-
Notifications
You must be signed in to change notification settings - Fork 33
/
rule.rb
75 lines (64 loc) · 2.27 KB
/
rule.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#
# Cookbook Name:: iptables-ng
# Provider:: rule
#
# Copyright 2012, Chris Aumann
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
action :create do
edit_rule(:create)
end
action :create_if_missing do
edit_rule(:create_if_missing)
end
action :delete do
edit_rule(:delete)
end
def edit_rule(exec_action)
# Create rule for given ip_versions
Array(new_resource.ip_version).each do |ip_version|
# Skip nat table if ip6tables doesn't support it
next if new_resource.table == 'nat' &&
node['iptables-ng']['ip6tables_nat_support'] == false &&
ip_version == 6
# Create chain if it doesn't exist
iptables_ng_chain "#{new_resource.chain}:#{new_resource.table}:#{new_resource.name}" do
chain new_resource.chain
table new_resource.table
action :create_if_missing
not_if { exec_action == :delete }
end
rule_file = ''
Array(new_resource.rule).each { |r| rule_file << "--append #{new_resource.chain} #{r.chomp}\n" }
directory "/etc/iptables.d/#{new_resource.table}/#{new_resource.chain}" do
owner 'root'
group node['root_group']
mode 00700
not_if { exec_action == :delete }
end
rule_path = "/etc/iptables.d/#{new_resource.table}/#{new_resource.chain}/#{new_resource.name}.rule_v#{ip_version}"
r = file rule_path do
owner 'root'
group node['root_group']
mode 00600
content rule_file
notifies :create, 'ruby_block[create_rules]', :delayed
notifies :create, 'ruby_block[restart_iptables]', :delayed
action exec_action
end
new_resource.updated_by_last_action(true) if r.updated_by_last_action?
end
# TODO: link to .rule for rhel compatibility?
end