rtkwlf
diff --git a/‎.kitchen.yml‎
Lines changed: 8 additions & 0 deletions b/‎.kitchen.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 31 additions & 0 deletions b/‎README.md‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎attributes/default.rb‎
Lines changed: 9 additions & 4 deletions b/‎attributes/default.rb‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎providers/policy.rb‎
Lines changed: 11 additions & 2 deletions b/‎providers/policy.rb‎
Lines changed: 11 additions & 2 deletions
diff --git a/‎providers/rule.rb‎
Lines changed: 18 additions & 9 deletions b/‎providers/rule.rb‎
Lines changed: 18 additions & 9 deletions
diff --git a/‎recipes/default.rb‎
Lines changed: 112 additions & 46 deletions b/‎recipes/default.rb‎
Lines changed: 112 additions & 46 deletions
diff --git a/‎recipes/redhat.rb‎
Lines changed: 8 additions & 1 deletion b/‎recipes/redhat.rb‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎resources/policy.rb‎
Lines changed: 1 addition & 0 deletions b/‎resources/policy.rb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎resources/rule.rb‎
Lines changed: 1 addition & 0 deletions b/‎resources/rule.rb‎
Lines changed: 1 addition & 0 deletions
@@ -14,7 +14,15 @@ suites:
     run_list:
       - recipe[smoke]
     attributes:
+  - name: ipv6_default
+    run_list:
+      - recipe[smoke::ipv6_default]
+    attributes:
   - name: list_of_tables
     run_list:
       - recipe[smoke::tables]
     attributes:
+  - name: ipv6_list_of_tables
+    run_list:
+      - recipe[smoke::ipv6_tables]
+    attributes:
@@ -220,6 +220,37 @@ COMMIT
 # Completed
 ```
 
+`IPv6` support
+--------------
+
+To support IPv6, you will need to add `ipv6` the attribute like:
+default["simple_iptables"]["ip_versions"] = ["ipv4", "ipv6"]
+
+When using `simple_iptables_policy` or `simple_iptables_rule` resources, you
+can enable the policy/rule for either `:ipv4`, `:ipv6` or `:both` using the
+`ip_version` parameter. For example:
+
+    simple_iptables_rule "management_interface" do
+      direction "INPUT"
+      chain_condition "-i eth1"
+      rule [ "-p tcp --dport 80", "-p tcp --dport 443" ]
+      jump "ACCEPT"
+      ip_version :both
+    end
+
+will set the rule for both IPv4 and IPv6,
+
+    simple_iptables_rule "management_interface" do
+      direction "INPUT"
+      chain_condition "-i eth1"
+      rule [ "-p tcp --dport 80", "-p tcp --dport 443" ]
+      jump "ACCEPT"
+      ip_version :ipv6
+    end
+
+will set it for IPv6 only. The default is to set the rule/policy for ipv4 only.
+
+
 Example
 =======
 
 
@@ -1,5 +1,10 @@
-default["simple_iptables"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
-default["simple_iptables"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
-default["simple_iptables"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
+default["simple_iptables"]["ipv4"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+default["simple_iptables"]["ipv4"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+default["simple_iptables"]["ipv4"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
+default["simple_iptables"]["ipv6"]["rules"] = {"filter" => [], "mangle" => [], "raw" => []}
+default["simple_iptables"]["ipv6"]["chains"] = {"filter" => [], "mangle" => [], "raw" => []}
+default["simple_iptables"]["ipv6"]["policy"] = {"filter" => {}, "mangle" => {}, "raw" => {}}
 
-default["simple_iptables"]["tables"] = %w(filter nat mangle raw)
+default["simple_iptables"]["ipv4"]["tables"] = %w(filter nat mangle raw)
