Add chain_condition attribute to simple_iptables_rule

Defining a `simple_iptables_rule` resource actually creates a new chain with the name of the resource and a jump to the chain from the chain specified in the `direction` attribute. By default, the jump is unconditional. Introduce a `chain_condition` attribute to be able to make the jump conditional. For example: simple_iptables_rule "management_interface" do direction "INPUT" chain_condition "-i eth1" rule [ "-p tcp --dport 80", "-p tcp --dport 443" ] jump "ACCEPT" end The rules specified under the `rule` attribute will only be evaluate for packets for which the rule in `chain_condition` holds.
rtkwlf · Jul 20, 2014 · a2581e0 · a2581e0
1 parent 9362068
commit a2581e0
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -102,21 +102,21 @@ By default rules are added to the chain, in the order in which its occur in the
 You may use the weight parameter for control the order of the rules in chains. For example:
 
     simple_iptables_rule "reject" do
-      chain "INPUT"
+      direction "INPUT"
       rule ""
       jump "REJECT --reject-with icmp-host-prohibited"
       weight 90
     end
 
     simple_iptables_rule "established" do
-      chain "INPUT"
+      direction "INPUT"
       rule "-m conntrack --ctstate ESTABLISHED,RELATED"
       jump "ACCEPT"
       weight 1
     end
 
     simple_iptables_rule "icmp" do
-      chain "INPUT"
+      direction "INPUT"
       rule "--proto icmp"
       jump "ACCEPT"
       weight 2
@@ -128,6 +128,21 @@ This would generate the rules:
     -A INPUT --jump ACCEPT --proto icmp
     -A INPUT --jump REJECT --reject-with icmp-host-prohibited
 
+Defining a `simple_iptables_rule` resource actually creates a new chain with the name of
+the resource and a jump to the chain from the chain specified in the `direction` attribute.
+By default, the jump is unconditional. However, the `chain_condition` attribute can be
+specified to make the jump conditional. For example:
+
+    simple_iptables_rule "management_interface" do
+      direction "INPUT"
+      chain_condition "-i eth1"
+      rule [ "-p tcp --dport 80", "-p tcp --dport 443" ]
+      jump "ACCEPT"
+    end
+
+The rules specified under the `rule` attribute will only be evaluate for packets for which
+the rule in `chain_condition` holds.
+
 
 `simple_iptables_policy` Resource
 ---------------------------------

diff --git a/providers/rule.rb b/providers/rule.rb
@@ -11,7 +11,7 @@
   if not node["simple_iptables"]["chains"][new_resource.table].include?(new_resource.chain)
     node.set["simple_iptables"]["chains"][new_resource.table] = node["simple_iptables"]["chains"][new_resource.table].dup << new_resource.chain unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
     unless new_resource.chain == new_resource.direction
-      node.set["simple_iptables"]["rules"][new_resource.table] << {:rule => "-A #{new_resource.direction} --jump #{new_resource.chain}", :weight => new_resource.weight}
+      node.set["simple_iptables"]["rules"][new_resource.table] << {:rule => "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}", :weight => new_resource.weight}
     end
   end
 

diff --git a/resources/rule.rb b/resources/rule.rb
@@ -5,6 +5,7 @@
 attribute :rule, :kind_of => [String, Array], :required => true
 attribute :jump, :kind_of => [String, FalseClass], :default => "ACCEPT"
 attribute :direction, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"], :default => "INPUT"
+attribute :chain_condition, :kind_of => [String]
 attribute :weight, :kind_of => Integer, :default => 50
 
 def initialize(*args)