Found a couple of issues that I fixed as I was reviewing and pushed directly as they were relatively minor/straightforward changes (and we are right up against time).
Feel free to provide further patches if that seems correct.
Thanks, Mike
On 04/01/2011 11:28 AM, Mohammed Morsi wrote:
recipes/aeolus_recipe/manifests/aeolus.pp | 2 - recipes/aeolus_recipe/manifests/conductor.pp | 5 - recipes/firewall/README | 1 - .../firewall/files/chain_rules/filter/FORWARD.head | 1 - .../firewall/files/chain_rules/filter/FORWARD.tail | 1 - .../firewall/files/chain_rules/filter/INPUT.head | 9 - .../firewall/files/chain_rules/filter/INPUT.tail | 5 - .../firewall/files/chain_rules/filter/OUTPUT.head | 1 - .../firewall/files/chain_rules/filter/OUTPUT.tail | 1 - .../firewall/files/chain_rules/mangle/FORWARD.head | 1 - .../firewall/files/chain_rules/mangle/FORWARD.tail | 1 - .../firewall/files/chain_rules/mangle/INPUT.head | 1 - .../firewall/files/chain_rules/mangle/INPUT.tail | 1 - .../files/chain_rules/mangle/POSTROUTING.head | 1 - .../files/chain_rules/mangle/POSTROUTING.tail | 1 - recipes/firewall/files/chain_rules/nat/OUTPUT.head | 1 - recipes/firewall/files/chain_rules/nat/OUTPUT.tail | 1 - .../files/chain_rules/nat/POSTROUTING.head | 1 - .../files/chain_rules/nat/POSTROUTING.tail | 1 - .../firewall/files/chain_rules/nat/PREROUTING.head | 1 - .../firewall/files/chain_rules/nat/PREROUTING.tail | 1 - recipes/firewall/files/chain_rules/raw/OUTPUT.head | 1 - recipes/firewall/files/chain_rules/raw/OUTPUT.tail | 1 - .../firewall/files/chain_rules/raw/PREROUTING.head | 1 - .../firewall/files/chain_rules/raw/PREROUTING.tail | 1 - recipes/firewall/files/iptables-update.sh | 199 -------------------- recipes/firewall/manifests/defines.pp | 77 -------- recipes/firewall/manifests/init.pp | 102 ---------- recipes/firewall/templates/rule.erb | 70 ------- 29 files changed, 0 insertions(+), 490 deletions(-) delete mode 100644 recipes/firewall/README delete mode 100644 recipes/firewall/files/chain_rules/filter/FORWARD.head delete mode 100644 recipes/firewall/files/chain_rules/filter/FORWARD.tail delete mode 100644 recipes/firewall/files/chain_rules/filter/INPUT.head delete mode 100644 recipes/firewall/files/chain_rules/filter/INPUT.tail delete mode 100644 
recipes/firewall/files/chain_rules/filter/OUTPUT.head delete mode 100644 recipes/firewall/files/chain_rules/filter/OUTPUT.tail delete mode 100644 recipes/firewall/files/chain_rules/mangle/FORWARD.head delete mode 100644 recipes/firewall/files/chain_rules/mangle/FORWARD.tail delete mode 100644 recipes/firewall/files/chain_rules/mangle/INPUT.head delete mode 100644 recipes/firewall/files/chain_rules/mangle/INPUT.tail delete mode 100644 recipes/firewall/files/chain_rules/mangle/POSTROUTING.head delete mode 100644 recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail delete mode 100644 recipes/firewall/files/chain_rules/nat/OUTPUT.head delete mode 100644 recipes/firewall/files/chain_rules/nat/OUTPUT.tail delete mode 100644 recipes/firewall/files/chain_rules/nat/POSTROUTING.head delete mode 100644 recipes/firewall/files/chain_rules/nat/POSTROUTING.tail delete mode 100644 recipes/firewall/files/chain_rules/nat/PREROUTING.head delete mode 100644 recipes/firewall/files/chain_rules/nat/PREROUTING.tail delete mode 100644 recipes/firewall/files/chain_rules/raw/OUTPUT.head delete mode 100644 recipes/firewall/files/chain_rules/raw/OUTPUT.tail delete mode 100644 recipes/firewall/files/chain_rules/raw/PREROUTING.head delete mode 100644 recipes/firewall/files/chain_rules/raw/PREROUTING.tail delete mode 100644 recipes/firewall/files/iptables-update.sh delete mode 100644 recipes/firewall/manifests/defines.pp delete mode 100644 recipes/firewall/manifests/init.pp delete mode 100644 recipes/firewall/templates/rule.erb
diff --git a/recipes/aeolus_recipe/manifests/aeolus.pp b/recipes/aeolus_recipe/manifests/aeolus.pp index a7496db..fec4265 100644 --- a/recipes/aeolus_recipe/manifests/aeolus.pp +++ b/recipes/aeolus_recipe/manifests/aeolus.pp @@ -1,7 +1,5 @@ # Aeolus puppet definitions
-import "firewall"
- import "postgres" import "apache" import "rails"
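Review bot: dropping `import "firewall"` here only compiles cleanly if nothing else in the tree still declares `firewall::rule` or references `Service["firewall"]`; conductor.pp is updated in this same patch, but a quick grep of the other recipes for `firewall::` before merging would confirm there are no remaining users, since Puppet fails at catalog compile time rather than at apply time when a define is missing.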
diff --git a/recipes/aeolus_recipe/manifests/conductor.pp b/recipes/aeolus_recipe/manifests/conductor.pp index 1d43ce8..cd2934a 100644 --- a/recipes/aeolus_recipe/manifests/conductor.pp +++ b/recipes/aeolus_recipe/manifests/conductor.pp @@ -20,11 +20,6 @@ class aeolus::conductor inherits aeolus { ### Setup selinux for deltacloud selinux::mode{"permissive":}
- ### Setup firewall for deltacloud
- firewall::rule{"http": destination_port => '80' }
- firewall::rule{"https": destination_port => '443'}
- firewall::rule{"ssh": destination_port => '22'}
- ### Start the aeolus services file {"/var/lib/condor/condor_config.local": source => "puppet:///modules/aeolus_recipe/condor_config.local",
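Review bot: the three `firewall::rule` resources removed here were the only declarations opening ports 80, 443 and 22 in the INPUT chain, and the module deleted elsewhere in this patch ended INPUT with a rate-limited LOG followed by `-j REJECT` (see the INPUT.tail hunk). After this change the conductor host has no Puppet-managed firewall at all, so its exposure depends entirely on the distribution's default iptables rules: either 80/443 end up blocked, or, if no default ruleset is present, every listening service on the host (postgres, condor) becomes reachable. The commit message should state what now manages the host firewall, or this hunk should carry equivalent rules for whatever module takes over.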
diff --git a/recipes/firewall/README b/recipes/firewall/README deleted file mode 100644 index 5fb3acc..0000000 --- a/recipes/firewall/README +++ /dev/null @@ -1 +0,0 @@ -Module documentation for firewall diff --git a/recipes/firewall/files/chain_rules/filter/FORWARD.head b/recipes/firewall/files/chain_rules/filter/FORWARD.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/filter/FORWARD.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/filter/FORWARD.tail b/recipes/firewall/files/chain_rules/filter/FORWARD.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/filter/FORWARD.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.head b/recipes/firewall/files/chain_rules/filter/INPUT.head deleted file mode 100644 index ca7bbed..0000000 --- a/recipes/firewall/files/chain_rules/filter/INPUT.head +++ /dev/null @@ -1,9 +0,0 @@ -# INPUT.head --P INPUT ACCEPT -#-i lo -m comment --comment "localhost access" -j ACCEPT --i lo -j ACCEPT -#-m state --state RELATED,ESTABLISHED -m comment --comment "All established/related" -j ACCEPT --m state --state RELATED,ESTABLISHED -j ACCEPT -# -p icmp -m comment --comment "allow icmp/ping traffic" -j ACCEPT --p icmp -j ACCEPT
diff --git a/recipes/firewall/files/chain_rules/filter/INPUT.tail b/recipes/firewall/files/chain_rules/filter/INPUT.tail deleted file mode 100644 index 1c983ec..0000000 --- a/recipes/firewall/files/chain_rules/filter/INPUT.tail +++ /dev/null @@ -1,5 +0,0 @@ -# INPUT.tail -# -m comment --comment "Logging" -m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : " --m limit --limit 3/minute -j LOG --log-prefix "[IPTABLES] INPUT : "
--j REJECT diff --git a/recipes/firewall/files/chain_rules/filter/OUTPUT.head b/recipes/firewall/files/chain_rules/filter/OUTPUT.head deleted file mode 100644 index 4c40843..0000000 --- a/recipes/firewall/files/chain_rules/filter/OUTPUT.head +++ /dev/null @@ -1 +0,0 @@ -# OUTPUT.head diff --git a/recipes/firewall/files/chain_rules/filter/OUTPUT.tail b/recipes/firewall/files/chain_rules/filter/OUTPUT.tail deleted file mode 100644 index 9effd41..0000000 --- a/recipes/firewall/files/chain_rules/filter/OUTPUT.tail +++ /dev/null @@ -1 +0,0 @@ -# OUTPUT.tail diff --git a/recipes/firewall/files/chain_rules/mangle/FORWARD.head b/recipes/firewall/files/chain_rules/mangle/FORWARD.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/mangle/FORWARD.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/mangle/FORWARD.tail b/recipes/firewall/files/chain_rules/mangle/FORWARD.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/mangle/FORWARD.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/mangle/INPUT.head b/recipes/firewall/files/chain_rules/mangle/INPUT.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/mangle/INPUT.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/mangle/INPUT.tail b/recipes/firewall/files/chain_rules/mangle/INPUT.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/mangle/INPUT.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.head b/recipes/firewall/files/chain_rules/mangle/POSTROUTING.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.head +++ /dev/null @@ -1 +0,0 @@ -# empty 
diff --git a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail b/recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/mangle/POSTROUTING.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/nat/OUTPUT.head b/recipes/firewall/files/chain_rules/nat/OUTPUT.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/nat/OUTPUT.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/nat/OUTPUT.tail b/recipes/firewall/files/chain_rules/nat/OUTPUT.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/nat/OUTPUT.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/nat/POSTROUTING.head b/recipes/firewall/files/chain_rules/nat/POSTROUTING.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/nat/POSTROUTING.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/nat/POSTROUTING.tail b/recipes/firewall/files/chain_rules/nat/POSTROUTING.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/nat/POSTROUTING.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/nat/PREROUTING.head b/recipes/firewall/files/chain_rules/nat/PREROUTING.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/nat/PREROUTING.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/nat/PREROUTING.tail b/recipes/firewall/files/chain_rules/nat/PREROUTING.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/nat/PREROUTING.tail +++ /dev/null @@ -1 +0,0 @@ -# empty 
diff --git a/recipes/firewall/files/chain_rules/raw/OUTPUT.head b/recipes/firewall/files/chain_rules/raw/OUTPUT.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/raw/OUTPUT.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/raw/OUTPUT.tail b/recipes/firewall/files/chain_rules/raw/OUTPUT.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/raw/OUTPUT.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/raw/PREROUTING.head b/recipes/firewall/files/chain_rules/raw/PREROUTING.head deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/raw/PREROUTING.head +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/chain_rules/raw/PREROUTING.tail b/recipes/firewall/files/chain_rules/raw/PREROUTING.tail deleted file mode 100644 index 1bb8bf6..0000000 --- a/recipes/firewall/files/chain_rules/raw/PREROUTING.tail +++ /dev/null @@ -1 +0,0 @@ -# empty diff --git a/recipes/firewall/files/iptables-update.sh b/recipes/firewall/files/iptables-update.sh deleted file mode 100644 index 3911548..0000000 --- a/recipes/firewall/files/iptables-update.sh +++ /dev/null @@ -1,199 +0,0 @@ -#!/bin/bash
-firewallDir="/usr/share/firewall"
-# firewallDir contains a directory for each table (filter, nat, mangle) -# - each table dir contains a dir for each chain in that table -# - each chain dir has link files that are iptables snippets -# - each table dir can contain a CHAIN.head file, which goes in front of the chain -# - each table dir can contain a CHAIN.tail file, which goes in back of the chain -# and should set default policy -# -# Example firewallDir layout -# filter -# INPUT -# ftp -# http -# smb -# INPUT.head -# INPUT.tail -# OUTPUT -# OUTPUT.head -# FORWARD -# nat -# PREROUTING -# -# Any chains not in this tree will be removed from the running config
-#oldTable=$(mktemp oldTable.XXXXXX) -#currentTable=$(mktemp currTable.XXXXXX) -if [ "$1" == 'DEBUG' ]; then
- DEBUG=1
-else
- DEBUG=0
-fi -IPTABLES="/sbin/iptables"
-# iptables wrapper -function ipt {
- if [ "$DEBUG" -eq 1 ]; then
echo "DEBUG: running $IPTABLES $@"
eval $IPTABLES $@
else
eval $IPTABLES $@ 2>/dev/null
- fi
- retVal="$?"
- return $retVal
-}
-function insertEntry {
- table="$1"
- chain="$2"
- entryNum="$3"
- shift; shift; shift
- ENTRY="$@"
- # Remove the -A if it's there, we already know the table and chain
- # This will make it easier to create the files, as you can just copy/paste
- # from an iptables-save
- ENTRY=$(echo $ENTRY | sed 's/^-A [0-9a-zA-Z-]* //')
- # Insert at the enegrep -v '^([[:space:]]*#|[[:space:]]*$)'d of the new section
- if echo "$ENTRY" | grep -q '^-P'; then
ipt -t $table $ENTRY
- else
ipt -t $table -I $chain $entryNum $ENTRY
- fi
-}
-function removeComments {
- filename="$1"
- egrep -v '^([[:space:]]*#|[[:space:]]*$)' $filename 2>/dev/null
-}
-# write out the current firewall -#iptables-save> $oldTable
-# Set up all the tables in advance. -pushd ${firewallDir}> /dev/null -for table in *; do
- # A particular table
- if [ -d "$table" ]; then
pushd "$table"> /dev/null
for chain in *; do
if [ ! -d "$chain" ]; then
# Only directories are valid chains
continue
fi
#create the table
ipt -t $table -N $chain 2> /dev/null
done
popd> /dev/null
- fi
-done -popd> /dev/null
-# Put the iptables pieces into the full layout of the table -pushd ${firewallDir}> /dev/null -for table in *; do
- if [ -d "$table" ]; then
pushd "$table"> /dev/null
for chain in *; do
if [ ! -d "$chain" ]; then
# Only directories are valid chains
continue
fi
echo "Working on chain $chain in table $table"
numEntries=0
echo "Adding rules to chain $chain in table $table"
if [ -f "${chain}.head" ]; then
# The head of the firewall goes in first.
while read ENTRY; do
if echo "$ENTRY" | grep -qv '^-P'; then
let numEntries="$numEntries + 1"
fi
insertEntry $table $chain $numEntries $ENTRY
done< <( removeComments "${chain}.head" )
fi
# go into the chain, add all the link files to the firewall
pushd $chain> /dev/null
for link in *; do
while read ENTRY; do
if echo "$ENTRY" | grep -qv '^-P'; then
let numEntries="$numEntries + 1"
fi
insertEntry $table $chain $numEntries $ENTRY
done< <( removeComments "$link" )
done
popd> /dev/null
if [ -f "$chain.tail" ]; then
# The tail of the firewall goes in last.
while read ENTRY; do
if echo "$ENTRY" | grep -qv '^-P'; then
let numEntries="$numEntries + 1"
fi
insertEntry $table $chain $numEntries $ENTRY
done< <( removeComments "${chain}.tail" )
fi
# flush out the old rules from this chain
echo "Cleaning chain $chain in table $table..."
let oldEntry="$numEntries + 1"
while ipt -t $table -D $chain $oldEntry; do
echo -en "."
done
echo -en "\n"
done
popd> /dev/null
- fi
-done -popd> /dev/null
-# Delete all rules from the chains that shouldn't be there -pushd ${firewallDir}> /dev/null -for table in *; do
- pushd "$table"> /dev/null> /dev/null
- for chain in $(iptables-save | sed -n '/^*'$table'/,/^*/p' | grep '^:' | cut -d' ' -f1 | sed 's/://'); do
if [ ! -d "$chain" ]; then
# Flush the chain
echo "Flushing rules from chain $chain in table $table"
ipt -t $table -F $chain
fi
- done
- popd> /dev/null
-done -popd> /dev/null
-# delete the chains that shouldn't be there -pushd ${firewallDir}> /dev/null -for table in filter nat mangle; do
- if [ ! -d "$table" ]; then
# This table isn't used, clear it
ipt -t $table -F
ipt -t $table -X
- else
pushd "$table"> /dev/null
for chain in $(iptables-save | sed -n '/^\*'$table'/,/^\*/p' | grep '^:' | cut -d' ' -f1 | sed 's/://'); do
if [ "$chain" == "FORWARD" ]; then
continue
fi
if [ ! -d "$chain" ]; then
# Delete the chain
echo "Deleting chain $chain from table $table"
ipt -t $table -P $chain ACCEPT
ipt -t $table -X $chain
fi
done
popd> /dev/null
- fi
-done diff --git a/recipes/firewall/manifests/defines.pp b/recipes/firewall/manifests/defines.pp deleted file mode 100644 index 871f357..0000000 --- a/recipes/firewall/manifests/defines.pp +++ /dev/null @@ -1,77 +0,0 @@ -# usage -# firewall::rule { 'rulename': -# chain => "INPUT", -# table => "filter", -# source_port => 123423, -# destination_port => 22, -# destination => foo.com, -# source => bar.com, -# to_ports => "443" -# action => ACCEPT -# } -define firewall::rule (
- $chain = 'INPUT',
- $table = 'filter',
- $comment = '',
- $protocol = 'tcp',
- $source_port = '',
- $destination_port = '',
- $source = '',
- $destination = '',
- $to_ports = '',
- $to_destination = '',
- $modules = [],
- $destination_range = '',
- $not_physdev_bridged = '',
- $source_range = '',
- $out_interface = '',
- $in_interface = '',
- $uid_owner = '',
- $reject_with = '',
- $log_prefix = '',
- $state = '',
- $every = '',
- $mode = '',
- $action = 'ACCEPT'
- ) {
- include firewall
- $table_path = "${firewall::firewall_dir}/${table}"
- $chain_path = "${firewall::firewall_dir}/${table}/${chain}"
- if defined(File["${chain_path}"]) {
# do nothing
$trash = ''
- } else {
file { "${chain_path}":
ensure => directory,
purge => true,
recurse => true,
require => File["${table_path}"],
}
- }
- $link_path = "$firewall::firewall_dir/${table}/${chain}/${name}"
- file { "${link_path}":
content => template("firewall/rule.erb"),
notify => Service["firewall"],
- }
-}
-define firewall::rule::stub () {
- file {
- "${name}.head":
name => "${firewall_dir}/${name}.head",
mode => 0700,
source => "puppet:///modules/firewall/chain_rules/${name}.head",
- ;
- "${name}.tail":
name => "${firewall_dir}/${name}.tail",
mode => 0700,
source => "puppet:///modules/firewall/chain_rules/${name}.tail",
- ;
- }
-}
diff --git a/recipes/firewall/manifests/init.pp b/recipes/firewall/manifests/init.pp deleted file mode 100644 index c38abc3..0000000 --- a/recipes/firewall/manifests/init.pp +++ /dev/null @@ -1,102 +0,0 @@ -import "defines.pp"
-class firewall {
- $firewall_dir = "/usr/share/firewall"
- package { "iptables":
ensure => installed,
- }
- service { "firewall":
name => "iptables",
enable => true,
hasstatus => true,
require => [ Package["iptables"], File["iptables-update"] ],
restart => "/usr/local/bin/iptables-update.sh",
- }
- # the reload script (thanks rmonk)
- file { "iptables-update":
name => "/usr/local/bin/iptables-update.sh",
mode => 0755,
source => "puppet:///modules/firewall/iptables-update.sh",
- }
- file { "${firewall_dir}":
ensure => directory,
mode => 0755,
- }
- # create the table directories
- file {
- [
"${firewall_dir}/filter",
"${firewall_dir}/filter/INPUT",
"${firewall_dir}/filter/OUTPUT",
"${firewall_dir}/filter/FORWARD",
"${firewall_dir}/nat",
"${firewall_dir}/nat/PREROUTING",
"${firewall_dir}/nat/OUTPUT",
"${firewall_dir}/nat/POSTROUTING",
"${firewall_dir}/mangle",
"${firewall_dir}/mangle/FORWARD",
"${firewall_dir}/mangle/POSTROUTING",
"${firewall_dir}/mangle/INPUT",
"${firewall_dir}/raw",
"${firewall_dir}/raw/PREROUTING",
"${firewall_dir}/raw/OUTPUT"
- ]:
ensure => directory,
notify => Service["firewall"],
require => File["${firewall_dir}"],
mode => 0755,
- }
- # create the head/tail files -- we tried a recursive resource here but it failed.
- $wrapper_rules = [
'filter/INPUT',
'filter/OUTPUT',
'filter/FORWARD',
'nat/PREROUTING',
'nat/POSTROUTING',
'nat/OUTPUT',
'mangle/FORWARD',
'mangle/INPUT',
'mangle/POSTROUTING',
'raw/PREROUTING',
'raw/OUTPUT'
- ]
- firewall::rule::stub { $wrapper_rules:
notify => Service["firewall"],
require => File["${firewall_dir}"],
- }
- # relevent execs
- exec { "reload-firewall":
command => "/usr/local/bin/iptables-update.sh",
require => File["iptables-update"],
refreshonly => true,
- }
-}
-class firewall::disabled inherits firewall {
- Service["firewall"] {
ensure => stopped,
enable => false,
- }
-}
-class firewall::ckmtest inherits firewall {
- firewall::rule { "NAT":
table => 'nat',
chain => 'PREROUTING',
protocol => 'tcp',
destination_port => '8443',
action => 'REDIRECT',
to_ports => "443",
comment => "nat rule",
- }
-}
diff --git a/recipes/firewall/templates/rule.erb b/recipes/firewall/templates/rule.erb deleted file mode 100644 index c3ae3f8..0000000 --- a/recipes/firewall/templates/rule.erb +++ /dev/null @@ -1,70 +0,0 @@ -<% unless protocol.empty? -%> --p<%= protocol + " " -%> -<% end -%> -<% for m in modules -%> --m<%= m + " " -%> -<% end -%> -<% unless destination_range.empty? -%> ---dst-range<%= destination_range + " " -%> -<% end -%> -<% unless source_range.empty? -%> ---src-range<%= source_range + " " -%> -<% end -%> -<% unless out_interface.empty? -%> ---out-interface<%= out_interface + " " -%> -<% end -%> -<% unless in_interface.empty? -%> ---in-interface<%= in_interface + " " -%> -<% end -%> -<% unless source.empty? -%> ---source<%= source + " " -%> -<% end -%> -<% unless uid_owner.empty? -%> ---uid-owner<%= uid_owner + " " -%> -<% end -%> -<% unless state.empty? -%> ---state<%= state + " " -%> -<% end -%> -<% unless mode.empty? -%> ---mode<%= mode + " " -%> -<% end -%> -<% unless not_physdev_bridged.empty? -%> -! --physdev-is-bridged -<% end -%> -<% unless every.empty? -%> ---every<%= every + " " -%> -<% end -%> -<% unless destination.empty? -%> ---destination<%= destination + " " -%> -<% end -%> -<% unless destination_port.empty? -%> -<% if destination_port =~ /:|,/ -%> --m multiport --destination-ports<%= destination_port + " " -%> -<% else -%> ---destination-port<%= destination_port + " " -%> -<% end -%> -<% end -%> -<% unless source_port.empty? -%> -<% if source_port =~ /:|,/ -%> --m multiport --source-ports<%= source_port + " " -%> -<% else -%> ---source-port<%= source_port + " " -%> -<% end -%> -<% end -%> -<% if operatingsystemrelease == '5' -%> --m comment --comment "<%= comment -%>"<%= " " -%> -<% end -%> --j<%= action -%> -<% unless to_ports.empty? -%>
- --to-ports<%= to_ports + " " -%>
-<% end -%> -<% unless to_destination.empty? -%>
- --to-destination<%= to_destination + " " -%>
-<% end -%> -<% unless log_prefix.empty? -%> ---log-prefix<%= log_prefix + " " -%> -<% end -%> -<% unless reject_with.empty? -%> ---reject-with<%= reject_with + " " -%> -<% end -%> -<%# keep at end %>
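Review bot: deleting manifests/init.pp removes the resources that managed `package { "iptables" }`, `service { "firewall" }` and the files under /usr/share/firewall and /usr/local/bin/iptables-update.sh, but Puppet does not clean up resources that simply disappear from the catalog: hosts provisioned with the old module keep the script, the rule tree and the running rule set until they are rebooted or re-imaged, while freshly provisioned hosts get nothing. If that divergence matters, consider a transitional class that sets `ensure => absent` on those files and documents the intended iptables service state, rather than a silent drop.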