imagery: do not fail socket upstreams

[chef.git] / cookbooks / networking / recipes / default.rb

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 2d6f83b38d1db1ed04aa493a2620771ac2b3e417..51f3f4389aa1eb7dd4ec5f2078080e47131ac6e5 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -25,23 +25,27 @@ require "ipaddr"
 network_packages = []
 
 node[:networking][:interfaces].each do |name, interface|
-  network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
-  network_packages |= ["ifenslave"] if interface[:bond]
+  if interface[:interface]
+    network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
+    network_packages |= ["ifenslave"] if interface[:bond]
+
+    if interface[:role] && (role = node[:networking][:roles][interface[:role]])
+      if role[interface[:family]]
+        node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
+        node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+      end
 
-  if interface[:role] && (role = node[:networking][:roles][interface[:role]])
-    if role[interface[:family]]
-      node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
-      node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+      node.normal[:networking][:interfaces][name][:metric] = role[:metric]
+      node.normal[:networking][:interfaces][name][:zone] = role[:zone]
     end
 
-    node.normal[:networking][:interfaces][name][:metric] = role[:metric]
-    node.normal[:networking][:interfaces][name][:zone] = role[:zone]
-  end
-
-  prefix = node[:networking][:interfaces][name][:prefix]
+    prefix = node[:networking][:interfaces][name][:prefix]
 
-  node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
-  node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+    node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
+    node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+  else
+    node.rm(:networking, :interfaces, name)
+  end
 end
 
 package network_packages
@@ -175,6 +179,14 @@ template "/etc/shorewall/hosts" do
   notifies :restart, "service[shorewall]"
 end
 
+template "/etc/shorewall/conntrack" do
+  source "shorewall-conntrack.erb"
+  owner "root"
+  group "root"
+  mode 0o644
+  notifies :restart, "service[shorewall]"
+end
+
 template "/etc/shorewall/policy" do
   source "shorewall-policy.erb"
   owner "root"
@@ -216,10 +228,9 @@ firewall_rule "limit-icmp-echo" do
   rate_limit "s:1/sec:5"
 end
 
-%w[ucl ic bm aws].each do |zone|
+%w[ucl ams bm].each do |zone|
   firewall_rule "accept-openvpn-#{zone}" do
     action :accept
-    family :inet
     source zone
     dest "fw"
     proto "udp"
@@ -288,6 +299,14 @@ unless node.interfaces(:family => :inet6).empty?
     notifies :restart, "service[shorewall6]"
   end
 
+  template "/etc/shorewall6/conntrack" do
+    source "shorewall-conntrack.erb"
+    owner "root"
+    group "root"
+    mode 0o644
+    notifies :restart, "service[shorewall6]"
+  end
+
   template "/etc/shorewall6/policy" do
     source "shorewall-policy.erb"
     owner "root"