X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/ccfa52cb5bce88a14e36a9967c5803570321c325..5f3a5421476c68027c50b821916585ab01f0efa1:/cookbooks/networking/resources/firewall_rule.rb?ds=sidebyside
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 0dd9a488a..75d73dc11 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -106,15 +106,15 @@ action_class do
 end
 if new_resource.source_ports != "-"
- rule << "#{proto} sport { #{new_resource.source_ports} }"
+ rule << "#{proto} sport { #{nftables_source_ports} }"
 end
 if new_resource.dest_ports != "-"
- rule << "#{proto} dport { #{new_resource.dest_ports} }"
+ rule << "#{proto} dport { #{nftables_dest_ports} }"
 end
 if new_resource.source == "osm"
- rule << "#{ip} saddr { $#{ip}-osm-addresses }"
+ rule << "#{ip} saddr @#{ip}-osm-addresses"
 elsif new_resource.source =~ /^net:(.*)$/
 addresses = Regexp.last_match(1).split(",").join(", ")
@@ -122,7 +122,7 @@ action_class do
 end
 if new_resource.dest == "osm"
- rule << "#{ip} daddr $#{ip}-osm-addresses"
+ rule << "#{ip} daddr @#{ip}-osm-addresses"
 elsif new_resource.dest =~ /^net:(.*)$/
 addresses = Regexp.last_match(1).split(",").join(", ")
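Review bot: The `osm` source and destination branches now reference the named set `@#{ip}-osm-addresses` (the destination side is in the `-122` hunk) instead of interpolating a `$…` variable inside `{ }`, but unlike the `connlimit-`/`ratelimit-` sets added later in this diff nothing here registers it in `node.default[:networking][:firewall][:sets]`, so it must be declared elsewhere or the generated ruleset will not load. A short comment at the first use, `# @<ip>-osm-addresses is declared statically in the nftables template, not via [:sets]`, would save the next reader that search — assuming that is where it lives; adjust the wording if not. The enclosing action body starts and ends outside this hunk.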
@@ -134,17 +134,21 @@ action_class do
 end
 if new_resource.connection_limit != "-"
- rule << "ct count #{new_resource.connection_limit}"
+ set = "connlimit-#{new_resource.rule}-#{ip}"
+
+ node.default[:networking][:firewall][:sets] << set
+
+ rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
 end
 if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$}
- set = "#{new_resource.rule}-#{ip}"
+ set = "ratelimit-#{new_resource.rule}-#{ip}"
 rate = Regexp.last_match(1)
 burst = Regexp.last_match(2)
 node.default[:networking][:firewall][:sets] << set
- rule << "add @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
+ rule << "update @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
 end
 rule << case action
@@ -154,9 +158,17 @@ action_class do
 end
 if new_resource.source == "fw"
- node.default[:networking][:firewall][:outcoming] << rule.join(" ")
+ node.default[:networking][:firewall][:outgoing] << rule.join(" ")
 elsif new_resource.dest == "fw"
 node.default[:networking][:firewall][:incoming] << rule.join(" ")
 end
 end
+
+ def nftables_source_ports
+ new_resource.source_ports.to_s.sub(/:$/, "-65535").gsub(":", "-")
+ end
+
+ def nftables_dest_ports
+ new_resource.dest_ports.to_s.sub(/:$/, "-65535").gsub(":", "-")
+ end
 end
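Review bot: The connection-limit branch interpolates `new_resource.connection_limit` straight into the nft rule, whereas the rate-limit branch just below pattern-matches `rate_limit` with `%r{^s:(\d+)/sec:(\d+)$}` before using its captures; a non-numeric value therefore only surfaces when the generated ruleset is loaded on the host. Coercing it first, `count = Integer(new_resource.connection_limit)` followed by `rule << "add @#{set} { #{ip} saddr ct count #{count} }"`, fails at compile time with a clear message and keeps the two limit branches consistent. The new `connlimit-…` set is registered in `[:sets]` like the ratelimit one, but the declaration that `ct count` elements require is outside this hunk, so I cannot confirm the two agree. The enclosing action body starts and ends outside this hunk.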
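Review bot: The two new helpers at the end of the `-154` hunk only close an open-ended range when the colon is the last character of the whole string, so a list such as `1024:,80` becomes `1024-,80` and a leading-colon form like `:1024` becomes `-1024`; whether those forms are ever passed is not visible here, but the conversion should work per comma-separated element. The `$` anchor also matches before a trailing newline, so `\z` is the right whole-string anchor. Both helpers are undocumented and duplicate the same expression, so a shared helper with a comment explaining the iptables-to-nftables port translation would read better, as sketched below.
```ruby
  def nftables_source_ports
    nftables_ports(new_resource.source_ports)
  end

  def nftables_dest_ports
    nftables_ports(new_resource.dest_ports)
  end

  # Translate an iptables-style port spec ("80", "1024:", "1024:2048", or a
  # comma-separated list of those) into nftables syntax: ":" becomes "-" and an
  # open-ended range is closed at 65535, element by element.
  def nftables_ports(ports)
    ports.to_s.split(",").map do |port|
      port.sub(/:\z/, "-65535").tr(":", "-")
    end.join(",")
  end
```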