From: Tom Hughes Date: Mon, 11 Jul 2022 07:42:52 +0000 (+0100) Subject: Update shorewall to use snat configuration file instead of masq X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/ed505da4d7553ab26bda2169bec0b08ee76cfd1f Update shorewall to use snat configuration file instead of masq
---
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 3a30f20f9..162e0c3a8 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -512,16 +512,24 @@ if node[:networking][:wireguard][:enabled]
   end
 end
 
+file "/etc/shorewall/masq" do
+  action :delete
+end
+
+file "/etc/shorewall/masq.bak" do
+  action :delete
+end
+
 if node[:roles].include?("gateway")
-  template "/etc/shorewall/masq" do
-    source "shorewall-masq.erb"
+  template "/etc/shorewall/snat" do
+    source "shorewall-snat.erb"
     owner "root"
     group "root"
     mode "644"
     notifies :restart, "service[shorewall]"
   end
 else
-  file "/etc/shorewall/masq" do
+  file "/etc/shorewall/snat" do
     action :delete
     notifies :restart, "service[shorewall]"
   end
diff --git a/cookbooks/networking/templates/default/shorewall-masq.erb b/cookbooks/networking/templates/default/shorewall-masq.erb
deleted file mode 100644
index 856f60e56..000000000
--- a/cookbooks/networking/templates/default/shorewall-masq.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-# DO NOT EDIT - This file is being maintained by Chef
-
-# INTERFACE SOURCE ADDRESS
-<% node.interfaces(:role => :external).each do |external| -%>
-<% node.interfaces(:role => :internal).each do |internal| -%>
-<%= external[:interface] %> <%= internal[:network] %>/<%= internal[:prefix] %> detect
-<% end -%>
-<% end -%>
diff --git a/cookbooks/networking/templates/default/shorewall-snat.erb b/cookbooks/networking/templates/default/shorewall-snat.erb
new file mode 100644
index 000000000..59c6da61a
--- /dev/null
+++ b/cookbooks/networking/templates/default/shorewall-snat.erb
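Review bot: The unconditional `file "/etc/shorewall/masq"` delete at the top of the hunk carries no `notifies :restart, "service[shorewall]"`, unlike the `snat` delete in the else branch that replaces the old masq delete, so removing a leftover masq file on its own never restarts shorewall; on a gateway whose snat file is already converged, whatever Shorewall last compiled from the masq file presumably stays loaded until something else restarts the service. Adding `notifies :restart, "service[shorewall]"` to that resource (the line the else branch already has) keeps the two cleanup paths consistent. The `masq.bak` delete looks like cleanup of a file left behind by an earlier conversion step, which the commit message does not mention; a one-line comment above it such as `# Remove the old masq file and any backup left by a prior masq-to-snat conversion` would spare the next reader the guess. The two delete resources could also be written as one `%w[/etc/shorewall/masq /etc/shorewall/masq.bak].each` loop, but that is taste.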
@@ -0,0 +1,8 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+# ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
+<% node.interfaces(:role => :external).each do |external| -%>
+<% node.interfaces(:role => :internal).each do |internal| -%>
+SNAT(detect) <%= internal[:network] %>/<%= internal[:prefix] %> <%= external[:interface] %>
+<% end -%>
+<% end -%>
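Review bot: The column header on line 3 is the only documentation of what this new template emits, and the nested loops deserve a why-comment: a line such as `# One SNAT rule per (internal network, external interface) pair; an empty file is rendered when no interface carries the internal role` placed above the first `<% ... each` makes the intent explicit and records that a gateway with no internal interfaces ends up with no SNAT rules at all, which is worth knowing when debugging missing NAT rather than a template error. As a point of style, the ERB still uses hash-rocket keyword syntax, `node.interfaces(:role => :external)` and `node.interfaces(:role => :internal)`, where the recipe-side convention is the symbol-key shorthand `node.interfaces(role: :external)`.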