X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/f5005ec395d870ace9cc54243dcf79f49150c6ce..bc650c626ea81b4856682888bb059f7f18cb4bb2:/cookbooks/networking/recipes/default.rb
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index b643296f4..c195251e6 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -130,6 +130,44 @@ node[:networking][:interfaces].each do |name, interface|
 "scope" => "link"
 )
 end
+
+ if interface[:role] == "internal" && interface[:gateway] != interface[:address]
+ search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
+ next unless gateway[:openvpn]
+
+ gateway[:openvpn][:tunnels].each_value do |tunnel|
+ if tunnel[:peer][:address]
+ deviceplan["routes"].push(
+ "to" => "#{tunnel[:peer][:address]}/32",
+ "via" => interface[:gateway]
+ )
+
+ route tunnel[:peer][:address] do
+ netmask "255.255.255.255"
+ gateway interface[:gateway]
+ device interface[:interface]
+ end
+ end
+
+ next unless tunnel[:peer][:networks]
+
+ tunnel[:peer][:networks].each do |network|
+ prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
+
+ deviceplan["routes"].push(
+ "to" => "#{network[:address]}/#{prefix}",
+ "via" => interface[:gateway]
+ )
+
+ route network[:address] do
+ netmask network[:netmask]
+ gateway interface[:gateway]
+ device interface[:interface]
+ end
+ end
+ end
+ end
+ end
 end
 
 if interface[:routes]
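Review bot: The condition opening the added block, `interface[:role] == "internal" && interface[:gateway] != interface[:address]`, drops the `interface[:gateway] &&` guard that the removed block at old line 229 kept, so an internal interface with no gateway attribute still satisfies `nil != address`, runs `search(:node, "networking_interfaces*address:")` with an empty value, and pushes netplan routes with `"via" => nil`. Unless this block is nested inside an existing gateway check (the enclosing block starts outside the hunk), restore it: `if interface[:role] == "internal" && interface[:gateway] && interface[:gateway] != interface[:address]`. `IPAddr` is also new to this hunk; if the recipe does not already load `ipaddr` somewhere above, that needs a `require`. A one-line comment above the block, such as `# Route OpenVPN peer addresses and networks of the internal gateway via that gateway, in both netplan and the legacy route resources`, would make the purpose of the duplicated push/route pairs clear to the next reader.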
@@ -229,34 +267,6 @@ link "/etc/resolv.conf" do
 to "../run/systemd/resolve/stub-resolv.conf"
 end
 
-node.interfaces(:role => :internal) do |interface|
- if interface[:gateway] && interface[:gateway] != interface[:address]
- search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
- next unless gateway[:openvpn]
-
- gateway[:openvpn][:tunnels].each_value do |tunnel|
- if tunnel[:peer][:address]
- route tunnel[:peer][:address] do
- netmask "255.255.255.255"
- gateway interface[:gateway]
- device interface[:interface]
- end
- end
-
- next unless tunnel[:peer][:networks]
-
- tunnel[:peer][:networks].each do |network|
- route network[:address] do
- netmask network[:netmask]
- gateway interface[:gateway]
- device interface[:interface]
- end
- end
- end
- end
- end
-end
-
 zones = {}
 
 search(:node, "networking:interfaces").collect do |n|
@@ -333,6 +343,7 @@ template "/etc/shorewall/policy" do
 end
 
 template "/etc/shorewall/rules" do
+ action :nothing
 source "shorewall-rules.erb"
 owner "root"
 group "root"
@@ -341,6 +352,11 @@ template "/etc/shorewall/rules" do
 notifies :restart, "service[shorewall]"
 end
 
+notify_group "shorewall-rules" do
+ action :run
+ notifies :create, "template[/etc/shorewall/rules]"
+end
+
 service "shorewall" do
 action [:enable, :start]
 supports :restart => true
@@ -454,6 +470,7 @@ unless node.interfaces(:family => :inet6).empty?
 end
 
 template "/etc/shorewall6/rules" do
+ action :nothing
 source "shorewall-rules.erb"
 owner "root"
 group "root"
@@ -462,6 +479,11 @@ unless node.interfaces(:family => :inet6).empty?
 notifies :restart, "service[shorewall6]"
 end
 
+ notify_group "shorewall6-rules" do
+ action :run
+ notifies :create, "template[/etc/shorewall6/rules]"
+ end
+
 service "shorewall6" do
 action [:enable, :start]
 supports :restart => true
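Review bot: The `notifies :create, "template[/etc/shorewall/rules]"` in `notify_group "shorewall-rules"` carries no timer, so it is delayed and, now that the template is `action :nothing`, the rules file is rendered only at the end of the run, after `service "shorewall"` just below has already been enabled and started; the `shorewall6-rules` group and `template "/etc/shorewall6/rules"` in the last two hunks have the same shape. If rendering late is deliberate, so that recipes later in the run list can contribute firewall rules before the template is evaluated, record that, e.g. `# Rendered by a delayed notification so every recipe has added its rules first; other resources may notify :run, "notify_group[shorewall-rules]"`; if it is not, add `:immediately` to the `notifies` so the rules exist before the service starts. Either way, on the first converge of a host the service is started with whatever rules file is already present, which is worth stating next to the `action :nothing`.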