+default["simple_iptables"]["ipv6"]["tables"] = %w(filter mangle raw)
+default["simple_iptables"]["ip_versions"] = ["ipv4"]
@@ -1,5 +1,14 @@
 action :set do
-  Chef::Log.debug("setting policy for #{new_resource.chain} to #{new_resource.policy}")
-  node.set["simple_iptables"]["policy"][new_resource.table][new_resource.chain] = new_resource.policy
+  if [:ipv4, :both].include?(new_resource.ip_version)
+    handle_policy(new_resource, "ipv4")
+  end
+  if [:ipv6, :both].include?(new_resource.ip_version)
+    handle_policy(new_resource, "ipv6")
+  end
+end
+
+def handle_policy(new_resource, ip_version)
+  Chef::Log.debug("[#{ip_version}] setting policy for #{new_resource.chain} to #{new_resource.policy}")
+  node.set["simple_iptables"][ip_version]["policy"][new_resource.table][new_resource.chain] = new_resource.policy
   new_resource.updated_by_last_action(true)
 end
@@ -1,30 +1,39 @@
 require 'chef/mixin/shell_out'
 include Chef::Mixin::ShellOut
 
+
 action :append do
+  if [:ipv4, :both].include?(new_resource.ip_version)
+    handle_rule(new_resource, "ipv4")
+  end
+  if [:ipv6, :both].include?(new_resource.ip_version)
+    handle_rule(new_resource, "ipv6")
+  end
+end
+
+def handle_rule(new_resource, ip_version)
   if new_resource.rule.kind_of?(String)
     rules = [new_resource.rule]
   else
     rules = new_resource.rule
   end
-
-  if not node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.chain)
-    node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
+  if not node["simple_iptables"][ip_version]["chains"][new_resource.table].include?(new_resource.chain)
+    node.set["simple_iptables"][ip_version]["chains"][new_resource.table] = node["simple_iptables"][ip_version]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
     unless new_resource.chain == new_resource.direction || new_resource.direction == :none
-      node.set["simple_iptables"]["rules"][new_resource.table] << {:rule => "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}", :weight => new_resource.weight}
+      node.set["simple_iptables"][ip_version]["rules"][new_resource.table] << {:rule => "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}", :weight => new_resource.weight}
     end
   end
 
   # Then apply the rules to the node
   rules.each do |rule|
     new_rule = rule_string(new_resource, rule, false)
-    if not node["simple_iptables"]["rules"][new_resource.table].include?({:rule => new_rule, :weight => new_resource.weight})
-      node.set["simple_iptables"]["rules"][new_resource.table] << {:rule => new_rule, :weight => new_resource.weight}
-      node.set["simple_iptables"]["rules"][new_resource.table].sort! {|a,b| a[:weight] <=> b[:weight]}
+    if not node["simple_iptables"][ip_version]["rules"][new_resource.table].include?({:rule => new_rule, :weight => new_resource.weight})
+      node.set["simple_iptables"][ip_version]["rules"][new_resource.table] << {:rule => new_rule, :weight => new_resource.weight}
+      node.set["simple_iptables"][ip_version]["rules"][new_resource.table].sort! {|a,b| a[:weight] <=> b[:weight]}
       new_resource.updated_by_last_action(true)
-      Chef::Log.debug("added rule '#{new_rule}'")
+      Chef::Log.debug("[#{ip_version}] added rule '#{new_rule}'")
     else
-      Chef::Log.debug("ignoring duplicate simple_iptables_rule '#{new_rule}'")
+      Chef::Log.debug("[#{ip_version}] ignoring duplicate simple_iptables_rule '#{new_rule}'")
     end
   end
 end
 
