This should work on buster

ab76d420 · m.pausch · 7ab9d286 · ab76d420 · ab76d420
Commit ab76d420 authored May 05, 2022 by m.pausch
--- a/resources/nftables.rb
+++ b/resources/nftables.rb
@@ -26,28 +26,6 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION

  action_class do
    include Sys::Helpers::Nftables
-
-    def lookup_or_create_service(name)
-      begin
-        nftables_service = Chef.run_context.resource_collection.find(service: name)
-      rescue
-        nftables_service = service name do
-          action :nothing
-        end
-      end
-      nftables_service
-    end
-
-    def lookup_or_create_rulesfile(name)
-      begin
-        nftables_file = Chef.run_context.resource_collection.find(file: name)
-      rescue
-        nftables_file = file name do
-          action :nothing
-        end
-      end
-      nftables_file
-    end
  end

  provides :nftables, os: 'linux', platform: %w(debian)
@@ -80,53 +58,38 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION

  action :install do
    # Ensure the package is installed
-    nft_pkg = package 'nftables' do
-      action :nothing
-    end
-    nft_pkg.run_action(:install)
-
-    with_run_context :root do
-      edit_resource('sys_nftables', new_resource.name) do
-        action :nothing
-        delayed_action :rebuild
-        forward_policy new_resource.forward_policy
-        output_policy new_resource.output_policy
-        input_policy new_resource.input_policy
-        table_ip_nat new_resource.table_ip_nat
-        table_ip6_nat new_resource.table_ip6_nat
-      end
+    package 'nftables' do
+      action :install
+      notifies :rebuild, "nftables[#{new_resource.name}]"
    end
  end

  action :rebuild do
    ensure_default_rules_exist(new_resource)

-    # this takes the commands in each hash entry and builds a rule file
-    nftables_file = lookup_or_create_rulesfile('/etc/nftables.conf')
-    nftables_file.content "#!/usr/sbin/nft -f\nflush ruleset\n#{build_rule_file(new_resource.rules)}"
-    nftables_file.run_action(:create)
+    file '/etc/nftables.conf' do
+      content "#!/usr/sbin/nft -f\nflush ruleset\n#{build_rule_file(new_resource.rules)}"
+      mode '0750'
+      owner 'root'
+      group 'root'
+      notifies :restart, 'service[nftables]'
+    end

    return if new_resource.action.include?(:disable)
-
-    nftables_service = lookup_or_create_service('nftables')
-    nftables_service.run_action(:enable)
-
-    if nftables_file.updated_by_last_action?
-      nftables_service.run_action(:restart)
-    else
-      nftables_service.run_action(:start)
+    service 'nftables' do
+      action [:enable, :start]
    end
  end

  action :restart do
-    nftables_service = lookup_or_create_service('nftables')
-    nftables_service.run_action(:restart)
+    service 'nftables' do
+      action :restart
+    end
  end

  action :disable do
-    nftables_service = lookup_or_create_service('nftables')
-    %i(disable stop).each do |a|
-      nftables_service.run_action(a)
+    service 'nftables' do
+      action [:disable, :stop]
    end
  end
 end
--- a/resources/nftables_rule.rb
+++ b/resources/nftables_rule.rb
@@ -122,7 +122,7 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION

    with_run_context :root do
      begin
-        edit_resource!('sys_nftables', new_resource.nftables_name) do |fw_rule|
+        edit_resource!('nftables', new_resource.nftables_name) do |fw_rule|
          r = rules.dup || {}
          r.merge!({
            fwr => fw_rule.position,