|
58 | 58 | end
|
59 | 59 | end
|
60 | 60 |
|
61 |
| -case node['platform_family'] |
62 |
| -when 'debian' |
63 |
| - iptable_rules = '/etc/iptables-rules' |
64 |
| - ip6table_rules = '/etc/ip6tables-rules' |
65 |
| -when 'rhel', 'fedora' |
66 |
| - iptable_rules = '/etc/sysconfig/iptables' |
67 |
| - ip6table_rules = '/etc/sysconfig/ip6tables' |
68 |
| -end |
| 61 | +# maps protocol version to a character that will be used to differentiate |
| 62 | +# iptables* (ipv4) and ip6tables* (ipv6) |
| 63 | +v2s = {'ipv4' => '', 'ipv6' => '6'} |
| 64 | + |
| 65 | +node["simple_iptables"]["ip_versions"].each do |ip_version| |
| 66 | + v = v2s[ip_version] |
| 67 | + case node['platform_family'] |
| 68 | + when 'debian' |
| 69 | + iptable_rules = "/etc/ip#{v}tables-rules" |
| 70 | + when 'rhel', 'fedora' |
| 71 | + iptable_rules = "/etc/sysconfig/ip#{v}tables" |
| 72 | + end |
69 | 73 |
|
70 |
| -if node["simple_iptables"]["ip_versions"].include?("ipv4") |
71 |
| - ruby_block "test-iptables" do |
| 74 | + ruby_block "test-ip#{v}tables" do |
72 | 75 | block do
|
73 |
| - cmd = Mixlib::ShellOut.new("iptables-restore --test < #{iptable_rules}", |
| 76 | + cmd = Mixlib::ShellOut.new("ip#{v}tables-restore --test < #{iptable_rules}", |
74 | 77 | :user => "root")
|
75 | 78 | cmd.run_command
|
76 | 79 | if !Array(cmd.valid_exit_codes).include?(cmd.exitstatus)
|
77 | 80 | msg = <<-eos
|
78 |
| - iptables-restore exited with code #{cmd.exitstatus} while testing new rules |
79 |
| - STDOUT: |
80 |
| - #{cmd.stdout} |
81 |
| - STDERR: |
82 |
| - #{cmd.stderr} |
83 |
| - eos |
| 81 | +ip#{v}tables-restore exited with code #{cmd.exitstatus} while testing new rules |
| 82 | +STDOUT: |
| 83 | +#{cmd.stdout} |
| 84 | +STDERR: |
| 85 | +#{cmd.stderr} |
| 86 | +eos |
84 | 87 | match = cmd.stderr.match /line:?\s*(\d+)/
|
85 | 88 | if match
|
86 | 89 | line_no = match[1].to_i
|
|
95 | 98 | raise msg
|
96 | 99 | end
|
97 | 100 | end
|
98 |
| - notifies :run, "execute[reload-iptables]" |
| 101 | + notifies :run, "execute[reload-ip#{v}tables]" |
99 | 102 | action :nothing
|
100 | 103 | end
|
101 | 104 |
|
102 |
| - execute "reload-iptables" do |
103 |
| - command "iptables-restore < #{iptable_rules}" |
| 105 | + execute "reload-ip#{v}tables" do |
| 106 | + command "ip#{v}tables-restore < #{iptable_rules}" |
104 | 107 | user "root"
|
105 | 108 | action :nothing
|
106 | 109 | end
|
107 | 110 |
|
108 | 111 | template iptable_rules do
|
109 |
| - source "iptables-rules.erb" |
| 112 | + source "ip#{v}tables-rules.erb" |
110 | 113 | cookbook "simple_iptables"
|
111 |
| - notifies :create, "ruby_block[test-iptables]" |
| 114 | + notifies :create, "ruby_block[test-ip#{v}tables]" |
112 | 115 | action :create
|
113 | 116 | end
|
114 |
| -end |
115 | 117 |
|
116 |
| -if node["simple_iptables"]["ip_versions"].include?("ipv6") |
117 |
| - ruby_block "test-ip6tables" do |
118 |
| - block do |
119 |
| - cmd = Mixlib::ShellOut.new("ip6tables-restore --test < #{ip6table_rules}", |
120 |
| - :user => "root") |
121 |
| - cmd.run_command |
122 |
| - if !Array(cmd.valid_exit_codes).include?(cmd.exitstatus) |
123 |
| - msg = <<-eos |
124 |
| - ip6tables-restore exited with code #{cmd.exitstatus} while testing new rules |
125 |
| - STDOUT: |
126 |
| - #{cmd.stdout} |
127 |
| - STDERR: |
128 |
| - #{cmd.stderr} |
129 |
| - eos |
130 |
| - match = cmd.stderr.match /line:?\s*(\d+)/ |
131 |
| - if match |
132 |
| - line_no = match[1].to_i |
133 |
| - msg << "Line #{line_no}: #{IO.readlines(ip6table_rules)[line_no-1]}" |
134 |
| - end |
135 |
| - # Delete the file so that the next Chef run is forced to recreate it |
136 |
| - # and retest it. Otherwise, if the rules remain unchanged, the template |
137 |
| - # resource won't recreate the file, won't notify the test resource, |
138 |
| - # and the Chef run will be allowed to complete successfully despite |
139 |
| - # and invalid rule being present. |
140 |
| - File.delete(ip6table_rules) |
141 |
| - raise msg |
142 |
| - end |
143 |
| - end |
144 |
| - notifies :run, "execute[reload-ip6tables]" |
145 |
| - action :nothing |
146 |
| - end |
147 |
| - |
148 |
| - execute "reload-ip6tables" do |
149 |
| - command "ip6tables-restore < #{ip6table_rules}" |
150 |
| - user "root" |
151 |
| - action :nothing |
152 |
| - end |
153 |
| - |
154 |
| - template ip6table_rules do |
155 |
| - source "ip6tables-rules.erb" |
156 |
| - cookbook "simple_iptables" |
157 |
| - notifies :create, "ruby_block[test-ip6tables]" |
158 |
| - action :create |
159 |
| - end |
160 |
| -end |
161 |
| - |
162 |
| -case node['platform_family'] |
163 |
| -when 'debian' |
164 |
| - |
165 |
| - if node["simple_iptables"]["ip_versions"].include?("ipv4") |
| 118 | + case node['platform_family'] |
| 119 | + when 'debian' |
166 | 120 | # TODO: Generalize this for other platforms somehow
|
167 |
| - file "/etc/network/if-up.d/iptables-rules" do |
168 |
| - owner "root" |
169 |
| - group "root" |
170 |
| - mode "0755" |
171 |
| - content "#!/bin/bash\niptables-restore < #{iptable_rules}\n" |
172 |
| - action :create |
173 |
| - end |
174 |
| - end |
175 |
| - |
176 |
| - if node["simple_iptables"]["ip_versions"].include?("ipv6") |
177 |
| - file "/etc/network/if-up.d/ip6tables-rules" do |
| 121 | + file "/etc/network/if-up.d/ip#{v}tables-rules" do |
178 | 122 | owner "root"
|
179 | 123 | group "root"
|
180 | 124 | mode "0755"
|
181 |
| - content "#!/bin/bash\nip6tables-restore < #{ip6table_rules}\n" |
| 125 | + content "#!/bin/bash\nip#{v}tables-restore < #{iptable_rules}\n" |
182 | 126 | action :create
|
183 | 127 | end
|
184 | 128 | end
|
185 |
| - |
186 | 129 | end
|
| 130 | + |
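Review bot: `v = v2s[ip_version]` on new line 66 returns nil for any entry in `node["simple_iptables"]["ip_versions"]` other than the two hash keys, and `"ip#{nil}tables"` interpolates to `iptables`, so a misspelled or unexpected entry (e.g. `"IPv6"`) silently yields a second copy of the ipv4 resources (`test-iptables`, `reload-iptables`, `/etc/iptables-rules`) rather than any ipv6 rules — the old `include?("ipv4")`/`include?("ipv6")` guards simply ignored such values, whereas the new loop turns them into firewall rules not being applied for the intended protocol with no error raised. Fail loudly instead: `v = v2s.fetch(ip_version)` raises `KeyError` on an unknown version. The `case node['platform_family']` directly below has the same shape of gap (an unmatched family leaves `iptable_rules` nil and `template iptable_rules` gets a nil path); that predates this change, but an `else raise "unsupported platform_family"` branch would close both holes in the same loop body.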