Reintroduce helper support and implement it

[chef.git] / cookbooks / networking / templates / default / nftables.conf.erb

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index d98237d6e4649532b78655a8e8de69afed0a8feb..cc3cd8f7fe69465d0e208643793f00cb1d0f9384 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -24,12 +24,12 @@ table inet chef-filter {
 
   set ip-blocklist {
     type ipv4_addr
-    flags dynamic
+    flags interval
   }
 
   set ip6-blocklist {
     type ipv6_addr
-    flags dynamic
+    flags interval
   }
 
   set ratelimit-icmp-echo-ip {
@@ -57,6 +57,13 @@ table inet chef-filter {
 <%- end %>
   }
 
+<%- end %>
+
+<%- node[:networking][:firewall][:helpers].each do |helper| %>
+  ct helper <%= helper[:name] %> {
+    type "<%= helper[:helper] %>" protocol <%= helper[:protocol] %>
+  }
+
 <%- end %>
   chain log-and-drop {
     limit rate 1/second log