X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/48fcb7f97fbf5bc0b637b8b3e4c228173cda55ae..ccfa52cb5bce88a14e36a9967c5803570321c325:/cookbooks/networking/resources/firewall_rule.rb
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index a3e2e7eb0..0dd9a488a 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -51,6 +51,21 @@ end
 action_class do
 def add_rule(action)
+ if node[:networking][:firewall][:engine] == "shorewall"
+ add_shorewall_rule(action)
+ elsif node[:networking][:firewall][:engine] == "nftables"
+ if new_resource.family.nil?
+ add_nftables_rule(action, "inet")
+ add_nftables_rule(action, "inet6")
+ elsif new_resource.family.to_s == "inet"
+ add_nftables_rule(action, "inet")
+ elsif new_resource.family.to_s == "inet6"
+ add_nftables_rule(action, "inet6")
+ end
+ end
+ end
+
+ def add_shorewall_rule(action)
 rule = {
 :action => action.to_s.upcase,
 :source => new_resource.source,
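Review bot: `add_rule` becomes a silent no-op when `node[:networking][:firewall][:engine]` is neither `shorewall` nor `nftables`, and likewise under nftables when `new_resource.family` is anything other than nil, `inet` or `inet6`, so a misspelled engine attribute or family value leaves the rule out of the firewall with no error at converge time. Add `else raise ArgumentError, "Unsupported firewall engine #{node[:networking][:firewall][:engine]}"` to the outer branch and a matching `else raise ArgumentError, "Unsupported address family #{new_resource.family}"` to the inner one, so a misconfiguration fails loudly instead of quietly dropping a rule. The repeated `new_resource.family.to_s` comparisons would read more naturally as a `case new_resource.family&.to_s` with `when nil`, `when "inet"`, `when "inet6"` arms. `add_shorewall_rule` begins in this hunk but its body continues past it.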
@@ -76,4 +91,72 @@ action_class do
 end
 end
 end
+
+ def add_nftables_rule(action, family)
+ rule = []
+
+ ip = case family
+ when "inet" then "ip"
+ when "inet6" then "ip6"
+ end
+
+ proto = case new_resource.proto
+ when "udp" then "udp"
+ when "tcp", "tcp:syn" then "tcp"
+ end
+
+ if new_resource.source_ports != "-"
+ rule << "#{proto} sport { #{new_resource.source_ports} }"
+ end
+
+ if new_resource.dest_ports != "-"
+ rule << "#{proto} dport { #{new_resource.dest_ports} }"
+ end
+
+ if new_resource.source == "osm"
+ rule << "#{ip} saddr { $#{ip}-osm-addresses }"
+ elsif new_resource.source =~ /^net:(.*)$/
+ addresses = Regexp.last_match(1).split(",").join(", ")
+
+ rule << "#{ip} saddr { #{addresses} }"
+ end
+
+ if new_resource.dest == "osm"
+ rule << "#{ip} daddr $#{ip}-osm-addresses"
+ elsif new_resource.dest =~ /^net:(.*)$/
+ addresses = Regexp.last_match(1).split(",").join(", ")
+
+ rule << "#{ip} daddr { #{addresses} }"
+ end
+
+ if new_resource.proto == "tcp:syn"
+ rule << "ct state new"
+ end
+
+ if new_resource.connection_limit != "-"
+ rule << "ct count #{new_resource.connection_limit}"
+ end
+
+ if new_resource.rate_limit =~ %r{^s:(\d+)/sec:(\d+)$}
+ set = "#{new_resource.rule}-#{ip}"
+ rate = Regexp.last_match(1)
+ burst = Regexp.last_match(2)
+
+ node.default[:networking][:firewall][:sets] << set
+
+ rule << "add @#{set} { #{ip} saddr limit rate #{rate}/second burst #{burst} packets }"
+ end
+
+ rule << case action
+ when :accept then "accept"
+ when :drop then "jump log-and-drop"
+ when :reject then "jump log-and-reject"
+ end
+
+ if new_resource.source == "fw"
+ node.default[:networking][:firewall][:outcoming] << rule.join(" ")
+ elsif new_resource.dest == "fw"
+ node.default[:networking][:firewall][:incoming] << rule.join(" ")
+ end
+ end
 end
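Review bot: The two `osm` branches in `add_nftables_rule` emit different syntax — the source side writes `#{ip} saddr { $#{ip}-osm-addresses }` with a set literal around the variable while the destination side writes `#{ip} daddr $#{ip}-osm-addresses` without one — so unless the define already expands to a braced set, one of the two generated rules will fail to load; use the same form in both, e.g. `rule << "#{ip} daddr { $#{ip}-osm-addresses }"`. `proto` is nil for any `new_resource.proto` value other than `udp`, `tcp` or `tcp:syn`, so a port match would then render as ` sport { … }` with no protocol keyword; if other protocol values are accepted by the property (declared outside this hunk), guard the two port fragments on `proto` or raise for unsupported values. A rule whose source and dest are both something other than `fw` is fully built and then silently discarded by the final `if`/`elsif`; an `else raise ArgumentError, "firewall_rule #{new_resource.rule} has neither source nor dest fw"` makes that misconfiguration visible instead of leaving the host without the intended rule. The rate-limit match `%r{^s:(\d+)/sec:(\d+)$}` should anchor with `\A`/`\z`, since `^`/`$` match per line rather than the whole string.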