diff --git a/providers/rule.rb b/providers/rule.rb
index 86f588a..9e9b96a 100644
--- a/providers/rule.rb
+++ b/providers/rule.rb
@@ -11,8 +11,10 @@
 test_rules(new_resource, rules)
 if not node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.chain)
- node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain
- node.set["simple_iptables"]["rules"][new_resource.table] = node["simple_iptables"]["rules"][new_resource.table].dup << "-A #{new_resource.direction} --jump #{new_resource.chain}"
+ node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
+ unless new_resource.chain == new_resource.direction
+ node.set["simple_iptables"]["rules"][new_resource.table] = node["simple_iptables"]["rules"][new_resource.table].dup << "-A #{new_resource.direction} --jump #{new_resource.chain}"
+ end
 end
 # Then apply the rules to the node
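Review bot: The built-in-chain exemption on the first added line only stops the chain name from being recorded, so the enclosing `if not ...include?(new_resource.chain)` remains true on every run for a resource whose `chain` is INPUT/OUTPUT/FORWARD/PREROUTING/POSTROUTING, and the new `unless new_resource.chain == new_resource.direction` block then re-appends `-A <direction> --jump <chain>` to the rules attribute each time that direction differs from the chain; whether such a resource can occur depends on the resource defaults, which are outside this hunk. Evaluating the predicate once, e.g. `builtin_chain = %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING].include?(new_resource.chain)`, and using it for both statements keeps the two decisions consistent, and the chain list belongs in a frozen constant such as `BUILTIN_CHAINS` rather than a literal array rebuilt on every call. `if not` also reads more naturally as `unless` in Ruby. The enclosing action block starts and ends outside the hunk.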
@@ -29,26 +31,39 @@ end
 def test_rules(new_resource, rules)
- #always flush and remove first in case the previous run left it lying around. Ignore any return values.
- shell_out("iptables --table #{new_resource.table} --flush _chef_lwrp_test")
- shell_out("iptables --table #{new_resource.table} --delete-chain _chef_lwrp_test")
- #create the test chain
- shell_out!("iptables --table #{new_resource.table} --new-chain _chef_lwrp_test")
+ test_chains = ["_chef_lwrp_test1"]
+ cleanup_test_chain(new_resource.table, test_chains.first)
+ shell_out!("iptables --table #{new_resource.table} --new-chain #{test_chains.first}")
 begin
 rules.each do |rule|
 new_rule = rule_string(new_resource, rule, true)
- new_rule.gsub!("-A #{new_resource.chain}", "-A _chef_lwrp_test")
+ new_rule.gsub!("-A #{new_resource.chain}", "-A #{test_chains.first}")
+
+ # Test for jumps to chains that are not actually created on the system yet, but are already processed in the current recipe
+ if node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.jump)
+ test_chains.push("_chef_lwrp_test2")
+ cleanup_test_chain(new_resource.table, test_chains.last)
+ shell_out!("iptables --table #{new_resource.table} --new-chain #{test_chains.last}")
+ new_rule.gsub!("--jump #{new_resource.jump}", "--jump #{test_chains.last}")
+ end
 shell_out!("iptables #{new_rule}")
 end
 ensure
- shell_out("iptables --table #{new_resource.table} --flush _chef_lwrp_test")
- shell_out("iptables --table #{new_resource.table} --delete-chain _chef_lwrp_test")
+ test_chains.each do |test_chain|
+ cleanup_test_chain(new_resource.table, test_chain)
+ end
 end
 end
+def cleanup_test_chain(table, chain)
+ #always flush and remove first in case the previous run left it lying around. Ignore any return values.
+ shell_out("iptables --table #{table} --flush #{chain}")
+ shell_out("iptables --table #{table} --delete-chain #{chain}")
+end
+
 def rule_string(new_resource, rule, include_table)
- jump = new_resource.jump ? 
" --jump #{new_resource.jump}" : "" + jump = new_resource.jump ? "--jump #{new_resource.jump} " : "" table = include_table ? "--table #{new_resource.table} " : "" - rule = "#{table}-A #{new_resource.chain} #{rule}#{jump}" + rule = "#{table}-A #{new_resource.chain} #{jump}#{rule}" rule end diff --git a/templates/default/iptables-rules.erb b/templates/default/iptables-rules.erb index 7a7d556..1078e67 100644 --- a/templates/default/iptables-rules.erb +++ b/templates/default/iptables-rules.erb @@ -39,5 +39,4 @@ COMMIT <%= rule %> <% end -%> COMMIT -# Completed - +# Completed \ No newline at end of file