangle
#
# For additional information, see http://shorewall.net/manpages/shorewall-mangle.html
# For information about entries in this file, type "man shorewall-mangle"
#
#######################################################################################
#ACTION SOURCE DESTINATION PROTO DSTPORT SRCPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
#
# Shorewall version 3.4 - Masq file
# Shorewall -- /etc/shorewall/masq
#
# For information about entries in this file, type "man shorewall-masq"
#
# For additional information, see http://shorewall.net/Documentation.htm#Masq
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
###################################################################################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Shorewall version 3.4 - Nat File
# Shorewall -- /etc/shorewall/nat
#
# For information about entries in this file, type "man shorewall-nat"
#
# For additional information, see http://shorewall.net/NAT.htm
#
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
#
# Shorewall version 3.4 - Params File
# Shorewall -- /etc/shorewall/params
#
# /etc/shorewall/params
# Assign any variables that you need here.
#
# Assign any variables that you need here.
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
# Example:
#
# Example:
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter
# Example (/etc/shorewall/interfaces record):
#
# Example (/etc/shorewall/interfaces record):
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
# The result will be the same as if the record had been written
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter
# net eth0 130.252.100.255 routefilter
#
###############################################################################
#
# Shorewall version 4 - Policy File
# Shorewall -- /etc/shorewall/policy
#
# For information about entries in this file, type "man shorewall-policy"
#
......@@ -7,5 +7,4 @@
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
#SOURCE DEST POLICY LOGLEVEL LIMIT CONNLIMIT
#
# Shorewall version 4 - Providers File
# Shorewall -- /etc/shorewall/providers
#
# For information about entries in this file, type "man shorewall-providers"
#
......
#
# Shorewall version 3.4 - Proxyarp File
# Shorewall -- /etc/shorewall/proxyarp
#
# For information about entries in this file, type "man shorewall-proxyarp"
#
# See http://shorewall.net/ProxyARP.htm for additional information.
#
###############################################################################
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
#
# Shorewall version 4 - route rules File
# Shorewall -- /etc/shorewall/rtrules
#
# For information about entries in this file, type "man shorewall-rtrules"
#
# For additional information, see http://www.shorewall.net/MultiISP.html
#
####################################################################################
# SOURCE DEST PROVIDER PRIORITY MASK
#SOURCE DEST PROVIDER PRIORITY MASK
#
# Shorewall version 3.4 - Rules File
# Shorewall -- /etc/shorewall/rules
#
# For information on the settings in this file, type "man shorewall-rules"
#
# See http://shorewall.net/Documentation.htm#Rules for additional information.
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER MARK CONNLIMIT TIME HEADERS SWITCH HELPER
#
# Shorewall version 4 - Start File
# Shorewall -- /etc/shorewall/start
#
# /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
# Add commands below that you want to be executed after shorewall has
# been started, reloaded or restarted.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
......
#
# Shorewall version 4 - Stop File
# Shorewall -- /etc/shorewall/stop
#
# /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall version 4 - Stopped File
# Shorewall -- /etc/shorewall/stopped
#
# /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#
# See http://shorewall.net/shorewall_extension_scripts.htm for additional
# information.
#
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall -- /etc/shorewall/stoppedrules
#
# For information about entries in this file, type "man shorewall-stoppedrules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT
#
# Shorewall version 4 - Tcclasses File
# Shorewall -- /etc/shorewall/tcclasses
#
# For information about entries in this file, type "man shorewall-tcclasses"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#INTERFACE:CLASS MARK RATE CEIL PRIORITY OPTIONS
#INTERFACE MARK RATE CEIL PRIO OPTIONS
#
# Shorewall version 4 - Tcdevices File
# Shorewall -- /etc/shorewall/tcdevices
#
# For information about entries in this file, type "man shorewall-tcdevices"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
#
###############################################################################
#NUMBER: IN-BANDWITH OUT-BANDWIDTH OPTIONS REDIRECTED
#INTERFACE INTERFACES
#INTERFACE IN_BANDWITH OUT_BANDWIDTH OPTIONS REDIRECT
#
# Shorewall version 4 - Tunnels File
# Shorewall -- /etc/shorewall/tunnels
#
# For information about entries in this file, type "man shorewall-tunnels"
#
......@@ -7,5 +7,4 @@
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
#TYPE ZONE GATEWAY GATEWAY_ZONE
#
# Shorewall version 4 - Zones File
# Shorewall -- /etc/shorewall/zones
#
# For information about this file, type "man shorewall-zones"
#
......@@ -7,6 +7,6 @@
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
Facter.add("shorewall_major_version") do
confine :shorewall_version => /\d/
setcode do
Facter::Util::Resolution.exec('shorewall version').split('.').first || nil
Facter.value(:shorewall_version).split('.').first
end
end
Facter.add("shorewall_version") do
setcode 'shorewall version'
end
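Review bot: `setcode 'shorewall version'` runs a bare command name that Facter resolves via the agent's PATH, under the agent's privileges; if the module cares which binary answers, an absolute path in the string would pin it, and a one-line comment stating the expected output (a dotted version string that `shorewall_major_version` splits on `.`) would make the contract visible. The `confine :shorewall_version => /\d/` on the major-version fact appears to be what keeps `Facter.value(:shorewall_version).split('.').first` from being reached when the version fact is nil (shorewall absent), which is correct, but it is worth saying so in a comment such as `# only resolvable once shorewall_version yields a numeric version` so a later edit does not drop the confine.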
......@@ -29,6 +29,8 @@ class shorewall(
$nat_defaults = {},
$routestopped = {},
$routestopped_defaults = {},
$stoppedrules = {},
$stoppedrules_defaults = {},
$params = {},
$params_defaults = {},
$tcdevices = {},
......@@ -56,37 +58,39 @@ class shorewall(
shorewall::managed_file{
[
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
# See http://www.shorewall.net/manpages/shorewall-zones.html
'zones',
# See http://www.shorewall.net/3.0/Documentation.htm#Interfaces
# See http://www.shorewall.net/manpages/shorewall-interfaces.html
'interfaces',
# See http://www.shorewall.net/3.0/Documentation.htm#Hosts
# See http://www.shorewall.net/manpages/shorewall-hosts.html
'hosts',
# See http://www.shorewall.net/3.0/Documentation.htm#Policy
# See http://www.shorewall.net/manpages/shorewall-policy.html
'policy',
# See http://www.shorewall.net/3.0/Documentation.htm#Rules
# See http://www.shorewall.net/manpages/shorewall-rules.html
'rules',
# See http://www.shorewall.net/3.0/Documentation.htm#Masq
# See http://www.shorewall.net/manpages/shorewall-masq.html
'masq',
# See http://www.shorewall.net/3.0/Documentation.htm#ProxyArp
# See http://www.shorewall.net/manpages/shorewall-proxyarp.html
'proxyarp',
# See http://www.shorewall.net/3.0/Documentation.htm#NAT
# See http://www.shorewall.net/manpages/shorewall-nat.html
'nat',
# See http://www.shorewall.net/3.0/Documentation.htm#Routestopped
# See http://www.shorewall.net/manpages/shorewall-stoppedrules.html
'stoppedrules',
# Deprecated http://www.shorewall.net/4.2/manpages/shorewall-routestopped.html
'routestopped',
# See http://www.shorewall.net/3.0/Documentation.htm#Variables
# See http://www.shorewall.net/manpages/shorewall-params.html
'params',
# See http://www.shorewall.net/3.0/traffic_shaping.htm
# See http://www.shorewall.net/manpages/shorewall-tcdevices.html
'tcdevices',
# See http://www.shorewall.net/3.0/traffic_shaping.htm
# Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle
'tcrules',
# See http://www.shorewall.net/3.0/traffic_shaping.htm
# See http://www.shorewall.net/manpages/shorewall-tcclasses.html
'tcclasses',
# http://www.shorewall.net/manpages/shorewall-providers.html
# See http://www.shorewall.net/manpages/shorewall-providers.html
'providers',
# See http://www.shorewall.net/manpages/shorewall-tunnels.html
'tunnel',
# See http://www.shorewall.net/MultiISP.html
# See http://www.shorewall.net/manpages/shorewall-rtrules.html
'rtrules',
# See http://www.shorewall.net/manpages/shorewall-mangle.html
'mangle',
......@@ -102,6 +106,8 @@ class shorewall(
create_resources('shorewall::masq',$masq,$masq_defaults)
create_resources('shorewall::proxyarp',$proxyarp,$proxyarp_defaults)
create_resources('shorewall::nat',$nat,$nat_defaults)
create_resources('shorewall::stoppedrules',$stoppedrules,
$stoppedrules_defaults)
create_resources('shorewall::routestopped',$routestopped,
$routestopped_defaults)
create_resources('shorewall::params',$params,$params_defaults)
......
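Review bot: The new comment above `'tcrules'` points at `http://www.shorewall.net/4.6/manpages/shorewall-tcrules.htmle` — the trailing `e` in `.htmle` looks like a typo for `.html`, so the deprecation link it replaces the old traffic_shaping reference with is broken. Change it to `# Deprecated http://www.shorewall.net/4.6/manpages/shorewall-tcrules.html`. The `managed_file` list and the rest of `class shorewall` continue outside this section.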
define shorewall::stoppedrules(
$action = 'ACCEPT',
$source = '-',
$destination = '-',
$proto = '-',
$destinationport = '-',
$sourceport = '-',
$order = '100'
){
shorewall::entry{"stoppedrules-${order}-${name}":
line => "${action} ${source} ${destination} ${proto} ${destinationport} ${sourceport}"
}
}
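Review bot: A `shorewall::stoppedrules` resource declared with only its defaults emits the line `ACCEPT - - - - -`, and in the stoppedrules file `-` in SOURCE/DEST is a wildcard, so such an entry would (if I read the Shorewall semantics right) accept all traffic while the firewall is in the stopped state; since this define exists to hold the firewall's fail-safe rules, `$source`/`$destination` without defaults, or at least a documented warning, would be safer than silently wildcarding. The define also has no header comment; a short one above it such as `# Manages one entry in /etc/shorewall/stoppedrules (columns: ACTION SOURCE DEST PROTO DPORT SPORT); see shorewall-stoppedrules(5). Entries are ordered by $order.` would match the column header the commit adds to the stoppedrules template.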