From: Tom Hughes
Date: Sun, 14 Aug 2016 15:53:39 +0000 (+0100)
Subject: Rework firewall rule handling
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/2714460f8457266fec0f5f9d72d900b384d5b724?ds=inline;hp=-c
Rework firewall rule handling
Instead of patching the variables attached to the resource, keep the list of firewall rules in the attributes.
---
2714460f8457266fec0f5f9d72d900b384d5b724
diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index 0caaa967e..a672bee7e 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -1,3 +1,5 @@
+default[:networking][:firewall][:inet] = []
+default[:networking][:firewall][:inet6] = []
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = []
 default[:networking][:search] = []
diff --git a/cookbooks/networking/definitions/firewall_rule.rb b/cookbooks/networking/definitions/firewall_rule.rb
index 44d141860..388470b9c 100644
--- a/cookbooks/networking/definitions/firewall_rule.rb
+++ b/cookbooks/networking/definitions/firewall_rule.rb
@@ -18,15 +18,6 @@
 #
 define :firewall_rule, :action => :accept do
-  inet = nil
-  inet6 = nil
-
-  begin
-    inet = resources(:template => "/etc/shorewall/rules")
-    inet6 = resources(:template => "/etc/shorewall6/rules")
-  rescue
-  end
-
   rule = Hash[
     :action => params[:action].to_s.upcase,
     :source => params[:source],
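Review bot: The two new `default[:networking][:firewall]` lists in the attributes hunk carry no hint of who populates or consumes them, and the attributes file is where the next maintainer will look first; a comment above them such as `# Appended to in place by the firewall_rule definition at compile time; rendered by templates/default/shorewall-rules.erb` would tie the three files together. Because the definition appends with `<<` rather than reassigning, anything that later reassigns either list to a fresh array would silently discard every rule declared before it, which is worth stating in the same comment.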
@@ -38,12 +29,12 @@ define :firewall_rule, :action => :accept do
   ]
   if params[:family].nil?
-    inet.variables[:rules] << rule unless inet.nil?
-    inet6.variables[:rules] << rule unless inet6.nil?
+    node.default[:networking][:firewall][:inet] << rule
+    node.default[:networking][:firewall][:inet6] << rule
   elsif params[:family].to_s == "inet"
-    inet.variables[:rules] << rule unless inet.nil?
+    node.default[:networking][:firewall][:inet] << rule
   elsif params[:family].to_s == "inet6"
-    inet6.variables[:rules] << rule unless inet6.nil?
+    node.default[:networking][:firewall][:inet6] << rule
   else
     log "Unsupported network family" do
       level :error
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 2f2812aa9..de493ecff 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -188,7 +188,7 @@ template "/etc/shorewall/rules" do
   owner "root"
   group "root"
   mode 0o644
-  variables :rules => []
+  variables :family => "inet"
   notifies :restart, "service[shorewall]"
 end
@@ -301,7 +301,7 @@ unless node.interfaces(:family => :inet6).empty?
     owner "root"
     group "root"
     mode 0o644
-    variables :rules => []
+    variables :family => "inet6"
     notifies :restart, "service[shorewall6]"
   end
diff --git a/cookbooks/networking/templates/default/shorewall-rules.erb b/cookbooks/networking/templates/default/shorewall-rules.erb
index dbe0120cb..7cda2fbf1 100644
--- a/cookbooks/networking/templates/default/shorewall-rules.erb
+++ b/cookbooks/networking/templates/default/shorewall-rules.erb
@@ -8,6 +8,6 @@ SECTION NEW
 # ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
 # PORTS PORTS DEST LIMIT
-<% @rules.each do |r| -%>
+<% node[:networking][:firewall][@family].each do |r| # ~FC034 -%>
 <%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %>
 <% end -%>
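Review bot: With the four replacement `node.default[...] << rule` lines the complete firewall rule set for both families becomes part of the node's default attributes, so it is serialized and saved to the Chef server at the end of every run and is readable by anything with node read or search access, whereas the template variables it replaces never left the client. If the rule set (sources, destination ports, rate limits) is meant to stay client-side, the attribute can be kept out of the saved node with a client.rb attribute whitelist such as `default_attribute_whitelist` where the Chef client version supports it, or the list can be accumulated in `node.run_state` instead and read from there by the template. The in-place `<<` also relies on `node.default[...]` handing back the live attribute array, which appears to hold here but deserves a one-line comment, e.g. `# append in place: node.default[...] returns the live attribute array`. The `else` branch and the end of the define block lie outside the hunk.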
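Review bot: The `# ~FC034` tag on the new `each` line in shorewall-rules.erb silences a foodcritic check without saying why, presumably because the linter no longer sees `@family` used as a template variable in the ordinary way; a short ERB comment above the loop would spare the next reader a lookup, e.g. `<%# rules come from node attributes; @family (set via the template's variables) selects the inet or inet6 list -%>`. The lookup also indexes the attribute with the string `@family` while the attributes file declares the keys as symbols, which works only because node attributes accept string and symbol keys interchangeably, and the same comment could say so.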