
Add support for external rules from meta _support services

pull/16/head
Bruno Binet 7 years ago
parent
commit
5cdedd8221
3 changed files with 16 additions and 2 deletions
  1. +1
    -1
      iptables/files/rules.v4
  2. +1
    -1
      iptables/files/rules.v6
  3. +14
    -0
      iptables/rules.sls

+ 1
- 1
iptables/files/rules.v4 View File

@@ -6,7 +6,7 @@
{%- endfor %}

{%- for chain_name, chain in chains.iteritems() %}
{%- for rule in chain.rules %}
{%- for rule in meta_rules + chain.rules %}
{%- if rule.get('table', 'filter').lower() == 'filter' and rule.get('family', 'ipv4') == 'ipv4' %}
{%- set r = {
'full': 'True',
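Review bot: Prepending `meta_rules` inside the `chains` loop on the new line means the rules collected from the `_support` services are rendered only when at least one chain is configured for the iptables service itself: with the `chains: {{ service.get('chain', {}) }}` default the outer loop has no iterations and every meta rule is silently dropped. Conversely, when several chains are configured each meta rule is visited once per chain, so unless the rule body that continues outside this hunk takes the chain from the rule itself rather than from `chain_name`, a meta rule is emitted once per configured chain. The same construct appears in the iptables/files/rules.v6 hunk. A less surprising shape is a separate loop over `meta_rules` keyed on the rule's own chain value, with a comment in the template stating which keys (`chain`, `table`, `family`) a `_support.iptables.rules` entry is expected to carry.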

+ 1
- 1
iptables/files/rules.v6 View File

@@ -6,7 +6,7 @@
{%- endfor %}

{%- for chain_name, chain in chains.iteritems() %}
{%- for rule in chain.rules %}
{%- for rule in meta_rules + chain.rules %}
{%- if rule.get('table', 'filter').lower() == 'filter' and rule.get('family', 'ipv4') == 'ipv6' %}
{%- set r = {
'full': 'True',

+ 14
- 0
iptables/rules.sls View File

@@ -2,6 +2,18 @@
{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}

{%- if grains.os_family == 'Debian' and service.get('provider') == "iptables-restore" %}

{%- set meta_rules = [] %}
{%- for service_name, service in pillar.items() %}
{%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}

{%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
{%- set grains_yaml = load_grains_file()|load_yaml %}
{%- set meta_rules = meta_rules + grains_yaml.iptables.rules %}

{%- endif %}
{%- endfor %}
/etc/iptables/rules.v4.tmp:
file.managed:
- source: salt://iptables/files/rules.v4
@@ -9,6 +21,7 @@
- makedirs: True
- defaults:
chains: {{ service.get('chain', {}) }}
meta_rules: {{ meta_rules }}
- require:
- pkg: iptables_packages
- file: /usr/share/netfilter-persistent/plugins.d/15-ip4tables
@@ -35,6 +48,7 @@ cp -a /etc/iptables/rules.v4 /etc/iptables/rules.v4.tmp:
- makedirs: True
- defaults:
chains: {{ service.get('chain', {}) }}
meta_rules: {{ meta_rules }}
- require:
- pkg: iptables_packages
- file: /usr/share/netfilter-persistent/plugins.d/25-ip6tables
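Review bot: The `{%- set meta_rules = meta_rules + grains_yaml.iptables.rules %}` inside the `for service_name, service in pillar.items()` loop does not survive the loop: Jinja2 scopes `set` assignments to the enclosing block, so the `meta_rules` passed to both `file.managed` defaults below stays `[]` and the meta rules never reach the templates. Salt's Jinja renderer enables the `do` extension, so mutating the list in place works, `{%- do meta_rules.extend(grains_yaml.get('iptables', {}).get('rules', [])) %}`, which also avoids an undefined-attribute render failure when a `meta/iptables.yml` lacks the `iptables.rules` key. The loop also calls `.get` on every top-level pillar value, which fails at render time for scalar or list pillar entries; guard it with `{%- if service is mapping and service.get('_support', {}).get('iptables', {}).get('enabled', False) %}`. Since the include path is built from pillar key names, a comment stating that `service_name` must be a plain directory name under the file roots would document the implicit contract, and the names `grains_fragment_file`/`grains_yaml` are misleading here because the fragment is looked up per pillar service, not via grains. `meta_rules: {{ meta_rules }}` interpolates the Python repr of a list of dicts into the sls YAML, so values containing quotes, colons or `None` may not round-trip; if the target Salt version provides the `yaml` or `json` filter, `{{ meta_rules | yaml }}` is the safer form.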
