Unhardcode tables for chains.
There is a way to manage tables in rules, but there is no way to
manage tables for chains when setting policy.
It looks like the pillar structure is bad from the beginning, and to
not break backward compatibility, as the same chain names may occur in
different tables, it is proposed to check if 'chain.policy' is a
map. If it is, specific policies will be ensured for specific
tables; otherwise table 'filter' will be used as a fallback.
To ensure chains in specific tables, we iterate over all rules in
each chain.
This hash is valid:

  parameters:
    iptables:
      service:
        enabled: true
        chain:
          OUTPUT:
            policy: ACCEPT
          FORWARD:
            policy:
              - table: mangle
                policy: DROP
          INPUT:
            policy:
              - table: nat
                policy: ACCEPT
            rules:
              - jump: ACCEPT
                protocol: icmp
          POSTROUTING:
            rules:
              - jump: MASQUERADE
                protocol: icmp
                out_interface: ens3
                table: nat
Prod-Related: CEEMCP-12
Prod-Related: EME-313
Change-Id: Ib5ba97dad165d3ef2dec7e053b391ea36a996103
4 files changed
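The resolution logic described in the message, as an added example that is not the formula's own code: given the `chain` mapping from the pillar above, it computes which policy applies in which table (a scalar policy keeps the old 'filter' behaviour, a per-table list sets each named table) and which (table, chain) pairs must exist, derived from both the policy entries and each rule's `table` key. The `CHAINS` dict is a constructed copy of the pillar in the message; the helper names are assumptions.

```python
DEFAULT_TABLE = "filter"  # fallback table the commit message names

# Constructed pillar fragment mirroring the 'chain' block shown above.
CHAINS = {
    "OUTPUT": {"policy": "ACCEPT"},
    "FORWARD": {"policy": [{"table": "mangle", "policy": "DROP"}]},
    "INPUT": {
        "policy": [{"table": "nat", "policy": "ACCEPT"}],
        "rules": [{"jump": "ACCEPT", "protocol": "icmp"}],
    },
    "POSTROUTING": {
        "rules": [{"jump": "MASQUERADE", "protocol": "icmp",
                   "out_interface": "ens3", "table": "nat"}],
    },
}


def chain_policies(chains):
    """Return {(table, chain): policy}.

    A scalar 'policy' keeps the backward-compatible behaviour (table
    'filter'); a list of {table, policy} entries sets the policy in
    each named table, so a DROP meant for 'mangle' never lands in
    'filter' by accident.
    """
    result = {}
    for name, spec in chains.items():
        policy = spec.get("policy")
        if policy is None:
            continue
        if isinstance(policy, str):
            result[(DEFAULT_TABLE, name)] = policy
        elif isinstance(policy, list):
            for entry in policy:
                table = entry.get("table", DEFAULT_TABLE)
                result[(table, name)] = entry["policy"]
        else:
            raise ValueError(f"unsupported policy spec for chain {name!r}")
    return result


def chain_tables(chains):
    """Return the set of (table, chain) pairs that must be ensured:
    every table a policy names plus the 'table' of every rule
    (defaulting to 'filter' when a rule omits it)."""
    tables = set(chain_policies(chains))
    for name, spec in chains.items():
        for rule in spec.get("rules", []):
            tables.add((rule.get("table", DEFAULT_TABLE), name))
    return tables
```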