From: Tom Hughes
Date: Sat, 4 Mar 2023 12:46:14 +0000 (+0000)
Subject: Use named sets for OSM IP addresses
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/cc045c868bf15083df4db4442c0d92814441951e
Use named sets for OSM IP addresses
---
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 0eca03176..48a5074d7 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -114,7 +114,7 @@ action_class do
 end
 if new_resource.source == "osm"
-rule << "#{ip} saddr { $#{ip}-osm-addresses }"
+rule << "#{ip} saddr @#{ip}-osm-addresses"
 elsif new_resource.source =~ /^net:(.*)$/
 addresses = Regexp.last_match(1).split(",").join(", ")
@@ -122,7 +122,7 @@ action_class do
 end
 if new_resource.dest == "osm"
-rule << "#{ip} daddr $#{ip}-osm-addresses"
+rule << "#{ip} daddr @#{ip}-osm-addresses"
 elsif new_resource.dest =~ /^net:(.*)$/
 addresses = Regexp.last_match(1).split(",").join(", ")
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 923437f77..63f45a0c8 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
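Review bot: The new `+` line in the `saddr` hunk now embeds the set name `@#{ip}-osm-addresses` as a bare literal, and nothing in this resource records that the name is a contract with the nftables template that must declare a matching named set for every value `ip` takes; the same applies to the `daddr` hunk at `@@ -122,7 +122,7 @@`. A one-line comment above `if new_resource.source == "osm"` would save the next reader a search, e.g. `# "osm" maps to the named nft sets ip-osm-addresses / ip6-osm-addresses, which the nftables.conf.erb template must define`. The loop or block that binds `ip` begins before the hunk, so whether it can take values other than `ip`/`ip6` cannot be confirmed from here.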
@@ -5,12 +5,19 @@ define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
 define ip-private-addresses = { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
 define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }
-define ip-osm-addresses = { <%= Array(@hosts["inet"]).sort.join(", ") %> }
-define ip6-osm-addresses = { <%= Array(@hosts["inet6"]).sort.join(", ") %> }
-
 flush ruleset
 table inet filter {
+set ip-osm-addresses {
+type ipv4_addr
+elements = { <%= Array(@hosts["inet"]).sort.join(", ") %> }
+}
+
+set ip6-osm-addresses {
+type ipv6_addr
+elements = { <%= Array(@hosts["inet6"]).sort.join(", ") %> }
+}
+
 set ip-blacklist {
 type ipv4_addr
 flags dynamic
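Review bot: The two added named sets declare only `type ipv4_addr` / `type ipv6_addr`, and a named set without `flags interval` cannot hold prefix (CIDR) elements, whereas the anonymous `{ $ip-osm-addresses }` form the rule used until now tolerated them; if `@hosts["inet"]` or `@hosts["inet6"]` can ever carry a prefix, the ruleset will fail to load, so add `flags interval` after each `type` line, or add a comment stating that these sets hold single host addresses only. Separately, `elements = { <%= ... %> }` renders as `elements = { }` when the host list is empty, which to my knowledge nft rejects as a syntax error; that was equally true of the removed `define` lines, but a set body may omit `elements` entirely, so wrapping each `elements` line in `<% unless Array(@hosts["inet"]).empty? %>` ... `<% end %>` (and the `inet6` counterpart) would make an empty search result a working ruleset rather than a load failure. The `table inet filter {` block continues past the end of the hunk.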