Use ruby cookbook to install ruby for prometheus

[chef.git] / cookbooks / networking / templates / default / nftables.conf.erb

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 4a16fb0985df84bb0263d398f2b6b09384510876..1ef38da7f544d85b39a4453a602d889ac0d5466f 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -3,8 +3,8 @@
 <% unless @interfaces.empty? -%>
 define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
 <% end -%>
-
-define ip-private-addresses = { 0.0.0.0, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
+# Exclude 169.254.169.0/24 from ip-private-addresses as is widely by cloud providers.
+define ip-private-addresses = { 0.0.0.0, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0-169.254.168.255, 169.254.170.0-169.254.255.255, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
 define ip-multicast-addresses = { 224.0.0.0/4 }
 define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }
 define ip6-multicast-addresses = { ff00::/8 }
@@ -12,15 +12,15 @@ define ip6-multicast-addresses = { ff00::/8 }
 table inet chef-filter {
   set ip-osm-addresses {
     type ipv4_addr
-<% unless Array(@hosts["inet"]).empty? -%>
-    elements = { <%= Array(@hosts["inet"]).sort.join(", ") %> }
+<% unless Array(@hosts[:inet]).empty? -%>
+    elements = { <%= Array(@hosts[:inet]).sort.join(", ") %> }
 <% end -%>
   }
 
   set ip6-osm-addresses {
     type ipv6_addr
-<% unless Array(@hosts["inet"]).empty? -%>
-    elements = { <%= Array(@hosts["inet6"]).sort.join(", ") %> }
+<% unless Array(@hosts[:inet6]).empty? -%>
+    elements = { <%= Array(@hosts[:inet6]).sort.join(", ") %> }
 <% end -%>
   }
 
@@ -47,15 +47,13 @@ table inet chef-filter {
   }
 
 <% node[:networking][:firewall][:sets].each do |set| -%>
-  set <%= set %> {
-<% if set.end_with?("-ip") -%>
-    type ipv4_addr
-<% elsif set.end_with?("-ip6") -%>
-    type ipv6_addr
+  set <%= set[:name] %> {
+    type <%= set[:type] %>
+<% if set[:flags] -%>
+    flags <%= set[:flags].join(", ") %>
 <% end -%>
-    flags dynamic
-<% unless set.start_with?("connlimit-") -%>
-    timeout 120s
+<% if set[:timeout] -%>
+    timeout <%= set[:timeout] %>s
 <% end -%>
   }
 
@@ -68,12 +66,12 @@ table inet chef-filter {
 
 <% end -%>
   chain log-and-drop {
-    limit rate 1/second log
+    limit rate 1/second log level notice
     drop
   }
 
   chain log-and-reject {
-    limit rate 1/second log
+    limit rate 1/second log level notice
     reject
   }
 
@@ -166,9 +164,9 @@ table ip chef-nat {
   chain postrouting {
     type nat hook postrouting priority srcnat;
 
-<% node.interfaces(:role => :external, :family => :inet).each do |external| -%>
-<% node.interfaces(:role => :internal, :family => :inet).each do |internal| -%>
-    oifname { <%= external[:interface] %> } ip saddr { <%= internal[:network] %>/<%= internal[:prefix] %> } snat <%= external[:address] %>
+<% node.interfaces(:role => :external).each do |external| -%>
+<% node.ipaddresses(:role => :internal, :family => :inet).each do |internal| -%>
+    oifname { <%= external[:interface] %> } ip saddr { <%= internal.subnet %> } snat <%= external[:inet][:address] %>
 <% end -%>
 <% end -%>
   }