Refactor firewall rules to simplify IPv4/IPv6 handling

[chef.git] / cookbooks / munin / recipes / default.rb

diff --git a/cookbooks/munin/recipes/default.rb b/cookbooks/munin/recipes/default.rb
index c1233f9b9203804a9aafa4fe5e3f24a947b4c468..0a2a344528159a0bb687300e6fa325170419f5ab 100644 (file)
--- a/cookbooks/munin/recipes/default.rb
+++ b/cookbooks/munin/recipes/default.rb
@@ -24,22 +24,24 @@ service "munin-node" do
   supports :status => true, :restart => true, :reload => true
 end
 
-servers = search(:node, "recipes:munin\\:\\:server")
+servers = []
 
-servers.each do |server|
+search(:node, "recipes:munin\\:\\:server").each do |server|
   server.interfaces(:role => :external) do |interface|
-    firewall_rule "accept-munin-#{server}" do
-      action :accept
-      family interface[:family]
-      source "net:#{interface[:address]}"
-      dest "fw"
-      proto "tcp"
-      dest_ports "munin"
-      source_ports "1024-65535"
-    end
+    servers << interface[:address]
   end
 end
 
+firewall_rule "accept-munin" do
+  action :accept
+  context :incoming
+  protocol :tcp
+  source servers
+  dest_ports "munin"
+  source_ports "1024-65535"
+  not_if { servers.empty? }
+end
+
 template "/etc/munin/munin-node.conf" do
   source "munin-node.conf.erb"
   owner "root"