From 84b5aa673d3d29cbf124c93abaa4c6995b9c1ea5 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Tue, 7 Mar 2023 19:55:11 +0000 Subject: [PATCH 1/1] Reintroduce helper support and implement it --- cookbooks/networking/attributes/default.rb | 1 + cookbooks/networking/resources/firewall_rule.rb | 11 +++++++++++ .../networking/templates/default/nftables.conf.erb | 7 +++++++ 3 files changed, 19 insertions(+) diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb index dcecbb5f6..9832ce8f3 100644 --- a/cookbooks/networking/attributes/default.rb +++ b/cookbooks/networking/attributes/default.rb @@ -1,5 +1,6 @@ default[:networking][:firewall][:enabled] = true default[:networking][:firewall][:sets] = [] +default[:networking][:firewall][:helpers] = [] default[:networking][:firewall][:incoming] = [] default[:networking][:firewall][:outgoing] = [] default[:networking][:firewall][:http_rate_limit] = nil diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb index 385727647..6f429ac5d 100644 --- a/cookbooks/networking/resources/firewall_rule.rb +++ b/cookbooks/networking/resources/firewall_rule.rb @@ -33,6 +33,7 @@ property :dest_ports, :kind_of => [String, Integer, Array] property :source_ports, :kind_of => [String, Integer, Array] property :rate_limit, :kind_of => String property :connection_limit, :kind_of => [String, Integer] +property :helper, :kind_of => String property :compile_time, TrueClass, :default => true @@ -114,6 +115,16 @@ action_class do rule << "update @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }" end + if new_resource.helper + helper = "#{new_resource.rule}-#{new_resource.helper}" + + node.default[:networking][:firewall][:helpers] << { + :name => helper, :helper => new_resource.helper, :protocol => proto + } + + rule << "ct helper set #{helper}" + end + rule << case action when :accept then "accept" when :drop then "jump log-and-drop" diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb index 957955af4..cc3cd8f7f 100644 --- a/cookbooks/networking/templates/default/nftables.conf.erb +++ b/cookbooks/networking/templates/default/nftables.conf.erb @@ -57,6 +57,13 @@ table inet chef-filter { <%- end %> } +<%- end %> + +<%- node[:networking][:firewall][:helpers].each do |helper| %> + ct helper <%= helper[:name] %> { + type "<%= helper[:helper] %>" protocol <%= helper[:protocol] %> + } + <%- end %> chain log-and-drop { limit rate 1/second log -- 2.39.5