2 # Cookbook Name:: networking
5 # Copyright 2010, OpenStreetMap Foundation.
6 # Copyright 2009, Opscode, Inc.
8 # Licensed under the Apache License, Version 2.0 (the "License");
9 # you may not use this file except in compliance with the License.
10 # You may obtain a copy of the License at
12 # http://www.apache.org/licenses/LICENSE-2.0
14 # Unless required by applicable law or agreed to in writing, software
15 # distributed under the License is distributed on an "AS IS" BASIS,
16 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 # See the License for the specific language governing permissions and
18 # limitations under the License.
21 # * node[:networking][:nameservers]
25 node[:networking][:interfaces].each do |name, interface|
26 if interface[:role] && (role = node[:networking][:roles][interface[:role]])
27 if role[interface[:family]]
28 node.set[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
29 node.set[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
32 node.set[:networking][:interfaces][name][:metric] = role[:metric]
33 node.set[:networking][:interfaces][name][:zone] = role[:zone]
36 prefix = node[:networking][:interfaces][name][:prefix]
38 node.set[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
39 node.set[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
42 template "/etc/network/interfaces" do
43 source "interfaces.erb"
51 command "/bin/hostname -F /etc/hostname"
54 template "/etc/hostname" do
59 notifies :run, "execute[hostname]"
62 template "/etc/hosts" do
69 link "/etc/resolv.conf" do
72 to "/run/resolvconf/resolv.conf"
73 only_if { File.symlink?("/etc/resolv.conf") }
76 template "/etc/resolv.conf" do
77 source "resolv.conf.erb"
83 node.interfaces(:role => :internal) do |interface|
84 if interface[:gateway] && interface[:gateway] != interface[:address]
85 search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
86 next unless gateway[:openvpn]
88 gateway[:openvpn][:tunnels].each_value do |tunnel|
89 if tunnel[:peer][:address] # ~FC023
90 route tunnel[:peer][:address] do
91 netmask "255.255.255.255"
92 gateway interface[:gateway]
93 device interface[:interface]
97 next unless tunnel[:peer][:networks]
99 tunnel[:peer][:networks].each do |network|
100 route network[:address] do
101 netmask network[:netmask]
102 gateway interface[:gateway]
103 device interface[:interface]
113 search(:node, "networking:interfaces").collect do |n|
114 next if n[:fqdn] == node[:fqdn]
116 n.interfaces.each do |interface|
117 next unless interface[:role] == "external" && interface[:zone]
119 zones[interface[:zone]] ||= {}
120 zones[interface[:zone]][interface[:family]] ||= []
121 zones[interface[:zone]][interface[:family]] << interface[:address]
127 service "shorewall" do
128 action [:enable, :start]
129 supports :restart => true
130 status_command "shorewall status"
133 template "/etc/default/shorewall" do
134 source "shorewall-default.erb"
138 notifies :restart, "service[shorewall]"
141 template "/etc/shorewall/shorewall.conf" do
142 source "shorewall.conf.erb"
146 notifies :restart, "service[shorewall]"
149 template "/etc/shorewall/zones" do
150 source "shorewall-zones.erb"
154 variables :type => "ipv4"
155 notifies :restart, "service[shorewall]"
158 template "/etc/shorewall/interfaces" do
159 source "shorewall-interfaces.erb"
163 notifies :restart, "service[shorewall]"
166 template "/etc/shorewall/hosts" do
167 source "shorewall-hosts.erb"
171 variables :zones => zones
172 notifies :restart, "service[shorewall]"
175 template "/etc/shorewall/policy" do
176 source "shorewall-policy.erb"
180 notifies :restart, "service[shorewall]"
183 template "/etc/shorewall/rules" do
184 source "shorewall-rules.erb"
188 variables :rules => []
189 notifies :restart, "service[shorewall]"
192 template "/etc/logrotate.d/shorewall" do
193 source "logrotate.shorewall.erb"
197 variables :name => "shorewall"
200 firewall_rule "limit-icmp-echo" do
206 dest_ports "echo-request"
207 rate_limit "s:1/sec:5"
210 %w(ucl ic bm aws).each do |zone|
211 firewall_rule "accept-openvpn-#{zone}" do
217 dest_ports "1194:1196"
218 source_ports "1194:1196"
222 if node[:roles].include?("gateway")
223 template "/etc/shorewall/masq" do
224 source "shorewall-masq.erb"
228 notifies :restart, "service[shorewall]"
231 file "/etc/shorewall/masq" do
233 notifies :restart, "service[shorewall]"
237 unless node.interfaces(:family => :inet6).empty?
240 service "shorewall6" do
241 action [:enable, :start]
242 supports :restart => true
243 status_command "shorewall6 status"
246 template "/etc/default/shorewall6" do
247 source "shorewall-default.erb"
251 notifies :restart, "service[shorewall6]"
254 template "/etc/shorewall6/shorewall6.conf" do
255 source "shorewall6.conf.erb"
259 notifies :restart, "service[shorewall6]"
262 template "/etc/shorewall6/zones" do
263 source "shorewall-zones.erb"
267 variables :type => "ipv6"
268 notifies :restart, "service[shorewall6]"
271 template "/etc/shorewall6/interfaces" do
272 source "shorewall6-interfaces.erb"
276 notifies :restart, "service[shorewall6]"
279 template "/etc/shorewall6/hosts" do
280 source "shorewall6-hosts.erb"
284 variables :zones => zones
285 notifies :restart, "service[shorewall6]"
288 template "/etc/shorewall6/policy" do
289 source "shorewall-policy.erb"
293 notifies :restart, "service[shorewall6]"
296 template "/etc/shorewall6/rules" do
297 source "shorewall-rules.erb"
301 variables :rules => []
302 notifies :restart, "service[shorewall6]"
305 template "/etc/logrotate.d/shorewall6" do
306 source "logrotate.shorewall.erb"
310 variables :name => "shorewall6"
313 firewall_rule "limit-icmp6-echo" do
319 dest_ports "echo-request"
320 rate_limit "s:1/sec:5"
324 firewall_rule "accept-http" do
332 firewall_rule "accept-https" do