Merge pull request #54 from rtkwlf/chain_condition_nil

:none direction value

Author: rtkkdeng

README.md

@@ -143,6 +143,22 @@ specified to make the jump conditional. For example:
 The rules specified under the `rule` attribute will only be evaluate for packets for which
 the rule in `chain_condition` holds.
 
+Sometimes we might want to define a chain where we only want to jump from another chain we define. 
+By default, an automatic jump will be made to chains defined using the `simple_iptables_rule` resource
+from the chain specified using the `direction` attribute of the resource. To prevent jumping to the
+chain from the direction chains, we can set the direction attribute to the symbol `:none`.
+For example, consider a chain used to log
+
+    simple_iptables_rule "logging_drop" do
+      direction :none
+      rule ['-j LOG --log-level 4 --log-prefix "IPTABLES_DROP: "',
+            '-j DROP']
+      jump false
+    end
+
+We can then jump to this chain from other simple_iptables_rule chains, but an automatic jump to
+this chain won't be added.
+
 
 `simple_iptables_policy` Resource
 ---------------------------------
@@ -338,6 +354,10 @@ Which results in the following iptables configuration:
 
 Changes
 =======
+* 0.6.6 (Aug 1, 2014)
+    * Added `:none` to one of the values that the attribute `direction` can be set to.
+      When set to :none, a rule to jump to the chain created will not be added to any
+      direction chains.
 * 0.6.5 (July 20, 2014)
     * Fix one-shot testing code to work with Chef versions prior to 11.12.
     * Make one-shot testing error line detection code more robust (#48 - Kim Tore Jensen)

providers/rule.rb

@@ -10,7 +10,7 @@
 
   if not node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.chain)
     node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
-    unless new_resource.chain == new_resource.direction
+    unless new_resource.chain == new_resource.direction || new_resource.direction == :none
       node.set["simple_iptables"]["rules"][new_resource.table] << {:rule => "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}", :weight => new_resource.weight}
     end
   end

resources/rule.rb

@@ -4,7 +4,7 @@
 attribute :table, :equal_to => ["filter", "nat", "mangle", "raw"], :default => "filter"
 attribute :rule, :kind_of => [String, Array], :required => true
 attribute :jump, :kind_of => [String, FalseClass], :default => "ACCEPT"
-attribute :direction, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"], :default => "INPUT"
+attribute :direction, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING", :none], :default => "INPUT"
 attribute :chain_condition, :kind_of => [String]
 attribute :weight, :kind_of => Integer, :default => 50