if interface[:role] && (role = node[:networking][:roles][interface[:role]])
if role[interface[:family]]
- node.set[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
- node.set[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+ node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
+ node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
end
- node.set[:networking][:interfaces][name][:metric] = role[:metric]
- node.set[:networking][:interfaces][name][:zone] = role[:zone]
+ node.normal[:networking][:interfaces][name][:metric] = role[:metric]
+ node.normal[:networking][:interfaces][name][:zone] = role[:zone]
end
prefix = node[:networking][:interfaces][name][:prefix]
- node.set[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
- node.set[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+ node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
+ node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
end
package network_packages
mode 0o644
end
-link "/etc/resolv.conf" do
- action :delete
- link_type :symbolic
- to "/run/resolvconf/resolv.conf"
- only_if { File.symlink?("/etc/resolv.conf") }
-end
+unless node[:networking][:nameservers].empty?
+ link "/etc/resolv.conf" do
+ action :delete
+ link_type :symbolic
+ to "/run/resolvconf/resolv.conf"
+ only_if { File.symlink?("/etc/resolv.conf") }
+ end
-template "/etc/resolv.conf" do
- source "resolv.conf.erb"
- owner "root"
- group "root"
- mode 0o644
+ template "/etc/resolv.conf" do
+ source "resolv.conf.erb"
+ owner "root"
+ group "root"
+ mode 0o644
+ end
end
node.interfaces(:role => :internal) do |interface|
owner "root"
group "root"
mode 0o644
- variables :rules => []
+ variables :family => "inet"
notifies :restart, "service[shorewall]"
end
rate_limit "s:1/sec:5"
end
-%w(ucl ic bm aws).each do |zone|
+%w[ucl ic bm aws].each do |zone|
firewall_rule "accept-openvpn-#{zone}" do
action :accept
family :inet
owner "root"
group "root"
mode 0o644
- variables :rules => []
+ variables :family => "inet6"
notifies :restart, "service[shorewall6]"
end
dest "fw"
proto "tcp:syn"
dest_ports "http"
+ connection_limit node[:networking][:firewall][:http_connection_limit]
end
firewall_rule "accept-https" do
dest "fw"
proto "tcp:syn"
dest_ports "https"
+ connection_limit node[:networking][:firewall][:http_connection_limit]
end