From 2e0f296f4a1b27087989d9cc3e4c80d96ae929b9 Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 20 Mar 2024 10:32:54 +0000
Subject: [PATCH] networking: ensure nftables script checks input

Ensure the nftables script does not prematurely exit on any invalid input.

eg: If unblocking a set of IPs skip any not currently blocked instead of premature exit.

Signed-off-by: Grant Slater
---
 cookbooks/networking/templates/default/nftables.erb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb
index 7484877d5..363e84656 100644
--- a/cookbooks/networking/templates/default/nftables.erb
+++ b/cookbooks/networking/templates/default/nftables.erb
@@ -24,8 +24,8 @@ block() {
 for address in "$@"
 do
 case "$address" in
- *.*) /usr/sbin/nft add element inet chef-filter ip-blocklist "{ $address }";;
- *:*) /usr/sbin/nft add element inet chef-filter ip6-blocklist "{ $address }";;
+ *.*) /usr/sbin/nft --check add element inet chef-filter ip-blocklist "{ $address }" && /usr/sbin/nft add element inet chef-filter ip-blocklist "{ $address }" ;;
+ *:*) /usr/sbin/nft --check add element inet chef-filter ip6-blocklist "{ $address }" && /usr/sbin/nft add element inet chef-filter ip6-blocklist "{ $address }" ;;
 esac
 done
 }
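Review bot: In both new `case` arms of block() the `--check` guard skips an address silently: when the dry run fails the loop simply moves on, the script itself writes nothing, and the function's exit status no longer reflects that an argument was not applied, so a caller cannot distinguish "blocked" from "skipped". A diagnostic on the failure path keeps the intent (no premature exit) without hiding the skip, e.g. append `|| printf 'block: not applied: %s\n' "$address" >&2` to each list; that branch also fires if the real `nft add` fails after a clean check, which is the case you most want to see. The `*.*`/`*:*` patterns only require a dot or a colon somewhere in the argument, so the whole string is still handed to nft's parser inside `{ ... }`; a stricter arm placed before them, such as `*[!0-9a-fA-F:./]*) printf 'block: rejecting %s\n' "$address" >&2 ;;`, rejects anything that is not shaped like an address or prefix before nft sees it. The same two points apply to the unblock() arms in the next hunk, and block() itself begins before this hunk.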
@@ -34,15 +34,15 @@ unblock() {
 for address in "$@"
 do
 case "$address" in
- *.*) /usr/sbin/nft delete element inet chef-filter ip-blocklist "{ $address }";;
- *:*) /usr/sbin/nft delete element inet chef-filter ip6-blocklist "{ $address }";;
+ *.*) /usr/sbin/nft --check delete element inet chef-filter ip-blocklist "{ $address }" && /usr/sbin/nft delete element inet chef-filter ip-blocklist "{ $address }" ;;
+ *:*) /usr/sbin/nft --check delete element inet chef-filter ip6-blocklist "{ $address }" && /usr/sbin/nft delete element inet chef-filter ip6-blocklist "{ $address }" ;;
 esac
 done
 }
 
 flush() {
- /usr/sbin/nft flush set inet chef-filter ip-blocklist
- /usr/sbin/nft flush set inet chef-filter ip6-blocklist
+ /usr/sbin/nft --check flush set inet chef-filter ip-blocklist && /usr/sbin/nft flush set inet chef-filter ip-blocklist
+ /usr/sbin/nft --check flush set inet chef-filter ip6-blocklist && /usr/sbin/nft flush set inet chef-filter ip6-blocklist
 }
 
 command=$1
--
2.39.5
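Review bot: The `--check` guard on the `delete element` arms in unblock() only achieves what the commit message describes if a dry run actually reports an element that is not in the set; whether `nft --check` consults the live ruleset for set membership or validates syntax only is version-dependent and not visible here, so it is worth confirming on the deployed nft that `nft --check delete element inet chef-filter ip-blocklist "{ 203.0.113.1 }"` (constructed example, address not in the set) returns non-zero — if it does not, the real `nft delete` still errors and, under the exit-on-error setting this change is presumably working around (not visible in the hunk), still aborts the loop on the first unblocked address. Confirming it with a short comment above the `case`, e.g. `# --check is a dry run: an address not in the set fails here and is skipped rather than aborting the loop`, would record the assumption for the next reader. In flush() the paired `--check flush set` doubles the nft invocations per set yet can only fail when the set itself does not exist, and then the second call is skipped without any message; `/usr/sbin/nft flush set inet chef-filter ip-blocklist || printf 'flush: ip-blocklist not flushed\n' >&2` (and likewise for ip6-blocklist) tolerates the missing set in one call while still saying so. unblock() begins before this hunk.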