From 7ceeae1a312e18a1bb2d05c357455f3c058e3975 Mon Sep 17 00:00:00 2001 
From: Tom Hughes
Date: Sun, 5 Mar 2023 19:19:12 +0000
Subject: [PATCH 1/1] Drop support for shorewall
---
 .../templates/default/jail.default.erb | 4 -
 cookbooks/logstash/recipes/default.rb | 8 +-
 cookbooks/munin/recipes/default.rb | 2 +-
 .../munin/templates/default/munin.conf.erb | 2 -
 cookbooks/networking/attributes/default.rb | 7 -
 cookbooks/networking/recipes/default.rb | 339 ++----------------
 .../networking/resources/firewall_rule.rb | 39 +-
 .../templates/default/shorewall-conntrack.erb | 7 -
 .../templates/default/shorewall-default.erb | 7 -
 .../templates/default/shorewall-hosts.erb | 14 -
 .../default/shorewall-interfaces.erb | 16 -
 .../templates/default/shorewall-policy.erb | 5 -
 .../templates/default/shorewall-rules.erb | 9 -
 .../templates/default/shorewall-snat.erb | 8 -
 .../default/shorewall-stoppedrules.erb | 2 -
 .../templates/default/shorewall-zones.erb | 12 -
 .../templates/default/shorewall.conf.erb | 307 ----------------
 .../templates/default/shorewall6-hosts.erb | 12 -
 .../default/shorewall6-interfaces.erb | 14 -
 .../templates/default/shorewall6.conf.erb | 287 ---------------
 roles/base.rb | 4 +-
 roles/bytemark.rb | 1 -
 22 files changed, 42 insertions(+), 1064 deletions(-)
 delete mode 100644 cookbooks/networking/templates/default/shorewall-conntrack.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-default.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-hosts.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-interfaces.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-policy.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-rules.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-snat.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-stoppedrules.erb
 delete mode 100644 cookbooks/networking/templates/default/shorewall-zones.erb
 delete mode 100644 
cookbooks/networking/templates/default/shorewall.conf.erb delete mode 100644 cookbooks/networking/templates/default/shorewall6-hosts.erb delete mode 100644 cookbooks/networking/templates/default/shorewall6-interfaces.erb delete mode 100644 cookbooks/networking/templates/default/shorewall6.conf.erb diff --git a/cookbooks/fail2ban/templates/default/jail.default.erb b/cookbooks/fail2ban/templates/default/jail.default.erb index 890e35117..de2d16766 100644 --- a/cookbooks/fail2ban/templates/default/jail.default.erb +++ b/cookbooks/fail2ban/templates/default/jail.default.erb @@ -2,10 +2,6 @@ [DEFAULT] destemail = admins@openstreetmap.org -<%- if node[:networking][:firewall][:engine] == "shorewall" %> -banaction = shorewall -<%- elsif node[:networking][:firewall][:engine] == "nftables" %> banaction = nftables[type=multiport] banaction_allports = nftables[type=allports] -<%- end %> bantime = 14400 diff --git a/cookbooks/logstash/recipes/default.rb b/cookbooks/logstash/recipes/default.rb index 712b33cb8..df4da98f1 100644 --- a/cookbooks/logstash/recipes/default.rb +++ b/cookbooks/logstash/recipes/default.rb @@ -81,7 +81,7 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder| firewall_rule "accept-lumberjack-#{forwarder}" do action :accept family interface[:family] - source "#{interface[:zone]}:#{interface[:address]}" + source "net:#{interface[:address]}" dest "fw" proto "tcp:syn" dest_ports "5043" @@ -91,7 +91,7 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder| firewall_rule "accept-beats-#{forwarder}" do action :accept family interface[:family] - source "#{interface[:zone]}:#{interface[:address]}" + source "net:#{interface[:address]}" dest "fw" proto "tcp:syn" dest_ports "5044" 
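Review bot: The zone part of these `source` strings is now the bare literal `net:` repeated in four rules (two here, two in the following hunks), and nothing in the recipe says why that prefix is required now that `interface[:zone]` no longer exists. A one-line comment above the first rule, `# firewall_rule sources are "zone:address"; "net" is the prefix its nftables backend expects for external hosts`, would stop the next reader from hunting for a zone attribute. I have not verified how `add_nftables_rule` treats the prefix, as that method is outside this patch, so the wording should be checked against it. The enclosing `forwarders.sort_by ... each` loop starts above the hunk.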
@@ -107,7 +107,7 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway| firewall_rule "accept-lumberjack-#{gateway}" do action :accept family interface[:family] - source "#{interface[:zone]}:#{interface[:address]}" + source "net:#{interface[:address]}" dest "fw" proto "tcp:syn" dest_ports "5043" @@ -117,7 +117,7 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway| firewall_rule "accept-beats-#{gateway}" do action :accept family interface[:family] - source "#{interface[:zone]}:#{interface[:address]}" + source "net:#{interface[:address]}" dest "fw" proto "tcp:syn" dest_ports "5044" diff --git a/cookbooks/munin/recipes/default.rb b/cookbooks/munin/recipes/default.rb index aad5d40d8..6c4bc6e76 100644 --- a/cookbooks/munin/recipes/default.rb +++ b/cookbooks/munin/recipes/default.rb @@ -31,7 +31,7 @@ servers.each do |server| firewall_rule "accept-munin-#{server}" do action :accept family interface[:family] - source "#{interface[:zone]}:#{interface[:address]}" + source "net:#{interface[:address]}" dest "fw" proto "tcp:syn" dest_ports "munin" diff --git a/cookbooks/munin/templates/default/munin.conf.erb b/cookbooks/munin/templates/default/munin.conf.erb index 2009ff6a5..44afaa5b1 100644 --- a/cookbooks/munin/templates/default/munin.conf.erb +++ b/cookbooks/munin/templates/default/munin.conf.erb @@ -29,8 +29,6 @@ unknown_limit 144 address <%= client.internal_ipaddress || client.external_ipaddress %> <% elsif client[:networking][:roles][:external][:zone] == "dub" -%> address <%= client.internal_ipaddress || client.external_ipaddress %> -<% elsif client[:networking][:roles][:external][:zone] == "bm" -%> - address <%= client.internal_ipaddress || client.external_ipaddress %> <% elsif client.external_ipaddress -%> address <%= client.external_ipaddress %> <% end -%> diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb index 37e0b6533..ac47543f1 100644 --- a/cookbooks/networking/attributes/default.rb 
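Review bot: Removing the `bm` branch in munin.conf.erb changes which address munin polls for Bytemark clients: with `:zone => "bm"` also dropped from roles/bytemark.rb in this patch, such a client matches none of the remaining zone branches and falls through to `address <%= client.external_ipaddress %>`, where before it preferred `client.internal_ipaddress`. If those hosts still carry an internal address this presumably moves munin polling onto the external interface, so confirm that is intended or select the internal address for them by some attribute other than the removed zone. The remaining `elsif ... [:zone] == "dub"` branch still depends on `:zone` being set in a role that is not in this patch, so it is worth checking that role keeps it. The `if` chain this hunk sits in starts above line 29, outside the hunk.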
+++ b/cookbooks/networking/attributes/default.rb @@ -1,16 +1,9 @@ -default[:networking][:firewall][:engine] = "nftables" default[:networking][:firewall][:enabled] = true -default[:networking][:firewall][:inet] = [] -default[:networking][:firewall][:inet6] = [] default[:networking][:firewall][:sets] = [] default[:networking][:firewall][:incoming] = [] default[:networking][:firewall][:outgoing] = [] default[:networking][:firewall][:http_rate_limit] = "-" default[:networking][:firewall][:http_connection_limit] = "-" -default[:networking][:firewall][:log] = true -default[:networking][:firewall][:mark] = true -default[:networking][:firewall][:raw] = true -default[:networking][:firewall][:mangle] = true default[:networking][:firewall][:whitelist] = [] default[:networking][:roles] = {} default[:networking][:interfaces] = {} diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb index 427cd794a..e892f262f 100644 --- a/cookbooks/networking/recipes/default.rb +++ b/cookbooks/networking/recipes/default.rb 
@@ -384,333 +384,56 @@ link "/etc/resolv.conf" do end hosts = { "inet" => [], "inet6" => [] } -zones = {} search(:node, "networking:interfaces").collect do |n| next if n[:fqdn] == node[:fqdn] n.interfaces.each do |interface| - next unless interface[:role] == "external" && interface[:zone] + next unless interface[:role] == "external" hosts[interface[:family]] << interface[:address] - - zones[interface[:zone]] ||= {} - zones[interface[:zone]][interface[:family]] ||= [] - zones[interface[:zone]][interface[:family]] << interface[:address] end end -if node[:networking][:firewall][:engine] == "shorewall" - package "shorewall" - - systemd_service "shorewall-docker" do - service "shorewall" - dropin "docker" - exec_stop "/sbin/shorewall $OPTIONS stop" - notifies :restart, "service[shorewall]" - end - - template "/etc/default/shorewall" do - source "shorewall-default.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - end - - template "/etc/shorewall/shorewall.conf" do - source "shorewall.conf.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - end +package "nftables" - template "/etc/shorewall/zones" do - source "shorewall-zones.erb" - owner "root" - group "root" - mode "644" - variables :type => "ipv4" - notifies :restart, "service[shorewall]" - end - - template "/etc/shorewall/interfaces" do - source "shorewall-interfaces.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - end - - template "/etc/shorewall/hosts" do - source "shorewall-hosts.erb" - owner "root" - group "root" - mode "644" - variables :zones => zones - notifies :restart, "service[shorewall]" - end - - template "/etc/shorewall/conntrack" do - source "shorewall-conntrack.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - only_if { node[:networking][:firewall][:raw] } - end - - template "/etc/shorewall/policy" do - source "shorewall-policy.erb" - 
owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - end - - template "/etc/shorewall/rules" do - source "shorewall-rules.erb" - owner "root" - group "root" - mode "644" - variables :family => "inet" - notifies :restart, "service[shorewall]" - end - - template "/etc/shorewall/stoppedrules" do - source "shorewall-stoppedrules.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - end - - if node[:networking][:firewall][:enabled] - service "shorewall" do - action [:enable, :start] - supports :restart => true - status_command "shorewall status" - ignore_failure true - end - else - service "shorewall" do - action [:disable, :stop] - supports :restart => true - status_command "shorewall status" - ignore_failure true - end - end - - template "/etc/logrotate.d/shorewall" do - source "logrotate.shorewall.erb" - owner "root" - group "root" - mode "644" - variables :name => "shorewall" - end - - firewall_rule "limit-icmp-echo" do - action :accept - family :inet - source "net" - dest "fw" - proto "icmp" - dest_ports "echo-request" - rate_limit "s:1/sec:5" - end +interfaces = [] - file "/etc/shorewall/masq" do - action :delete - end - - file "/etc/shorewall/masq.bak" do - action :delete - end - - if node[:roles].include?("gateway") - template "/etc/shorewall/snat" do - source "shorewall-snat.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall]" - end - else - file "/etc/shorewall/snat" do - action :delete - notifies :restart, "service[shorewall]" - end - end - - unless node.interfaces(:family => :inet6).empty? 
- package "shorewall6" - - template "/etc/default/shorewall6" do - source "shorewall-default.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall6]" - end - - template "/etc/shorewall6/shorewall6.conf" do - source "shorewall6.conf.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall6]" - end - - template "/etc/shorewall6/zones" do - source "shorewall-zones.erb" - owner "root" - group "root" - mode "644" - variables :type => "ipv6" - notifies :restart, "service[shorewall6]" - end - - template "/etc/shorewall6/interfaces" do - source "shorewall6-interfaces.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall6]" - end - - template "/etc/shorewall6/hosts" do - source "shorewall6-hosts.erb" - owner "root" - group "root" - mode "644" - variables :zones => zones - notifies :restart, "service[shorewall6]" - end - - template "/etc/shorewall6/conntrack" do - source "shorewall-conntrack.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall6]" - only_if { node[:networking][:firewall][:raw] } - end - - template "/etc/shorewall6/policy" do - source "shorewall-policy.erb" - owner "root" - group "root" - mode "644" - notifies :restart, "service[shorewall6]" - end - - template "/etc/shorewall6/rules" do - source "shorewall-rules.erb" - owner "root" - group "root" - mode "644" - variables :family => "inet6" - notifies :restart, "service[shorewall6]" - end - - if node[:networking][:firewall][:enabled] - service "shorewall6" do - action [:enable, :start] - supports :restart => true - status_command "shorewall6 status" - ignore_failure true - end - else - service "shorewall6" do - action [:disable, :stop] - supports :restart => true - status_command "shorewall6 status" - ignore_failure true - end - end - - template "/etc/logrotate.d/shorewall6" do - source "logrotate.shorewall.erb" - owner "root" - group "root" - mode "644" - variables :name => 
"shorewall6" - end - - firewall_rule "limit-icmp6-echo" do - action :accept - family :inet6 - source "net" - dest "fw" - proto "ipv6-icmp" - dest_ports "echo-request" - rate_limit "s:1/sec:5" - end - end -elsif node[:networking][:firewall][:engine] == "nftables" - service "shorewall6" do - action :stop - end - - package "shorewall6" do - action :purge - end - - service "shorewall" do - action :stop - end - - systemd_service "shorewall-docker" do - action :delete - service "shorewall" - dropin "docker" - end - - package "shorewall" do - action :purge - end - - package "nftables" +node.interfaces(:role => :external).each do |interface| + interfaces << interface[:interface] +end - interfaces = [] +interfaces << "eth0" if kitchen? && interfaces.empty? - node.interfaces(:role => :external).each do |interface| - interfaces << interface[:interface] - end +template "/etc/nftables.conf" do + source "nftables.conf.erb" + owner "root" + group "root" + mode "755" + variables :interfaces => interfaces, :hosts => hosts + notifies :restart, "service[nftables]" +end - interfaces << "eth0" if kitchen? && interfaces.empty? 
+stop_commands = [ + "/usr/sbin/nft delete table inet filter" +] - template "/etc/nftables.conf" do - source "nftables.conf.erb" - owner "root" - group "root" - mode "755" - variables :interfaces => interfaces, :hosts => hosts - notifies :restart, "service[nftables]" - end - - stop_commands = [ - "/usr/sbin/nft delete table inet filter" - ] +stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway") - stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway") +systemd_service "nftables-stop" do + service "nftables" + dropin "stop" + exec_reload "" + exec_stop stop_commands +end - systemd_service "nftables-stop" do - service "nftables" - dropin "stop" - exec_reload "" - exec_stop stop_commands +if node[:networking][:firewall][:enabled] + service "nftables" do + action [:enable, :start] end - - if node[:networking][:firewall][:enabled] - service "nftables" do - action [:enable, :start] - end - else - service "nftables" do - action [:disable, :stop] - end +else + service "nftables" do + action [:disable, :stop] end end diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb index 75d73dc11..92256936a 100644 --- a/cookbooks/networking/resources/firewall_rule.rb +++ b/cookbooks/networking/resources/firewall_rule.rb 
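Review bot: The new side no longer stops or purges `shorewall`/`shorewall6` and no longer deletes the `shorewall-docker` drop-in, so a node that had not yet converged through the old nftables branch keeps shorewall installed and enabled next to nftables, with its stale ruleset (and `net all DROP` policy) still loading at boot alongside `/etc/nftables.conf`. If every host is known to have already run that migration this is moot; otherwise keep `package "shorewall" do action :purge end`, the shorewall6 equivalent and the `systemd_service "shorewall-docker" do action :delete ... end` for one more release before dropping them. Separately, the `hosts` loop now keeps every external interface (`next unless interface[:role] == "external"`) rather than only those with a zone, which widens whatever `nftables.conf.erb` builds from `:hosts`; that template is not in this patch, so confirm the additional addresses are wanted there. The recipe continues above line 384, outside the hunk.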
@@ -51,44 +51,13 @@ end action_class do def add_rule(action) - if node[:networking][:firewall][:engine] == "shorewall" - add_shorewall_rule(action) - elsif node[:networking][:firewall][:engine] == "nftables" - if new_resource.family.nil? - add_nftables_rule(action, "inet") - add_nftables_rule(action, "inet6") - elsif new_resource.family.to_s == "inet" - add_nftables_rule(action, "inet") - elsif new_resource.family.to_s == "inet6" - add_nftables_rule(action, "inet6") - end - end - end - - def add_shorewall_rule(action) - rule = { - :action => action.to_s.upcase, - :source => new_resource.source, - :dest => new_resource.dest, - :proto => new_resource.proto, - :dest_ports => new_resource.dest_ports.to_s, - :source_ports => new_resource.source_ports.to_s, - :rate_limit => new_resource.rate_limit, - :connection_limit => new_resource.connection_limit.to_s, - :helper => new_resource.helper - } - if new_resource.family.nil? - node.default[:networking][:firewall][:inet] << rule - node.default[:networking][:firewall][:inet6] << rule + add_nftables_rule(action, "inet") + add_nftables_rule(action, "inet6") elsif new_resource.family.to_s == "inet" - node.default[:networking][:firewall][:inet] << rule + add_nftables_rule(action, "inet") elsif new_resource.family.to_s == "inet6" - node.default[:networking][:firewall][:inet6] << rule - else - log "Unsupported network family" do - level :error - end + add_nftables_rule(action, "inet6") end end diff --git a/cookbooks/networking/templates/default/shorewall-conntrack.erb b/cookbooks/networking/templates/default/shorewall-conntrack.erb deleted file mode 100644 index 4d5e726d3..000000000 --- a/cookbooks/networking/templates/default/shorewall-conntrack.erb +++ /dev/null @@ -1,7 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -?FORMAT 3 - -# ACTION SOURCE DEST PROTO DPORT SPORT USER SWITCH -NOTRACK:P lo - - - - - - -NOTRACK:O - lo - - - - - 
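Review bot: `add_rule` lost its `else` branch, so a `family` value other than `nil`, `inet` or `inet6` now installs nothing and says nothing, where the old code at least logged "Unsupported network family"; for an `:accept` rule that is a silent outage, and for a rule with a dropping action it would be fail-open. Unless the `family` property above the hunk already restricts its values with `equal_to`, add `else` / `raise ArgumentError, "Unsupported network family: #{new_resource.family}"` after the `inet6` branch, or restore the `log ... level :error` block if a hard converge failure is not wanted. Only `add_rule` is fully visible here; the `action_class do` block continues below the hunk.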
diff --git a/cookbooks/networking/templates/default/shorewall-default.erb b/cookbooks/networking/templates/default/shorewall-default.erb deleted file mode 100644 index 03f3ffcdb..000000000 --- a/cookbooks/networking/templates/default/shorewall-default.erb +++ /dev/null @@ -1,7 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -# Allow shorewall to start -startup=1 - -# Program options -OPTIONS="" diff --git a/cookbooks/networking/templates/default/shorewall-hosts.erb b/cookbooks/networking/templates/default/shorewall-hosts.erb deleted file mode 100644 index 86c294cc6..000000000 --- a/cookbooks/networking/templates/default/shorewall-hosts.erb +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -# ZONE HOST OPTIONS -<% node.interfaces(:family => :inet, :role => :external).each do |interface| -%> -<% if interface[:interface] -%> -<% @zones.keys.sort.each do |zone| -%> -<% if @zones[zone]["inet"] -%> -<% @zones[zone]["inet"].sort.each do |ra| -%> -<%= zone %> <%= interface[:interface] %>:<%= ra %> -<% end -%> -<% end -%> -<% end -%> -<% end -%> -<% end -%> diff --git a/cookbooks/networking/templates/default/shorewall-interfaces.erb b/cookbooks/networking/templates/default/shorewall-interfaces.erb deleted file mode 100644 index 3090a47cc..000000000 --- a/cookbooks/networking/templates/default/shorewall-interfaces.erb +++ /dev/null @@ -1,16 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -?FORMAT 2 - -# ZONE INTERFACE OPTIONS -<% node[:networking][:interfaces].each do |name,interface| -%> -<% if interface[:interface] && interface[:family] == "inet" -%> -<% if interface[:role] == "internal" -%> -loc <%= interface[:interface] %> nosmurfs,tcpflags -<% elsif interface[:role] == "external" -%> -net <%= interface[:interface] %> nosmurfs,tcpflags -<% end -%> -<% end -%> -<% end -%> -loc wg+ nosmurfs,tcpflags -dock docker0 bridge 
diff --git a/cookbooks/networking/templates/default/shorewall-policy.erb b/cookbooks/networking/templates/default/shorewall-policy.erb deleted file mode 100644 index 4f29377d8..000000000 --- a/cookbooks/networking/templates/default/shorewall-policy.erb +++ /dev/null @@ -1,5 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -# FROM TO POLICY LOG LEVEL BURST:LIMIT -net all DROP -all all ACCEPT diff --git a/cookbooks/networking/templates/default/shorewall-rules.erb b/cookbooks/networking/templates/default/shorewall-rules.erb deleted file mode 100644 index c5101bed2..000000000 --- a/cookbooks/networking/templates/default/shorewall-rules.erb +++ /dev/null @@ -1,9 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -?SECTION NEW - -# ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER -# PORTS PORTS DEST LIMIT GROUP -<% node[:networking][:firewall][@family].each do |r| # ~FC034 -%> -<%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %> - - <%= r[:connection_limit] %> - - - <%= r[:helper] %> -<% end -%> diff --git a/cookbooks/networking/templates/default/shorewall-snat.erb b/cookbooks/networking/templates/default/shorewall-snat.erb deleted file mode 100644 index 59c6da61a..000000000 --- a/cookbooks/networking/templates/default/shorewall-snat.erb +++ /dev/null @@ -1,8 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -# ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY -<% node.interfaces(:role => :external).each do |external| -%> -<% node.interfaces(:role => :internal).each do |internal| -%> -SNAT(detect) <%= internal[:network] %>/<%= internal[:prefix] %> <%= external[:interface] %> -<% end -%> -<% end -%> 
diff --git a/cookbooks/networking/templates/default/shorewall-stoppedrules.erb b/cookbooks/networking/templates/default/shorewall-stoppedrules.erb deleted file mode 100644 index 276e00a4c..000000000 --- a/cookbooks/networking/templates/default/shorewall-stoppedrules.erb +++ /dev/null @@ -1,2 +0,0 @@ -ACCEPT - - -ACCEPT - $FW diff --git a/cookbooks/networking/templates/default/shorewall-zones.erb b/cookbooks/networking/templates/default/shorewall-zones.erb deleted file mode 100644 index f4d7a4772..000000000 --- a/cookbooks/networking/templates/default/shorewall-zones.erb +++ /dev/null @@ -1,12 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -# ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS -fw firewall -loc <%= @type %> -net <%= @type %> -dock <%= @type %> -osm:net <%= @type %> -ucl:osm <%= @type %> -ams:osm <%= @type %> -bm:osm <%= @type %> -dub:osm <%= @type %> diff --git a/cookbooks/networking/templates/default/shorewall.conf.erb b/cookbooks/networking/templates/default/shorewall.conf.erb deleted file mode 100644 index 17eef48da..000000000 --- a/cookbooks/networking/templates/default/shorewall.conf.erb +++ /dev/null 
@@ -1,307 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -############################################################################### -# S T A R T U P E N A B L E D -############################################################################### - -STARTUP_ENABLED=Yes - -############################################################################### -# V E R B O S I T Y -############################################################################### - -VERBOSITY=1 - -############################################################################### -# P A G E R -############################################################################### - -PAGER= - -############################################################################### -# F I R E W A L L -############################################################################### - -FIREWALL= - -############################################################################### -# L O G G I N G -############################################################################### - -<% if node[:networking][:firewall][:log] -%> -LOG_LEVEL="info" -<% else -%> -LOG_LEVEL="none" -<% end -%> - -BLACKLIST_LOG_LEVEL= - -INVALID_LOG_LEVEL= - -LOG_BACKEND= - -LOG_MARTIANS=Yes - -LOG_VERBOSITY=2 - -LOGALLNEW= - -LOGFILE=/var/log/messages - -LOGFORMAT="%s %s " - -LOGTAGONLY=No - -LOGLIMIT="s:1/sec:10" - -MACLIST_LOG_LEVEL="$LOG_LEVEL" - -RELATED_LOG_LEVEL= - -RPFILTER_LOG_LEVEL="$LOG_LEVEL" - -SFILTER_LOG_LEVEL="$LOG_LEVEL" - -SMURF_LOG_LEVEL="$LOG_LEVEL" - -STARTUP_LOG=/var/log/shorewall-init.log - -TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" - -UNTRACKED_LOG_LEVEL= - -############################################################################### -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S -############################################################################### - -ARPTABLES= - -CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall" - -GEOIPDIR=/usr/share/xt_geoip/LE - -IPTABLES= - -IP= - -IPSET= - 
-LOCKFILE= - -MODULESDIR= - -NFACCT= - -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" - -PERL=/usr/bin/perl - -RESTOREFILE=restore - -SHOREWALL_SHELL=/bin/sh - -SUBSYSLOCK="" - -TC= - -############################################################################### -# D E F A U L T A C T I O N S / M A C R O S -############################################################################### - -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)" - -############################################################################### -# R S H / R C P C O M M A N D S -############################################################################### - -RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' -RSH_COMMAND='ssh ${root}@${system} ${command}' - -############################################################################### -# F I R E W A L L O P T I O N S -############################################################################### - -ACCOUNTING=Yes - -ACCOUNTING_TABLE=filter - -ADD_IP_ALIASES=No - -ADD_SNAT_ALIASES=No - -ADMINISABSENTMINDED=Yes - -AUTOCOMMENT=Yes - -AUTOHELPERS=Yes - -AUTOMAKE=Yes - -BALANCE_PROVIDERS=No - -BASIC_FILTERS=No - -<% if node[:networking][:firewall][:raw] -%> -BLACKLIST="NEW,INVALID,UNTRACKED" -<% else -%> -BLACKLIST="NEW,INVALID" -<% end -%> - -CLAMPMSS=No - -CLEAR_TC=Yes - -COMPLETE=No - -DEFER_DNS_RESOLUTION=Yes - -DELETE_THEN_ADD=Yes - -DETECT_DNAT_IPADDRS=No - -DISABLE_IPV6=No - -DOCKER=Yes - -DONT_LOAD= - -DYNAMIC_BLACKLIST=Yes - -EXPAND_POLICIES=Yes - -EXPORTMODULES=Yes - -FASTACCEPT=No - -FORWARD_CLEAR_MARK= - -HELPERS= - -IGNOREUNKNOWNVARIABLES=No - -IMPLICIT_CONTINUE=No - -INLINE_MATCHES=No - -IPSET_WARNINGS=Yes - -IP_FORWARDING=Keep - -KEEP_RT_TABLES=No - 
-LOAD_HELPERS_ONLY=Yes - -MACLIST_TABLE=filter - -MACLIST_TTL= - -MANGLE_ENABLED=Yes - -MAPOLDACTIONS=No - -MARK_IN_FORWARD_CHAIN=No - -MINIUPNPD=No - -MULTICAST=No - -MUTEX_TIMEOUT=60 - -NULL_ROUTE_RFC1918=No - -OPTIMIZE=All - -OPTIMIZE_ACCOUNTING=No - -PERL_HASH_SEED=0 - -REJECT_ACTION= - -REQUIRE_INTERFACE=No - -RESTART=restart - -RESTORE_DEFAULT_ROUTE=Yes - -RESTORE_ROUTEMARKS=Yes - -RETAIN_ALIASES=No - -ROUTE_FILTER=Yes - -SAVE_ARPTABLES=No - -SAVE_IPSETS=No - -<% if node[:networking][:firewall][:mangle] -%> -TC_ENABLED=Internal -<% else -%> -TC_ENABLED=No -<% end -%> - -TC_EXPERT=No - -TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" - -TRACK_PROVIDERS=Yes - -TRACK_RULES=No - -USE_DEFAULT_RT=No - -USE_NFLOG_SIZE=No - -USE_PHYSICAL_NAMES=No - -USE_RT_NAMES=No - -VERBOSE_MESSAGES=Yes - -WARNOLDCAPVERSION=Yes - -WORKAROUNDS=No - -ZERO_MARKS=No - -ZONE2ZONE=- - -############################################################################### -# P A C K E T D I S P O S I T I O N -############################################################################### - -BLACKLIST_DISPOSITION=DROP - -INVALID_DISPOSITION=CONTINUE - -MACLIST_DISPOSITION=REJECT - -RELATED_DISPOSITION=ACCEPT - -RPFILTER_DISPOSITION=DROP - -SMURF_DISPOSITION=DROP - -SFILTER_DISPOSITION=DROP - -TCP_FLAGS_DISPOSITION=DROP - -UNTRACKED_DISPOSITION=CONTINUE - -################################################################################ -# P A C K E T M A R K L A Y O U T -################################################################################ - -TC_BITS= - -PROVIDER_BITS= - -PROVIDER_OFFSET= - -MASK_BITS= - -ZONE_BITS=0 diff --git a/cookbooks/networking/templates/default/shorewall6-hosts.erb b/cookbooks/networking/templates/default/shorewall6-hosts.erb deleted file mode 100644 index c2ac66356..000000000 --- a/cookbooks/networking/templates/default/shorewall6-hosts.erb +++ /dev/null 
@@ -1,12 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -# ZONE HOST OPTIONS -<% node.interfaces(:family => :inet6, :role => :external).each do |interface| -%> -<% @zones.keys.sort.each do |zone| -%> -<% if @zones[zone]["inet6"] -%> -<% @zones[zone]["inet6"].sort.each do |ra| -%> -<%= zone %> <%= interface[:interface] %>:[<%= ra %>] -<% end -%> -<% end -%> -<% end -%> -<% end -%> diff --git a/cookbooks/networking/templates/default/shorewall6-interfaces.erb b/cookbooks/networking/templates/default/shorewall6-interfaces.erb deleted file mode 100644 index 8ba6b8c82..000000000 --- a/cookbooks/networking/templates/default/shorewall6-interfaces.erb +++ /dev/null @@ -1,14 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -?FORMAT 2 - -# ZONE INTERFACE OPTIONS -<% node[:networking][:interfaces].each do |name,interface| -%> -<% if interface[:family] == "inet6" -%> -<% if interface[:role] == "internal" -%> -loc <%= interface[:interface] %> - -<% elsif interface[:role] == "external" -%> -net <%= interface[:interface] %> - -<% end -%> -<% end -%> -<% end -%> diff --git a/cookbooks/networking/templates/default/shorewall6.conf.erb b/cookbooks/networking/templates/default/shorewall6.conf.erb deleted file mode 100644 index a98408e0b..000000000 --- a/cookbooks/networking/templates/default/shorewall6.conf.erb +++ /dev/null 
@@ -1,287 +0,0 @@ -# DO NOT EDIT - This file is being maintained by Chef - -############################################################################### -# S T A R T U P E N A B L E D -############################################################################### - -STARTUP_ENABLED=Yes - -############################################################################### -# V E R B O S I T Y -############################################################################### - -VERBOSITY=1 - -############################################################################### -# P A G E R -############################################################################### - -PAGER= - -############################################################################### -# F I R E W A L L -############################################################################### - -FIREWALL= - -############################################################################### -# L O G G I N G -############################################################################### - -<% if node[:networking][:firewall][:log] -%> -LOG_LEVEL="info" -<% else -%> -LOG_LEVEL="none" -<% end -%> - -BLACKLIST_LOG_LEVEL= - -INVALID_LOG_LEVEL= - -LOG_BACKEND= - -LOG_VERBOSITY=2 - -LOGALLNEW= - -LOGFILE=/var/log/messages - -LOGFORMAT="%s %s " - -LOGLIMIT="s:1/sec:10" - -LOGTAGONLY=No - -MACLIST_LOG_LEVEL="$LOG_LEVEL" - -RELATED_LOG_LEVEL= - -RPFILTER_LOG_LEVEL="$LOG_LEVEL" - -SFILTER_LOG_LEVEL="$LOG_LEVEL" - -SMURF_LOG_LEVEL="$LOG_LEVEL" - -STARTUP_LOG=/var/log/shorewall6-init.log - -TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL" - -UNTRACKED_LOG_LEVEL= - -############################################################################### -# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S -############################################################################### - -CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall" - -GEOIPDIR=/usr/share/xt_geoip/LE - -IP6TABLES= - -IP= - -IPSET= - 
-LOCKFILE= - -MODULESDIR= - -NFACCT= - -PERL=/usr/bin/perl - -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin" - -RESTOREFILE=restore - -SHOREWALL_SHELL=/bin/sh - -SUBSYSLOCK="" - -TC= - -############################################################################### -# D E F A U L T A C T I O N S / M A C R O S -############################################################################### - -ACCEPT_DEFAULT="none" -BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL" -DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" -NFQUEUE_DEFAULT="none" -QUEUE_DEFAULT="none" -REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)" - -############################################################################### -# R S H / R C P C O M M A N D S -############################################################################### - -RCP_COMMAND='scp ${files} ${root}@${system}:${destination}' -RSH_COMMAND='ssh ${root}@${system} ${command}' - -############################################################################### -# F I R E W A L L O P T I O N S -############################################################################### - -ACCOUNTING=Yes - -ACCOUNTING_TABLE=filter - -ADMINISABSENTMINDED=Yes - -AUTOCOMMENT=Yes - -AUTOHELPERS=Yes - -AUTOMAKE=Yes - -BALANCE_PROVIDERS=No - -BASIC_FILTERS=No - -<% if node[:networking][:firewall][:raw] -%> -BLACKLIST="NEW,INVALID,UNTRACKED" -<% else -%> -BLACKLIST="NEW,INVALID" -<% end -%> - -CLAMPMSS=No - -CLEAR_TC=No - -COMPLETE=No - -DEFER_DNS_RESOLUTION=Yes - -DELETE_THEN_ADD=Yes - -DONT_LOAD= - -DYNAMIC_BLACKLIST=Yes - -EXPAND_POLICIES=Yes - -EXPORTMODULES=Yes - -FASTACCEPT=No - -<% if node[:networking][:firewall][:mark] -%> -FORWARD_CLEAR_MARK=Yes -<% else -%> -FORWARD_CLEAR_MARK=No -<% end -%> - -HELPERS= - -IGNOREUNKNOWNVARIABLES=No - -IMPLICIT_CONTINUE=No - -INLINE_MATCHES=No - -IPSET_WARNINGS=Yes - -IP_FORWARDING=Keep - 
-KEEP_RT_TABLES=No - -LOAD_HELPERS_ONLY=Yes - -MACLIST_TABLE=filter - -MACLIST_TTL= - -MANGLE_ENABLED=Yes - -MARK_IN_FORWARD_CHAIN=No - -MINIUPNPD=No - -MUTEX_TIMEOUT=60 - -OPTIMIZE=All - -OPTIMIZE_ACCOUNTING=No - -PERL_HASH_SEED=0 - -REJECT_ACTION= - -REQUIRE_INTERFACE=No - -RESTART=restart - -RESTORE_DEFAULT_ROUTE=Yes - -RESTORE_ROUTEMARKS=Yes - -SAVE_IPSETS=No - -<% if node[:networking][:firewall][:mangle] -%> -TC_ENABLED=Shared -<% else -%> -TC_ENABLED=No -<% end -%> - -TC_EXPERT=No - -TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" - -TRACK_PROVIDERS=Yes - -TRACK_RULES=No - -USE_DEFAULT_RT=Yes - -USE_NFLOG_SIZE=No - -USE_PHYSICAL_NAMES=No - -USE_RT_NAMES=No - -VERBOSE_MESSAGES=Yes - -WARNOLDCAPVERSION=Yes - -WORKAROUNDS=No - -ZERO_MARKS=No - -ZONE2ZONE= - -############################################################################### -# P A C K E T D I S P O S I T I O N -############################################################################### - -BLACKLIST_DISPOSITION=DROP - -INVALID_DISPOSITION=CONTINUE - -MACLIST_DISPOSITION=REJECT - -RELATED_DISPOSITION=ACCEPT - -SFILTER_DISPOSITION=DROP - -RPFILTER_DISPOSITION=DROP - -SMURF_DISPOSITION=DROP - -TCP_FLAGS_DISPOSITION=DROP - -UNTRACKED_DISPOSITION=CONTINUE - -################################################################################ -# P A C K E T M A R K L A Y O U T -################################################################################ - -TC_BITS= - -PROVIDER_BITS= - -PROVIDER_OFFSET= - -MASK_BITS= - -ZONE_BITS=0 - -#LAST LINE -- DO NOT REMOVE diff --git a/roles/base.rb b/roles/base.rb index 2da7e4e24..d37a4097d 100644 --- a/roles/base.rb +++ b/roles/base.rb @@ -19,8 +19,8 @@ default_attributes( }, :networking => { :roles => { - :internal => { :metric => 200, :zone => "loc" }, - :external => { :metric => 100, :zone => "osm" } + :internal => { :metric => 200 }, + :external => { :metric => 100 } }, :search => ["openstreetmap.org"] }, 
diff --git a/roles/bytemark.rb b/roles/bytemark.rb index 8a3e6e256..8f23bd5d0 100644 --- a/roles/bytemark.rb +++ b/roles/bytemark.rb @@ -16,7 +16,6 @@ default_attributes( } }, :external => { - :zone => "bm", :inet => { :prefix => "28", :gateway => "89.16.162.17" -- 2.39.5