Merge pull request #31 from svanharmelen/multiple-commits

Multiple commits updated to be merged with tip...
rtkwlf · Mar 18, 2014 · d468039 · d468039
2 parents a7ef77b + be8cba1
commit d468039
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 14 deletions.
diff --git a/providers/rule.rb b/providers/rule.rb
@@ -11,8 +11,10 @@
   test_rules(new_resource, rules)
 
   if not node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.chain)
-    node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain
-    node.set["simple_iptables"]["rules"][new_resource.table] = node["simple_iptables"]["rules"][new_resource.table].dup << "-A #{new_resource.direction} --jump #{new_resource.chain}"
+    node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
+    unless new_resource.chain == new_resource.direction
+      node.set["simple_iptables"]["rules"][new_resource.table] = node["simple_iptables"]["rules"][new_resource.table].dup << "-A #{new_resource.direction} --jump #{new_resource.chain}"
+    end
   end
 
   # Then apply the rules to the node
@@ -29,26 +31,39 @@
 end
 
 def test_rules(new_resource, rules)
-  #always flush and remove first in case the previous run left it lying around. Ignore any return values.
-  shell_out("iptables --table #{new_resource.table} --flush _chef_lwrp_test")
-  shell_out("iptables --table #{new_resource.table} --delete-chain _chef_lwrp_test")
-  #create the test chain
-  shell_out!("iptables --table #{new_resource.table} --new-chain _chef_lwrp_test")
+  test_chains = ["_chef_lwrp_test1"]
+  cleanup_test_chain(new_resource.table, test_chains.first)
+  shell_out!("iptables --table #{new_resource.table} --new-chain #{test_chains.first}")
   begin
     rules.each do |rule|
       new_rule = rule_string(new_resource, rule, true)
-      new_rule.gsub!("-A #{new_resource.chain}", "-A _chef_lwrp_test")
+      new_rule.gsub!("-A #{new_resource.chain}", "-A #{test_chains.first}")
+
+      # Test for jumps to chains that are not actually created on the system yet, but are already processed in the current recipe
+      if node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.jump)
+        test_chains.push("_chef_lwrp_test2")
+        cleanup_test_chain(new_resource.table, test_chains.last)
+        shell_out!("iptables --table #{new_resource.table} --new-chain #{test_chains.last}")
+        new_rule.gsub!("--jump #{new_resource.jump}", "--jump #{test_chains.last}")
+      end
       shell_out!("iptables #{new_rule}")
     end
   ensure
-    shell_out("iptables --table #{new_resource.table} --flush _chef_lwrp_test")
-    shell_out("iptables --table #{new_resource.table} --delete-chain _chef_lwrp_test")
+    test_chains.each do |test_chain|
+      cleanup_test_chain(new_resource.table, test_chain)
+    end
   end
 end
 
+def cleanup_test_chain(table, chain)
+  #always flush and remove first in case the previous run left it lying around. Ignore any return values.
+  shell_out("iptables --table #{table} --flush #{chain}")
+  shell_out("iptables --table #{table} --delete-chain #{chain}")
+end
+
 def rule_string(new_resource, rule, include_table)
-  jump = new_resource.jump ? " --jump #{new_resource.jump}" : ""
+  jump = new_resource.jump ? "--jump #{new_resource.jump} " : ""
   table = include_table ? "--table #{new_resource.table} " : ""
-  rule = "#{table}-A #{new_resource.chain} #{rule}#{jump}"
+  rule = "#{table}-A #{new_resource.chain} #{jump}#{rule}"
   rule
 end
diff --git a/templates/default/iptables-rules.erb b/templates/default/iptables-rules.erb
@@ -39,5 +39,4 @@ COMMIT
 <%= rule %>
 <% end -%>
 COMMIT
-# Completed
-
+# Completed