From 3107dfbd08a4210ceb0385b38af84aa8a22be0c7 Mon Sep 17 00:00:00 2001
From: James Shubin
Date: Thu, 2 Jan 2025 15:43:27 -0500
Subject: [PATCH] modules: shorewall: Small fixups to improve the module

These are some common fixes and improvements for normal shorewall usage. As we shake out more uses of this, we find small issues. This lets us have long rules, and a better default config.
---
 modules/shorewall/files/shorewall.conf.tmpl | 2 +-
 modules/shorewall/main.mcl | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/modules/shorewall/files/shorewall.conf.tmpl b/modules/shorewall/files/shorewall.conf.tmpl
index 2dafd6c5..ceeea6c0 100644
--- a/modules/shorewall/files/shorewall.conf.tmpl
+++ b/modules/shorewall/files/shorewall.conf.tmpl
@@ -189,7 +189,7 @@ IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
-IP_FORWARDING=Keep
+IP_FORWARDING=On
 KEEP_RT_TABLES=No
diff --git a/modules/shorewall/main.mcl b/modules/shorewall/main.mcl
index b5f0f4cb..bf4fbb1d 100644
--- a/modules/shorewall/main.mcl
+++ b/modules/shorewall/main.mcl
@@ -33,6 +33,20 @@ import "golang"
 import "local"
 import "golang/strings"
+
+# Class prepare adds some common things you probably want to run when using this
+# module.
+class prepare() {
+	sysctl "net.ipv4.ip_forward" { # firewalls love this!
+		value => "1",
+	}
+
+	svc "firewalld" { # we don't want this
+		state => "stopped",
+		startup => "disabled",
+	}
+}
+
 # XXX: The templates need a padding function to line up columns.
 class firewall() {
 	pkg "shorewall" {
@@ -302,8 +316,8 @@ class firewall:rule($name, $st) {
 	$rule = $st->rule || "" # entire rule contents OR use the below values
-	$action = $st->action # REJECT or SSH(ACCEPT) or Ping(DROP)
-	$source = $st->source # source zone
+	$action = $st->action || "" # REJECT or SSH(ACCEPT) or Ping(DROP)
+	$source = $st->source || "" # source zone
 	$source_ips []str = $st->source_ips || []
 	$dest = $st->dest || "" # dest zone
 	$dest_ips []str = $st->dest_ips || []
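Review bot: `IP_FORWARDING=On` is hard-coded in the template, so every host that uses this module now has kernel IP forwarding turned on by shorewall, including single-interface hosts that only want a host firewall and should not be routing packets at all. `Keep` left that decision to the host; `On` takes it away, and nothing in the hunk lets a consumer of the module opt out. Consider driving this value from a template parameter that defaults to On, or at minimum adding a comment above the line such as `# On: this module assumes the host is a router/gateway; use Off on single-interface hosts`.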
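Review bot: The `sysctl "net.ipv4.ip_forward"` resource in `prepare` sets the same kernel knob that the `IP_FORWARDING=On` change to shorewall.conf.tmpl in this commit makes shorewall manage, so two resources now own one setting and a host that later needs forwarding off has to change both. The `# firewalls love this!` comment does not say why the duplicate is wanted; if the intent is to have forwarding correct before shorewall starts, say so, e.g. `# shorewall also sets this via IP_FORWARDING=On; kept here so the value is right before shorewall is running`, otherwise drop the resource. Stopping and disabling `firewalld` here with nothing in the hunk ordering it against the shorewall service presumably leaves a window with no packet filter on a first run; if an edge elsewhere in the module covers that, a comment on the `svc` resource pointing to it would help the next reader.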
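Review bot: Defaulting `$action` and `$source` to `""` means a `$st` that sets neither `rule` nor `action` no longer fails when the class is evaluated; instead it presumably reaches the rules template with an empty ACTION column, and the error only surfaces when shorewall compiles the generated file, far from the mcl that caused it. Unless the rest of `firewall:rule` (its body continues outside the hunk) already checks this, a guard that rejects an empty `$action` when `$rule` is also empty, placed right after these assignments, would keep the failure next to its cause. The `# source zone` comment should also say that the empty default is only meaningful when `$rule` carries the whole rule.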