# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
network_packages = []
node[:networking][:interfaces].each do |name, interface|
- network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
- network_packages |= ["ifenslave"] if interface[:bond]
+ if interface[:interface]
+ network_packages |= ["vlan"] if interface[:interface] =~ /\.\d+$/
+ network_packages |= ["ifenslave"] if interface[:bond]
+
+ if interface[:role] && (role = node[:networking][:roles][interface[:role]])
+ if role[interface[:family]]
+ node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
+ node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+ end
- if interface[:role] && (role = node[:networking][:roles][interface[:role]])
- if role[interface[:family]]
- node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
- node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+ node.normal[:networking][:interfaces][name][:metric] = role[:metric]
+ node.normal[:networking][:interfaces][name][:zone] = role[:zone]
end
- node.normal[:networking][:interfaces][name][:metric] = role[:metric]
- node.normal[:networking][:interfaces][name][:zone] = role[:zone]
- end
-
- prefix = node[:networking][:interfaces][name][:prefix]
+ prefix = node[:networking][:interfaces][name][:prefix]
- node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
- node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+ node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
+ node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+ else
+ node.rm(:networking, :interfaces, name)
+ end
end
package network_packages
notifies :restart, "service[shorewall]"
end
+template "/etc/shorewall/conntrack" do
+ source "shorewall-conntrack.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+ notifies :restart, "service[shorewall]"
+ only_if { node[:networking][:firewall][:raw] }
+end
+
template "/etc/shorewall/policy" do
source "shorewall-policy.erb"
owner "root"
rate_limit "s:1/sec:5"
end
-%w(ucl ic bm aws).each do |zone|
+%w[ucl ams bm].each do |zone|
firewall_rule "accept-openvpn-#{zone}" do
action :accept
- family :inet
source zone
dest "fw"
proto "udp"
notifies :restart, "service[shorewall6]"
end
+ template "/etc/shorewall6/conntrack" do
+ source "shorewall-conntrack.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+ notifies :restart, "service[shorewall6]"
+ only_if { node[:networking][:firewall][:raw] }
+ end
+
template "/etc/shorewall6/policy" do
source "shorewall-policy.erb"
owner "root"
dest "fw"
proto "tcp:syn"
dest_ports "http"
+ rate_limit node[:networking][:firewall][:http_rate_limit]
+ connection_limit node[:networking][:firewall][:http_connection_limit]
end
firewall_rule "accept-https" do
dest "fw"
proto "tcp:syn"
dest_ports "https"
+ rate_limit node[:networking][:firewall][:http_rate_limit]
+ connection_limit node[:networking][:firewall][:http_connection_limit]
end