class ferm {
- define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00") {
+ define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00", $notarule=false) {
file {
"/etc/ferm/dsa.d/${prio}_${name}":
ensure => present,
domain <%= domain %> {
table <%= table %> {
chain <%= chain %> {
- <%= rule %>;
+ <%= rule %><% unless notarule -%>;<% end -%>
}
}
}
}
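Review bot: The new `$notarule` parameter on the define at line 3 is undocumented and its name does not say what it controls; from the template at line 11 it only decides whether a terminating `;` is emitted after `<%= rule %>`, which the call sites need because their `@subchain 'x' { ... }` rules are block rules that already end in `}`. A comment on the define would make that intent explicit: `# notarule: set to true when $rule is a block (e.g. "@subchain '...' { ... }") so no trailing ';' is appended`. The template test `<% unless notarule -%>` is a Ruby truth test, so if a caller ever passes the value as a string (`notarule => "false"`) it would presumably be truthy and drop the semicolon just like `true` — if the Puppet version in use can hand the template a string here, a stricter comparison such as `<% unless notarule == true -%>` (or validating the parameter in the define) avoids silently producing a malformed ferm file. Note also that `<% end -%>` trims the newline after the rule, so the closing `}` on line 12 lands on the same line as the rule; harmless for ferm but worth knowing when reading the generated file. The same `notarule => true` call-site change repeats in the munin and nagios hunks below and needs no separate comment.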
@ferm::rule { "dsa-munin-v4":
description => "Allow munin from munin master",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",
+ notarule => true,
}
@ferm::rule { "dsa-munin-v6":
description => "Allow munin from munin master",
domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }",
+ notarule => true,
}
}
}
@ferm::rule { "dsa-nagios-v4":
description => "Allow nrpe from nagios master",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }",
+ notarule => true,
}
@ferm::rule { "dsa-nagios-v6":
description => "Allow nrpe from nagios master",
domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }",
+ notarule => true,
}
}
# vim:set et: