]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/networking/templates/default/nftables.erb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Preserve blocklists over firewall restarts
[chef.git] / cookbooks / networking / templates / default / nftables.erb
diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb
new file mode 100644 (file)
index 0000000..82064d7
--- /dev/null
+++ b/cookbooks/networking/templates/default/nftables.erb
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+start() {
+  /usr/sbin/nft -f /etc/nftables.conf
+  [ -f /var/lib/nftables/ip-blocklist.nft ] && /usr/sbin/nft -f /var/lib/nftables/ip-blocklist.nft || :
+  [ -f /var/lib/nftables/ip6-blocklist.nft ] && /usr/sbin/nft -f /var/lib/nftables/ip6-blocklist.nft || :
+}
+
+stop() {
+  /usr/sbin/nft list set inet chef-filter ip-blocklist > /var/lib/nftables/ip-blocklist.nft
+  /usr/sbin/nft list set inet chef-filter ip6-blocklist > /var/lib/nftables/ip6-blocklist.nft
+  /usr/sbin/nft delete table inet chef-filter
+<% if node[:roles].include?("gateway") -%>
+  /usr/sbin/nft delete table inet chef-nat
+<% end -%>
+}
+
+reload() {
+  stop
+  start
+}
+
+case "$1" in
+  start) start;;
+  stop) stop;;
+  reload) reload;;
+esac
+
+exit 0
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.