Avoid dropping third party tables when stopping an nftables firewall

[chef.git] / cookbooks / networking / recipes / default.rb

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 8101a9b89141757902c86ef4d838722abfb8fd11..427cd794ae1063595f422b68f1cce1ede11df408 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -400,9 +400,6 @@ search(:node, "networking:interfaces").collect do |n|
   end
 end
 
-hosts["inet"] << "127.0.0.1" if hosts["inet"].empty?
-hosts["inet6"] << "::1" if hosts["inet6"].empty?
-
 if node[:networking][:firewall][:engine] == "shorewall"
   package "shorewall"
 
@@ -693,6 +690,19 @@ elsif node[:networking][:firewall][:engine] == "nftables"
     notifies :restart, "service[nftables]"
   end
 
+  stop_commands = [
+    "/usr/sbin/nft delete table inet filter"
+  ]
+
+  stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+
+  systemd_service "nftables-stop" do
+    service "nftables"
+    dropin "stop"
+    exec_reload ""
+    exec_stop stop_commands
+  end
+
   if node[:networking][:firewall][:enabled]
     service "nftables" do
       action [:enable, :start]