Allow AWS DNS queries through the firewall
index 8594cc24498a0a05b64f74ff027fb872cc77934a..2545c97c868c733d8b2052e9aa11be0d53a3d0da 100644 (file)
@@ -64,7 +64,11 @@ table inet filter {
   }
 
   chain incoming {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip saddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 saddr { $ip6-private-addresses } jump log-and-drop
 
     ip saddr @ip-blacklist jump log-and-drop
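Review bot: The same `node[:networking][:firewall][:whitelist]` attribute exempts an address from the private-address drop in both directions — here in `incoming` (saddr) and again in the `outgoing` hunk at @@ -98,7 +102,11 (daddr) — so an entry added to let the host query a private-range DNS resolver also admits inbound traffic from that address past the drop rule. If the intent is only to reach a resolver, a separate attribute per direction (or at least only rendering the exemption in `outgoing`) keeps the exposure minimal. The generated set is also inserted verbatim via `.sort.join(", ")` with no validation, so a malformed entry breaks loading of the whole ruleset; that may be acceptable for attribute-sourced data, but worth a template comment, e.g. `<%# whitelist entries must be valid nftables IPv4 set elements; an invalid entry aborts the ruleset load %>`. The `.empty?` branches are needed because `ip saddr != { }` with an empty set is not valid nftables, which deserves a one-line comment as well.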
@@ -98,7 +102,11 @@ table inet filter {
   }
 
   chain outgoing {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip daddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip daddr { $ip-private-addresses } ip daddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 daddr { $ip6-private-addresses } jump log-and-drop
 
 <%- node[:networking][:firewall][:outgoing].each do |rule| %>