From: Peter Palfrader
Date: Thu, 9 Sep 2010 12:35:11 +0000 (+0200)
Subject: ferm now officially sucks
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=ed9c052bcce0377d8c9f1f7de79fe3114c8f8bf8;p=mirror%2Fdsa-puppet.git
ferm now officially sucks
---
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 9eec4b8ee..95da151e6 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -1,5 +1,5 @@
 class ferm {
- define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00") {
+ define rule($domain="ip", $table="filter", $chain="INPUT", $rule, $description="", $prio="00", $notarule=false) {
 file { "/etc/ferm/dsa.d/${prio}_${name}":
 ensure => present,
diff --git a/modules/ferm/templates/ferm-rule.erb b/modules/ferm/templates/ferm-rule.erb
index ed27c423e..afb697341 100644
--- a/modules/ferm/templates/ferm-rule.erb
+++ b/modules/ferm/templates/ferm-rule.erb
@@ -6,7 +6,7 @@
 domain <%= domain %> {
 table <%= table %> {
 chain <%= chain %> {
- <%= rule %>;
+ <%= rule %><% unless notarule -%>;<% end -%>
 }
 }
 }
diff --git a/modules/munin-node/manifests/init.pp b/modules/munin-node/manifests/init.pp
index cde57774f..ab177817e 100644
--- a/modules/munin-node/manifests/init.pp
+++ b/modules/munin-node/manifests/init.pp
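Review bot: The new `$notarule` parameter on `define rule` carries no comment, and its name does not tell a caller that it only suppresses the trailing `;` the template appends after `$rule`; a caller who sets it on an ordinary ferm rule presumably ends up with a fragment in `/etc/ferm/dsa.d/` that ferm rejects when it loads. Suggest a comment above the define: `# notarule: set to true when $rule is already a complete ferm statement (e.g. an @subchain block ending in '}'), so no trailing ';' is appended`. The body of the define continues past the end of the hunk.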
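Review bot: The `-%>` on `<% end -%>` also trims the newline that ends this template line (assuming Puppet compiles the template with ERB trim mode `-`, as its template() does), so the closing `}` of the chain block on the following line is emitted on the same line as the rule; ferm presumably tolerates that, but the generated files become harder to read and diff. Writing `<%= rule %><% unless notarule %>;<% end %>` keeps one statement per line with the same semantics. Separately, the `unless` relies on `notarule` reaching the template as a Ruby false; worth confirming on the Puppet version in use that the `$notarule=false` default is not handed over as the string `"false"`, which Ruby treats as true and would silently drop every semicolon.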
@@ -82,12 +82,14 @@ class munin-node {
 }
 @ferm::rule { "dsa-munin-v4":
 description => "Allow munin from munin master",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V4 \$HOST_NAGIOS_V4) ACCEPT; }",
+ notarule => true,
 }
 @ferm::rule { "dsa-munin-v6":
 description => "Allow munin from munin master",
 domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (munin) @subchain 'munin' { saddr (\$HOST_MUNIN_V6 \$HOST_NAGIOS_V6) ACCEPT; }",
+ notarule => true,
 }
 }
diff --git a/modules/nagios/manifests/client.pp b/modules/nagios/manifests/client.pp
index 7393260ea..44a6f3254 100644
--- a/modules/nagios/manifests/client.pp
+++ b/modules/nagios/manifests/client.pp
@@ -47,12 +47,14 @@ class nagios::client inherits nagios {
 }
 @ferm::rule { "dsa-nagios-v4":
 description => "Allow nrpe from nagios master",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V4) ACCEPT; }",
+ notarule => true,
 }
 @ferm::rule { "dsa-nagios-v6":
 description => "Allow nrpe from nagios master",
 domain => "ip6",
- rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }"
+ rule => "proto tcp mod state state (NEW) dport (5666) @subchain 'nagios' { saddr (\$HOST_NAGIOS_V6) ACCEPT; }",
+ notarule => true,
 }
 }
 # vim:set et:
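Review bot: Each `notarule => true` in the munin-node hunk depends on the rule string itself closing the ferm statement (`... ACCEPT; }`), and nothing at the call site records that coupling; a later edit that trims the `}` or copies the flag onto a plain rule would presumably surface only when ferm loads the generated fragment on the host, not at catalog compile time. A one-line comment above each resource, e.g. `# rule is a complete @subchain block, so ferm::rule must not append ';'`, makes the reason for the flag visible where it is set. The nagios::client hunk adds the flag to dsa-nagios-v4 and dsa-nagios-v6 with the identical pattern and would benefit from the same comment. Both enclosing classes begin outside their hunks.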