From f4a0305a479f4177a21d60d9b726b42e0562a875 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Sun, 12 Mar 2023 11:07:07 +0000 Subject: [PATCH] Preserve blocklists over firewall restarts --- cookbooks/networking/recipes/default.rb | 30 +++++++++++++------ .../networking/templates/default/nftables.erb | 29 ++++++++++++++++++ 2 files changed, 50 insertions(+), 9 deletions(-) create mode 100644 cookbooks/networking/templates/default/nftables.erb diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb index f33714900..5d7718508 100644 --- a/cookbooks/networking/recipes/default.rb +++ b/cookbooks/networking/recipes/default.rb @@ -409,22 +409,34 @@ template "/etc/nftables.conf" do group "root" mode "755" variables :interfaces => interfaces, :hosts => hosts - notifies :restart, "service[nftables]" + notifies :reload, "service[nftables]" end -stop_commands = [ - "-/usr/sbin/nft delete table inet filter", - "-/usr/sbin/nft delete table inet chef-filter" -] +directory "/var/lib/nftables" do + owner "root" + group "root" + mode "755" +end -stop_commands << "-/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway") -stop_commands << "-/usr/sbin/nft delete table ip chef-nat" if node[:roles].include?("gateway") +template "/usr/local/bin/nftables" do + source "nftables.erb" + owner "root" + group "root" + mode "755" +end systemd_service "nftables-stop" do + action :delete service "nftables" dropin "stop" - exec_reload "" - exec_stop stop_commands +end + +systemd_service "nftables-chef" do + service "nftables" + dropin "chef" + exec_start "/usr/local/bin/nftables start" + exec_reload "/usr/local/bin/nftables reload" + exec_stop "/usr/local/bin/nftables stop" end if node[:networking][:firewall][:enabled] diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb new file mode 100644 index 000000000..82064d7f5 --- /dev/null +++ b/cookbooks/networking/templates/default/nftables.erb @@ -0,0 +1,29 @@ +#!/bin/sh -e + +start() { + /usr/sbin/nft -f /etc/nftables.conf + [ -f /var/lib/nftables/ip-blocklist.nft ] && /usr/sbin/nft -f /var/lib/nftables/ip-blocklist.nft || : + [ -f /var/lib/nftables/ip6-blocklist.nft ] && /usr/sbin/nft -f /var/lib/nftables/ip6-blocklist.nft || : +} + +stop() { + /usr/sbin/nft list set inet chef-filter ip-blocklist > /var/lib/nftables/ip-blocklist.nft + /usr/sbin/nft list set inet chef-filter ip6-blocklist > /var/lib/nftables/ip6-blocklist.nft + /usr/sbin/nft delete table inet chef-filter +<% if node[:roles].include?("gateway") -%> + /usr/sbin/nft delete table inet chef-nat +<% end -%> +} + +reload() { + stop + start +} + +case "$1" in + start) start;; + stop) stop;; + reload) reload;; +esac + +exit 0 -- 2.39.5