Generalise configuration of firewall sets

[chef.git] / cookbooks / networking / templates / default / nftables.conf.erb

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 4a16fb0985df84bb0263d398f2b6b09384510876..74d104fadae5cf9e38f7f698bd148c8f3d9175c3 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -47,15 +47,13 @@ table inet chef-filter {
   }
 
 <% node[:networking][:firewall][:sets].each do |set| -%>
-  set <%= set %> {
-<% if set.end_with?("-ip") -%>
-    type ipv4_addr
-<% elsif set.end_with?("-ip6") -%>
-    type ipv6_addr
+  set <%= set[:name] %> {
+    type <%= set[:type] %>
+<% if set[:flags] -%>
+    flags <%= set[:flags].join(", ") %>
 <% end -%>
-    flags dynamic
-<% unless set.start_with?("connlimit-") -%>
-    timeout 120s
+<% if set[:timeout] -%>
+    timeout <%= set[:timeout] %>s
 <% end -%>
   }