Merge pull request #35 from Kasen/master

rtkmparrott · rtkmparrott · commit 175ef164be30 · 2014-04-14T12:25:32.000-04:00
The mechanism of weights added
diff --git a/README.md b/README.md
@@ -100,6 +100,36 @@ By default rules are added to the filter table but the nat and mangle tables are
       rule "-p tcp -o eth0 -d 10/8 --jump REJECT --reject-with tcp-reset"
     end
 
+By default rules are added to the chain, in the order in which its occur in the recipes.
+You may use the weight parameter for control the order of the rules in chains. For example:
+
+  simple_iptables_rule "reject" do
+    chain "INPUT"
+    rule ""
+    jump "REJECT --reject-with icmp-host-prohibited"
+    weight 90
+  end
+
+  simple_iptables_rule "established" do
+    chain "INPUT"
+    rule "-m conntrack --ctstate ESTABLISHED,RELATED"
+    jump "ACCEPT"
+    weight 1
+  end
+
+  simple_iptables_rule "icmp" do
+    chain "INPUT"
+    rule "--proto icmp"
+    jump "ACCEPT"
+    weight 2
+  end
+
+This would generate the rules:
+  -A INPUT --jump ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
+  -A INPUT --jump ACCEPT --proto icmp
+  -A INPUT --jump REJECT --reject-with icmp-host-prohibited
+
+
 `simple_iptables_policy` Resource
 ---------------------------------
 
@@ -265,6 +295,8 @@ Which results in the following iptables configuration:
 Changes
 =======
 
+* 0.6.1 (April 14, 2014)
+    * Add support mechanism weights.
 * 0.6.0 (March 19, 2014)
     * Add support for the raw table (#33 - Ray Ruvinskiy)
     * Add :delete semantics to iptables rules (#34 - Michael Parrott)
diff --git a/metadata.json b/metadata.json
@@ -29,5 +29,5 @@
   },
   "recipes": {
   },
-  "version": "0.6.0"
+  "version": "0.6.1"
 }
diff --git a/metadata.rb b/metadata.rb
@@ -3,7 +3,7 @@
 license          "BSD"
 description      "Simple LWRP and recipe for managing iptables rules"
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          "0.6.0"
+version          "0.6.1"
 name             "simple_iptables"
 
 supports "debian", ">= 6.0"
diff --git a/providers/rule.rb b/providers/rule.rb
@@ -7,22 +7,22 @@
   else
     rules = new_resource.rule
   end
-
   # Ensure that the rules are actually valid iptable rules by testing with a temporary chain
   test_rules(new_resource, rules)
 
   if not node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.chain)
     node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
     unless new_resource.chain == new_resource.direction
-      node.set["simple_iptables"]["rules"][new_resource.table] = node["simple_iptables"]["rules"][new_resource.table].dup << "-A #{new_resource.direction} --jump #{new_resource.chain}"
+      node.set["simple_iptables"]["rules"][new_resource.table] << ["-A #{new_resource.direction} --jump #{new_resource.chain}", new_resource.weight]
     end
   end
 
   # Then apply the rules to the node
   rules.each do |rule|
     new_rule = rule_string(new_resource, rule, false)
-    if not node["simple_iptables"]["rules"][new_resource.table].include?(new_rule)
-      node.set["simple_iptables"]["rules"][new_resource.table] = node["simple_iptables"]["rules"][new_resource.table].dup << new_rule
+    if not node["simple_iptables"]["rules"][new_resource.table].include?([new_rule, new_resource.weight])
+      node.set["simple_iptables"]["rules"][new_resource.table] << [new_rule, new_resource.weight]
+      node.set["simple_iptables"]["rules"][new_resource.table].sort! {|a,b| a[1] <=> b[1]}
       new_resource.updated_by_last_action(true)
       Chef::Log.debug("added rule '#{new_rule}'")
     else
@@ -68,3 +68,4 @@ def rule_string(new_resource, rule, include_table)
   rule = "#{table}-A #{new_resource.chain} #{jump}#{rule}"
   rule
 end
+
diff --git a/resources/rule.rb b/resources/rule.rb
@@ -5,7 +5,7 @@
 attribute :rule, :kind_of => [String, Array], :required => true
 attribute :jump, :kind_of => [String, FalseClass], :default => "ACCEPT"
 attribute :direction, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"], :default => "INPUT"
-
+attribute :weight, :kind_of => Integer, :default => 50
 
 def initialize(*args)
   super
diff --git a/templates/default/iptables-rules.erb b/templates/default/iptables-rules.erb
@@ -8,7 +8,7 @@
 :<%= chain %> - [0:0]
 <% end -%>
 <% node["simple_iptables"]["rules"]["nat"].each do |rule| -%>
-<%= rule %>
+<%= rule[0] %>
 <% end -%>
 COMMIT
 # Completed
@@ -23,7 +23,7 @@ COMMIT
 :<%= chain %> - [0:0]
 <% end -%>
 <% node["simple_iptables"]["rules"]["mangle"].each do |rule| -%>
-<%= rule %>
+<%= rule[0] %>
 <% end -%>
 COMMIT
 # Completed
@@ -36,7 +36,7 @@ COMMIT
 :<%= chain %> - [0:0]
 <% end -%>
 <% node["simple_iptables"]["rules"]["filter"].each do |rule| -%>
-<%= rule %>
+<%= rule[0] %>
 <% end -%>
 COMMIT
 # Completed
@@ -48,7 +48,7 @@ COMMIT
 :<%= chain %> - [0:0]
 <% end -%>
 <% node["simple_iptables"]["rules"]["raw"].each do |rule| -%>
-<%= rule %>
+<%= rule[0] %>
 <% end -%>
 COMMIT
 # Completed

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,5 @@`
`29`	`29`	`},`
`30`	`30`	`"recipes": {`
`31`	`31`	`},`
`32`		`- "version": "0.6.0"`
	`32`	`+ "version": "0.6.1"`
`33`	`33`	`}`