
reloadable

master
Sean Johnson 1 year ago
parent
commit
522a93eac3
  1. 15
      fwrules/init.sls
  2. 4
      fwrules/templates/_restart.nft.j2
  3. 1
      fwrules/templates/fwrules.service.j2

15
fwrules/init.sls

@ -48,7 +48,16 @@ nftables firewall table: @@ -48,7 +48,16 @@ nftables firewall table:
- require:
- file: /etc/firewall/sets.nft
- file: /etc/firewall/chains.nft
- backup: minion
- check_cmd: /usr/sbin/nft -c -f
/etc/firewall/_restart.nft:
file.managed:
- source: salt://fwrules/templates/_restart.nft.j2
- mode: "0750"
- user: root
- group: root
- require:
- file: /etc/firewall/firewall.nft
- check_cmd: /usr/sbin/nft -c -f
/lib/systemd/system/fwrules.service:
@ -71,17 +80,15 @@ fwrules: @@ -71,17 +80,15 @@ fwrules:
service.running:
- name: fwrules
- enable: true
- full_restart: true
- reload: true
- watch:
- file: /lib/systemd/system/fwrules.service
- file: /etc/firewall/firewall.nft
{% if ("nft"|which) is not none %}
{{ "nft"|which }} -f /etc/firewall/firewall.nft:
cron.absent:
- user: root
- special: "@reboot"
{% endif %}
None -f /etc/firewall/firewall.nft:
cron.absent:
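Review bot: The `fwrules` service's `watch` list still names only the unit file and `/etc/firewall/firewall.nft`, while the reload path it now enables reads `/etc/firewall/_restart.nft`; a change to that file is never picked up and the dependency on it is implicit, so add `- file: /etc/firewall/_restart.nft` under `watch` (or at least under `require`). The new `check_cmd: /usr/sbin/nft -c -f` on `_restart.nft` validates a file whose first statement is `flush table inet firewall`; I would expect `nft -c` to reject that on a minion where the table does not exist yet (first highstate, before the service has ever started), so confirm the check passes on a fresh host or guard it accordingly. Also note the check hard-codes `/usr/sbin/nft` while the same hunk resolves the binary with `"nft"|which` everywhere else. The `cron.absent` state at the end of the second hunk continues outside it.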

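--- a/fwrules/templates/_restart.nft.j2
+++ b/fwrules/templates/_restart.nft.j2
@@ -0,0 +1,4 @@
+#!/usr/bin/env nft -f
+flush table inet firewall
+include "/etc/firewall/firewall.nft";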
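Review bot: The shebang `#!/usr/bin/env nft -f` on the first line does not work if the file is ever executed directly: on Linux the kernel hands everything after the interpreter path to `env` as a single argument, so `env` looks for a program literally named `nft -f`. Because the unit runs it as `nft -f /etc/firewall/_restart.nft`, nft treats the line as a comment and nothing breaks today, but together with `mode: "0750"` in init.sls it reads as if direct execution were intended; either write `#!/usr/sbin/nft -f` (or `#!/usr/bin/env -S nft -f` where env supports `-S`), or keep the line purely as documentation and drop the executable bit. I would also add a one-line comment above the flush, `# Reload: flush the live table and re-include firewall.nft, applied by nft -f as one transaction`, so a reader sees why the flush lives in this file rather than in the unit's ExecReload.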

1
fwrules/templates/fwrules.service.j2

@ -11,6 +11,7 @@ Type=oneshot @@ -11,6 +11,7 @@ Type=oneshot
RemainAfterExit=yes
ExecStart={{ "nft"|which }} -f /etc/firewall/firewall.nft
ExecStop={{ "nft"|which }} flush table inet firewall
ExecReload={{ "nft"|which }} -f /etc/firewall/_restart.nft
[Install]
WantedBy=multi-user.target
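Review bot: The new `ExecReload` line carries no explanation of what the reload does, and the behaviour is not obvious from the unit alone: `_restart.nft` flushes `table inet firewall` and re-includes `firewall.nft`, so `systemctl reload fwrules` is a full ruleset refresh rather than a no-op. Add `# reload: _restart.nft flushes table inet firewall and re-includes firewall.nft in one nft -f run` above `ExecReload`. It is also worth stating in that comment that reload only works while the oneshot unit is considered active, which here depends on `RemainAfterExit=yes`; if that line were removed later, `systemctl reload` would presumably fail because the unit is inactive.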