diff --git a/firewall/manifests/init.pp b/firewall/manifests/init.pp
index 367e1f1..0f0ed9d 100644
--- a/firewall/manifests/init.pp
+++ b/firewall/manifests/init.pp
@@ -77,25 +77,55 @@ class firewall::custom {
 #
 class firewall::common::iptables {
+ case $::operatingsystem {
+ "centos","fedora","redhat": {
+ $iptables = "/etc/sysconfig/iptables"
+ $ip6tables = "/etc/sysconfig/ip6tables"
+ }
+ "ubuntu": {
+ if versioncmp($::operatingsystemrelease, "11.10") < 0 {
+ $iptables = "/etc/iptables/rules"
+ } else {
+ $iptables = "/etc/iptables/rules.v4"
+ }
+ if versioncmp($::operatingsystemrelease, "11.04") < 0 {
+ $ip6tables = undef
+ } else {
+ $ip6tables = "/etc/iptables/rules.v6"
+ }
+ # kludge for missing directory in Ubuntu 11.04 Natty
+ if $::operatingsystemrelease == "11.04" {
+ file { "/etc/iptables":
+ ensure => directory,
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ before => File[$iptables],
+ }
+ }
+ }
+ "debian": {
+ $iptables = "/etc/iptables/rules"
+ $ip6tables = undef
+ }
+ }
+ $ip6states = versioncmp($::kernelversion, "2.6.20")
 package { "iptables":
+ ensure => installed,
 name => $::operatingsystem ? {
- centos => [ "iptables", "iptables-ipv6" ],
- redhat => [ "iptables", "iptables-ipv6" ],
- debian => [ "iptables", "iptables-persistent" ],
- fedora => $::operatingsystemrelease ? {
+ "centos" => [ "iptables", "iptables-ipv6" ],
+ "redhat" => [ "iptables", "iptables-ipv6" ],
+ "debian" => [ "iptables", "iptables-persistent" ],
+ "fedora" => $::operatingsystemrelease ? {
 /^1[0-5]/ => [ "iptables", "iptables-ipv6" ],
 default => "iptables",
 },
- ubuntu => [ "iptables", "iptables-persistent" ],
+ "ubuntu" => [ "iptables", "iptables-persistent" ],
 },
 }
- file { "/etc/sysconfig/iptables":
- name => $::operatingsystem ? {
- debian => "/etc/iptables/rules",
- ubuntu => "/etc/iptables/rules",
- default => "/etc/sysconfig/iptables",
- },
+ file { $iptables:
 ensure => present,
 mode => "0600",
 owner => "root",
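Review bot: The new `case $::operatingsystem` has no `default` branch, so on any other operating system `$iptables` stays unset and the `file { $iptables:` resource at the end of the hunk (its body continues past the hunk) is declared with an empty title, which fails catalog compilation with an error that does not say why. Add `default: { fail("firewall::common::iptables: unsupported operatingsystem ${::operatingsystem}") }` to the case so the unsupported platform is reported explicitly instead of surfacing as a bad resource title. The two Ubuntu `versioncmp` thresholds (11.04 for the IPv6 rules file, 11.10 for `rules.v4`) also deserve a one-line comment naming the packaging change they track, since nothing in the manifest explains where those release numbers come from.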
@@ -103,26 +133,47 @@ class firewall::common::iptables {
 require => Package["iptables"],
 notify => Service["iptables"],
 }
+ service { "iptables":
+ ensure => running,
+ name => $::operatingsystem ? {
+ "debian" => "iptables-persistent",
+ "ubuntu" => "iptables-persistent",
+ default => "iptables",
+ },
+ alias => $::operatingsystem ? {
+ "ubuntu" => "ip6tables",
+ default => undef,
+ },
+ enable => true,
+ status => "iptables -t filter --list --line-numbers | egrep '^1'",
+ require => Package["iptables"],
+ }
- case $::operatingsystem {
- "centos","redhat","fedora": {
- $ip6states = versioncmp($kernelversion, "2.6.20")
- file { "/etc/sysconfig/ip6tables":
- ensure => present,
- mode => "0600",
- owner => "root",
- group => "root",
- require => Package["iptables"],
- notify => Service["ip6tables"],
+ if $ip6tables {
+ file { $ip6tables:
+ ensure => present,
+ mode => "0600",
+ owner => "root",
+ group => "root",
+ require => Package["iptables"],
+ notify => Service["ip6tables"],
+ }
+ case $::operatingsystem {
+ "centos","fedora","redhat": {
+ service { "ip6tables":
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => Package["iptables"],
+ }
 }
- service { "ip6tables":
- ensure => running,
- enable => true,
- hasstatus => true,
- hasrestart => true,
- require => Package["iptables"],
- }
- if $firewall_modules {
+ }
+ }
+
+ if $firewall_modules {
+ case $::operatingsystem {
+ "centos","fedora","redhat": {
 $firewall_modules_str = inline_template('<%= @firewall_modules.join(" ") -%>')
 augeas { "iptables-config":
 context => "/files/etc/sysconfig/iptables-config",
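Review bot: The `status` command on the new `service { "iptables": ... }` runs `iptables -t filter --list` without `-n`, so every agent run performs a reverse DNS lookup for each address in the ruleset; when DNS is slow or unreachable the status check stalls, and a timeout is read as "stopped", which triggers a start of the firewall service for reasons unrelated to the firewall. Change it to `status => "iptables -n -t filter --list --line-numbers | egrep '^1'",`. The check also treats a host whose filter chains are legitimately empty as stopped on every run; that assumption should be stated next to the resource, e.g. `# status: the firewall counts as running only if the filter table holds at least one rule`. Note that the `hasrestart` setting the old resource carried for the RHEL family is dropped here without explanation; if that is intentional, the commit message or a comment should say so.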
@@ -133,25 +184,6 @@ class firewall::common::iptables {
 }
 }
- service { "iptables":
- name => $::operatingsystem ? {
- debian => "iptables-persistent",
- ubuntu => "iptables-persistent",
- default => "iptables",
- },
- ensure => running,
- enable => true,
- hasrestart => $::operatingsystem ? {
- centos => true,
- redhat => true,
- debian => false,
- fedora => true,
- ubuntu => false,
- },
- status => "iptables -t filter --list --line-numbers | egrep '^1'",
- require => Package["iptables"],
- }
- }
@@ -159,15 +191,13 @@ class firewall::common::iptables {
 #
 class firewall::iptables inherits firewall::common::iptables {
- File["/etc/sysconfig/iptables"] {
+ File[$firewall::common::iptables::iptables] {
 content => template("firewall/iptables.erb"),
 }
- case $::operatingsystem {
- "centos","redhat","fedora": {
- File["/etc/sysconfig/ip6tables"] {
- content => template("firewall/ip6tables.erb"),
- }
+ if $firewall::common::iptables::ip6tables {
+ File[$firewall::common::iptables::ip6tables] {
+ content => template("firewall/ip6tables.erb"),
 }
 }
@@ -179,7 +209,7 @@ class firewall::iptables inherits firewall::common::iptables {
 class firewall::custom::iptables inherits firewall::common::iptables {
 File["/etc/sysconfig/iptables"] {
- source => [ "puppet:///files/firewall/iptables.${fqdn}",
+ source => [ "puppet:///files/firewall/iptables.${::homename}",
 "puppet:///files/firewall/iptables",
 ],
 }
@@ -222,7 +252,7 @@ class firewall::pf inherits firewall::common::pf {
 class firewall::custom::pf inherits firewall::common::pf {
 File["/etc/pf.conf"] {
- source => [ "puppet:///files/firewall/pf.conf.${fqdn}",
+ source => [ "puppet:///files/firewall/pf.conf.${::homename}",
 "puppet:///files/firewall/pf.conf",
 ],
 }
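Review bot: `firewall::custom::iptables` still overrides `File["/etc/sysconfig/iptables"]`, but the parent class now titles that resource `$iptables`, which on Debian and Ubuntu is `/etc/iptables/rules` or `rules.v4`, so on those platforms the override names a resource that is not in the catalog and compilation fails; `firewall::iptables` in the hunk above was switched to `File[$firewall::common::iptables::iptables] {` and this class needs the same line. The class body continues past the hunk, and nothing here provides a custom `$ip6tables` file the way `firewall::iptables` now does, which may be intentional but is worth a comment. The switch from `${fqdn}` to `${::homename}` here and in the `pf.conf` hunk below presumes a site-defined `homename` fact; on a node where that fact is absent the first source becomes `iptables.` and the lookup silently falls through to the shared file, so the fact should be documented as required, e.g. `# ${::homename} is a site fact; the per-host file is skipped when it is unset`.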