dubzland · rivimey · Oct 16, 2020 · Oct 16, 2020 · Oct 16, 2020 · t3hpr1m3
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -11,6 +11,41 @@ dubzland_shorewall_conf:
 
 dubzland_shorewall_params: []
 
+dubzland_shorewall_tunnels: []
+# - type: openvpnserver:1194
+#   zone: net
+#   gateway: 0.0.0.0/0
+#   gwzone: vpn
+
+dubzland_shorewall_macros:
+# The name: key is limited to alphanumeric characters (shorewall
+# syntax).
+#
+#  - name: Bareos
+#    desc: Bareos File Backup/Restore service
+#    actions:
+#      - action: PARAM
+#        proto: tcp
+#        dest_ports: "9101:9103"
+#        source_ports: "-"
+#
+  # SIP - VoIP Macro specifying the minimal options
+  - name: SIP
+    desc: SIP / Voice over IP
+    rules:
+      - proto: tcp
+        dest_ports: 5060,5065
+      - proto: udp
+        dest_ports: 5060,5065
+      - proto: tcp
+        dest_ports: 10000:10100
+      - proto: udp
+        dest_ports: 10000:10100
+      - proto: tcp
+        dest_ports: 5004:5020
+      - proto: udp
+        dest_ports: 5004:5020
+
 dubzland_shorewall_zones:
   - name: fw
     type: firewall

diff --git a/macro.j2 b/macro.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+{% import 'j2macros.j2' as _tpl with context %}
+#
+# Shorewall 5 - {{ item.desc | default(item.name) }}
+#
+# /etc/shorewall/macro.{{ item.name }}
+#
+# For information about entries in this file see https://shorewall.org/Macros.html
+#
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+##############################################################################################################################################################
+#ACTION      SOURCE      DEST      PROTO    DPORT    SPORT    ORIGDEST        RATE    USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
+
+{% for rule in item.rules %}
+{{ _tpl.print_macro(_rule) }}
+{% endfor %}
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
@@ -1,4 +1,18 @@
-- name: ensure shorewall is configured
+- name: Write shorewall macro files
+  template:
+    src: "etc/shorewall/macro.j2"
+    dest: "{{ dubzland_shorewall_configuration_root }}/macro.{{ item.name }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - "{{ dubzland_shorewall_macros }}"
+  notify:
+    - restart shorewall
+  tags:
+    - shorewall
+
+- name: Write shorewall configuration files.
   template:
     src: "etc/shorewall/{{ item }}.j2"
     dest: "{{ dubzland_shorewall_configuration_root }}/{{ item }}"
@@ -13,6 +27,7 @@
     - rules
     - shorewall.conf
     - snat
+    - tunnels
     - zones
   notify:
     - restart shorewall

diff --git a/templates/etc/shorewall/hosts.j2 b/templates/etc/shorewall/hosts.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-{% import 'macros.j2' as _tpl with context %}
+{% import 'j2macros.j2' as _tpl with context %}
 #
 # Shorewall -- /etc/shorewall/hosts
 #

diff --git a/templates/etc/shorewall/interfaces.j2 b/templates/etc/shorewall/interfaces.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-{% import 'macros.j2' as _tpl with context %}
+{% import 'j2macros.j2' as _tpl with context %}
 #
 # Shorewall -- /etc/shorewall/interfaces
 #

