X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/beb8df4e22cdf7a8d3016186ec333838eaa1c3c2..4ae23398ffb24aebf67db392cdea316d8550f6da:/cookbooks/networking/templates/default/nftables.conf.erb?ds=inline
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 8594cc244..2545c97c8 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -64,7 +64,11 @@ table inet filter {
   }
 
   chain incoming {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip saddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 saddr { $ip6-private-addresses } jump log-and-drop
 
     ip saddr @ip-blacklist jump log-and-drop
@@ -98,7 +102,11 @@ table inet filter {
   }
 
   chain outgoing {
+<%- if node[:networking][:firewall][:whitelist].empty? %>
     ip daddr { $ip-private-addresses } jump log-and-drop
+<%- else %>
+    ip daddr { $ip-private-addresses } ip daddr != { <%= node[:networking][:firewall][:whitelist].sort.join(", ") %> } jump log-and-drop
+<%- end %>
     ip6 daddr { $ip6-private-addresses } jump log-and-drop
 
 <%- node[:networking][:firewall][:outgoing].each do |rule| %>
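Review bot: The whitelist entries are interpolated into the nft set literal without any validation (`<%= node[:networking][:firewall][:whitelist].sort.join(", ") %>`), so one malformed entry, or an IPv6 entry, makes the whole ruleset fail to load rather than just that rule; because the set is matched with `ip saddr`/`ip daddr`, only IPv4 addresses or prefixes are valid here while the adjacent `ip6` drop rules stay unconditional. The attribute deserves a comment where it is consumed, e.g. `<%# whitelist: IPv4 addresses/prefixes exempted from the private-address drop; IPv6 is not covered %>`, and ideally a format check in the recipe before it reaches the template. The exemption is not tied to an interface, so a whitelisted private source is accepted wherever it arrives; if the intent is a specific internal link, an `iifname`/`oifname` match would preserve the anti-spoofing property on the others — I cannot see the rest of the chain to confirm. The identical conditional is repeated in the `outgoing` chain hunk; the `incoming` and `outgoing` chain blocks both continue outside their hunks.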