From 89142473eefb6cc4409dbbd0da6f004b38e8dd8f Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 11 Mar 2023 14:45:43 +0000
Subject: [PATCH 1/1] Generalise configuration of firewall sets
---
 cookbooks/networking/resources/firewall_rule.rb | 15 +++++++++++++--
 .../templates/default/nftables.conf.erb | 14 ++++++--------
 2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 4cda0486b..7d7d45b7a 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -75,7 +75,9 @@ action_class do
 if new_resource.connection_limit
 set = "connlimit-#{new_resource.rule}-#{ip}"
 
- node.default[:networking][:firewall][:sets] << set
+ node.default[:networking][:firewall][:sets] << {
+ :name => set, :type => set_type(ip), :flags => %w[dynamic]
+ }
 
 rule << "add @#{set} { #{ip} saddr ct count #{new_resource.connection_limit} }"
 end
@@ -85,7 +87,9 @@ action_class do
 rate = Regexp.last_match(1)
 burst = Regexp.last_match(2)
 
- node.default[:networking][:firewall][:sets] << set
+ node.default[:networking][:firewall][:sets] << {
+ :name => set, :type => set_type(ip), :flags => %w[dynamic], :timeout => 120
+ }
 
 rule << "update @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
 end
@@ -134,4 +138,11 @@ action_class do
 "{ #{Array(addresses).map(&:to_s).join(', ')} }"
 end
 end
+
+ def set_type(ip)
+ case ip
+ when "ip" then "ipv4_addr"
+ when "ip6" then "ipv6_addr"
+ end
+ end
 end
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 4a16fb098..74d104fad 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
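Review bot: `set_type` in the third hunk returns nil for any address family other than "ip" or "ip6" because the `case` has no `else`, and the first two hunks store that value unchecked as `:type`, which the template then renders as a bare `type` line that nft will not parse. If the enclosing loop only ever supplies those two families (it lies outside these hunks, so I cannot confirm) the branch is unreachable today, but an explicit `else raise ArgumentError, "unknown address family #{ip.inspect}"` turns a silent nil into a failure at Chef compile time rather than at firewall reload, where a rejected ruleset is the worse place to discover it. A one-line comment on the helper, `# Map an nft address family ("ip"/"ip6") to the nft set element type.`, would also make the contract with the template explicit.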
@@ -47,15 +47,13 @@ table inet chef-filter {
 }
 
 <% node[:networking][:firewall][:sets].each do |set| -%>
- set <%= set %> {
-<% if set.end_with?("-ip") -%>
- type ipv4_addr
-<% elsif set.end_with?("-ip6") -%>
- type ipv6_addr
+ set <%= set[:name] %> {
+ type <%= set[:type] %>
+<% if set[:flags] -%>
+ flags <%= set[:flags].join(", ") %>
 <% end -%>
- flags dynamic
-<% unless set.start_with?("connlimit-") -%>
- timeout 120s
+<% if set[:timeout] -%>
+ timeout <%= set[:timeout] %>s
 <% end -%>
 }
 
-- 
2.39.5
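Review bot: `<% if set[:flags] -%>` treats an empty flags array as present, since `[]` is truthy in Ruby, so a set configured with `:flags => []` renders `flags ` with no value and the ruleset fails to load. Both current callers pass `%w[dynamic]`, but the purpose of this change is to let sets carry arbitrary options, so `<% unless Array(set[:flags]).empty? -%>` is the safer guard and also tolerates a missing key. The `timeout` line appends `s`, so `:timeout` is interpreted in seconds; an ERB comment above the `.each`, such as `<%# each set hash: :name, :type (nft element type), optional :flags (array) and :timeout (seconds) %>`, records the contract the resource and this template now share.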