Commit ab76d420 authored by m.pausch's avatar m.pausch

This should work on buster

parent 7ab9d286
...@@ -26,28 +26,6 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION ...@@ -26,28 +26,6 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION
action_class do action_class do
include Sys::Helpers::Nftables include Sys::Helpers::Nftables
def lookup_or_create_service(name)
begin
nftables_service = Chef.run_context.resource_collection.find(service: name)
rescue
nftables_service = service name do
action :nothing
end
end
nftables_service
end
def lookup_or_create_rulesfile(name)
begin
nftables_file = Chef.run_context.resource_collection.find(file: name)
rescue
nftables_file = file name do
action :nothing
end
end
nftables_file
end
end end
provides :nftables, os: 'linux', platform: %w(debian) provides :nftables, os: 'linux', platform: %w(debian)
...@@ -80,53 +58,38 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION ...@@ -80,53 +58,38 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION
action :install do action :install do
# Ensure the package is installed # Ensure the package is installed
nft_pkg = package 'nftables' do package 'nftables' do
action :nothing action :install
end notifies :rebuild, "nftables[#{new_resource.name}]"
nft_pkg.run_action(:install)
with_run_context :root do
edit_resource('sys_nftables', new_resource.name) do
action :nothing
delayed_action :rebuild
forward_policy new_resource.forward_policy
output_policy new_resource.output_policy
input_policy new_resource.input_policy
table_ip_nat new_resource.table_ip_nat
table_ip6_nat new_resource.table_ip6_nat
end
end end
end end
action :rebuild do action :rebuild do
ensure_default_rules_exist(new_resource) ensure_default_rules_exist(new_resource)
# this takes the commands in each hash entry and builds a rule file file '/etc/nftables.conf' do
nftables_file = lookup_or_create_rulesfile('/etc/nftables.conf') content "#!/usr/sbin/nft -f\nflush ruleset\n#{build_rule_file(new_resource.rules)}"
nftables_file.content "#!/usr/sbin/nft -f\nflush ruleset\n#{build_rule_file(new_resource.rules)}" mode '0750'
nftables_file.run_action(:create) owner 'root'
group 'root'
notifies :restart, 'service[nftables]'
end
return if new_resource.action.include?(:disable) return if new_resource.action.include?(:disable)
service 'nftables' do
nftables_service = lookup_or_create_service('nftables') action [:enable, :start]
nftables_service.run_action(:enable)
if nftables_file.updated_by_last_action?
nftables_service.run_action(:restart)
else
nftables_service.run_action(:start)
end end
end end
action :restart do action :restart do
nftables_service = lookup_or_create_service('nftables') service 'nftables' do
nftables_service.run_action(:restart) action :restart
end
end end
action :disable do action :disable do
nftables_service = lookup_or_create_service('nftables') service 'nftables' do
%i(disable stop).each do |a| action [:disable, :stop]
nftables_service.run_action(a)
end end
end end
end end
...@@ -122,7 +122,7 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION ...@@ -122,7 +122,7 @@ if Gem::Requirement.new('>= 12.15').satisfied_by?(Gem::Version.new(Chef::VERSION
with_run_context :root do with_run_context :root do
begin begin
edit_resource!('sys_nftables', new_resource.nftables_name) do |fw_rule| edit_resource!('nftables', new_resource.nftables_name) do |fw_rule|
r = rules.dup || {} r = rules.dup || {}
r.merge!({ r.merge!({
fwr => fw_rule.position, fwr => fw_rule.position,
......
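Review bot: In the :install action of the second hunk, the package resource's `notifies :rebuild, "nftables[#{new_resource.name}]"` only fires on the run that actually installs the package, whereas the removed `delayed_action :rebuild` ran on every run; unless callers also pass :rebuild explicitly, a later change to the rule set is no longer written to /etc/nftables.conf or loaded, so the live firewall silently drifts from its definition. If every run is meant to converge the ruleset, keep an unconditional delayed rebuild in :install (as the removed `with_run_context :root` / `delayed_action :rebuild` block did) or document on the resource that `action %i(install rebuild)` is required. In :rebuild, `notifies :restart, 'service[nftables]'` on the file resource is delayed by default, while the old code restarted right after a changed file, so the loaded ruleset lags the file until the end of the run; `notifies :restart, 'service[nftables]', :immediately` keeps the old timing. When the caller's actions include :disable, the early `return` means `service 'nftables'` is never declared in this action, leaving that notification without a target, which Chef will presumably reject when it resolves notifications; moving the service declaration above the file resource and replacing the `return` with `action new_resource.action.include?(:disable) ? :nothing : [:enable, :start]` keeps the target present on both paths. The third hunk is truncated on the page, so its `edit_resource!('nftables', ...)` rename was only checked as far as the visible lines.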