Handle machines with no external interface

[chef.git] / cookbooks / networking / recipes / default.rb

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index cef11a071a5270f19c9c1978f130012d69cd6c84..427cd794ae1063595f422b68f1cce1ede11df408 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -383,7 +383,7 @@ link "/etc/resolv.conf" do
   to "../run/systemd/resolve/stub-resolv.conf"
 end
 
-hosts = { :inet => [], :inet6 => [] }
+hosts = { "inet" => [], "inet6" => [] }
 zones = {}
 
 search(:node, "networking:interfaces").collect do |n|
@@ -400,9 +400,6 @@ search(:node, "networking:interfaces").collect do |n|
   end
 end
 
-hosts[:inet] << "127.0.0.1" if hosts[:inet].empty?
-hosts[:inet6] << "::1" if hosts[:inet6].empty?
-
 if node[:networking][:firewall][:engine] == "shorewall"
   package "shorewall"
 
@@ -653,7 +650,7 @@ if node[:networking][:firewall][:engine] == "shorewall"
   end
 elsif node[:networking][:firewall][:engine] == "nftables"
   service "shorewall6" do
-    action [:disable, :stop]
+    action :stop
   end
 
   package "shorewall6" do
@@ -661,7 +658,7 @@ elsif node[:networking][:firewall][:engine] == "nftables"
   end
 
   service "shorewall" do
-    action [:disable, :stop]
+    action :stop
   end
 
   systemd_service "shorewall-docker" do
@@ -693,6 +690,19 @@ elsif node[:networking][:firewall][:engine] == "nftables"
     notifies :restart, "service[nftables]"
   end
 
+  stop_commands = [
+    "/usr/sbin/nft delete table inet filter"
+  ]
+
+  stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+
+  systemd_service "nftables-stop" do
+    service "nftables"
+    dropin "stop"
+    exec_reload ""
+    exec_stop stop_commands
+  end
+
   if node[:networking][:firewall][:enabled]
     service "nftables" do
       action [:enable, :start]