
Allow custom chains to be present (#12)

* Allow custom chains to be present, other than the INPUT, FORWARD, OUTPUT default chains.

* Adding missing endif

* Require the packages to be installed first.

* Test should use rules as key, not rule.

* Making it an array list, instead of a dict.

* convert rules to a list instead of a dict.

* Only if policy is defined, include this statement.

* Only ensure chains if not container :)

* The chain is only ensured if we are not a container.

* Do not run at all for containers.
Michel Nederlof 7 years ago
parent
commit
dd2d4cfe84
3 changed files with 34 additions and 3 deletions
  1. +4
    -0
      iptables/_rule.sls
  2. +28
    -0
      iptables/rules.sls
  3. +2
    -3
      tests/pillar/iptables_server.sls

+ 4
- 0
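--- a/iptables/_rule.sls
+++ b/iptables/_rule.sls
 - require_in:
 - iptables: iptables_{{ chain_name }}_policy
 {%- endif %}
+{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
+- require:
+- iptables: iptables_{{ chain_name }}{% if rule.family is defined %}_{{ rule.family }}{% endif %}
+{%- endif %}
 - save: True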
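Review bot: The new `require` builds its target id as `iptables_{{ chain_name }}_{{ rule.family }}` whenever `rule.family` is defined, but the chain states introduced in rules.sls are ided `iptables_{{ chain_name }}` for ipv4 and `iptables_{{ chain_name }}_ipv6` for ipv6, so a rule that explicitly sets `family: ipv4` would reference a state id that does not exist and the highstate would fail on that rule. Unless the rest of _rule.sls normalises the family before this point (the enclosing state starts outside this hunk), the suffix should only be appended for ipv6: `- iptables: iptables_{{ chain_name }}{% if rule.family is defined and rule.family == 'ipv6' %}_ipv6{% endif %}`. The container check `grains.get('virtual_subtype', None) not in ['Docker', 'LXC']` is now duplicated here and at the top of rules.sls; computing it once in map.jinja and reusing the result keeps the two guards from drifting apart.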

+ 28
- 0
iptables/rules.sls View File

{% from "iptables/map.jinja" import service with context %} {% from "iptables/map.jinja" import service with context %}
{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}


{%- for chain_name, chain in service.get('chain', {}).iteritems() %} {%- for chain_name, chain in service.get('chain', {}).iteritems() %}


iptables_{{ chain_name }}:
iptables.chain_present:
- family: ipv4
- name: {{ chain_name }}
- table: filter
- require:
- pkg: iptables_packages

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ chain_name }}_ipv6:
iptables.chain_present:
- family: ipv6
- name: {{ chain_name }}
- table: filter
- require:
- pkg: iptables_packages
{%- if chain.policy is defined %}
- require_in:
- iptables: iptables_{{ chain_name }}_ipv6_policy
{%- endif %}
{%- endif %}

{%- if chain.policy is defined %} {%- if chain.policy is defined %}
iptables_{{ chain_name }}_policy: iptables_{{ chain_name }}_policy:
iptables.set_policy: iptables.set_policy:
- chain: {{ chain_name }} - chain: {{ chain_name }}
- policy: {{ chain.policy }} - policy: {{ chain.policy }}
- table: filter - table: filter
- require:
- iptables: iptables_{{ chain_name }}


{%- if grains.ipv6|default(False) and service.ipv6|default(True) %} {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ chain_name }}_ipv6_policy: iptables_{{ chain_name }}_ipv6_policy:
- chain: {{ chain_name }} - chain: {{ chain_name }}
- policy: {{ chain.policy }} - policy: {{ chain.policy }}
- table: filter - table: filter
- require:
- iptables: iptables_{{ chain_name }}_ipv6
{%- endif %} {%- endif %}
{%- endif %} {%- endif %}


{%- endfor %} {%- endfor %}


{%- endfor %} {%- endfor %}
{%- endif %}
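Review bot: The new `chain_present` states at the top of the hunk hard-code `table: filter`, so a custom chain intended for another table (nat, mangle) would be created in filter and any rule that later names it together with its own table would fail; if the chain pillar is meant to carry a table, `- table: {{ chain.get('table', 'filter') }}` keeps today's default while allowing it. The ipv6 chain state also declares `require_in: iptables_{{ chain_name }}_ipv6_policy` while the policy state below declares the matching `require: iptables_{{ chain_name }}_ipv6`; one direction is enough, and dropping the `require_in` block makes the ipv6 branch mirror the ipv4 one. With the `{%- if ... %}` / `{%- endif %}` now wrapping the whole file, Docker and LXC minions no longer have chain policies set either, which matches the commit message but should be stated in the README so operators do not expect the pillar `policy` to be enforced inside containers.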

+ 2
- 3
tests/pillar/iptables_server.sls View File

enabled: true enabled: true
chain: chain:
INPUT: INPUT:
rule:
test:
position: 1
rules:
- position: 1
table: filter table: filter
protocol: tcp protocol: tcp
destination_port: 8088 destination_port: 8088
