Add tools to block and unblock addresses

diff --git a/cookbooks/networking/templates/default/nftables.erb b/cookbooks/networking/templates/default/nftables.erb
index 82064d7f5454e6b21c3940a381f41bce3c643426..c9ac8972ea3a1cf2b11ef6d7676a99d0cbb92422 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.erb
+++ b/cookbooks/networking/templates/default/nftables.erb
@@ -20,10 +20,35 @@ reload() {
   start
 }
 
-case "$1" in
+block() {
+  for address in "$@"
+  do
+    case "$address" in
+      *.*) /usr/sbin/nft add element inet chef-filter ip-blocklist "{ $address }";;
+      *:*) /usr/sbin/nft add element inet chef-filter ip6-blocklist "{ $address }";;
+    esac
+  done
+}
+
+unblock() {
+  for address in "$@"
+  do
+    case "$address" in
+      *.*) /usr/sbin/nft delete element inet chef-filter ip-blocklist "{ $address }";;
+      *:*) /usr/sbin/nft delete element inet chef-filter ip6-blocklist "{ $address }";;
+    esac
+  done
+}
+
+command=$1
+shift
+
+case "$command" in
   start) start;;
   stop) stop;;
   reload) reload;;
+  block) block "$@";;
+  unblock) unblock "$@";;
 esac
 
 exit 0