X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/7ceeae1a312e18a1bb2d05c357455f3c058e3975..3ee5c4d242a98a13d89a02ba7998610a20969e0c:/cookbooks/networking/recipes/default.rb
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index e892f262f..799871963 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -403,8 +403,6 @@ node.interfaces(:role => :external).each do |interface|
   interfaces << interface[:interface]
 end
 
-interfaces << "eth0" if kitchen? && interfaces.empty?
-
 template "/etc/nftables.conf" do
   source "nftables.conf.erb"
   owner "root"
@@ -415,10 +413,12 @@ template "/etc/nftables.conf" do
 end
 
 stop_commands = [
-  "/usr/sbin/nft delete table inet filter"
+  "-/usr/sbin/nft delete table inet filter",
+  "-/usr/sbin/nft delete table inet chef-filter"
 ]
 
-stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+stop_commands << "-/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+stop_commands << "-/usr/sbin/nft delete table ip chef-nat" if node[:roles].include?("gateway")
 
 systemd_service "nftables-stop" do
   service "nftables"
@@ -458,18 +458,8 @@ firewall_rule "accept-http" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
-  dest_ports "http"
-  rate_limit node[:networking][:firewall][:http_rate_limit]
-  connection_limit node[:networking][:firewall][:http_connection_limit]
-end
-
-firewall_rule "accept-https" do
-  action :accept
-  source "net"
-  dest "fw"
-  proto "tcp:syn"
-  dest_ports "https"
+  proto "tcp"
+  dest_ports %w[http https]
   rate_limit node[:networking][:firewall][:http_rate_limit]
   connection_limit node[:networking][:firewall][:http_connection_limit]
 end
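Review bot: The leading `-` now baked into every stop_commands string in the second hunk is presumably the systemd ExecStop ignore-failure prefix (so the stop does not fail while only one of the old and new table names exists), but nothing in the recipe says so and it reads like part of the command path; a short comment above the array, `# leading "-": systemd ignores a non-zero exit, since only one of filter/chef-filter exists during the rename`, would record the intent. The two new gateway lines also repeat the same `if node[:roles].include?("gateway")` guard, which is easier to read as one conditional: `if node[:roles].include?("gateway")` / `  stop_commands.concat(["-/usr/sbin/nft delete table ip nat", "-/usr/sbin/nft delete table ip chef-nat"])` / `end`. Whether the systemd_service resource emits these strings verbatim as ExecStop= lines is outside this hunk, so the prefix semantics should be confirmed against that resource.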
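Review bot: Changing `proto "tcp:syn"` to `proto "tcp"` on the merged accept-http rule widens what rate_limit and connection_limit are evaluated against from new connections to every segment of an established flow, unless the firewall_rule resource adds a new-connection match on its own (that resource is outside this hunk). If proto is passed through unchanged, http_rate_limit and http_connection_limit, which were tuned for SYN rates, would now throttle established HTTP/HTTPS traffic; keeping `proto "tcp:syn"` together with `dest_ports %w[http https]` preserves the previous matching while still merging the two rules. The resource name `accept-http` now also covers https, so a comment such as `# accepts both http and https; limits are shared across the two ports` above the rule would keep the name from misleading the next reader.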