Rework firewall rule handling

Instead of patching the variables attached to the resource, keep
the list of firewall rules in the attributes.

diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index 0caaa967e695778be8c2e9e44889bb5c1fa2804b..a672bee7e057f59b237eadb94d1f76405f050e38 100644 (file)
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -1,3 +1,5 @@
+default[:networking][:firewall][:inet] = []
+default[:networking][:firewall][:inet6] = []
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = []
 default[:networking][:search] = []

diff --git a/cookbooks/networking/definitions/firewall_rule.rb b/cookbooks/networking/definitions/firewall_rule.rb
index 44d141860073b3592d0d2fd71c7a2dd9e6e0b587..388470b9cdf3898963bc55c1379efc8b803adf0a 100644 (file)
--- a/cookbooks/networking/definitions/firewall_rule.rb
+++ b/cookbooks/networking/definitions/firewall_rule.rb
@@ -18,15 +18,6 @@
 #
 
 define :firewall_rule, :action => :accept do
-  inet = nil
-  inet6 = nil
-
-  begin
-    inet = resources(:template => "/etc/shorewall/rules")
-    inet6 = resources(:template => "/etc/shorewall6/rules")
-  rescue
-  end
-
   rule = Hash[
     :action => params[:action].to_s.upcase,
     :source => params[:source],
@@ -38,12 +29,12 @@ define :firewall_rule, :action => :accept do
   ]
 
   if params[:family].nil?
-    inet.variables[:rules] << rule unless inet.nil?
-    inet6.variables[:rules] << rule unless inet6.nil?
+    node.default[:networking][:firewall][:inet] << rule
+    node.default[:networking][:firewall][:inet6] << rule
   elsif params[:family].to_s == "inet"
-    inet.variables[:rules] << rule unless inet.nil?
+    node.default[:networking][:firewall][:inet] << rule
   elsif params[:family].to_s == "inet6"
-    inet6.variables[:rules] << rule unless inet6.nil?
+    node.default[:networking][:firewall][:inet6] << rule
   else
     log "Unsupported network family" do
       level :error

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 2f2812aa9cb4e01d20f84d659a701e86ea755aab..de493ecffb4251acee5f7879d242e2f48b333124 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -188,7 +188,7 @@ template "/etc/shorewall/rules" do
   owner "root"
   group "root"
   mode 0o644
-  variables :rules => []
+  variables :family => "inet"
   notifies :restart, "service[shorewall]"
 end
 
@@ -301,7 +301,7 @@ unless node.interfaces(:family => :inet6).empty?
     owner "root"
     group "root"
     mode 0o644
-    variables :rules => []
+    variables :family => "inet6"
     notifies :restart, "service[shorewall6]"
   end
 

diff --git a/cookbooks/networking/templates/default/shorewall-rules.erb b/cookbooks/networking/templates/default/shorewall-rules.erb
index dbe0120cb21c4ff39e71f38acea306abcc923dc6..7cda2fbf174a4a5c572d19b0f4caeb3a5f9877f8 100644 (file)
--- a/cookbooks/networking/templates/default/shorewall-rules.erb
+++ b/cookbooks/networking/templates/default/shorewall-rules.erb
@@ -8,6 +8,6 @@ SECTION NEW
 
 # ACTION       SOURCE  DEST    PROTO           DEST            SOURCE  ORIGINAL        RATE
 #                                              PORTS           PORTS   DEST            LIMIT
-<% @rules.each do |r| -%>
+<% node[:networking][:firewall][@family].each do |r| # ~FC034 -%>
 <%= r[:action] %>              <%= r[:source] %>       <%= r[:dest] %> <%= r[:proto] %>                <%= r[:dest_ports] %>   <%= r[:source_ports] %> -       <%= r[:rate_limit] %>
 <% end -%>