Avoid dropping third party tables when stopping an nftables firewall

author Tom Hughes <tom@compton.nu>

Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)

committer Tom Hughes <tom@compton.nu>

Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
author Tom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
committer Tom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb

index a299a67cdd2adec0d37bc98cc7b76b54be0fe46a..427cd794ae1063595f422b68f1cce1ede11df408 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -690,6 +690,19 @@ elsif node[:networking][:firewall][:engine] == "nftables"
      notifies :restart, "service[nftables]"
    end
  
+  stop_commands = [
+    "/usr/sbin/nft delete table inet filter"
+  ]
+
+  stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+
+  systemd_service "nftables-stop" do
+    service "nftables"
+    dropin "stop"
+    exec_reload ""
+    exec_stop stop_commands
+  end
+
    if node[:networking][:firewall][:enabled]
      service "nftables" do
        action [:enable, :start]
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb

index 65d090db31d3cd6ed2b19b3ded337c516402e745..7f0b1e17e6bb68135d73ce48bc4d80c9a068de20 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -5,8 +5,6 @@ define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
  define ip-private-addresses = { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
  define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }
  
-flush ruleset
-
  table inet filter {
    set ip-osm-addresses {
      type ipv4_addr
author	Tom Hughes <tom@compton.nu>
	Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
committer	Tom Hughes <tom@compton.nu>
	Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
cookbooks/networking/recipes/default.rb		patch \| blob \| history
cookbooks/networking/templates/default/nftables.conf.erb		patch \| blob \| history