Make sure meraxes holds a DHCPv6 lease

[chef.git] / cookbooks / networking / templates / default / nftables.erb

diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb
index 82064d7f5454e6b21c3940a381f41bce3c643426..778e57a218768fb84fe03ba4c343b8ad7fddc4d7 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.erb
+++ b/cookbooks/networking/templates/default/nftables.erb
@@ -11,7 +11,7 @@ stop() {
   /usr/sbin/nft list set inet chef-filter ip6-blocklist > /var/lib/nftables/ip6-blocklist.nft
   /usr/sbin/nft delete table inet chef-filter
 <% if node[:roles].include?("gateway") -%>
-  /usr/sbin/nft delete table inet chef-nat
+  /usr/sbin/nft delete table ip chef-nat
 <% end -%>
 }
 
@@ -20,10 +20,35 @@ reload() {
   start
 }
 
-case "$1" in
+block() {
+  for address in "$@"
+  do
+    case "$address" in
+      *.*) /usr/sbin/nft add element inet chef-filter ip-blocklist "{ $address }";;
+      *:*) /usr/sbin/nft add element inet chef-filter ip6-blocklist "{ $address }";;
+    esac
+  done
+}
+
+unblock() {
+  for address in "$@"
+  do
+    case "$address" in
+      *.*) /usr/sbin/nft delete element inet chef-filter ip-blocklist "{ $address }";;
+      *:*) /usr/sbin/nft delete element inet chef-filter ip6-blocklist "{ $address }";;
+    esac
+  done
+}
+
+command=$1
+shift
+
+case "$command" in
   start) start;;
   stop) stop;;
   reload) reload;;
+  block) block "$@";;
+  unblock) unblock "$@";;
 esac
 
 exit 0