There is a way to manage tables in rules, but there is no way to
manage tables for chains when setting policy.
It looks like the pillar structure was bad from the beginning. To avoid
breaking backward compatibility, since the same chain names may occur in
different tables, it is proposed to check whether 'chain.policy' is a
map. If it is, specific policies are ensured for specific tables;
otherwise the 'filter' table is used as a fallback.
To ensure chains in specific tables, we iterate over all the rules in
each chain.
This hash is valid:
parameters:
  iptables:
    service:
      enabled: true
      chain:
        OUTPUT:
          policy: ACCEPT
        FORWARD:
          policy:
            - table: mangle
              policy: DROP
        INPUT:
          policy:
            - table: nat
              policy: ACCEPT
          rules:
            - jump: ACCEPT
              protocol: icmp
        POSTROUTING:
          rules:
            - jump: MASQUERADE
              protocol: icmp
              out_interface: ens3
              table: nat
Prod-Related: CEEMCP-12
Prod-Related: EME-313
Change-Id: Ib5ba97dad165d3ef2dec7e053b391ea36a996103
Closes: #2
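The policy resolution described in the message above, as an added Python example that is not the formula's own code. It follows the shape of the hash shown (a scalar policy falls back to 'filter'; a list of {table, policy} maps sets one policy per table), collects the tables a chain's rules reference so the chain can be ensured there, and renders the resulting `iptables -t <table> -P <chain> <policy>` commands. The function names and the SAMPLE_PILLAR are this example's own; the per-table set of built-in chains and the ACCEPT/DROP restriction on `-P` are taken from iptables itself.

```python
"""Resolve per-table chain policies from an iptables pillar.

Added example, not code from salt-formula-iptables. A scalar chain.policy
applies to the 'filter' table for backward compatibility; a list of
{table, policy} maps sets one policy per table. Tables referenced only by a
chain's rules are collected too, since the chain must be ensured there.
"""

DEFAULT_TABLE = "filter"

# 'iptables -P' accepts only ACCEPT or DROP on a built-in chain.
VALID_POLICIES = {"ACCEPT", "DROP"}

# Built-in chains per table; a policy can only be set on one of these.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# Constructed pillar (assumption), mirroring the hash in the commit message.
SAMPLE_PILLAR = {
    "parameters": {
        "iptables": {
            "service": {
                "enabled": True,
                "chain": {
                    "OUTPUT": {"policy": "ACCEPT"},
                    "FORWARD": {"policy": [{"table": "mangle", "policy": "DROP"}]},
                    "INPUT": {
                        "policy": [{"table": "nat", "policy": "ACCEPT"}],
                        "rules": [{"jump": "ACCEPT", "protocol": "icmp"}],
                    },
                    "POSTROUTING": {
                        "rules": [{"jump": "MASQUERADE", "protocol": "icmp",
                                   "out_interface": "ens3", "table": "nat"}],
                    },
                },
            }
        }
    }
}


def chain_policies(name, chain):
    """Return {table: policy} for one chain.

    A scalar policy is the old form and targets 'filter'; a list of maps
    carries an explicit table per entry (defaulting to 'filter' if omitted).
    """
    spec = chain.get("policy")
    if spec is None:
        return {}
    if isinstance(spec, str):
        entries = [{"table": DEFAULT_TABLE, "policy": spec}]
    elif isinstance(spec, list):
        entries = spec
    else:
        raise TypeError(f"{name}: policy must be a string or a list of maps")

    policies = {}
    for entry in entries:
        if not isinstance(entry, dict) or "policy" not in entry:
            raise ValueError(f"{name}: each policy entry needs a 'policy' key")
        table = entry.get("table", DEFAULT_TABLE)
        policy = str(entry["policy"]).upper()
        if policy not in VALID_POLICIES:
            raise ValueError(f"{name}: policy {policy!r} is not ACCEPT or DROP")
        if name not in BUILTIN_CHAINS.get(table, set()):
            raise ValueError(f"{name}: not a built-in chain of table {table!r}, "
                             "so no policy can be set on it")
        if table in policies:
            raise ValueError(f"{name}: policy for table {table!r} given twice")
        policies[table] = policy
    return policies


def chain_tables(name, chain):
    """Every table the chain must exist in: from its policies and its rules."""
    tables = set(chain_policies(name, chain))
    for rule in chain.get("rules", []):
        tables.add(rule.get("table", DEFAULT_TABLE))
    return sorted(tables)


def policy_commands(pillar, binary="iptables"):
    """Render the '-P' commands the resolved policies imply, in pillar order."""
    service = pillar["parameters"]["iptables"]["service"]
    if not service.get("enabled", False):
        return []
    commands = []
    for name, chain in service.get("chain", {}).items():
        for table, policy in chain_policies(name, chain or {}).items():
            commands.append(f"{binary} -t {table} -P {name} {policy}")
    return commands


if __name__ == "__main__":
    for cmd in policy_commands(SAMPLE_PILLAR):
        print(cmd)
```

The built-in chain check matters in practice: a policy entry for a chain that does not exist as a built-in in that table (FORWARD in nat, for instance) would make `iptables -P` fail at apply time, so rejecting it when the pillar is resolved surfaces the mistake before the state run. The `binary` argument is there so the same resolution can emit `ip6tables` commands when a family is selected.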
* add the option to specify the family per rule to support ipv6
* include policy updates for ipv6
* update documentation to mention ipv6
* Make ipv6 optional; remove spurious tabs from the readme.
* set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this service