X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/0e74e2f70ceb291199499bcd7aa1828e1908fa65..bad5762eecf43cd8cc5f6a55b9262378a3851881:/cookbooks/networking/recipes/default.rb
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index dccba7c7a..5d7718508 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -409,22 +409,34 @@ template "/etc/nftables.conf" do
   group "root"
   mode "755"
   variables :interfaces => interfaces, :hosts => hosts
-  notifies :restart, "service[nftables]"
+  notifies :reload, "service[nftables]"
 end
 
-stop_commands = [
-  "-/usr/sbin/nft delete table inet filter",
-  "-/usr/sbin/nft delete table inet chef-filter"
-]
+directory "/var/lib/nftables" do
+  owner "root"
+  group "root"
+  mode "755"
+end
 
-stop_commands << "-/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
-stop_commands << "-/usr/sbin/nft delete table ip chef-nat" if node[:roles].include?("gateway")
+template "/usr/local/bin/nftables" do
+  source "nftables.erb"
+  owner "root"
+  group "root"
+  mode "755"
+end
 
 systemd_service "nftables-stop" do
+  action :delete
   service "nftables"
   dropin "stop"
-  exec_reload ""
-  exec_stop stop_commands
+end
+
+systemd_service "nftables-chef" do
+  service "nftables"
+  dropin "chef"
+  exec_start "/usr/local/bin/nftables start"
+  exec_reload "/usr/local/bin/nftables reload"
+  exec_stop "/usr/local/bin/nftables stop"
 end
 
 if node[:networking][:firewall][:enabled]
@@ -438,17 +450,11 @@ else
 end
 
 if node[:networking][:wireguard][:enabled]
-  wireguard_source = if node[:roles].include?("gateway")
-                       "net"
-                     else
-                       "osm"
-                     end
-
   firewall_rule "accept-wireguard" do
     action :accept
-    source wireguard_source
-    dest "fw"
-    proto "udp"
+    context :incoming
+    protocol :udp
+    source :osm unless node[:roles].include?("gateway")
     dest_ports "51820"
     source_ports "51820"
   end
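Review bot: The new `nftables-chef` drop-in sets `exec_start` on a unit that the distribution already ships with its own `ExecStart=` (Debian's nftables.service is `Type=oneshot` running `nft -f /etc/nftables.conf`), and for oneshot units systemd appends Exec* lines from a drop-in instead of replacing them, so both commands may run at start unless the value is reset first. The removed drop-in did exactly that with `exec_reload ""`, and `exec_stop` previously took an array, which suggests the resource renders values verbatim; if it does not emit an empty reset line itself, use `exec_start ["", "/usr/local/bin/nftables start"]` (and the same for `exec_reload`/`exec_stop`) and confirm in the rendered drop-in. Separately, `template "/usr/local/bin/nftables"` has no `notifies`, so a change to the script alone will not re-apply the ruleset until `/etc/nftables.conf` next changes; add `notifies :reload, "service[nftables]"` if that is intended. Whether `/var/lib/nftables` (mode 755) will hold anything sensitive such as saved rulesets or address sets depends on `nftables.erb`, which is not in this diff — if it does, a 700 directory is the safer default.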
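Review bot: On gateway hosts the rewritten `accept-wireguard` rule now has no `source` at all, so what it matches depends on the firewall_rule resource's default, which is not visible here; the old code explicitly restricted gateways to `"net"`, and it is not clear from the hunk whether an absent source means the same zone or every zone. A one-line comment would make the intent explicit: `# gateways accept from any peer address; other hosts only from the osm zone`. Note also that the kept `source_ports "51820"` match is not a security control, since the remote port is chosen by the sender, and it will drop legitimate peers behind NAT whose source port has been rewritten; WireGuard's key authentication is what actually protects the port, so that line is a candidate for removal. The enclosing `if node[:networking][:wireguard][:enabled]` block ends outside the hunk.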
@@ -456,20 +462,9 @@ end
 
 firewall_rule "accept-http" do
   action :accept
-  source "net"
-  dest "fw"
-  proto "tcp:syn"
-  dest_ports "http"
-  rate_limit node[:networking][:firewall][:http_rate_limit]
-  connection_limit node[:networking][:firewall][:http_connection_limit]
-end
-
-firewall_rule "accept-https" do
-  action :accept
-  source "net"
-  dest "fw"
-  proto "tcp:syn"
-  dest_ports "https"
+  context :incoming
+  protocol :tcp
+  dest_ports %w[http https]
   rate_limit node[:networking][:firewall][:http_rate_limit]
   connection_limit node[:networking][:firewall][:http_connection_limit]
 end
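Review bot: Merging the http and https rules changes how the limits apply: `rate_limit` and `connection_limit` now sit on one rule that covers both ports, so the `http_rate_limit` budget is shared between 80 and 443 instead of being granted to each, which halves the per-port allowance if the resource renders one limit expression per rule. Replacing `proto "tcp:syn"` with `protocol :tcp` also drops the explicit SYN-only match; unless the firewall_rule resource (not in this diff) scopes the limits to new connections with `ct state new`, the rate limit will count every packet of established sessions rather than connection attempts. If the old per-port budget is what is wanted, either double the attribute or keep two rules, `dest_ports "http"` and `dest_ports "https"`, each carrying the limits. Check the rendered nftables rule before relying on this for SYN-flood protection.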