Reintroduce helper support and implement it

author Tom Hughes <tom@compton.nu>

Tue, 7 Mar 2023 19:55:11 +0000 (19:55 +0000)

committer Tom Hughes <tom@compton.nu>

Tue, 7 Mar 2023 19:55:11 +0000 (19:55 +0000)
author Tom Hughes <tom@compton.nu>
Tue, 7 Mar 2023 19:55:11 +0000 (19:55 +0000)
committer Tom Hughes <tom@compton.nu>
Tue, 7 Mar 2023 19:55:11 +0000 (19:55 +0000)
diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb

index dcecbb5f6a996310cea04f573804c0be2852e1aa..9832ce8f3f8c7527e92760fe76792642258043f8 100644 (file)
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -1,5 +1,6 @@
  default[:networking][:firewall][:enabled] = true
  default[:networking][:firewall][:sets] = []
+default[:networking][:firewall][:helpers] = []
  default[:networking][:firewall][:incoming] = []
  default[:networking][:firewall][:outgoing] = []
  default[:networking][:firewall][:http_rate_limit] = nil
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb

index 38572764768eed42d695009a086712802ae7f18b..6f429ac5dd537574921e4aa5573ce9febd701537 100644 (file)
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -33,6 +33,7 @@ property :dest_ports, :kind_of => [String, Integer, Array]
  property :source_ports, :kind_of => [String, Integer, Array]
  property :rate_limit, :kind_of => String
  property :connection_limit, :kind_of => [String, Integer]
+property :helper, :kind_of => String
  
  property :compile_time, TrueClass, :default => true
  
@@ -114,6 +115,16 @@ action_class do
        rule << "update @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
      end
  
+    if new_resource.helper
+      helper = "#{new_resource.rule}-#{new_resource.helper}"
+
+      node.default[:networking][:firewall][:helpers] << {
+        :name => helper, :helper => new_resource.helper, :protocol => proto
+      }
+
+      rule << "ct helper set #{helper}"
+    end
+
      rule << case action
              when :accept then "accept"
              when :drop then "jump log-and-drop"
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb

index 957955af4121d3432a28221d9635c336512fcb67..cc3cd8f7fe69465d0e208643793f00cb1d0f9384 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -57,6 +57,13 @@ table inet chef-filter {
  <%- end %>
    }
  
+<%- end %>
+
+<%- node[:networking][:firewall][:helpers].each do |helper| %>
+  ct helper <%= helper[:name] %> {
+    type "<%= helper[:helper] %>" protocol <%= helper[:protocol] %>
+  }
+
  <%- end %>
    chain log-and-drop {
      limit rate 1/second log
author	Tom Hughes <tom@compton.nu>
	Tue, 7 Mar 2023 19:55:11 +0000 (19:55 +0000)
committer	Tom Hughes <tom@compton.nu>
	Tue, 7 Mar 2023 19:55:11 +0000 (19:55 +0000)
cookbooks/networking/attributes/default.rb		patch \| blob \| history
cookbooks/networking/resources/firewall_rule.rb		patch \| blob \| history
cookbooks/networking/templates/default/nftables.conf.erb		patch \| blob \| history