* Split tasks for Shorewall(6);

* Converted config to be entirely key-value based; * Moved (incompatible) package list to vars; * Default vars autodetect def interface name; * Minor cosmetic changes;

* Split tasks for Shorewall(6);
* Converted config to be entirely key-value based; * Moved (incompatible) package list to vars; * Default vars autodetect def interface name; * Minor cosmetic changes;
74ee1feb · Mike Green · d5feec14 · 74ee1feb · 74ee1feb · 74ee1feb
Unverified Commit 74ee1feb authored Feb 11, 2017 by Mike Green
--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
-# defaults file for myatu.shorewall
+# Defaults file for Myatu.shorewall

-shorewall_startup: 1
-shorewall6_startup: 1
+shorewall_conf: {}
+shorewall6_conf: {}

-shorewall_verbosity: 1
-shorewall6_verbosity: 1
+shorewall_package_state: "present"
+shorewall6_package_state: "{{ shorewall_package_state }}"

-shorewall_log_verbosity: 2
-shorewall6_log_verbosity: 2
+shorewall_startup: 1
+shorewall6_startup: "{{ shorewall_startup }}"

 shorewall_interfaces:
  - zone: net
-    interface: eth0
+    interface: "{{ ansible_default_ipv4.interface|default('eth0') }}"
    options: "tcpflags,logmartians,routefilter,sourceroute=0"

 shorewall6_interfaces:
  - zone: net
-    interface: eth0
+    interface: "{{ ansible_default_ipv6.interface|default('eth0') }}"
    options: "tcpflags,nosmurfs,sourceroute=0"

 shorewall_masq: []

--- a/handlers/main.yml
+++ b/handlers/main.yml
 ---
-# handlers file for myatu.shorewall
+# handlers file for Myatu.shorewall

- name: start shorewall
-  service: name={{ shorewall_service_name }} state=started
-
- name: start shorewall6 
-  service: name={{ shorewall6_service_name }} state=started
-
- name: enabled shorewall
+- name: enable shorewall
  service: name={{ shorewall_service_name }} enabled=yes

- name: enabled shorewall6 
+- name: enable shorewall6 
  service: name={{ shorewall6_service_name }} enabled=yes

 - name: restart shorewall

--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
 # tasks file for myatu.shorewall

- name: add OS specific variables
+- name: Add OS specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
@@ -12,98 +12,13 @@
    - configuration
    - packages

- name: remove other firewall package
+- name: Remove incompatible firewall packages
  package:
    name: "{{ item }}"
    state: absent
-  with_items:
-    - shorewall
-    - iptables-service
+  with_items: shorewall_incompatible_packages

- name: install shorewall
-  package:
-    name: "{{ shorewall_package_name }}"
-    state: latest
-  notify: 
-    - enabled shorewall
-    - start shorewall
-  tags:
-    - packages
-
- name: shorewall configuration files
-  template:
-    dest: "/etc/shorewall/{{ item }}"
-    src: "shorewall/{{ item }}.j2"
-    owner: root
-    group: root
-    mode: 0640
-  with_items:
-    - shorewall.conf
-    - params
-    - interfaces
-    - masq
-    - zones
-    - policy
-    - rules
-    - hosts
-  notify:
-    - restart shorewall
-  tags:
-    - configuration
-
- name: generate Shorewall service conf
-  template:
-    dest: /etc/default/shorewall
-    src: default/shorewall.j2
-    owner: root
-    group: root
-    mode: 0640
-  notify: 
-    - restart shorewall
-  tags:
-    - configuration
-
- block:
-  - name: install shorewall6
-    package:
-      name: "{{ shorewall6_package_name }}"
-      state: latest
-    notify: 
-      - enabled shorewall6
-      - start shorewall6
-    tags:
-      - packages
-
-  - name: shorewall configuration files
-    template:
-      dest: /etc/default/shorewall6
-      src: default/shorewall6.j2
-      owner: root
-      group: root
-      mode: 0640
-    notify:
-      - restart shorewall6
-    tags:
-      - configuration
+- include: shorewall.yml

