Merge pull request #18 from rtkmhart/mangle

Added support for mangle table and fix for chef fail in cases where _chef_lwrp_test chain is left around.

Author: rtkmparrott

README.md

@@ -70,7 +70,7 @@ Additionally, if you want to declare a module (such as log) you can define jump
       jump false
     end
 
-By default rules are added to the filter table but the nat table is also supported. For example:
+By default rules are added to the filter table but the nat and mangle tables are also supported. For example:
 
     # Tomcat redirects
     simple_iptables_rule "tomcat" do
@@ -81,6 +81,22 @@ By default rules are added to the filter table but the nat table is also support
       jump false
     end
 
+    #mangle example
+    #NOTE: set jump to false since iptables expects the -j MARK --set-mark in that order
+    simple_iptables_rule "mangle" do
+      table "mangle"
+      direction "PREROUTING"
+      jump false
+      rule "-i eth0 -j MARK --set-mark 0x6
+    end
+
+    #reject all outbound connections attempts to 10/8 on a dual-homed host
+    simple_iptables_rule "reset_10slash8_outbound" do
+      direction "OUTPUT"
+      jump false
+      rule "-p tcp -o eth0 -d 10/8 --jump REJECT --reject-with tcp-reset"
+    end
+
 `simple_iptables_policy` Resource
 ---------------------------------
 
@@ -229,6 +245,9 @@ Which results in the following iptables configuration:
 Changes
 =======
 
+* 0.4.0 (May 9, 2013)
+    * Added support for mangle table (#? - Michael Hart)
+    * Updated Gemfile to 11.4.4 (#? - Michael Hart)
 * 0.3.0 (March 5, 2013)
     * Added support for nat table (#10 - Nathan Mische)
     * Updated Gemfile for Travis-CI integration (#10 - Nathan Mische)

attributes/default.rb

@@ -1,6 +1,9 @@
 default["simple_iptables"]["rules"]["filter"] = []
 default["simple_iptables"]["rules"]["nat"] = []
+default["simple_iptables"]["rules"]["mangle"] = []
 default["simple_iptables"]["chains"]["filter"] = []
 default["simple_iptables"]["chains"]["nat"] = []
+default["simple_iptables"]["chains"]["mangle"] = []
 default["simple_iptables"]["policy"]["filter"] = {}
 default["simple_iptables"]["policy"]["nat"] = {}
+default["simple_iptables"]["policy"]["mangle"] = {}

providers/rule.rb

@@ -29,6 +29,10 @@
 end
 
 def test_rules(new_resource, rules)
+  #always flush and remove first in case the previous run left it lying around. Ignore any return values.
+  shell_out("iptables --table #{new_resource.table} --flush _chef_lwrp_test")
+  shell_out("iptables --table #{new_resource.table} --delete-chain _chef_lwrp_test")
+  #create the test chain
   shell_out!("iptables --table #{new_resource.table} --new-chain _chef_lwrp_test")
   begin
     rules.each do |rule|

resources/policy.rb

@@ -1,7 +1,7 @@
 actions :set
 
 attribute :chain, :name_attribute => true, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"], :default => "INPUT"
-attribute :table, :equal_to => ["filter", "nat"], :default => "filter"
+attribute :table, :equal_to => ["filter", "nat", "mangle"], :default => "filter"
 attribute :policy, :equal_to => ["ACCEPT", "DROP"], :required => true
 
 

resources/rule.rb

@@ -1,7 +1,7 @@
 actions :append
 
 attribute :chain, :name_attribute => true, :kind_of => String
-attribute :table, :equal_to => ["filter", "nat"], :default => "filter"
+attribute :table, :equal_to => ["filter", "nat", "mangle"], :default => "filter"
 attribute :rule, :kind_of => [String, Array], :required => true
 attribute :jump, :kind_of => [String, FalseClass], :default => "ACCEPT"
 attribute :direction, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"], :default => "INPUT"

templates/default/iptables-rules.erb

@@ -13,6 +13,21 @@
 COMMIT
 # Completed
 # This file generated by Chef. Changes will be overwritten.
+*mangle
+:PREROUTING <%= node["simple_iptables"]["policy"]["mangle"]["PREROUTING"] || "ACCEPT" %> [0:0]<% if Gem::Version.new(/\d+\.\d+.\d+/.match(node["kernel"]["release"])[0]) > Gem::Version.new("2.6.35") -%>
+:INPUT <%= node["simple_iptables"]["policy"]["mangle"]["INPUT"] || "ACCEPT" %> [0:0]<% end -%>
+:FORWARD <%= node["simple_iptables"]["policy"]["mangle"]["FORWARD"] || "ACCEPT" %> [0:0]
+:OUTPUT <%= node["simple_iptables"]["policy"]["mangle"]["OUTPUT"] || "ACCEPT" %> [0:0]
+:POSTROUTING <%= node["simple_iptables"]["policy"]["mangle"]["POSTROUTING"] || "ACCEPT" %> [0:0]
+<% node["simple_iptables"]["chains"]["mangle"].each do |chain| -%>
+:<%= chain %> - [0:0]
+<% end -%>
+<% node["simple_iptables"]["rules"]["mangle"].each do |rule| -%>
+<%= rule %>
+<% end -%>
+COMMIT
+# Completed
+# This file generated by Chef. Changes will be overwritten.
 *filter
 :INPUT <%= node["simple_iptables"]["policy"]["filter"]["INPUT"] || "ACCEPT" %> [0:0]
 :FORWARD <%= node["simple_iptables"]["policy"]["filter"]["FORWARD"] || "ACCEPT" %> [0:0]

test/support/Gemfile

@@ -1,5 +1,5 @@
 source "https://rubygems.org"
 
-gem 'chef', '~> 11.4.0'
+gem 'chef', '~> 11.4.4'
 gem 'foodcritic', :platforms => :ruby_19
 gem 'rake'