Fix iptables insert vs. append, enhance iptables disabling
diff --git a/iptables/rules.sls b/iptables/rules.sls
new file mode 100644
index 0000000..2d517b1
--- /dev/null
+++ b/iptables/rules.sls
@@ -0,0 +1,70 @@
+{% from "iptables/map.jinja" import service with context %}
+
+{%- for chain_name, chain in service.get('chain', {}).iteritems() %}
+
+{%- if chain.policy is defined %}
+iptables_{{ chain_name }}_policy:
+ iptables.set_policy:
+ - chain: {{ chain_name }}
+ - policy: {{ chain.policy }}
+ - table: filter
+{%- endif %}
+
+{%- for rule_name, rule in chain.get('rule', {}).iteritems() %}
+
+iptables_{{ chain_name }}_{{ rule_name }}:
+ {%- if rule.position is defined %}
+ iptables.insert:
+ - position: {{ rule.position }}
+ {%- else %}
+ iptables.append:
+ {%- endif %}
+ {%- if rule.table is defined %}
+ - table: {{ rule.table }}
+ {%- endif %}
+ - chain: {{ chain_name }}
+ {%- if rule.jump is defined %}
+ - jump: {{ rule.jump }}
+ {%- endif %}
+ {%- if rule.match is defined %}
+ - match: {{ rule.match }}
+ {%- endif %}
+ {%- if rule.connection_state is defined %}
+ - connstate: {{ rule.connection_state }}
+ {%- endif %}
+ {%- if rule.protocol is defined %}
+ - proto: {{ rule.protocol }}
+ {%- endif %}
+ {%- if rule.destination_port is defined %}
+ - dport: {{ rule.destination_port }}
+ {%- endif %}
+ {%- if rule.source_port is defined %}
+ - sport: {{ rule.source_port }}
+ {%- endif %}
+ {%- if rule.in_interface is defined %}
+ - in-interface: {{ rule.in_interface }}
+ {%- endif %}
+ {%- if rule.out_interface is defined %}
+ - out-interface: {{ rule.out_interface }}
+ {%- endif %}
+ {%- if rule.to_destination is defined %}
+ - to-destination: {{ rule.to_destination }}
+ {%- endif %}
+ {%- if rule.to_source is defined %}
+ - to-source: {{ rule.to_source }}
+ {%- endif %}
+ {%- if rule.source_network is defined %}
+ - source: {{ rule.source_network }}
+ {%- endif %}
+ {%- if rule.destination_network is defined %}
+ - destination: {{ rule.destination_network }}
+ {%- endif %}
+ {%- if chain.policy is defined %}
+ - require_in:
+ - iptables: iptables_{{ chain_name }}_policy:
+ {%- endif %}
+ - save: True
+
+{%- endfor %}
+
+{%- endfor %}
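Review bot: The `require_in` target `- iptables: iptables_{{ chain_name }}_policy:` carries a trailing colon; once rendered that is a nested mapping on the same line as its key, which PyYAML-based loaders normally reject ("mapping values are not allowed here"), so every rule in any chain that declares a `policy` would most likely fail to render — drop the colon: `- iptables: iptables_{{ chain_name }}_policy`. The typo is inherited from the code being moved, so fixing it here is a correction rather than a regression. Separately, rules without `position` are appended in pillar-dict iteration order, which `iteritems()` does not guarantee, so two appended rules whose relative order matters (an ACCEPT before a DROP/REJECT in the same chain) can land either way across renders; a header comment such as `# NOTE: appended rules have no defined order — set `position` when ordering matters` would warn formula users. Nothing in this file sets `family`, so it appears to manage only IPv4 and leaves ip6tables untouched; that deserves a comment as well.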
diff --git a/iptables/service.sls b/iptables/service.sls
index 384bd35..75d47ef 100644
--- a/iptables/service.sls
+++ b/iptables/service.sls
@@ -1,6 +1,9 @@
{% from "iptables/map.jinja" import service with context %}
-{%- if pillar.iptables.service.enabled %}
+{%- if service.enabled %}
+
+include:
+ - iptables.rules
iptables_packages:
pkg.installed:
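Review bot: Moving the rule states into `include: - iptables.rules` appears to reverse their ordering relative to package installation: with Salt's default auto-ordering, states from an included SLS are placed before the states of the including file, so the rules and policies would now run before `iptables_packages` is installed, whereas the old inline layout ran them afterwards. On a fresh minion the first run could then fail for lack of the iptables binary and leave a partially applied ruleset. Add `- require: - pkg: iptables_packages` to the policy and rule states in rules.sls so the dependency is explicit rather than positional. This hunk shows only the top of the `service.enabled` branch; the rest of it continues below.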
@@ -14,73 +17,6 @@
- require:
- pkg: iptables_packages
-{%- for chain_name, chain in service.get('chain', {}).iteritems() %}
-
-{%- if chain.policy is defined %}
-iptables_{{ chain_name }}_policy:
- iptables.set_policy:
- - chain: {{ chain_name }}
- - policy: {{ chain.policy }}
- - table: filter
-{%- endif %}
-
-{%- for rule_name, rule in chain.get('rule', {}).iteritems() %}
-
-iptables_{{ chain_name }}_{{ rule_name }}:
- iptables.insert:
- {%- if rule.position is defined %}
- - position: {{ rule.position }}
- {%- endif %}
- {%- if rule.table is defined %}
- - table: {{ rule.table }}
- {%- endif %}
- - chain: {{ chain_name }}
- {%- if rule.jump is defined %}
- - jump: {{ rule.jump }}
- {%- endif %}
- {%- if rule.match is defined %}
- - match: {{ rule.match }}
- {%- endif %}
- {%- if rule.connection_state is defined %}
- - connstate: {{ rule.connection_state }}
- {%- endif %}
- {%- if rule.protocol is defined %}
- - proto: {{ rule.protocol }}
- {%- endif %}
- {%- if rule.destination_port is defined %}
- - dport: {{ rule.destination_port }}
- {%- endif %}
- {%- if rule.source_port is defined %}
- - sport: {{ rule.source_port }}
- {%- endif %}
- {%- if rule.in_interface is defined %}
- - in-interface: {{ rule.in_interface }}
- {%- endif %}
- {%- if rule.out_interface is defined %}
- - out-interface: {{ rule.out_interface }}
- {%- endif %}
- {%- if rule.to_destination is defined %}
- - to-destination: {{ rule.to_destination }}
- {%- endif %}
- {%- if rule.to_source is defined %}
- - to-source: {{ rule.to_source }}
- {%- endif %}
- {%- if rule.source_network is defined %}
- - source: {{ rule.source_network }}
- {%- endif %}
- {%- if rule.destination_network is defined %}
- - destination: {{ rule.destination_network }}
- {%- endif %}
- {%- if chain.policy is defined %}
- - require_in:
- - iptables: iptables_{{ chain_name }}_policy:
- {%- endif %}
- - save: True
-
-{%- endfor %}
-
-{%- endfor %}
-
{%- else %}
iptables_services:
@@ -88,4 +24,17 @@
- enable: false
- name: {{ service.service }}
+{%- for chain_name in ['INPUT', 'OUTPUT', 'FORWARD'] %}
+iptables_{{ chain_name }}_policy:
+ iptables.set_policy:
+ - chain: {{ chain_name }}
+ - policy: ACCEPT
+ - table: filter
+ - require_in:
+ - iptables: iptables_flush
+{%- endfor %}
+
+iptables_flush:
+ iptables.flush
+
{%- endif %}
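Review bot: The disable path only resets the `filter` table: the three chains get an ACCEPT policy and `iptables.flush` with no arguments flushes only the default table, so rules that rules.sls may have created in other tables via `rule.table` (nat, mangle, raw) survive disabling. Add a flush state per table the formula can write to, e.g. a second `iptables.flush` with `- table: nat`, and spell out `- table: filter` on the existing one so the scope is explicit. The ACCEPT-before-flush ordering via `require_in` is the right way round (flushing while a chain policy is DROP would lock the host out), but nothing here touches the ruleset that `save: True` persisted on the enabled path, so the saved file presumably still holds the old rules and would be reloaded if the service were ever re-enabled — worth a comment at minimum.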