Avoid dropping third party tables when stopping an nftables firewall
authorTom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 4 Mar 2023 14:58:19 +0000 (14:58 +0000)
cookbooks/networking/recipes/default.rb
cookbooks/networking/templates/default/nftables.conf.erb

index a299a67cdd2adec0d37bc98cc7b76b54be0fe46a..427cd794ae1063595f422b68f1cce1ede11df408 100644 (file)
@@ -690,6 +690,19 @@ elsif node[:networking][:firewall][:engine] == "nftables"
     notifies :restart, "service[nftables]"
   end
 
+  stop_commands = [
+    "/usr/sbin/nft delete table inet filter"
+  ]
+
+  stop_commands << "/usr/sbin/nft delete table ip nat" if node[:roles].include?("gateway")
+
+  systemd_service "nftables-stop" do
+    service "nftables"
+    dropin "stop"
+    exec_reload ""
+    exec_stop stop_commands
+  end
+
   if node[:networking][:firewall][:enabled]
     service "nftables" do
       action [:enable, :start]
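Review bot: `exec_stop stop_commands` only replaces the packaged unit's stop command if the rendered drop-in resets the list with an empty `ExecStop=` line first; in a systemd drop-in `ExecStop=cmd` otherwise appends, so the stock `nft flush ruleset` would still run ahead of the two deletes and the third-party tables would be dropped anyway. Whether the `systemd_service` resource emits that reset is not visible here, so it is worth confirming with `systemctl cat nftables` after a converge (the `exec_reload ""` on the line above presumably relies on the same reset to disable reload). `nft delete table` also exits non-zero when the table is absent, e.g. a stop after a failed start, which leaves the unit in a failed state; prefixing the commands with `-` (`"-/usr/sbin/nft delete table inet filter"`) tells systemd to ignore that exit status. The enclosing `elsif` branch starts and ends outside the hunk.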
index 65d090db31d3cd6ed2b19b3ded337c516402e745..7f0b1e17e6bb68135d73ce48bc4d80c9a068de20 100644 (file)
@@ -5,8 +5,6 @@ define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
 define ip-private-addresses = { 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
 define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }
 
-flush ruleset
-
 table inet filter {
   set ip-osm-addresses {
     type ipv4_addr
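Review bot: With `flush ruleset` gone this file is no longer idempotent on its own: loading it into a live ruleset with `nft -f` (by hand, or through the unit's default `ExecReload`) merges into the existing `inet filter` table and appends a second copy of every rule, so correctness now depends on the stop drop-in in the recipe deleting the table first. To keep the file self-contained while still leaving other tables alone, declare and flush only this table ahead of the definition, `table inet filter` followed by `flush table inet filter` (and likewise for `ip nat` on gateways); that is a no-op on a fresh ruleset and replaces the rules on a live one. Note that `flush table` empties chains and sets but does not remove chains themselves, so a chain dropped from the template would linger until a full restart. Either way a comment at the top of the file should record the decision, e.g. `# No "flush ruleset": tables owned by other services must survive; our tables are removed by the nftables-stop drop-in before a restart`.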