Unverified Commit 74ee1feb authored by Mike Green's avatar Mike Green

* Split tasks for Shorewall(6);

* Converted config to be entirely key-value based;
* Moved (incompatible) package list to vars;
* Default vars autodetect the default interface name;
* Minor cosmetic changes;
parent d5feec14
---
# defaults file for myatu.shorewall
# Defaults file for Myatu.shorewall
shorewall_startup: 1
shorewall6_startup: 1
shorewall_conf: {}
shorewall6_conf: {}
shorewall_verbosity: 1
shorewall6_verbosity: 1
shorewall_package_state: "present"
shorewall6_package_state: "{{ shorewall_package_state }}"
shorewall_log_verbosity: 2
shorewall6_log_verbosity: 2
shorewall_startup: 1
shorewall6_startup: "{{ shorewall_startup }}"
shorewall_interfaces:
- zone: net
interface: eth0
interface: "{{ ansible_default_ipv4.interface|default('eth0') }}"
options: "tcpflags,logmartians,routefilter,sourceroute=0"
shorewall6_interfaces:
- zone: net
interface: eth0
interface: "{{ ansible_default_ipv6.interface|default('eth0') }}"
options: "tcpflags,nosmurfs,sourceroute=0"
shorewall_masq: []
......
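Review bot: `shorewall_conf: {}` and `shorewall6_conf: {}` (L16–L17) are now the user's entry point for the key-value configuration, but nothing in this file says they are merged over `shorewall_conf_base` and rendered verbatim as `KEY=value` lines, so a reader of the defaults cannot tell which keys are valid or how values are emitted. Add a comment above them such as `# Overrides merged onto shorewall_conf_base (presumably in vars/) and written to shorewall.conf as KEY=value; values that need quoting in shorewall.conf (spaces, shell metacharacters) must carry their own quotes`. The IPv4 `options` default on L30 omits `nosmurfs`, which the IPv6 default on L35 includes; if the asymmetry is deliberate a comment should say so, otherwise consider adding it for parity. Which of the two `shorewall_startup: 1` lines (L14, L24) survives cannot be told from the rendered view; if both are on the new side it is a duplicate key that most YAML loaders resolve silently to the last value.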
---
# handlers file for myatu.shorewall
# handlers file for Myatu.shorewall
- name: start shorewall
service: name={{ shorewall_service_name }} state=started
- name: start shorewall6
service: name={{ shorewall6_service_name }} state=started
- name: enabled shorewall
- name: enable shorewall
service: name={{ shorewall_service_name }} enabled=yes
- name: enabled shorewall6
- name: enable shorewall6
service: name={{ shorewall6_service_name }} enabled=yes
- name: restart shorewall
......
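Review bot: The renamed handlers keep the legacy `key=value` argument-string form (`service: name={{ shorewall_service_name }} state=started` on L42, and likewise L44, L47, L50), which Ansible's style guidance deprecates in favour of block YAML and which hides the Jinja expression inside an unquoted string. Prefer `service:` / `  name: "{{ shorewall_service_name }}"` / `  state: started` for each handler, with `enabled: true` rather than `enabled=yes` on L47 and L50. The handler list continues past the hunk, so `restart shorewall` (L51) and any shorewall6 restart handler are not visible here.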
---
# tasks file for myatu.shorewall
- name: add OS specific variables
- name: Add OS specific variables
include_vars: "{{ item }}"
with_first_found:
- "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
......@@ -12,98 +12,13 @@
- configuration
- packages
- name: remove other firewall package
- name: Remove incompatible firewall packages
package:
name: "{{ item }}"
state: absent
with_items:
- shorewall
- iptables-service
with_items: shorewall_incompatible_packages
- name: install shorewall
package:
name: "{{ shorewall_package_name }}"
state: latest
notify:
- enabled shorewall
- start shorewall
tags:
- packages
- name: shorewall configuration files
template:
dest: "/etc/shorewall/{{ item }}"
src: "shorewall/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- shorewall.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
notify:
- restart shorewall
tags:
- configuration
- name: generate Shorewall service conf
template:
dest: /etc/default/shorewall
src: default/shorewall.j2
owner: root
group: root
mode: 0640
notify:
- restart shorewall
tags:
- configuration
- block:
- name: install shorewall6
package:
name: "{{ shorewall6_package_name }}"
state: latest
notify:
- enabled shorewall6
- start shorewall6
tags:
- packages
- name: shorewall configuration files
template:
dest: /etc/default/shorewall6
src: default/shorewall6.j2
owner: root
group: root
mode: 0640
notify:
- restart shorewall6
tags:
- configuration
- include: shorewall.yml
- name: shorewall6 configuration files
template:
dest: "/etc/shorewall6/{{ item }}"
src: "shorewall6/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- shorewall6.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
notify:
- restart shorewall6
tags:
- configuration
- include: shorewall6.yml
when: "'scope' in ansible_default_ipv6 and ansible_default_ipv6.scope == 'global'"
\ No newline at end of file
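Review bot: `Remove incompatible firewall packages` (L64–L71) runs before `include: shorewall.yml` installs and configures Shorewall, and the `restart shorewall` handler that loads the new ruleset only fires at the end of the play, so on a host whose running firewall comes from one of those packages there is a window with no Shorewall ruleset in place — and, if the old package's uninstall scripts stop its service or flush the tables, possibly no ruleset at all; the package list itself now lives in vars outside this diff, so this is inferred. A `meta: flush_handlers` right after the `shorewall.yml` include would at least shorten that window within the play, and the removal order should be checked against what the removed package's uninstall actually does on the target distribution. `with_items: shorewall_incompatible_packages` (L71) is a bare variable, which Ansible deprecates; write `with_items: "{{ shorewall_incompatible_packages }}"`, and likewise for L166 and L211 in the new task files. When the `when:` on L155 skips shorewall6 because no global-scope IPv6 address is present, IPv6 traffic is left unfiltered unless `shorewall_conf_base` (not in this diff) sets `DISABLE_IPV6=Yes`; the removed template default on L332 was `DISABLE_IPV6=No`, so a comment on L154 stating the intended IPv6 behaviour, or setting `DISABLE_IPV6` when shorewall6 is skipped, would make it explicit.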
---
# Shorewall tasks file for Myatu.shorewall
- name: Gather Shorewall configuration variables
set_fact:
shorewall_conf: "{{ shorewall_conf_base|combine(shorewall_conf) }}"
- name: Install Shorewall and dependencies
package:
name: "{{ item }}"
state: "{{ shorewall_package_state }}"
with_items: shorewall_packages
notify:
- enable shorewall
tags:
- packages
- name: Generate Shorewall service conf
template:
dest: /etc/default/shorewall
src: default/shorewall.j2
owner: root
group: root
mode: 0640
notify:
- restart shorewall
tags:
- configuration
- name: Shorewall configuration files
template:
dest: "/etc/shorewall/{{ item }}"
src: "shorewall/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- shorewall.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
notify:
- restart shorewall
tags:
- configuration
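Review bot: Nothing validates the rendered configuration before the `restart shorewall` handler (notified at L179 and L199) applies it at the end of the play, so a typo in `shorewall_conf` or in the interface list is only discovered when the handler fails, after tasks/main.yml has already removed the previous firewall package. Add a task after `Shorewall configuration files`, e.g. `- name: Validate Shorewall configuration` / `  command: shorewall check` / `  changed_when: false`, tagged `configuration`, so the play stops before the handler runs; tasks/shorewall6.yml needs the same with `shorewall6 check`. The package task (L162–L170) now notifies only `enable shorewall`, so on a fresh host the service is started only because the templating tasks change and notify `restart shorewall` — that works, but a comment stating it would save the next reader from looking for a missing `start` notify. The `0640` modes (L177, L188) are unquoted leading-zero integers; Ansible accepts that form, but `mode: "0640"` is the spelling the module docs recommend and avoids the YAML octal ambiguity.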
---
# Shorewall6 tasks file for Myatu.shorewall
- name: Gather Shorewall6 configuration variables
set_fact:
shorewall6_conf: "{{ shorewall6_conf_base|combine(shorewall6_conf) }}"
- name: Install Shorewall6 and dependencies
package:
name: "{{ item }}"
state: "{{ shorewall6_package_state }}"
with_items: shorewall6_packages
notify:
- enable shorewall6
tags:
- packages
- name: Generate Shorewall6 service conf
template:
dest: /etc/default/shorewall6
src: default/shorewall6.j2
owner: root
group: root
mode: 0640
notify:
- restart shorewall6
tags:
- configuration
- name: Shorewall6 configuration files
template:
dest: "/etc/shorewall6/{{ item }}"
src: "shorewall6/{{ item }}.j2"
owner: root
group: root
mode: 0640
with_items:
- shorewall6.conf
- params
- interfaces
- masq
- zones
- policy
- rules
- hosts
notify:
- restart shorewall6
tags:
- configuration
\ No newline at end of file
......@@ -7,266 +7,7 @@
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY={{ shorewall_verbosity }}
###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY={{ shorewall_log_verbosity }}
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
BASIC_FILTERS=No
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CHAIN_SCRIPTS=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IMPLICIT_CONTINUE=No
INLINE_MATCHES=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
LOAD_HELPERS_ONLY=Yes
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REJECT_ACTION=
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
WARNOLDCAPVERSION=Yes
ZONE2ZONE=-
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
\ No newline at end of file
{% for key,value in shorewall_conf.items() %}
{{ key|upper }}={{ value }}
{% endfor %}
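Review bot: The loop on L396–L398 emits `{{ key|upper }}={{ value }}` verbatim, so two properties the hand-written file guaranteed now rest on the caller: values with spaces or shell-special characters (`LOGFORMAT`, `TC_PRIOMAP`, `CONFIG_PATH`, `RCP_COMMAND` on the removed side) are only correct if the variable already contains its quotes, since shorewall.conf is read as shell-style assignments (note the `${CONFDIR}` expansion on the removed L284); and because `combine` (tasks/shorewall.yml L161) merges on the exact key while `|upper` only changes the output, an override given as `log_verbosity` next to a base `LOG_VERBOSITY` yields two `LOG_VERBOSITY=` lines whose winner depends on dict order. Either drop `|upper` and require uppercase keys in both dicts, or normalise key case before merging, and add a comment above the loop such as `{# keys are merged case-sensitively with shorewall_conf_base; use the same case, and quote values that need quoting in shorewall.conf #}`. The same loop presumably replaces the body of shorewall6.conf.j2, whose hunk is cut off in this diff.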
......@@ -8,242 +8,7 @@
# Manpage also online at
# http://www.shorewall.net/manpages6/shorewall6.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY={{ shorewall6_verbosity }}
###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY={{ shorewall6_log_verbosity }}
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGLIMIT=
LOGTAGONLY=No
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info
UNTRACKED_LOG_LEVEL=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'