@@ -36,10 +36,13 @@
     # Before executing the simple_iptables_* resources, reset the
     # node attributes to their defaults. This gives "action :delete"
     # semantics for free by removing a resource from a recipe.
-    node.set["simple_iptables"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
-    node.set["simple_iptables"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
-    node.set["simple_iptables"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
+    node.set["simple_iptables"]["ipv4"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+    node.set["simple_iptables"]["ipv4"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+    node.set["simple_iptables"]["ipv4"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
 
+    node.set["simple_iptables"]["ipv6"]["chains"] = {"filter" => [], "mangle" => [], "raw" => []}
+    node.set["simple_iptables"]["ipv6"]["rules"] = {"filter" => [], "mangle" => [], "raw" => []}
+    node.set["simple_iptables"]["ipv6"]["policy"] = {"filter" => {}, "mangle" => {}, "raw" => {}}
     # Then run all the simple_iptables_* resources
     run_context.resource_collection.each do |resource|
       if resource.kind_of?(Chef::Resource::SimpleIptablesRule)
@@ -58,63 +61,126 @@
 case node['platform_family']
 when 'debian'
   iptable_rules = '/etc/iptables-rules'
+  ip6table_rules = '/etc/ip6tables-rules'
 when 'rhel', 'fedora'
   iptable_rules = '/etc/sysconfig/iptables'
+  ip6table_rules = '/etc/sysconfig/ip6tables'
 end
 
-ruby_block "test-iptables" do
-  block do
-    cmd = Mixlib::ShellOut.new("iptables-restore --test < #{iptable_rules}",
-                               :user => "root")
-    cmd.run_command
-    if !Array(cmd.valid_exit_codes).include?(cmd.exitstatus)
-      msg = <<-eos
-iptables-restore exited with code #{cmd.exitstatus} while testing new rules
-STDOUT:
-#{cmd.stdout}
-STDERR:
-#{cmd.stderr}
-eos
-      match = cmd.stderr.match /line:?\s*(\d+)/
-      if match
-        line_no = match[1].to_i
-        msg << "Line #{line_no}: #{IO.readlines(iptable_rules)[line_no-1]}"
+if node["simple_iptables"]["ip_versions"].include?("ipv4")
+  ruby_block "test-iptables" do
+    block do
+      cmd = Mixlib::ShellOut.new("iptables-restore --test < #{iptable_rules}",
+                                 :user => "root")
+      cmd.run_command
+      if !Array(cmd.valid_exit_codes).include?(cmd.exitstatus)
+        msg = <<-eos
+  iptables-restore exited with code #{cmd.exitstatus} while testing new rules
+  STDOUT:
+  #{cmd.stdout}
+  STDERR:
+  #{cmd.stderr}
+  eos
+        match = cmd.stderr.match /line:?\s*(\d+)/
+        if match
+          line_no = match[1].to_i
+          msg << "Line #{line_no}: #{IO.readlines(iptable_rules)[line_no-1]}"
+        end
+        # Delete the file so that the next Chef run is forced to recreate it
+        # and retest it. Otherwise, if the rules remain unchanged, the template
+        # resource won't recreate the file, won't notify the test resource,
+        # and the Chef run will be allowed to complete successfully despite
+        # and invalid rule being present.
+        File.delete(iptable_rules)
+        raise msg
       end
-      # Delete the file so that the next Chef run is forced to recreate it
-      # and retest it. Otherwise, if the rules remain unchanged, the template
-      # resource won't recreate the file, won't notify the test resource,
-      # and the Chef run will be allowed to complete successfully despite
-      # and invalid rule being present.
-      File.delete(iptable_rules)
-      raise msg
     end
+    notifies :run, "execute[reload-iptables]"
+    action :nothing
   end
-  notifies :run, "execute[reload-iptables]"
-  action :nothing
-end
 
-execute "reload-iptables" do
-  command "iptables-restore < #{iptable_rules}"
-  user "root"
-  action :nothing
+  execute "reload-iptables" do
+    command "iptables-restore < #{iptable_rules}"
+    user "root"
+    action :nothing
+  end
+
+  template iptable_rules do
+    source "iptables-rules.erb"
+    cookbook "simple_iptables"
+    notifies :create, "ruby_block[test-iptables]"
+    action :create
+  end
 end
 
-template iptable_rules do
-  source "iptables-rules.erb"
-  cookbook "simple_iptables"
-  notifies :create, "ruby_block[test-iptables]"
-  action :create
+if node["simple_iptables"]["ip_versions"].include?("ipv6")
+  ruby_block "test-ip6tables" do
+    block do
+      cmd = Mixlib::ShellOut.new("ip6tables-restore --test < #{ip6table_rules}",
+                                 :user => "root")
+      cmd.run_command
+      if !Array(cmd.valid_exit_codes).include?(cmd.exitstatus)
+        msg = <<-eos
+  ip6tables-restore exited with code #{cmd.exitstatus} while testing new rules
+  STDOUT:
+  #{cmd.stdout}
+  STDERR:
+  #{cmd.stderr}
+  eos
+        match = cmd.stderr.match /line:?\s*(\d+)/
+        if match
+          line_no = match[1].to_i
+          msg << "Line #{line_no}: #{IO.readlines(ip6table_rules)[line_no-1]}"
+        end
+        # Delete the file so that the next Chef run is forced to recreate it
+        # and retest it. Otherwise, if the rules remain unchanged, the template
+        # resource won't recreate the file, won't notify the test resource,
+        # and the Chef run will be allowed to complete successfully despite
+        # and invalid rule being present.
