X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/f4a0305a479f4177a21d60d9b726b42e0562a875..5a207c66f87d1d119e0b3824345e1371e686eb7c:/cookbooks/networking/templates/default/nftables.erb
diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb
index 82064d7f5..778e57a21 100644
--- a/cookbooks/networking/templates/default/nftables.erb
+++ b/cookbooks/networking/templates/default/nftables.erb
@@ -11,7 +11,7 @@ stop() {
 /usr/sbin/nft list set inet chef-filter ip6-blocklist > /var/lib/nftables/ip6-blocklist.nft
 /usr/sbin/nft delete table inet chef-filter
 <% if node[:roles].include?("gateway") -%>
- /usr/sbin/nft delete table inet chef-nat
+ /usr/sbin/nft delete table ip chef-nat
 <% end -%>
 }
 
@@ -20,10 +20,35 @@ reload() {
 start
 }
 
-case "$1" in
+block() {
+ for address in "$@"
+ do
+ case "$address" in
+ *.*) /usr/sbin/nft add element inet chef-filter ip-blocklist "{ $address }";;
+ *:*) /usr/sbin/nft add element inet chef-filter ip6-blocklist "{ $address }";;
+ esac
+ done
+}
+
+unblock() {
+ for address in "$@"
+ do
+ case "$address" in
+ *.*) /usr/sbin/nft delete element inet chef-filter ip-blocklist "{ $address }";;
+ *:*) /usr/sbin/nft delete element inet chef-filter ip6-blocklist "{ $address }";;
+ esac
+ done
+}
+
+command=$1
+shift
+
+case "$command" in
 start) start;;
 stop) stop;;
 reload) reload;;
+ block) block "$@";;
+ unblock) unblock "$@";;
 esac
 
 exit 0
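Review bot: In the new block() and unblock() functions an argument that contains neither a dot nor a colon matches no `case` arm and is dropped without any message, and because the script still ends in `exit 0` neither that nor a failing nft call is ever reported to the operator, so a mistyped entry can leave an address unblocked while the command appears to succeed. Adding a default arm to both functions, `*) echo "$0: unrecognised address '$address'" >&2; exit 1;;`, would surface the problem; nft's own exit status should likewise be propagated rather than masked. The bare `shift` after `command=$1` is also a regression when the script is invoked with no arguments: with no positional parameters to shift, a POSIX shell such as dash treats this as a fatal error and aborts before reaching the `case`, whereas the old `case "$1"` simply fell through to `exit 0`; `[ $# -gt 0 ] && shift` preserves the earlier behaviour (the shebang is outside this hunk, so which shell applies cannot be confirmed here). Whether addresses added at runtime survive a restart depends on the `nft list set` dump in stop() running first, which is worth a comment above block().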