X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/57d39f25fd8e302f19b49c55308cc24d7ca3047d..3ee5c4d242a98a13d89a02ba7998610a20969e0c:/cookbooks/networking/recipes/default.rb
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 2ec9691a4..799871963 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -413,10 +413,12 @@ template "/etc/nftables.conf" do
 end
 stop_commands = [
-  "/usr/sbin/nft delete table inet filter"
+  "-/usr/sbin/nft delete table inet filter",
+  "-/usr/sbin/nft delete table inet chef-filter"
 ]
-stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+stop_commands << "-/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+stop_commands << "-/usr/sbin/nft delete table ip chef-nat" if node[:roles].include?("gateway")
 systemd_service "nftables-stop" do
   service "nftables"
@@ -456,18 +458,8 @@ firewall_rule "accept-http" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
-  dest_ports "http"
-  rate_limit node[:networking][:firewall][:http_rate_limit]
-  connection_limit node[:networking][:firewall][:http_connection_limit]
-end
-
-firewall_rule "accept-https" do
-  action :accept
-  source "net"
-  dest "fw"
-  proto "tcp:syn"
-  dest_ports "https"
+  proto "tcp"
+  dest_ports %w[http https]
   rate_limit node[:networking][:firewall][:http_rate_limit]
   connection_limit node[:networking][:firewall][:http_connection_limit]
 end
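Review bot: The `-` prefix added to every entry of `stop_commands` is a systemd `Exec*=` convention (a non-zero exit status is ignored), not part of the nft command line, and nothing in the hunk says so, so a later reader is likely to take it for a typo. A one-line comment above the array, `# Leading "-" makes systemd ignore a failed delete, so a table that does not exist (old "filter"/"nat" or new "chef-filter"/"chef-nat") does not fail the stop`, would preserve that intent; it also means the stop is best-effort, so a genuinely failed delete (nft missing, permission error) leaves rules loaded while the unit reports stopped. The two identical `if node[:roles].include?("gateway")` guards could be collapsed into one, e.g. `stop_commands.concat(["-/usr/sbin/nft delete table ip nat", "-/usr/sbin/nft delete table ip chef-nat"]) if node[:roles].include?("gateway")`. The `systemd_service "nftables-stop"` block that consumes the array runs past the end of the hunk, so which stop directive it feeds is not visible here.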
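Review bot: Merging the two rules also changes what the limits bound: before, http and https each carried their own `rate_limit`/`connection_limit`, and now, if the `firewall_rule` resource emits a single nft rule for `%w[http https]`, `http_rate_limit` and `http_connection_limit` cap the two ports combined, so a burst on one port can starve the other. Likewise the switch from `"tcp:syn"` to `"tcp"` only keeps the limits on new connections if the resource adds a conntrack-state match itself, which this hunk does not show; worth confirming in the resource before merging, since limiting every TCP packet would throttle established HTTP sessions. A short comment on the `rate_limit` line, `# limits apply to http+https combined`, would document the intent either way. The enclosing `firewall_rule "accept-http" do` starts before the hunk.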