From: Stephen Gran Date: Sat, 20 Feb 2010 20:27:04 +0000 (+0000) Subject: add v6, possibly not brokenly this time X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=bf8fb059cf46f8c8a74b55b970b97038925dc75b;p=dsa-puppet.git add v6, possibly not brokenly this time Signed-off-by: Stephen Gran
---
diff --git a/modules/ferm/files/defs.conf b/modules/ferm/files/defs.conf
index 329d7ed7..199034c1 100644
--- a/modules/ferm/files/defs.conf
+++ b/modules/ferm/files/defs.conf
@@ -21,8 +21,14 @@
 @def $HOST_MUNIN = (192.25.206.57 192.25.206.33);
 @def $HOST_NAGIOS = (192.25.206.57 192.25.206.33);
-@def $sgran = (91.103.132.25 2001:4b10:100b::dead:f00d);
-@def $weasel = ();
-@def $zobel = ();
-@def $luca = ();
+@def $sgran = (91.103.132.25);
+@def $weasel = ();
+@def $zobel = ();
+@def $luca = ();
 @def $DSA_IPS = ($sgran $weasel $zobel $luca);
+
+@def $sgran6 = (2001:4b10:100b::dead:f00d);
+@def $weasel6 = ();
+@def $zobel6 = ();
+@def $luca6 = ();
+@def $DSA_V6_IPS = ($sgran6 $weasel6 $zobel6 $luca6);
diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 78becb9a..75b8f55d 100644
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -35,9 +35,13 @@ class ferm {
 ferm::rule { "dsa-ssh":
 description => "Allow SSH from DSA",
- domain => "(ip ip6)",
 rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_SOURCES) ACCEPT; }"
 }
+ ferm::rule { "dsa-ssh-v6":
+ description => "Allow SSH from DSA",
+ domain => "ip6",
+ rule => "proto tcp mod state state (NEW) dport (ssh) @subchain 'ssh' { saddr (\$SSH_V6_SOURCES) ACCEPT; }"
+ }
 exec { "ferm restart":
 path => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index 4c12bd55..5a139074 100644
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
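Review bot: In modules/ferm/files/defs.conf nothing records that `$sgran`, `$weasel`, `$zobel`, `$luca` and therefore `$DSA_IPS` must now hold IPv4 addresses only. A comment above that block, for example `# IPv4 only; IPv6 addresses go in the *6 variables that feed $DSA_V6_IPS`, would keep a later edit from putting a v6 literal back into a list that is presumably expanded in the `ip` domain. Also worth noting in the file: `$weasel6`, `$zobel6` and `$luca6` are empty, so `$DSA_V6_IPS` currently resolves to a single address and any host restricted to it has exactly one IPv6 admin source.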
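Review bot: In modules/ferm/manifests/init.pp the `dsa-ssh` rule no longer sets `domain`, so which tables receive `$SSH_SOURCES` now depends on the default of `ferm::rule`, which is defined outside this hunk. Stating it explicitly with `domain => "ip",` keeps the IPv4 source list out of the ip6 table whatever that default is or later becomes. Both rules also carry the same description; `description => "Allow SSH from DSA (IPv6)",` on `dsa-ssh-v6` would make the two distinguishable in the generated rule files. The enclosing `class ferm` starts before and ends after the hunk.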
@@ -18,3 +18,18 @@ end
 sshallowed.join(' ')
 %>);
+
+@def $SSH_V6_SOURCES = (<%=
+
+sshallowed = []
+
+case hostname
+ when 'logtest01' then sshallowed << [ '$DSA_V6_IPS' ]
+end
+
+if sshallowed.length == 0
+ sshallowed = [ ':::' ]
+end
+
+sshallowed.join(' ')
+%>);
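Review bot: The fallback `sshallowed = [ ':::' ]` in the `$SSH_V6_SOURCES` block is not a valid IPv6 address or prefix; the any-source form is `::/0`, so the line should read `sshallowed = [ '::/0' ]`. With `:::` in `saddr`, the ip6 rule set will presumably fail to load on every host other than `logtest01`, and whether that leaves the previous rules or none in place depends on how the `ferm restart` exec handles the error. Separately, this default accepts SSH from all IPv6 sources, so only `logtest01` is actually restricted to `$DSA_V6_IPS`; a one-line comment in the template saying that the open default is intentional would help the next reader.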