diff --git a/templates/etc/shorewall/macros.j2 → templates/etc/shorewall/j2macros.j2 b/templates/etc/shorewall/macros.j2 → templates/etc/shorewall/j2macros.j2
@@ -41,6 +41,19 @@
 {%   set _          = _fields.append({ "format": "\t%s", "value": _policy.connlimit | default(None) }) %}
 {{ print_fields(_fields) }}
 {%- endmacro %}
+{##############################################################################
+ #
+ # MACRO :: print_tunnel()
+ #
+ #############################################################################}
+{% macro print_tunnel(_tunnel) -%}
+{%   set _fields    = [] %}
+{%   set _          = _fields.append({ "format": "%-5s", "value": _policy.type | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t\t%-5s", "value": _policy.zone | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t\t%-6s", "value": _policy.gateway | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%-8s", "value": _policy.gwzone | default(None) }) %}
+{{ print_fields(_fields) }}
+{%- endmacro %}
 {##############################################################################
  #
  # MACRO :: print_rule()
@@ -84,6 +97,53 @@
 {%   set _          = _fields.append({ "format": "\t%s", "value": _rule.helper | default(None) }) %}
 {{ print_fields(_fields) }}
 {%- endmacro %}
+{##############################################################################
+ #
+ # MACRO :: print_macro()
+ #
+ #############################################################################}
+{% macro print_macro(_rule) -%}
+{%   if _rule.comment is defined and _rule.comment %}
+# {{ _rule.comment }}
+{%   endif %}
+{%   set _fields    = [] %}
+{%   if _rule.action is not defined or _rule.action == "-" %}
+{%     set _        = _fields.append({ "format": "%-12s", "value": "PARAM" }) %}
+{%   else %}
+{%     set _        = _fields.append({ "format": "%-12s", "value": _rule.action }) %}
+{%   endif %}
+{%   set _          = _fields.append({ "format": "\t%-12s", "value": _rule.source | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%-12s", "value": _rule.dest | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%-5s", "value": _rule.proto | default(None) }) %}
+{%   if _rule.dest_ports is defined and _rule.dest_ports %}
+{%     set _        = _fields.append({ "format": "\t%-5s", "value": _rule.dest_ports | join(",") }) %}
+{%   else %}
+{%     set _        = _fields.append({ "format": "\t%-5s", "value": None }) %}
+{%   endif %}
+{%   if _rule.source_ports is defined and _rule.source_ports %}
+{%     set _        = _fields.append({ "format": "\t%-5s", "value": _rule.source_ports | join(",") }) %}
+{%   else %}
+{%     set _        = _fields.append({ "format": "\t%-5s", "value": None }) %}
+{%   endif %}
+{%   set _          = _fields.append({ "format": "\t%-12s", "value": _rule.origdest | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%s", "value": _rule.rate | default(None) }) %}
+{%   if _rule.users is defined and _rule.users %}
+{%     set _        = _fields.append({ "format": "\t%s", "value": _rule.users | join(",") }) %}
+{%   else %}
+{%     set _        = _fields.append({ "format": "\t%s", "value": None }) %}
+{%   endif %}
+{%   set _          = _fields.append({ "format": "\t%s", "value": _rule.mark | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%-9s", "value": _rule.connlimit | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%s", "value": _rule.time | default(None) }) %}
+{%   if _rule.headers is defined and _rule.headers %}
+{%     set _        = _fields.append({ "format": "\t%s", "value": _rule.headers | join(",") }) %}
+{%   else %}
+{%     set _        = _fields.append({ "format": "\t%s", "value": None }) %}
+{%   endif %}
+{%   set _          = _fields.append({ "format": "\t%s", "value": _rule.switch | default(None) }) %}
+{%   set _          = _fields.append({ "format": "\t%s", "value": _rule.helper | default(None) }) %}
+{{ print_fields(_fields) }}
+{%- endmacro %}
 {##############################################################################
  #
  # MACRO :: print_ruleset()

diff --git a/templates/etc/shorewall/macro.j2 b/templates/etc/shorewall/macro.j2
@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+{% import 'j2macros.j2' as _tpl with context %}
+#
+# Shorewall 5 - {{ item.desc | default(item.name) }}
+#
+# /etc/shorewall/macro.{{ item.name }}
+#
+# For information about entries in this file see https://shorewall.org/Macros.html
+#
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+##############################################################################################################################################################
+#ACTION      SOURCE      DEST      PROTO    DPORT    SPORT    ORIGDEST        RATE    USER    MARK    CONNLIMIT       TIME    HEADERS SWITCH  HELPER
+
+{% for _rule in item.rules %}
+{{ _tpl.print_macro(_rule) }}
+{% endfor %}
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/templates/etc/shorewall/policy.j2 b/templates/etc/shorewall/policy.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-{% import 'macros.j2' as _tpl with context %}
+{% import 'j2macros.j2' as _tpl with context %}
 #
 # Shorewall -- /etc/shorewall/policy
 #

diff --git a/templates/etc/shorewall/rules.j2 b/templates/etc/shorewall/rules.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-{% import 'macros.j2' as _tpl with context %}
+{% import 'j2macros.j2' as _tpl with context %}
 #
 # Shorewall -- /etc/shorewall/rules
 #

diff --git a/templates/etc/shorewall/snat.j2 b/templates/etc/shorewall/snat.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-{% import 'macros.j2' as _tpl with context %}
+{% import 'j2macros.j2' as _tpl with context %}
 #
 # Shorewall -- /etc/shorewall/snat
 #

diff --git a/templates/etc/shorewall/tunnels.j2 b/templates/etc/shorewall/tunnels.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+{% import 'j2macros.j2' as _tpl with context %}
+#
+# Shorewall -- /etc/shorewall/snat
+#
+# For information about entries in this file, type "man shorewall-snat"
+#
+# See http://shorewall.net/manpages/shorewall-snat.html for more information
+#
+###########################################################################################################################################
+#TYPE                   ZONE    GATEWAY         GATEWAY
+#                                               ZONE
+{% for _rule in dubzland_shorewall_tunnels -%}
+{{ _tpl.print_tunnel(_rule) }}
+{%- endfor %}
diff --git a/templates/etc/shorewall/zones.j2 b/templates/etc/shorewall/zones.j2
@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-{% import 'macros.j2' as _tpl with context %}
+{% import 'j2macros.j2' as _tpl with context %}
 #
 # Shorewall -- /etc/shorewall/zones
 #