modify nodes and bundles for new nftables syntax

2021-06-03 13:59:15 +02:00 · 2021-06-03 13:59:15 +02:00 · d569b00960
commit d569b00960
parent ecb67d012b
30 changed files with 172 additions and 126 deletions
--- a/bundles/dhcpd/metadata.py
+++ b/bundles/dhcpd/metadata.py
@ -37,18 +37,20 @@ def get_static_allocations(metadata):


@metadata_reactor.provides(
-    'iptables/bundle_rules/dhcpd',
+    'nftables/rules/input/dhcpd',
 )
-def iptables(metadata):
+def nftables(metadata):
    rules = set()
-    for subnet in node.metadata.get('dhcpd/subnets', {}):
-        rules.add('iptables -A INPUT -i {} -p udp --dport 67:68 -j ACCEPT'.format(subnet))
+    for iface in node.metadata.get('dhcpd/subnets', {}):
+        rules.add(f'udp dport {{ 67, 68 }} iif {iface} accept')

    return {
-        'iptables': {
-            'bundle_rules': {
-                # can't use port_rules here, because we're generating interface based rules.
-                'dhcpd': sorted(list(rules)),
+        'nftables': {
+            'rules': {
+                'input': {
+                    # can't use port_rules here, because we're generating interface based rules.
+                    'dhcpd': sorted(rules),
+                },
            },
        }
    }