* Allow custom chains to be present, other than the INPUT, FORWARD, OUTPUT default chains. * Adding missing endif * Require the packages to be installed first. * Test should use rules as key, not rule. * Making it a array list, instead of a dict. * convert rules to a list instead of a dict. * Only if policy is defined, include this statement. * Only ensure chains if not container :) * The chain is only ensured if we are not a container. * Do not run at all for containers.

7 년 전 · dd2d4cfe84
--- a/iptables/_rule.sls
+++ b/iptables/_rule.sls
@@ -57,4 +57,8 @@ iptables_{{ chain_name }}_{{ rule_name }}:
  - require_in:
    - iptables: iptables_{{ chain_name }}_policy
  {%- endif %}
  {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
  - require:
    - iptables: iptables_{{ chain_name }}{% if rule.family is defined %}_{{ rule.family }}{% endif %}
  {%- endif %}
  - save: True
--- a/iptables/rules.sls
+++ b/iptables/rules.sls
@@ -1,7 +1,30 @@
 {% from "iptables/map.jinja" import service with context %}
 {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}

 {%- for chain_name, chain in service.get('chain', {}).iteritems() %}

 iptables_{{ chain_name }}:
  iptables.chain_present:
    - family: ipv4
    - name: {{ chain_name }}
    - table: filter
    - require:
      - pkg: iptables_packages

 {%-   if grains.ipv6|default(False) and service.ipv6|default(True) %}
 iptables_{{ chain_name }}_ipv6:
  iptables.chain_present:
    - family: ipv6
    - name: {{ chain_name }}
    - table: filter
    - require:
      - pkg: iptables_packages
 {%-     if chain.policy is defined %}
    - require_in:
      - iptables: iptables_{{ chain_name }}_ipv6_policy
 {%-     endif  %}
 {%-   endif %}

 {%- if chain.policy is defined %}
 iptables_{{ chain_name }}_policy:
  iptables.set_policy:
@@ -9,6 +32,8 @@ iptables_{{ chain_name }}_policy:
    - chain: {{ chain_name }}
    - policy: {{ chain.policy }}
    - table: filter
    - require:
      - iptables: iptables_{{ chain_name }}

 {%-   if grains.ipv6|default(False) and service.ipv6|default(True) %}
 iptables_{{ chain_name }}_ipv6_policy:
@@ -17,6 +42,8 @@ iptables_{{ chain_name }}_ipv6_policy:
    - chain: {{ chain_name }}
    - policy: {{ chain.policy }}
    - table: filter
    - require:
      - iptables: iptables_{{ chain_name }}_ipv6
 {%-   endif %}
 {%- endif %}

@@ -41,3 +68,4 @@ iptables_{{ chain_name }}_ipv6_policy:
 {%- endfor %}

 {%- endfor %}
 {%- endif %}
--- a/tests/pillar/iptables_server.sls
+++ b/tests/pillar/iptables_server.sls
@@ -3,9 +3,8 @@ iptables:
    enabled: true
    chain:
      INPUT:
        rule:
          test:
            position: 1
        rules:
          - position: 1
            table: filter
            protocol: tcp
            destination_port: 8088