Refactor to allow both explicit position and append
diff --git a/iptables/_rule.sls b/iptables/_rule.sls
new file mode 100644
index 0000000..35068d0
--- /dev/null
+++ b/iptables/_rule.sls
@@ -0,0 +1,54 @@
+iptables_{{ chain_name }}_{{ rule_name }}:
+  {%- if rule.position is defined %}
+  iptables.insert:
+  - position: {{ rule.position }}
+  {%- else %}
+  iptables.append:
+  {%- if loop.index != 1 %}
+  - require:
+    - iptables: iptables_{{ chain_name }}_{{ loop.index - 1 }}
+  {%- endif %}
+  {%- endif %}
+  - table: {{ rule.get('table', 'filter') }}
+  - chain: {{ chain_name }}
+  {%- if rule.jump is defined %}
+  - jump: {{ rule.jump }}
+  {%- endif %}
+  {%- if rule.match is defined %}
+  - match: {{ rule.match }}
+  {%- endif %}
+  {%- if rule.connection_state is defined %}
+  - connstate: {{ rule.connection_state }}
+  {%- endif %}
+  {%- if rule.protocol is defined %}
+  - proto: {{ rule.protocol }}
+  {%- endif %}
+  {%- if rule.destination_port is defined %}
+  - dport: {{ rule.destination_port }}
+  {%- endif %}
+  {%- if rule.source_port is defined %}
+  - sport: {{ rule.source_port }}
+  {%- endif %}
+  {%- if rule.in_interface is defined %}
+  - in-interface: {{ rule.in_interface }}
+  {%- endif %}
+  {%- if rule.out_interface is defined %}
+  - out-interface: {{ rule.out_interface }}
+  {%- endif %}
+  {%- if rule.to_destination is defined %}
+  - to-destination: {{ rule.to_destination }}
+  {%- endif %}
+  {%- if rule.to_source is defined %}
+  - to-source: {{ rule.to_source }}
+  {%- endif %}
+  {%-  if rule.source_network is defined %}
+  - source: {{ rule.source_network }}
+  {%- endif %}
+  {%-  if rule.destination_network is defined %}
+  - destination: {{ rule.destination_network }}
+  {%- endif %}
+  {%- if chain.policy is defined %}
+  - require_in:
+    - iptables: iptables_{{ chain_name }}_policy
+  {%- endif %}
+  - save: True
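Review bot: The `require` built from `loop.index - 1` in the `iptables.append` branch only matches a real state ID when this template is included from the `rules` list loop, where `rule_name` is the loop index. The same file is also included from the `chain.get('rule', {})` dict loop in rules.sls, where IDs are named after the dict keys, so from the second entry on it would require `iptables_<chain>_<n>`, which probably does not exist, and the state run would fail on a missing requisite. For a firewall formula that can mean the chain is left partially applied. Consider having the caller state the dependency, for example guarding the block with `{%- if previous_rule is defined %}` and emitting `- iptables: iptables_{{ chain_name }}_{{ previous_rule }}`, with `previous_rule` set only in the list loop.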
diff --git a/iptables/rules.sls b/iptables/rules.sls
index 2d517b1..afc238b 100644
--- a/iptables/rules.sls
+++ b/iptables/rules.sls
@@ -10,61 +10,13 @@
     - table: filter
 {%- endif %}
 
+{%- for rule in chain.get('rules', []) %}
+{%- set rule_name = loop.index %}
+{% include "iptables/_rule.sls" %}
+{%- endfor %}
+
 {%- for rule_name, rule in chain.get('rule', {}).iteritems() %}
-
-iptables_{{ chain_name }}_{{ rule_name }}:
-  {%- if rule.position is defined %}
-  iptables.insert:
-  - position: {{ rule.position }}
-  {%- else %}
-  iptables.append:
-  {%- endif %}
-  {%- if rule.table is defined %}
-  - table: {{ rule.table }}
-  {%- endif %}
-  - chain: {{ chain_name }}
-  {%- if rule.jump is defined %}
-  - jump: {{ rule.jump }}
-  {%- endif %}
-  {%- if rule.match is defined %}
-  - match: {{ rule.match }}
-  {%- endif %}
-  {%- if rule.connection_state is defined %}
-  - connstate: {{ rule.connection_state }}
-  {%- endif %}
-  {%- if rule.protocol is defined %}
-  - proto: {{ rule.protocol }}
-  {%- endif %}
-  {%- if rule.destination_port is defined %}
-  - dport: {{ rule.destination_port }}
-  {%- endif %}
-  {%- if rule.source_port is defined %}
-  - sport: {{ rule.source_port }}
-  {%- endif %}
-  {%- if rule.in_interface is defined %}
-  - in-interface: {{ rule.in_interface }}
-  {%- endif %}
-  {%- if rule.out_interface is defined %}
-  - out-interface: {{ rule.out_interface }}
-  {%- endif %}
-  {%- if rule.to_destination is defined %}
-  - to-destination: {{ rule.to_destination }}
-  {%- endif %}
-  {%- if rule.to_source is defined %}
-  - to-source: {{ rule.to_source }}
-  {%- endif %}
-  {%-  if rule.source_network is defined %}
-  - source: {{ rule.source_network }}
-  {%- endif %}
-  {%-  if rule.destination_network is defined %}
-  - destination: {{ rule.destination_network }}
-  {%- endif %}
-  {%- if chain.policy is defined %}
-  - require_in:
-    - iptables: iptables_{{ chain_name }}_policy:
-  {%- endif %}
-  - save: True
-
+{% include "iptables/_rule.sls" %}
 {%- endfor %}
 
 {%- endfor %}
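Review bot: Setting `rule_name = loop.index` in the new `rules` loop gives list entries the IDs `iptables_<chain>_1`, `_2`, and so on, in the same namespace as the keys of the existing `rule` dict. A chain that defines both, with a numeric key in the dict, would render two states with the same ID. A distinct prefix for list entries avoids that, e.g. `{%- set rule_name = 'rule_' ~ loop.index %}`, with the `require` in `_rule.sls` built from the same name. Appended rules from the dict loop also still have no `require` chain, so their relative order follows dict iteration order; since rule order decides which packets are accepted or dropped, it is worth a comment that only `rules` guarantees order. The enclosing per-chain loop starts above this hunk, so how `chain_name` is set is not visible here.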