bundles/nftables: store rules in dedicated files instead of nftables.conf

2021-12-14 14:03:13 +01:00 · 2021-12-14 14:03:13 +01:00 · 0101e0c92d
commit 0101e0c92d
parent 1742f51778
11 changed files with 77 additions and 102 deletions
--- a/bundles/dhcpd/metadata.py
+++ b/bundles/dhcpd/metadata.py
@ -37,20 +37,18 @@ def get_static_allocations(metadata):


@metadata_reactor.provides(
-    'nftables/rules/input/dhcpd',
+    'nftables/rules/10-dhcpd',
 )
 def nftables(metadata):
    rules = set()
    for iface in node.metadata.get('dhcpd/subnets', {}):
-        rules.add(f'udp dport {{ 67, 68 }} iif {iface} accept')
+        rules.add(f'inet filter input udp dport {{ 67, 68 }} iif {iface} accept')

    return {
        'nftables': {
            'rules': {
-                'input': {
-                    # can't use port_rules here, because we're generating interface based rules.
-                    'dhcpd': sorted(rules),
-                },
+                # can't use port_rules here, because we're generating interface based rules.
+                '10-dhcpd': sorted(rules),
            },
        }
    }