X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/2e17bd4b4697423f9c124cfdb802424a58c16d80..200f486870c88f3916ede7bcb36b47b374a63901:/cookbooks/networking/resources/firewall_rule.rb
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 4cda0486b..22bde6ca9 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -75,7 +75,9 @@ action_class do
 
 if new_resource.connection_limit
 set = "connlimit-#{new_resource.rule}-#{ip}"
- node.default[:networking][:firewall][:sets] << set
+ node.default[:networking][:firewall][:sets] << {
+ :name => set, :type => set_type(ip), :flags => %w[dynamic]
+ }
 rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
 end
 
@@ -85,7 +87,9 @@ action_class do
 
 rate = Regexp.last_match(1)
 burst = Regexp.last_match(2)
- node.default[:networking][:firewall][:sets] << set
+ node.default[:networking][:firewall][:sets] << {
+ :name => set, :type => set_type(ip), :flags => %w[dynamic], :timeout => 120
+ }
 rule << "update @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
 end
 
@@ -114,9 +118,9 @@ action_class do
 addresses
 else
 Array(addresses).map do |address|
- if ip == "ip" && IPAddr.new(address).ipv4?
+ if ip == "ip" && IPAddr.new(address.to_s).ipv4?
 address
- elsif ip == "ip6" && IPAddr.new(address).ipv6?
+ elsif ip == "ip6" && IPAddr.new(address.to_s).ipv6?
 address
 end
 end.compact
@@ -134,4 +138,11 @@ action_class do
 "{ #{Array(addresses).map(&:to_s).join(', ')} }"
 end
 end
+
+ def set_type(ip)
+ case ip
+ when "ip" then "ipv4_addr"
+ when "ip6" then "ipv6_addr"
+ end
+ end
 end
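Review bot: The connlimit set hash in the first hunk is registered with `:flags => %w[dynamic]` and no `:timeout`, while the otherwise identical rate-limit set in the next hunk gets `:timeout => 120`; nothing in the code says whether the omission is deliberate, and a later maintainer "fixing" the asymmetry would change how long per-source connection counters live. A one-line comment on the `<< {` line would settle it, e.g. `# no timeout: the set only holds per-source live connection counts (ct count), which nft reclaims on its own once they drop to zero — unlike the rate-limit set below`; the reclaim behaviour is my reading of nftables connlimit sets, not something the hunk shows, so confirm before wording it that strongly. The enclosing `if new_resource.connection_limit` block is fully inside the hunk, but the surrounding method is not.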
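Review bot: The `:timeout => 120` on the rate-limit set in the second hunk is an unexplained magic number: it determines how long an idle source keeps its `limit rate` state, and it is the only thing bounding the size of this dynamic set since every new source address creates an element via the `update @set` rule on the next line. Either hoist it to a named constant or comment the line, e.g. `:timeout => 120 # expire a source's limiter 120s after its last packet so the set cannot grow without bound`; whether 120s was chosen to exceed the largest configured burst window is something I cannot tell from the hunk. The `rate`/`burst` captures come from a regexp match that sits outside this hunk, as does the start of the enclosing method.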
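Review bot: Wrapping the argument in `address.to_s` in the third hunk lets non-String entries (notably `IPAddr` instances) through the family check, but `IPAddr#to_s` drops the prefix length, so an `IPAddr.new("10.0.0.0/8")` passes the `ipv4?` test here and is then rendered by the `Array(addresses).map(&:to_s)` visible as context in the last hunk as the single host `10.0.0.0` rather than the /8 — silently narrowing an allow rule or leaving most of a blocked range unblocked. If IPAddr inputs are meant to be supported, render them with their mask (e.g. `address.respond_to?(:prefix) ? "#{address}/#{address.prefix}" : address.to_s`), otherwise document on the method that addresses must be strings; I can only see the family filter here, so check how the rule is built further down. Note also that `IPAddr.new` raises `IPAddr::InvalidAddressError` on a malformed entry, which is fine (it fails the converge) but worth a comment. The enclosing method begins and ends outside this hunk.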
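Review bot: `set_type` in the last hunk returns `nil` for any `ip` value other than `"ip"`/`"ip6"`, and both call sites in the earlier hunks put that value straight into `:type`, so a typo or new family name would register a set with a nil type and fail (if at all) only when the generated nftables configuration is loaded, far from the cause. The `case` should fail loudly instead: `when "ip6" then "ipv6_addr"` followed by `else raise ArgumentError, "unknown address family: #{ip.inspect}"`. A short YARD comment above the method (`# Maps the nft family keyword ("ip"/"ip6") to the set element type.`) would also make its contract clear, since the keyword strings are otherwise only implied by the `ip == "ip"` comparisons in the third hunk. The surrounding `action_class` block starts before the first hunk.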