Make nftables block various invalid TCP flag combinations
index 0dd9a488a4a3366559a7f5ae0062af46d437d14f..48a5074d7fba0a102da70150cd9f21b0163955b4 100644 (file)
@@ -106,15 +106,15 @@ action_class do
             end
 
     if new_resource.source_ports != "-"
-      rule << "#{proto} sport { #{new_resource.source_ports} }"
+      rule << "#{proto} sport { #{nftables_source_ports} }"
     end
 
     if new_resource.dest_ports != "-"
-      rule << "#{proto} dport { #{new_resource.dest_ports} }"
+      rule << "#{proto} dport { #{nftables_dest_ports} }"
     end
 
     if new_resource.source == "osm"
-      rule << "#{ip} saddr { $#{ip}-osm-addresses }"
+      rule << "#{ip} saddr @#{ip}-osm-addresses"
     elsif new_resource.source =~ /^net:(.*)$/
       addresses = Regexp.last_match(1).split(",").join(", ")
 
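Review bot: The values substituted on the `sport` and `dport` lines come straight from the resource's `source_ports`/`dest_ports` properties and, through the helpers added in the third hunk, are interpolated into the nftables rule with no syntax check; unless the property declarations (outside this diff) constrain them, a value containing spaces or other nft tokens lands verbatim in the ruleset, and if nft then rejects the file the host could come up without its firewall. A coarse allowlist in the helper, `raise ArgumentError, "bad port list #{ports.inspect}" unless ports.match?(/\A[\d:,]+\z/)`, would fail the Chef run instead. The `saddr @#{ip}-osm-addresses` form (and `daddr` in the second hunk) now references a named nftables set rather than a `$` variable; the template that has to declare the `ip-osm-addresses`/`ip6-osm-addresses` sets is not in this diff, so that dependency is worth confirming before merge. The enclosing action block starts before this hunk.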
@@ -122,7 +122,7 @@ action_class do
     end
 
     if new_resource.dest == "osm"
-      rule << "#{ip} daddr $#{ip}-osm-addresses"
+      rule << "#{ip} daddr @#{ip}-osm-addresses"
     elsif new_resource.dest =~ /^net:(.*)$/
       addresses = Regexp.last_match(1).split(",").join(", ")
 
@@ -154,9 +154,17 @@ action_class do
             end
 
     if new_resource.source == "fw"
-      node.default[:networking][:firewall][:outcoming] << rule.join(" ")
+      node.default[:networking][:firewall][:outgoing] << rule.join(" ")
     elsif new_resource.dest == "fw"
       node.default[:networking][:firewall][:incoming] << rule.join(" ")
     end
   end
+
+  def nftables_source_ports
+    new_resource.source_ports.to_s.sub(/:$/, "-65535").gsub(":", "-")
+  end
+
+  def nftables_dest_ports
+    new_resource.dest_ports.to_s.sub(/:$/, "-65535").gsub(":", "-")
+  end
 end
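Review bot: The new `nftables_source_ports`/`nftables_dest_ports` helpers only rewrite a trailing colon, so an iptables-style range with the lower bound omitted (`:1023`, meaning 0 through 1023) becomes `-1023`, which is not valid nftables syntax; whether any caller passes that form I cannot tell from here, but handling it is one more `sub`. The anchor should also be `\z` rather than `$`, which matches at line ends, and `\A` for the leading case. Both helpers are byte-identical apart from the property they read, so a single `nftables_ports(value)` helper carrying a comment on the accepted input forms avoids the two drifting apart. The `:outcoming` → `:outgoing` rename is only safe if whatever reads that attribute was updated in the same commit, which is outside this file. The enclosing `action_class` block starts before this hunk.
```ruby
  def nftables_source_ports
    nftables_ports(new_resource.source_ports)
  end

  def nftables_dest_ports
    nftables_ports(new_resource.dest_ports)
  end

  # Translate an iptables-style port list ("80,443", "1024:", ":1023")
  # into nftables syntax ("80,443", "1024-65535", "0-1023").
  def nftables_ports(ports)
    ports.to_s.sub(/\A:/, "0-").sub(/:\z/, "-65535").gsub(":", "-")
  end
```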