]> git.openstreetmap.org Git - chef.git/commitdiff
projects / chef.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: aa7b44f)
Drop tcp vs tcp:syn distinction
authorTom Hughes <tom@compton.nu>
Tue, 7 Mar 2023 19:13:38 +0000 (19:13 +0000)
committerTom Hughes <tom@compton.nu>
Tue, 7 Mar 2023 19:13:38 +0000 (19:13 +0000)
cookbooks/bind/recipes/default.rb patch | blob | history
cookbooks/exim/recipes/default.rb patch | blob | history
cookbooks/geodns/recipes/default.rb patch | blob | history
cookbooks/logstash/recipes/default.rb patch | blob | history
cookbooks/munin/recipes/default.rb patch | blob | history
cookbooks/networking/recipes/default.rb patch | blob | history
cookbooks/networking/resources/firewall_rule.rb patch | blob | history
cookbooks/openssh/recipes/default.rb patch | blob | history
cookbooks/prometheus/resources/exporter.rb patch | blob | history
cookbooks/rsyncd/recipes/default.rb patch | blob | history

diff --git a/cookbooks/bind/recipes/default.rb b/cookbooks/bind/recipes/default.rb
index 8c7ee11e790c92863a49939bab4738be4a763cc0..6c596420de79e514c3ac0af10886f6d2b197c01f 100644 (file)
--- a/cookbooks/bind/recipes/default.rb
+++ b/cookbooks/bind/recipes/default.rb
@@ -72,6 +72,6 @@ firewall_rule "accept-dns-tcp" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
+  proto "tcp"
   dest_ports "domain"
 end
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 219baa36d45c7d7d61b98a7b5672c982720ab4f9..1a82a22733cbfd2c5425e99d920e958dd45d9416 100644 (file)
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -234,7 +234,7 @@ if node[:exim][:smarthost_name]
       action :accept
       source "net"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports port
       source_ports "1024-65535"
     end
@@ -254,7 +254,7 @@ else
       family :inet
       source "net:#{smarthosts_inet.sort.join(',')}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports port
       source_ports "1024-65535"
     end
@@ -264,7 +264,7 @@ else
       family :inet6
       source "net:#{smarthosts_inet6.sort.join(',')}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports port
       source_ports "1024-65535"
     end
@@ -276,7 +276,7 @@ if node[:exim][:smarthost_via]
     action :reject
     source "fw"
     dest "net"
-    proto "tcp:syn"
+    proto "tcp"
     dest_ports "smtp"
   end
 end
diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb
index 8afa85cc550e909e8b9372686b39640c56f38bf5..b40a7643f9c7082e6d035861f97f70c248d7058b 100644 (file)
--- a/cookbooks/geodns/recipes/default.rb
+++ b/cookbooks/geodns/recipes/default.rb
@@ -100,6 +100,6 @@ firewall_rule "accept-dns-tcp" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
+  proto "tcp"
   dest_ports "domain"
 end
diff --git a/cookbooks/logstash/recipes/default.rb b/cookbooks/logstash/recipes/default.rb
index 81a0b79f8c1a2695017ea90c93f0a2c33c5528b4..56caa73129ff7a123c441107deaed3da3d595a5b 100644 (file)
--- a/cookbooks/logstash/recipes/default.rb
+++ b/cookbooks/logstash/recipes/default.rb
@@ -83,7 +83,7 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder|
       family interface[:family]
       source "net:#{interface[:address]}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports "5043"
       source_ports "1024-65535"
     end
@@ -93,7 +93,7 @@ forwarders.sort_by { |n| n[:fqdn] }.each do |forwarder|
       family interface[:family]
       source "net:#{interface[:address]}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports "5044"
       source_ports "1024-65535"
     end
@@ -109,7 +109,7 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway|
       family interface[:family]
       source "net:#{interface[:address]}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports "5043"
       source_ports "1024-65535"
     end
@@ -119,7 +119,7 @@ gateways.sort_by { |n| n[:fqdn] }.each do |gateway|
       family interface[:family]
       source "net:#{interface[:address]}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports "5044"
       source_ports "1024-65535"
     end
diff --git a/cookbooks/munin/recipes/default.rb b/cookbooks/munin/recipes/default.rb
index 25b81a477dc670411ef263c0ce210bd3ac274005..c1233f9b9203804a9aafa4fe5e3f24a947b4c468 100644 (file)
--- a/cookbooks/munin/recipes/default.rb
+++ b/cookbooks/munin/recipes/default.rb
@@ -33,7 +33,7 @@ servers.each do |server|
       family interface[:family]
       source "net:#{interface[:address]}"
       dest "fw"
-      proto "tcp:syn"
+      proto "tcp"
       dest_ports "munin"
       source_ports "1024-65535"
     end
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 831d7ce84d714c74bfd7b23753e207f30fdf1588..799871963e100279457774c0e37be78f83ab4d1f 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -458,7 +458,7 @@ firewall_rule "accept-http" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
+  proto "tcp"
   dest_ports %w[http https]
   rate_limit node[:networking][:firewall][:http_rate_limit]
   connection_limit node[:networking][:firewall][:http_connection_limit]
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 63970e661cbc32fddb8ea337557d4e1b920c0f90..6e6c72585a84923ebf3c354e419f2be40a08045d 100644 (file)
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -69,10 +69,7 @@ action_class do
          when "inet6" then "ip6"
          end
 
-    proto = case new_resource.proto
-            when "udp" then "udp"
-            when "tcp", "tcp:syn" then "tcp"
-            end
+    proto = new_resource.proto
 
     if new_resource.source_ports
       rule << "#{proto} sport { #{nftables_source_ports} }"
@@ -98,9 +95,7 @@ action_class do
       rule << "#{ip} daddr { #{addresses} }"
     end
 
-    if new_resource.proto == "tcp:syn"
-      rule << "ct state new"
-    end
+    rule << "ct state new" if new_resource.proto == "tcp"
 
     if new_resource.connection_limit != "-"
       set = "connlimit-#{new_resource.rule}-#{ip}"
diff --git a/cookbooks/openssh/recipes/default.rb b/cookbooks/openssh/recipes/default.rb
index 06a88e8b5613a9d8a31b353c2ef37f0b3e158f2e..6a299d22695dc7d9d2804e4fab876984a2e95a48 100644 (file)
--- a/cookbooks/openssh/recipes/default.rb
+++ b/cookbooks/openssh/recipes/default.rb
@@ -86,6 +86,6 @@ firewall_rule "accept-ssh" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
+  proto "tcp"
   dest_ports node[:openssh][:port]
 end
diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index 581c961ddd4709de25cad39b564eeacb18de921f..782f84aa3669dbfe7ff11c176a8a6535a8cb2b19 100644 (file)
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -74,7 +74,7 @@ action :create do
     action :accept
     source "osm"
     dest "fw"
-    proto "tcp:syn"
+    proto "tcp"
     dest_ports new_resource.port
     only_if { node[:prometheus][:mode] == "external" }
   end
diff --git a/cookbooks/rsyncd/recipes/default.rb b/cookbooks/rsyncd/recipes/default.rb
index 12131fc8313450bf8e0af1b29dd592dbfbfba429..bcc0046e467a03521466432778e44490f28ed442 100644 (file)
--- a/cookbooks/rsyncd/recipes/default.rb
+++ b/cookbooks/rsyncd/recipes/default.rb
@@ -79,7 +79,7 @@ firewall_rule "accept-rsync" do
   action :accept
   source "net"
   dest "fw"
-  proto "tcp:syn"
+  proto "tcp"
   dest_ports "rsync"
   source_ports "1024-65535"
 end
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.