Disable unsupported firewall features on boitata

author Tom Hughes <tom@compton.nu>

Fri, 15 Mar 2019 16:45:22 +0000 (16:45 +0000)

committer Tom Hughes <tom@compton.nu>

Fri, 15 Mar 2019 16:50:54 +0000 (16:50 +0000)
author Tom Hughes <tom@compton.nu>
Fri, 15 Mar 2019 16:45:22 +0000 (16:45 +0000)
committer Tom Hughes <tom@compton.nu>
Fri, 15 Mar 2019 16:50:54 +0000 (16:50 +0000)
diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb

index e7dcf265cae7853b321c99240c724a0d2ec2d299..f7db87730f14ded5b8d719defc7f30957d654a12 100644 (file)
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -2,6 +2,10 @@ default[:networking][:firewall][:inet] = []
  default[:networking][:firewall][:inet6] = []
  default[:networking][:firewall][:http_rate_limit] = "-"
  default[:networking][:firewall][:http_connection_limit] = "-"
+default[:networking][:firewall][:log] = true
+default[:networking][:firewall][:mark] = true
+default[:networking][:firewall][:raw] = true
+default[:networking][:firewall][:mangle] = true
  default[:networking][:interfaces] = {}
  default[:networking][:nameservers] = []
  default[:networking][:search] = []
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb

index 51f3f4389aa1eb7dd4ec5f2078080e47131ac6e5..c45daae3fca5e4af0c6cf0596936e6213d43c148 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -185,6 +185,7 @@ template "/etc/shorewall/conntrack" do
    group "root"
    mode 0o644
    notifies :restart, "service[shorewall]"
+  only_if { node[:networking][:firewall][:raw] }
  end
  
  template "/etc/shorewall/policy" do
@@ -305,6 +306,7 @@ unless node.interfaces(:family => :inet6).empty?
      group "root"
      mode 0o644
      notifies :restart, "service[shorewall6]"
+    only_if { node[:networking][:firewall][:raw] }
    end
  
    template "/etc/shorewall6/policy" do
diff --git a/cookbooks/networking/templates/default/shorewall.conf.erb b/cookbooks/networking/templates/default/shorewall.conf.erb

index 8720866d2b0185b6addb644e202f4b08b5980594..290c73fb64fd7e2f1184d5c679b9edf4b9de0eaa 100644 (file)
--- a/cookbooks/networking/templates/default/shorewall.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall.conf.erb
@@ -28,7 +28,11 @@ FIREWALL=
  #                             L O G G I N G
  ###############################################################################
  
+<% if node[:networking][:firewall][:log] -%>
  LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
  
  BLACKLIST_LOG_LEVEL=
  
@@ -142,7 +146,11 @@ BALANCE_PROVIDERS=No
  
  BASIC_FILTERS=No
  
+<% if node[:networking][:firewall][:raw] -%>
  BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
  
  CLAMPMSS=No
  
@@ -230,7 +238,11 @@ SAVE_ARPTABLES=No
  
  SAVE_IPSETS=No
  
+<% if node[:networking][:firewall][:mangle] -%>
  TC_ENABLED=Internal
+<% else -%>
+TC_ENABLED=No
+<% end -%>
  
  TC_EXPERT=No
  
diff --git a/cookbooks/networking/templates/default/shorewall6.conf.erb b/cookbooks/networking/templates/default/shorewall6.conf.erb

index c6c1104c7fe58e8496a65b49a5423028e01688c3..a98408e0bcd82b1310ebdb75c2d6fa95af1f85a6 100644 (file)
--- a/cookbooks/networking/templates/default/shorewall6.conf.erb
+++ b/cookbooks/networking/templates/default/shorewall6.conf.erb
@@ -28,7 +28,11 @@ FIREWALL=
  #                             L O G G I N G
  ###############################################################################
  
+<% if node[:networking][:firewall][:log] -%>
  LOG_LEVEL="info"
+<% else -%>
+LOG_LEVEL="none"
+<% end -%>
  
  BLACKLIST_LOG_LEVEL=
  
@@ -134,7 +138,11 @@ BALANCE_PROVIDERS=No
  
  BASIC_FILTERS=No
  
+<% if node[:networking][:firewall][:raw] -%>
  BLACKLIST="NEW,INVALID,UNTRACKED"
+<% else -%>
+BLACKLIST="NEW,INVALID"
+<% end -%>
  
  CLAMPMSS=No
  
@@ -156,7 +164,11 @@ EXPORTMODULES=Yes
  
  FASTACCEPT=No
  
+<% if node[:networking][:firewall][:mark] -%>
  FORWARD_CLEAR_MARK=Yes
+<% else -%>
+FORWARD_CLEAR_MARK=No
+<% end -%>
  
  HELPERS=
  
@@ -204,7 +216,11 @@ RESTORE_ROUTEMARKS=Yes
  
  SAVE_IPSETS=No
  
+<% if node[:networking][:firewall][:mangle] -%>
  TC_ENABLED=Shared
+<% else -%>
+TC_ENABLED=No
+<% end -%>
  
  TC_EXPERT=No
  
diff --git a/roles/boitata.rb b/roles/boitata.rb

index d0fcef8d3fbeb03a46b675cf831675ec66a317f1..8bf964a60392e9ab4897faa847d916256b71b650 100644 (file)
--- a/roles/boitata.rb
+++ b/roles/boitata.rb
@@ -3,6 +3,12 @@ description "Master role applied to boitata"
  
  default_attributes(
    :networking => {
+    :firewall => {
+      :log => false,
+      :mark => false,
+      :raw => false,
+      :mangle => false
+    },
      :interfaces => {
        :external_ipv4 => {
          :interface => "ens3",
author	Tom Hughes <tom@compton.nu>
	Fri, 15 Mar 2019 16:45:22 +0000 (16:45 +0000)
committer	Tom Hughes <tom@compton.nu>
	Fri, 15 Mar 2019 16:50:54 +0000 (16:50 +0000)
cookbooks/networking/attributes/default.rb		patch \| blob \| history
cookbooks/networking/recipes/default.rb		patch \| blob \| history
cookbooks/networking/templates/default/shorewall.conf.erb		patch \| blob \| history
cookbooks/networking/templates/default/shorewall6.conf.erb		patch \| blob \| history
roles/boitata.rb		patch \| blob \| history