+        File.delete(ip6table_rules)
+        raise msg
+      end
+    end
+    notifies :run, "execute[reload-ip6tables]"
+    action :nothing
+  end
+
+  execute "reload-ip6tables" do
+    command "ip6tables-restore < #{ip6table_rules}"
+    user "root"
+    action :nothing
+  end
+
+  template ip6table_rules do
+    source "ip6tables-rules.erb"
+    cookbook "simple_iptables"
+    notifies :create, "ruby_block[test-ip6tables]"
+    action :create
+  end
 end
 
 case node['platform_family']
 when 'debian'
 
-  # TODO: Generalize this for other platforms somehow
-  file "/etc/network/if-up.d/iptables-rules" do
-    owner "root"
-    group "root"
-    mode "0755"
-    content "#!/bin/bash\niptables-restore < #{iptable_rules}\n"
-    action :create
+  if node["simple_iptables"]["ip_versions"].include?("ipv4")
+    # TODO: Generalize this for other platforms somehow
+    file "/etc/network/if-up.d/iptables-rules" do
+      owner "root"
+      group "root"
+      mode "0755"
+      content "#!/bin/bash\niptables-restore < #{iptable_rules}\n"
+      action :create
+    end
   end
+
+  if node["simple_iptables"]["ip_versions"].include?("ipv6")
+    file "/etc/network/if-up.d/ip6tables-rules" do
+      owner "root"
+      group "root"
+      mode "0755"
+      content "#!/bin/bash\nip6tables-restore < #{ip6table_rules}\n"
+      action :create
+    end
+  end
+
 end
@@ -3,41 +3,47 @@
 
 simple_iptables_policy "INPUT" do
   policy "ACCEPT"
+  ip_version :ipv4
 end
 
 simple_iptables_rule "established" do
   chain "INPUT"
   rule "-m conntrack --ctstate ESTABLISHED,RELATED"
   jump "ACCEPT"
   weight 1
+  ip_version :ipv4
 end
 
 simple_iptables_rule "icmp" do
   chain "INPUT"
   rule "--proto icmp"
   jump "ACCEPT"
   weight 2
+  ip_version :ipv4
 end
 
 simple_iptables_rule "loopback" do
   chain "INPUT"
   rule "--in-interface lo"
   jump "ACCEPT"
   weight 3
+  ip_version :ipv4
 end
 
 simple_iptables_rule "ssh" do
   chain "INPUT"
   rule "--proto tcp --dport 22 -m conntrack --ctstate NEW"
   jump "ACCEPT"
   weight 70
+  ip_version :ipv4
 end
 
 simple_iptables_rule "reject" do
   chain "INPUT"
   rule ""
   jump "REJECT --reject-with icmp-host-prohibited"
   weight 90
+  ip_version :ipv4
 end
 
 simple_iptables_rule "reject" do
@@ -46,4 +52,5 @@
   rule ""
   jump "REJECT --reject-with icmp-host-prohibited"
   weight 90
-end
+  ip_version :ipv4
+end
@@ -3,6 +3,7 @@
 attribute :chain, :name_attribute => true, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"], :default => "INPUT"
 attribute :table, :equal_to => ["filter", "nat", "mangle", "raw"], :default => "filter"
 attribute :policy, :equal_to => ["ACCEPT", "DROP"], :required => true
+attribute :ip_version, :equal_to => [:ipv4, :ipv6, :both], :default => :ipv4
 
 
 def initialize(*args)
 
@@ -7,6 +7,7 @@
 attribute :direction, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING", :none], :default => "INPUT"
 attribute :chain_condition, :kind_of => [String]
 attribute :weight, :kind_of => Integer, :default => 50
+attribute :ip_version, :equal_to => [:ipv4, :ipv6, :both], :default => :ipv4
 
 def initialize(*args)
   super