
Make ipv6 optional; remove spurious tabs from the readme.

pull/3/head
Dennis van Dok 8 years ago
parent
commit
396b23998f
3 changed files with 14 additions and 3 deletions
  1. +6
    -3
      README.rst
  2. +2
    -0
      iptables/rules.sls
  3. +6
    -0
      iptables/service.sls

+ 6
- 3
README.rst View File

@@ -22,6 +22,7 @@ ping
parametetrs:
iptables:
service:
enabled: True
chain:
INPUT:
rules:
@@ -89,21 +90,23 @@ Allow access from local network
jump: ACCEPT

IPv6 is supported as well
.. code-block:: yaml

parameters:
iptables:
service:
enabled: True
ipv6: True
chain:
INPUT:
rules:
- protocol: tcp
family: ipv6
family: ipv6
destination_port: 22
source_network: 2001:DB8::/32
jump: ACCEPT
Read more
=========


+ 2
- 0
iptables/rules.sls View File

@@ -10,12 +10,14 @@ iptables_{{ chain_name }}_policy:
- policy: {{ chain.policy }}
- table: filter

{%- if service.ipv6 %}
iptables_{{ chain_name }}_ipv6_policy:
iptables.set_policy:
- family: ipv6
- chain: {{ chain_name }}
- policy: {{ chain.policy }}
- table: filter
{%- endif %}
{%- endif %}

{%- for service_name, service in pillar.items() %}
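Review bot: With `{%- if service.ipv6 %}` an unset pillar key is falsy, so every minion whose pillar does not define `ipv6` stops getting the `iptables_{{ chain_name }}_ipv6_policy` state that was rendered unconditionally before this change. On a host with an active IPv6 stack, that leaves the ip6tables chain policy unmanaged while the IPv4 policy is still enforced. Unless a default is set elsewhere (for example in the formula's map file, which is not visible here), consider keeping the old behaviour as the default with `{%- if service.get('ipv6', True) %}`, or state the new default explicitly in the README. The same guard appears twice in iptables/service.sls, and the enclosing chain loop starts outside this hunk.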

+ 6
- 0
iptables/service.sls View File

@@ -37,6 +37,7 @@ iptables_{{ chain_name }}_policy:
- require_in:
- iptables: iptables_flush

{%- if service.ipv6 %}
iptables_{{ chain_name }}_ipv6_policy:
iptables.set_policy:
- chain: {{ chain_name }}
@@ -45,13 +46,18 @@ iptables_{{ chain_name }}_ipv6_policy:
- table: filter
- require_in:
- iptables: ip6tables_flush
{%- endif %}

{%- endfor %}

iptables_flush:
iptables.flush

{%- if service.ipv6 %}
ip6tables_flush:
iptables.flush:
- family: ipv6
{%- endif %}


{%- endif %}
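Review bot: `ip6tables_flush` now exists only when `service.ipv6` is set, but the visible guards cover only the policy state that names it in `require_in`. Rules declared with `family: ipv6` (as in the README example) are rendered elsewhere. If their states also reference `ip6tables_flush`, a pillar with such rules but no `ipv6: True` would presumably fail on a missing requisite, or apply v6 rules without a v6 policy. I would add a comment above the guard, `{#- ipv6 rules in pillar need service.ipv6: True; otherwise ip6tables is left unmanaged #}`, and check that the rule template applies the same condition. The outer `{%- if %}` closed on the last line opens outside the hunk.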
