Allow custom chains to be present (#12)
* Allow custom chains to be present, other than the INPUT, FORWARD, OUTPUT default chains.
* Adding missing endif
* Require the packages to be installed first.
* Test should use rules as key, not rule.
* Making it an array list, instead of a dict.
* convert rules to a list instead of a dict.
* Only if policy is defined, include this statement.
* Only ensure chains if not container :)
* The chain is only ensured if we are not a container.
* Do not run at all for containers.
diff --git a/iptables/_rule.sls b/iptables/_rule.sls
index 1c658f7..ebce336 100644
--- a/iptables/_rule.sls
+++ b/iptables/_rule.sls
@@ -57,4 +57,8 @@
- require_in:
- iptables: iptables_{{ chain_name }}_policy
{%- endif %}
+ {%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
+ - require:
+ - iptables: iptables_{{ chain_name }}{% if rule.family is defined %}_{{ rule.family }}{% endif %}
+ {%- endif %}
- save: True
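Review bot: The added requisite builds the chain state ID as `iptables_{{ chain_name }}_{{ rule.family }}`, but the chain states introduced in rules.sls in this same commit are named `iptables_{{ chain_name }}` for IPv4 and `iptables_{{ chain_name }}_ipv6` for IPv6, so a rule that sets `family: ipv4` explicitly will require a state ID that is never rendered and the highstate will fail on an unknown requisite. The suffix should only be appended for the IPv6 case, e.g. `- iptables: iptables_{{ chain_name }}{% if rule.family is defined and rule.family == 'ipv6' %}_ipv6{% endif %}`, or alternatively the IPv4 chain state in rules.sls could be renamed to carry an explicit `_ipv4` suffix so both files use one naming rule. Whether `rule.family` can ever hold a value other than `ipv4`/`ipv6` is not visible here and would need checking against the rule schema. The enclosing rule state starts before this hunk.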
diff --git a/iptables/rules.sls b/iptables/rules.sls
index 1deb606..4e9e6e2 100644
--- a/iptables/rules.sls
+++ b/iptables/rules.sls
@@ -1,7 +1,30 @@
{% from "iptables/map.jinja" import service with context %}
+{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
{%- for chain_name, chain in service.get('chain', {}).iteritems() %}
+iptables_{{ chain_name }}:
+ iptables.chain_present:
+ - family: ipv4
+ - name: {{ chain_name }}
+ - table: filter
+ - require:
+ - pkg: iptables_packages
+
+{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
+iptables_{{ chain_name }}_ipv6:
+ iptables.chain_present:
+ - family: ipv6
+ - name: {{ chain_name }}
+ - table: filter
+ - require:
+ - pkg: iptables_packages
+{%- if chain.policy is defined %}
+ - require_in:
+ - iptables: iptables_{{ chain_name }}_ipv6_policy
+{%- endif %}
+{%- endif %}
+
{%- if chain.policy is defined %}
iptables_{{ chain_name }}_policy:
iptables.set_policy:
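Review bot: The IPv6 chain state declares `require_in: iptables_{{ chain_name }}_ipv6_policy` while the IPv6 policy state in the third hunk of this file also gains `require: iptables_{{ chain_name }}_ipv6`; both express the same edge, and the IPv4 chain state has no matching `require_in`, so one of the two IPv6 declarations should be dropped (the `require:` form, which mirrors the IPv4 side) to keep the ordering declared in one place. The container guard `grains.get('virtual_subtype', None) not in ['Docker', 'LXC']` is now duplicated verbatim between this file and _rule.sls; moving it into map.jinja as a single value (for example a boolean the two templates both test) would keep the two files from drifting when the list of container types changes. Note that in a container this file renders nothing at all, whereas _rule.sls only drops the requisite, so a rule state rendered from elsewhere would still be applied without its chain — I cannot see whether _rule.sls is included outside this loop, so this may be intentional.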
@@ -9,6 +32,8 @@
- chain: {{ chain_name }}
- policy: {{ chain.policy }}
- table: filter
+ - require:
+ - iptables: iptables_{{ chain_name }}
{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ chain_name }}_ipv6_policy:
@@ -17,6 +42,8 @@
- chain: {{ chain_name }}
- policy: {{ chain.policy }}
- table: filter
+ - require:
+ - iptables: iptables_{{ chain_name }}_ipv6
{%- endif %}
{%- endif %}
@@ -41,3 +68,4 @@
{%- endfor %}
{%- endfor %}
+{%- endif %}
diff --git a/tests/pillar/iptables_server.sls b/tests/pillar/iptables_server.sls
index eb1feaa..7ef038d 100644
--- a/tests/pillar/iptables_server.sls
+++ b/tests/pillar/iptables_server.sls
@@ -3,9 +3,8 @@
enabled: true
chain:
INPUT:
- rule:
- test:
- position: 1
+ rules:
+ - position: 1
table: filter
protocol: tcp
destination_port: 8088
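Review bot: The test pillar now exercises a single rule without a `family` key, so the new requisite in _rule.sls that appends `_{{ rule.family }}` to the chain state ID is never rendered by the test; adding a second list entry with `family: ipv4` (and, if the test host sets the ipv6 grain, one with `family: ipv6`) would cover the state-ID construction this commit depends on. Converting `rule:` from a named mapping to a `rules:` list also drops the `test` name that previously distinguished rules, so the loop in _rule.sls (outside this hunk) must derive unique state IDs some other way, which a two-entry fixture would also verify. The `INPUT:` mapping continues past the end of the hunk.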