Refactor from scratch
Customer-Found
Prod-Related: CEEMCP-19
Prod-Related: PROD-22620
Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
diff --git a/README.rst b/README.rst
index c079424..a59e5e8 100644
--- a/README.rst
+++ b/README.rst
@@ -1,7 +1,6 @@
-
-================
-iptables formula
-================
+=====================
+iptables salt formula
+=====================
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
filter rules in the Linux kernel. Several different tables may be defined.
@@ -11,154 +10,76 @@
called a `target`, which may be a jump to a user-defined chain in the same
table.
+This version of a formula guarantees that manually added rules or rules which
+has been added in runtime would be removed.
+
+In order to ensure architecture, proper epoch value should be specified.
+Refer to an example.
+
Sample pillars
==============
-Most common rules - allow traffic on localhost, accept related,established and
-ping
-
.. code-block:: yaml
parameters:
iptables:
+ schema:
+ epoch: 1
service:
- enabled: True
- chain:
- INPUT:
- rules:
- - in_interface: lo
- jump: ACCEPT
- - connection_state: RELATED,ESTABLISHED
- match: state
- jump: ACCEPT
- - protocol: icmp
- jump: ACCEPT
+ v4:
+ enabled: true
+ persistent_config: /etc/iptables.v4
+ modules:
+ - nf_conntrack_ftp
+ - nf_conntrack_pptp
+ v6:
+ enabled: false
+ persistent_config: /etc/iptables.v6
+ modules:
+ - nf_conntrack_ipv6
+ defaults:
+ v4:
+ metadata_rules: false
+ policy: ACCEPT
+ ruleset:
+ action: ACCEPT
+ params: ""
+ rule: ""
+ v6:
+ metadata_rules: false
+ policy: DROP
+ ruleset:
+ action: ACCEPT
+ params: ""
+ rule: ""
+ tables:
+ v4:
+ filter:
+ chains:
+ INPUT:
+ ruleset:
+ 5:
+ action: log_drop
+ 10:
+ rule: -s 192.168.0.0/24 -p tcp
+ log_drop:
+ policy: DROP
+ ruleset:
+ 10:
+ action: LOG
+ comment: "Log my packets"
+ nat:
+ chains:
+ OUTPUT:
+ PREROUTING:
+ POSTROUTING:
+ policy: ACCEPT
+ ruleset:
+ 10:
+ rule: -s 192.168.0.0/24 -p tcp -o lo
+ action: SNAT
+ params: --to-source=127.0.0.1
-Accept connections on port 22
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- chain:
- INPUT:
- rules:
- - destination_port: 22
- protocol: tcp
- jump: ACCEPT
-
-Set drop policy on INPUT chain:
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- chain:
- INPUT:
- policy: DROP
-
-Redirect privileged port 443 to 8081
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- chain:
- PREROUTING:
- filter: nat
- destination_port: 443
- to_port: 8081
- protocol: tcp
- jump: REDIRECT
-
-Allow access from local network
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- chain:
- INPUT:
- rules:
- - protocol: tcp
- destination_port: 22
- source_network: 192.168.1.0/24
- jump: ACCEPT
- comment: Blah
-
-Support logging with custom prefix and log level
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- chain:
- POSTROUTING:
- rules:
- - table: nat
- protocol: tcp
- match: multiport
- destination_ports:
- - 21
- - 80
- - 443
- - 2220
- source_network: '10.20.30.0/24'
- log_level: 7
- log_prefix: 'iptables-logging: '
- jump: LOG
-
-
-IPv6 is supported as well
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- enabled: True
- ipv6: True
- chain:
- INPUT:
- rules:
- - protocol: tcp
- family: ipv6
- destination_port: 22
- source_network: 2001:DB8::/32
- jump: ACCEPT
-
-
-You may set policy for chain in specific table
-If 'table' key is omitted, 'filter' table is assumed
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- enabled: true
- chain:
- OUTPUT:
- policy: ACCEPT
-
-Specify policy directly
-
-.. code-block:: yaml
-
- parameters:
- iptables:
- service:
- enabled: true
- chain:
- FORWARD:
- policy:
- - table: mangle
- policy: DROP
Read more
=========
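Review bot: the new sample pillar declares a user-defined chain `log_drop` with `policy: DROP`, but iptables only accepts `-P` on built-in chains (`iptables -P log_drop DROP` fails with "Bad built-in chain name"), so the README should state how the formula realises `policy` on custom chains (for example by appending a terminal `-j DROP` rule) or drop the key from that example. The new prose also needs tightening: "rules which has been added in runtime would be removed" should read "rules that have been added at runtime will be removed", and "In order to ensure architecture, proper epoch value should be specified. Refer to an example." does not say what `schema.epoch` controls or which example is meant; since this hunk removes every previously documented pillar layout (`service.chain.<NAME>.rules`, `table`, `family: ipv6`), a short migration paragraph explaining that old pillars are incompatible and must be converted to `service.v4/v6`, `defaults` and `tables.<family>.<table>.chains` would spare users a silent loss of rules. Finally, the example rule `10: rule: -s 192.168.0.0/24 -p tcp` under `INPUT` carries no `action`, so the text should note that the `defaults.v4.ruleset.action` (`ACCEPT` here) applies, and that the "manually added rules are removed" guarantee means anything inserted out of band (e.g. by other services on the host) is flushed on each state run.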
@@ -181,21 +102,9 @@
https://github.com/salt-formulas/salt-formula-iptables/issues
-For feature requests, bug reports or blueprints affecting entire ecosystem,
-use Launchpad salt-formulas project:
-
- https://launchpad.net/salt-formulas
-
-You can also join salt-formulas-users team and subscribe to mailing list:
-
- https://launchpad.net/~salt-formulas-users
Developers wishing to work on the salt-formulas projects should always base
their work on master branch and submit pull request against specific formula.
https://github.com/salt-formulas/salt-formula-iptables
-Any questions or feedback is always welcome so feel free to join our IRC
-channel:
-
- #salt-formulas @ irc.freenode.net
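Review bot: this hunk removes the Launchpad project, the salt-formulas-users mailing list and the IRC channel, leaving the GitHub issues URL as the only contact point, yet neither the commit message ("Refactor from scratch") nor the README says these channels are retired. Either keep the entries or add one sentence in the "Read more" section stating that issues and pull requests on GitHub are now the sole support path, so the removal is documented rather than incidental to the refactor.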