group "root"
mode "755"
variables :interfaces => interfaces, :hosts => hosts
- notifies :restart, "service[nftables]"
+ notifies :reload, "service[nftables]"
end
-stop_commands = [
- "-/usr/sbin/nft delete table inet filter",
- "-/usr/sbin/nft delete table inet chef-filter"
-]
+directory "/var/lib/nftables" do
+ owner "root"
+ group "root"
+ mode "755"
+end
-stop_commands << "-/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
-stop_commands << "-/usr/sbin/nft delete table ip chef-nat" if node[:roles].include?("gateway")
+template "/usr/local/bin/nftables" do
+ source "nftables.erb"
+ owner "root"
+ group "root"
+ mode "755"
+end
systemd_service "nftables-stop" do
+ action :delete
service "nftables"
dropin "stop"
- exec_reload ""
- exec_stop stop_commands
+end
+
+systemd_service "nftables-chef" do
+ service "nftables"
+ dropin "chef"
+ exec_start "/usr/local/bin/nftables start"
+ exec_reload "/usr/local/bin/nftables reload"
+ exec_stop "/usr/local/bin/nftables stop"
end
if node[:networking][:firewall][:enabled]
end
if node[:networking][:wireguard][:enabled]
- wireguard_source = if node[:roles].include?("gateway")
- "net"
- else
- "osm"
- end
-
firewall_rule "accept-wireguard" do
action :accept
- source wireguard_source
- dest "fw"
- proto "udp"
+ context :incoming
+ protocol :udp
+ source :osm unless node[:roles].include?("gateway")
dest_ports "51820"
source_ports "51820"
end
firewall_rule "accept-http" do
action :accept
- source "net"
- dest "fw"
- proto "tcp:syn"
- dest_ports "http"
- rate_limit node[:networking][:firewall][:http_rate_limit]
- connection_limit node[:networking][:firewall][:http_connection_limit]
-end
-
-firewall_rule "accept-https" do
- action :accept
- source "net"
- dest "fw"
- proto "tcp:syn"
- dest_ports "https"
+ context :incoming
+ protocol :tcp
+ dest_ports %w[http https]
rate_limit node[:networking][:firewall][:http_rate_limit]
connection_limit node[:networking][:firewall][:http_connection_limit]
end
projects / chef.git / blobdiff