add the option to specify the family per rule to support ipv6 (#3)
Closes: #2
* add the option to specify the family per rule to support ipv6
* include policy updates for ipv6
* update documentation to mention ipv6
* Make ipv6 optional; remove spurious tabs from the readme.
* set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this service
diff --git a/README.rst b/README.rst
index 5a046d8..5024293 100644
--- a/README.rst
+++ b/README.rst
@@ -22,6 +22,7 @@
parametetrs:
iptables:
service:
+ enabled: True
chain:
INPUT:
rules:
@@ -88,6 +89,24 @@
source_network: 192.168.1.0/24
jump: ACCEPT
+IPv6 is supported as well
+
+.. code-block:: yaml
+
+ parameters:
+ iptables:
+ service:
+ enabled: True
+ ipv6: True
+ chain:
+ INPUT:
+ rules:
+ - protocol: tcp
+ family: ipv6
+ destination_port: 22
+ source_network: 2001:DB8::/32
+ jump: ACCEPT
+
Read more
=========
diff --git a/iptables/_rule.sls b/iptables/_rule.sls
index e061306..1c658f7 100644
--- a/iptables/_rule.sls
+++ b/iptables/_rule.sls
@@ -11,6 +11,9 @@
{%- endif %}
- table: {{ rule.get('table', 'filter') }}
- chain: {{ chain_name }}
+ {%- if rule.family is defined %}
+ - family: {{ rule.family }}
+ {%- endif %}
{%- if rule.jump is defined %}
- jump: {{ rule.jump }}
{%- endif %}
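Review bot: The per-rule `family` added here is emitted whenever the pillar sets it, while the ipv6 policies and `ip6tables_flush` in rules.sls and service.sls are gated on `grains.ipv6|default(False) and service.ipv6|default(True)`; a pillar that sets `ipv6: False` but still carries a rule with `family: ipv6` would thus get that rule appended to ip6tables with no flush and no policy behind it, which is hard to spot on the host. If `service` is in scope in this included file, the same guard could wrap the family line; if it is not, the README should state on the `family` key that it is honoured regardless of the `ipv6` switch. A short comment above the block, `{#- family: ipv4 (default) or ipv6; handed straight to the iptables state #}`, would also help the next reader. The enclosing state definition starts outside the hunk.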
diff --git a/iptables/rules.sls b/iptables/rules.sls
index 6721712..1deb606 100644
--- a/iptables/rules.sls
+++ b/iptables/rules.sls
@@ -5,9 +5,19 @@
{%- if chain.policy is defined %}
iptables_{{ chain_name }}_policy:
iptables.set_policy:
+ - family: ipv4
- chain: {{ chain_name }}
- policy: {{ chain.policy }}
- table: filter
+
+{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
+iptables_{{ chain_name }}_ipv6_policy:
+ iptables.set_policy:
+ - family: ipv6
+ - chain: {{ chain_name }}
+ - policy: {{ chain.policy }}
+ - table: filter
+{%- endif %}
{%- endif %}
{%- for service_name, service in pillar.items() %}
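Review bot: The ipv6 gate `grains.ipv6|default(False) and service.ipv6|default(True)` is spelled out three times (here and twice in the service.sls hunk), so a later change to the default or to the grain test can drift between the policy states and the flush; binding it once per file, e.g. `{%- set ipv6_enabled = grains.ipv6|default(False) and service.ipv6|default(True) %}` and testing `{%- if ipv6_enabled %}`, keeps `iptables_*_ipv6_policy` and `ip6tables_flush` in lockstep. Note that `service` is used on the added `if` before the `for service_name, service in pillar.items()` loop on the last context line; if it is not bound earlier in the file (outside the hunk), a non-strict Undefined would make `default(True)` silently enable ipv6, so that binding is worth confirming. The default is also opt-out: any host carrying the `ipv6` grain gets its ip6tables filter chains flushed and their policies rewritten as soon as this version is applied, which the README example with `ipv6: True` does not make explicit; a sentence such as `ipv6 defaults to True; set it to False to leave ip6tables untouched on hosts that have IPv6` would avoid surprising operators. The enclosing loop over chains starts outside the hunk.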
diff --git a/iptables/service.sls b/iptables/service.sls
index c6b76f4..3d041a1 100644
--- a/iptables/service.sls
+++ b/iptables/service.sls
@@ -36,9 +36,28 @@
- table: filter
- require_in:
- iptables: iptables_flush
+
+{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
+iptables_{{ chain_name }}_ipv6_policy:
+ iptables.set_policy:
+ - chain: {{ chain_name }}
+ - family: ipv6
+ - policy: ACCEPT
+ - table: filter
+ - require_in:
+ - iptables: ip6tables_flush
+{%- endif %}
+
{%- endfor %}
iptables_flush:
iptables.flush
+{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
+ip6tables_flush:
+ iptables.flush:
+ - family: ipv6
+{%- endif %}
+
+
{%- endif %}