-  - name: shorewall6 configuration files
-    template:
-      dest: "/etc/shorewall6/{{ item }}"
-      src: "shorewall6/{{ item }}.j2"
-      owner: root
-      group: root
-      mode: 0640
-    with_items:
-      - shorewall6.conf
-      - params
-      - interfaces
-      - masq
-      - zones
-      - policy
-      - rules
-      - hosts
-    notify:
-      - restart shorewall6
-    tags:
-      - configuration
+- include: shorewall6.yml
  when: "'scope' in ansible_default_ipv6 and ansible_default_ipv6.scope == 'global'"
\ No newline at end of file
--- a/tasks/shorewall.yml
+++ b/tasks/shorewall.yml
+---
+# Shorewall tasks file for Myatu.shorewall
+
+- name: Gather Shorewall configuration variables
+  set_fact:
+    shorewall_conf: "{{ shorewall_conf_base|combine(shorewall_conf) }}"
+
+- name: Install Shorewall and dependencies
+  package:
+    name: "{{ item }}"
+    state: "{{ shorewall_package_state }}"
+  with_items: shorewall_packages
+  notify: 
+    - enable shorewall
+  tags:
+    - packages
+
+- name: Generate Shorewall service conf
+  template:
+    dest: /etc/default/shorewall
+    src: default/shorewall.j2
+    owner: root
+    group: root
+    mode: 0640
+  notify: 
+    - restart shorewall
+  tags:
+    - configuration
+
+- name: Shorewall configuration files
+  template:
+    dest: "/etc/shorewall/{{ item }}"
+    src: "shorewall/{{ item }}.j2"
+    owner: root
+    group: root
+    mode: 0640
+  with_items:
+    - shorewall.conf
+    - params
+    - interfaces
+    - masq
+    - zones
+    - policy
+    - rules
+    - hosts
+  notify:
+    - restart shorewall
+  tags:
+    - configuration
+
--- a/tasks/shorewall6.yml
+++ b/tasks/shorewall6.yml
+---
+# Shorewall6 tasks file for Myatu.shorewall
+
+- name: Gather Shorewall6 configuration variables
+  set_fact:
+    shorewall6_conf: "{{ shorewall6_conf_base|combine(shorewall6_conf) }}"
+
+- name: Install Shorewall6 and dependencies
+  package:
+    name: "{{ item }}"    
+    state: "{{ shorewall6_package_state }}"
+  with_items: shorewall6_packages    
+  notify: 
+    - enable shorewall6
+  tags:
+    - packages
+
+- name: Generate Shorewall6 service conf
+  template:
+    dest: /etc/default/shorewall6
+    src: default/shorewall6.j2
+    owner: root
+    group: root
+    mode: 0640
+  notify:
+    - restart shorewall6
+  tags:
+    - configuration
+
+- name: Shorewall6 configuration files
+  template:
+    dest: "/etc/shorewall6/{{ item }}"
+    src: "shorewall6/{{ item }}.j2"
+    owner: root
+    group: root
+    mode: 0640
+  with_items:
+    - shorewall6.conf
+    - params
+    - interfaces
+    - masq
+    - zones
+    - policy
+    - rules
+    - hosts
+  notify:
+    - restart shorewall6
+  tags:
+    - configuration
\ No newline at end of file
--- a/templates/shorewall/shorewall.conf.j2
+++ b/templates/shorewall/shorewall.conf.j2
@@ -7,266 +7,7 @@
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#			     V E R B O S I T Y
-###############################################################################
-
-VERBOSITY={{ shorewall_verbosity }}
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-BLACKLIST_LOG_LEVEL=
-
-INVALID_LOG_LEVEL=
-
-LOG_BACKEND=
-
-LOG_MARTIANS=Yes
-
-LOG_VERBOSITY={{ shorewall_log_verbosity }}
-
-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-MACLIST_LOG_LEVEL=info
-
-RELATED_LOG_LEVEL=
-
-RPFILTER_LOG_LEVEL=info
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
-
-UNTRACKED_LOG_LEVEL=
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-ARPTABLES=
-
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
-
-GEOIPDIR=/usr/share/xt_geoip/LE
-
-IPTABLES=
-
-IP=
-
-IPSET=
-
-LOCKFILE=
-
-MODULESDIR=
-
-NFACCT=
-
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
-
-PERL=/usr/bin/perl
-
-RESTOREFILE=restore
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=""
-
-TC=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
-
-###############################################################################
-#			 R S H / R C P	C O M M A N D S
-###############################################################################
-
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADD_IP_ALIASES=No
-
-ADD_SNAT_ALIASES=No
-
-ADMINISABSENTMINDED=Yes
-
-BASIC_FILTERS=No
-
-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
-
-AUTOMAKE=No
-
-BLACKLIST="NEW,INVALID,UNTRACKED"
-
-CHAIN_SCRIPTS=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DEFER_DNS_RESOLUTION=Yes
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DISABLE_IPV6=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-HELPERS=
-
-IMPLICIT_CONTINUE=No
-
-INLINE_MATCHES=Yes
-
-IPSET_WARNINGS=Yes
-
-IP_FORWARDING=Keep
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=0
-
-OPTIMIZE_ACCOUNTING=No
-
-REJECT_ACTION=
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-RESTORE_ROUTEMARKS=Yes
-
-RETAIN_ALIASES=No
-
-ROUTE_FILTER=Yes
-
-SAVE_ARPTABLES=No
-
-SAVE_IPSETS=No
-
-TC_ENABLED=Internal
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-TRACK_PROVIDERS=No
-
-TRACK_RULES=No
-
-USE_DEFAULT_RT=Yes
-
-USE_PHYSICAL_NAMES=No
-
-USE_RT_NAMES=No
-
-WARNOLDCAPVERSION=Yes
-
-ZONE2ZONE=-
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-INVALID_DISPOSITION=CONTINUE
-
-MACLIST_DISPOSITION=REJECT
-
-RELATED_DISPOSITION=ACCEPT
-
-RPFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-UNTRACKED_DISPOSITION=CONTINUE
-
-################################################################################
-#			P A C K E T  M A R K  L A Y O U T
-################################################################################
-
-TC_BITS=
-
-PROVIDER_BITS=
-
-PROVIDER_OFFSET=
-
-MASK_BITS=

