From cc045c868bf15083df4db4442c0d92814441951e Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 4 Mar 2023 12:46:14 +0000
Subject: [PATCH] Use named sets for OSM IP addresses

---
 cookbooks/networking/resources/firewall_rule.rb | 4 ++--
 .../networking/templates/default/nftables.conf.erb | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 0eca03176..48a5074d7 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -114,7 +114,7 @@ action_class do
 end
 if new_resource.source == "osm"
- rule << "#{ip} saddr { $#{ip}-osm-addresses }"
+ rule << "#{ip} saddr @#{ip}-osm-addresses"
 elsif new_resource.source =~ /^net:(.*)$/
 addresses = Regexp.last_match(1).split(",").join(", ")
@@ -122,7 +122,7 @@ action_class do
 end
 if new_resource.dest == "osm"
- rule << "#{ip} daddr $#{ip}-osm-addresses"
+ rule << "#{ip} daddr @#{ip}-osm-addresses"
 elsif new_resource.dest =~ /^net:(.*)$/
 addresses = Regexp.last_match(1).split(",").join(", ")
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 923437f77..63f45a0c8 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
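Review bot: The new `@#{ip}-osm-addresses` reference on the added line only resolves inside the table that declares the set, whereas the `$#{ip}-osm-addresses` define it replaces was global to the ruleset file, so any rule this resource emits into a table other than `inet filter` (where the template now declares the sets) will fail at `nft -f` load time; the table the rule is appended to is not visible in this hunk, so please confirm every caller lands in `inet filter`. The rule text is also silently coupled to the set names in nftables.conf.erb through the value of `ip` ("ip"/"ip6"), which nothing here checks, and a comment above the branch would make that contract explicit, e.g. `# "osm" resolves to the named set @ip-osm-addresses / @ip6-osm-addresses declared in table inet filter (nftables.conf.erb); nft set references are table-scoped.` The enclosing action method starts and ends outside this hunk.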
@@ -5,12 +5,19 @@ define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
 define ip-private-addresses = { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
 define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }
-define ip-osm-addresses = { <%= Array(@hosts["inet"]).sort.join(", ") %> }
-define ip6-osm-addresses = { <%= Array(@hosts["inet6"]).sort.join(", ") %> }
-
 flush ruleset
 table inet filter {
+ set ip-osm-addresses {
+ type ipv4_addr
+ elements = { <%= Array(@hosts["inet"]).sort.join(", ") %> }
+ }
+
+ set ip6-osm-addresses {
+ type ipv6_addr
+ elements = { <%= Array(@hosts["inet6"]).sort.join(", ") %> }
+ }
+
 set ip-blacklist {
 type ipv4_addr
 flags dynamic
--
2.39.5
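Review bot: `set ip-osm-addresses` and `set ip6-osm-addresses` are declared as plain `type ipv4_addr` / `type ipv6_addr` sets, and nft refuses to load a named set whose `elements` contain a prefix or range unless the set carries `flags interval`, whereas the inline `{ $ip-osm-addresses }` form this replaces tolerated prefixes; whether `@hosts["inet"]` / `@hosts["inet6"]` can ever hold anything but single addresses is not visible here, so either confirm that or add `flags interval` after each `type` line. A host with an empty list (no IPv6 addresses, say) renders `elements = { }`, which as far as I recall nft's parser rejects, while a set block with no `elements` line at all is valid, so it is worth wrapping each `elements` line in `<% unless Array(@hosts["inet6"]).empty? %> ... <% end %>` (same for "inet") now that the failure would take the whole ruleset down at `flush ruleset` time. A one-line comment above the sets noting that firewall_rule.rb references them as `@ip-osm-addresses` / `@ip6-osm-addresses` and that nft set references are scoped to this table would stop a future move out of `table inet filter` from breaking those rules.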