if interface[:interface]
if interface[:role] && (role = node[:networking][:roles][interface[:role]])
if role[interface[:family]]
- node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
- node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
- node.normal[:networking][:interfaces][name][:routes] = role[interface[:family]][:routes]
+ node.default[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
+ node.default[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+ node.default[:networking][:interfaces][name][:routes] = role[interface[:family]][:routes]
end
- node.normal[:networking][:interfaces][name][:metric] = role[:metric]
- node.normal[:networking][:interfaces][name][:zone] = role[:zone]
+ node.default[:networking][:interfaces][name][:metric] = role[:metric]
+ node.default[:networking][:interfaces][name][:zone] = role[:zone]
end
if interface[:address]
prefix = node[:networking][:interfaces][name][:prefix]
- node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
- node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+ node.default[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
+ node.default[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
end
interface = node[:networking][:interfaces][name]
"scope" => "link"
)
end
+
+ if interface[:role] == "internal" && interface[:gateway] != interface[:address]
+ search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
+ next unless gateway[:openvpn]
+
+ gateway[:openvpn][:tunnels].each_value do |tunnel|
+ if tunnel[:peer][:address]
+ deviceplan["routes"].push(
+ "to" => "#{tunnel[:peer][:address]}/32",
+ "via" => interface[:gateway]
+ )
+
+ route tunnel[:peer][:address] do
+ netmask "255.255.255.255"
+ gateway interface[:gateway]
+ device interface[:interface]
+ end
+ end
+
+ next unless tunnel[:peer][:networks]
+
+ tunnel[:peer][:networks].each do |network|
+ prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
+
+ deviceplan["routes"].push(
+ "to" => "#{network[:address]}/#{prefix}",
+ "via" => interface[:gateway]
+ )
+
+ route network[:address] do
+ netmask network[:netmask]
+ gateway interface[:gateway]
+ device interface[:interface]
+ end
+ end
+ end
+ end
+ end
end
if interface[:routes]
to "../run/systemd/resolve/stub-resolv.conf"
end
-if node[:networking][:tcp_fastopen_key]
- fastopen_keys = data_bag_item("networking", "fastopen")
-
- node.normal[:sysctl][:tcp_fastopen] = {
- :comment => "Set shared key for TCP fast open",
- :parameters => {
- "net.ipv4.tcp_fastopen_key" => fastopen_keys[node[:networking][:tcp_fastopen_key]]
- }
- }
-end
-
-node.interfaces(:role => :internal) do |interface|
- if interface[:gateway] && interface[:gateway] != interface[:address]
- search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
- next unless gateway[:openvpn]
-
- gateway[:openvpn][:tunnels].each_value do |tunnel|
- if tunnel[:peer][:address]
- route tunnel[:peer][:address] do
- netmask "255.255.255.255"
- gateway interface[:gateway]
- device interface[:interface]
- end
- end
-
- next unless tunnel[:peer][:networks]
-
- tunnel[:peer][:networks].each do |network|
- route network[:address] do
- netmask network[:netmask]
- gateway interface[:gateway]
- device interface[:interface]
- end
- end
- end
- end
- end
-end
-
zones = {}
search(:node, "networking:interfaces").collect do |n|
end
template "/etc/shorewall/rules" do
+ action :nothing
source "shorewall-rules.erb"
owner "root"
group "root"
notifies :restart, "service[shorewall]"
end
+notify_group "shorewall-rules" do
+ action :run
+ notifies :create, "template[/etc/shorewall/rules]"
+end
+
service "shorewall" do
action [:enable, :start]
supports :restart => true
end
template "/etc/shorewall6/rules" do
+ action :nothing
source "shorewall-rules.erb"
owner "root"
group "root"
notifies :restart, "service[shorewall6]"
end
+ notify_group "shorewall6-rules" do
+ action :run
+ notifies :create, "template[/etc/shorewall6/rules]"
+ end
+
service "shorewall6" do
action [:enable, :start]
supports :restart => true