-ZONE_BITS=0
\ No newline at end of file
+{% for key,value in shorewall_conf.items() %}
+{{ key|upper }}={{ value }}
+{% endfor %}
--- a/templates/shorewall6/shorewall6.conf.j2
+++ b/templates/shorewall6/shorewall6.conf.j2
@@ -8,242 +8,7 @@
 #  Manpage also online at
 #  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#			     V E R B O S I T Y
-###############################################################################
-
-VERBOSITY={{ shorewall6_verbosity }}
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-BLACKLIST_LOG_LEVEL=
-
-INVALID_LOG_LEVEL=
-
-LOG_BACKEND=
-
-LOG_VERBOSITY={{ shorewall6_log_verbosity }}
-
-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-RELATED_LOG_LEVEL=
-
-RPFILTER_LOG_LEVEL=info
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-STARTUP_LOG=/var/log/shorewall6-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
-
-UNTRACKED_LOG_LEVEL=
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
-
-GEOIPDIR=/usr/share/xt_geoip/LE
-
-IP6TABLES=
-
-IP=
-
-IPSET=
-
-LOCKFILE=
-
-MODULESDIR=
-
-NFACCT=
-
-PERL=/usr/bin/perl
-
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
-
-RESTOREFILE=restore
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=""
-
-TC=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
-
-###############################################################################
-#			 R S H / R C P	C O M M A N D S
-###############################################################################
-
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################