From eecd196e47c92e552804a16070e2aebcba6eb46e Mon Sep 17 00:00:00 2001
From: Andrew Heald
Date: Sun, 7 Feb 2016 15:19:04 +0000
Subject: [PATCH 1/4] Allow NAT for IPv6.
---
 attributes/default.rb | 8 ++++----
 metadata.json | 2 +-
 metadata.rb | 2 +-
 recipes/default.rb | 6 +++---
 templates/default/ip6tables-rules.erb | 16 ++++++++++++++++
 5 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 28df11c..72c92b9 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1,10 +1,10 @@
 default["simple_iptables"]["ipv4"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
 default["simple_iptables"]["ipv4"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
 default["simple_iptables"]["ipv4"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
-default["simple_iptables"]["ipv6"]["rules"] = {"filter" => [], "mangle" => [], "raw" => []}
-default["simple_iptables"]["ipv6"]["chains"] = {"filter" => [], "mangle" => [], "raw" => []}
-default["simple_iptables"]["ipv6"]["policy"] = {"filter" => {}, "mangle" => {}, "raw" => {}}
+default["simple_iptables"]["ipv6"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+default["simple_iptables"]["ipv6"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+default["simple_iptables"]["ipv6"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
 default["simple_iptables"]["ipv4"]["tables"] = %w(filter nat mangle raw)
-default["simple_iptables"]["ipv6"]["tables"] = %w(filter mangle raw)
+default["simple_iptables"]["ipv6"]["tables"] = %w(filter nat mangle raw)
 default["simple_iptables"]["ip_versions"] = ["ipv4"]
diff --git a/metadata.json b/metadata.json
index 380279b..b20339b 100644
--- a/metadata.json
+++ b/metadata.json
@@ -29,5 +29,5 @@
 },
 "recipes": {
 },
- "version": "0.7.4"
+ "version": "0.7.5"
 }
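Review bot: The four-table literal `{"filter" => [], "nat" => [], "mangle" => [], "raw" => []}` is spelled out for each of the ipv6 `rules`/`chains`/`policy` lines here and again three times in the recipes/default.rb hunk of this patch, while the same table list already exists as `default["simple_iptables"]["ipv6"]["tables"]` two lines below; adding or removing a table now has to be mirrored in seven places. Deriving the hashes from the list keeps them in step, e.g. `tables = %w(filter nat mangle raw)` followed by `default["simple_iptables"]["ipv6"]["rules"] = Hash[tables.map { |t| [t, []] }]` (and `[t, {}]` for `policy`). The ipv4 context lines have the same shape and could share the local.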
diff --git a/metadata.rb b/metadata.rb
index 19b3b22..a4aa6be 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -3,7 +3,7 @@
 license "BSD"
 description "Simple LWRP and recipe for managing iptables rules"
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version "0.7.4"
+version "0.7.5"
 name "simple_iptables"
 supports "debian", ">= 6.0"
diff --git a/recipes/default.rb b/recipes/default.rb
index 089ff5e..d588be8 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -40,9 +40,9 @@
 node.set["simple_iptables"]["ipv4"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
 node.set["simple_iptables"]["ipv4"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
- node.set["simple_iptables"]["ipv6"]["chains"] = {"filter" => [], "mangle" => [], "raw" => []}
- node.set["simple_iptables"]["ipv6"]["rules"] = {"filter" => [], "mangle" => [], "raw" => []}
- node.set["simple_iptables"]["ipv6"]["policy"] = {"filter" => {}, "mangle" => {}, "raw" => {}}
+ node.set["simple_iptables"]["ipv6"]["chains"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+ node.set["simple_iptables"]["ipv6"]["rules"] = {"filter" => [], "nat" => [], "mangle" => [], "raw" => []}
+ node.set["simple_iptables"]["ipv6"]["policy"] = {"filter" => {}, "nat" => {}, "mangle" => {}, "raw" => {}}
 # Then run all the simple_iptables_* resources
 run_context.resource_collection.each do |resource|
 if resource.kind_of?(Chef::Resource::SimpleIptablesRule)
diff --git a/templates/default/ip6tables-rules.erb b/templates/default/ip6tables-rules.erb
index 9654348..6644abe 100644
--- a/templates/default/ip6tables-rules.erb
+++ b/templates/default/ip6tables-rules.erb
@@ -1,3 +1,19 @@
+<% if node["simple_iptables"]["ipv6"]["tables"].include?('nat') %>
+# This file generated by Chef. Changes will be overwritten.
+*nat
+:PREROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["PREROUTING"] || "ACCEPT" %> [0:0]<% if Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node["kernel"]["release"])[0]) > Gem::Version.new("2.6.35") -%>
+:INPUT <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["INPUT"] || "ACCEPT" %> [0:0]<% end -%>
+:OUTPUT <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["OUTPUT"] || "ACCEPT" %> [0:0]
+:POSTROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["POSTROUTING"] || "ACCEPT" %> [0:0]
+<% node["simple_iptables"]["ipv6"]["chains"]["nat"].each do |chain| -%>
+:<%= chain %> - [0:0]
+<% end -%>
+<% node["simple_iptables"]["ipv6"]["rules"]["nat"].each do |rule| -%>
+<%= rule[:rule] %>
+<% end -%>
+COMMIT
+# Completed
+<% end %>
 <% if node["simple_iptables"]["ipv6"]["tables"].include?('mangle') %>
 # This file generated by Chef. Changes will be overwritten.
 *mangle
From 0807124cc39b13e026a1c1177756e7880828bab0 Mon Sep 17 00:00:00 2001
From: Andrew Heald
Date: Mon, 8 Feb 2016 01:29:06 +0000
Subject: [PATCH 2/4] Remove conditional that isn'y needed.
---
 templates/default/ip6tables-rules.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/default/ip6tables-rules.erb b/templates/default/ip6tables-rules.erb
index 6644abe..6e40ef5 100644
--- a/templates/default/ip6tables-rules.erb
+++ b/templates/default/ip6tables-rules.erb
@@ -1,8 +1,8 @@
 <% if node["simple_iptables"]["ipv6"]["tables"].include?('nat') %>
 # This file generated by Chef. Changes will be overwritten.
 *nat
-:PREROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["PREROUTING"] || "ACCEPT" %> [0:0]<% if Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node["kernel"]["release"])[0]) > Gem::Version.new("2.6.35") -%>
-:INPUT <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["INPUT"] || "ACCEPT" %> [0:0]<% end -%>
+:PREROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["PREROUTING"] || "ACCEPT" %> [0:0]
+:INPUT <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["INPUT"] || "ACCEPT" %> [0:0]
 :OUTPUT <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["OUTPUT"] || "ACCEPT" %> [0:0]
 :POSTROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["POSTROUTING"] || "ACCEPT" %> [0:0]
 <% node["simple_iptables"]["ipv6"]["chains"]["nat"].each do |chain| -%>
From 5863d159b2d987b8203dc133b3af3275dc5ba54b Mon Sep 17 00:00:00 2001
From: Andrew Heald
Date: Mon, 8 Feb 2016 11:23:22 +0000
Subject: [PATCH 3/4] 1. Don't allow NAT rules on IPv6 on kernels older that 3.7. 2. Don't set up the IPv6 NAT table if no NAT rules are defined.
---
 providers/rule.rb | 4 ++++
 templates/default/ip6tables-rules.erb | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/providers/rule.rb b/providers/rule.rb
index 7f95d87..ec2622e 100644
--- a/providers/rule.rb
+++ b/providers/rule.rb
@@ -8,6 +8,10 @@
 updated |= handle_rule(new_resource, "ipv4")
 end
 if [:ipv6, :both].include?(new_resource.ip_version)
+ if new_resource.table == 'nat' &&
+ Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node['kernel']['release'])[0]) < Gem::Version.new('3.7')
+ raise "NAT table cannot be used with IPv6 before Kernel 3.7"
+ end
 updated |= handle_rule(new_resource, "ipv6")
 end
 new_resource.updated_by_last_action(updated)
diff --git a/templates/default/ip6tables-rules.erb b/templates/default/ip6tables-rules.erb
index 6e40ef5..55bf2c1 100644
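Review bot: With the `2.6.35` comparison removed, the template no longer records why the nat `:INPUT` chain can be emitted unconditionally for IPv6, and a later reader may be tempted to put a version gate back. The reason is that this series requires kernel 3.7 or newer for any IPv6 NAT at all, which is already past the version the removed gate tested. A one-line ERB comment on the `*nat` line would preserve that: `<%# IPv6 NAT requires kernel >= 3.7, which always provides the nat INPUT chain %>`.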
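Review bot: The version regex `/\d+(\.\d+(.\d+)?)?/` on the added comparison line leaves its third dot unescaped, so it matches any character: a release without a third numeric component, such as `3.7-1-generic` (constructed example), yields `3.7-1`, which `Gem::Version` reads as a prerelease below `3.7`, and the nat rule would be refused on a kernel that supports it. Escape it: `Gem::Version.new(/\d+(\.\d+(\.\d+)?)?/.match(node['kernel']['release'])[0])`. The same expression and the `3.7` threshold are repeated in the templates/default/ip6tables-rules.erb hunk of patch 4; a single cookbook-library helper (e.g. `ipv6_nat_supported?`) called from both the provider and the template would keep the refusal here and the `*nat` emission there from drifting apart. The bare-string `raise` produces a RuntimeError; a named error class would let wrapping recipes rescue this case specifically. The enclosing action block starts before this hunk.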
--- a/templates/default/ip6tables-rules.erb
+++ b/templates/default/ip6tables-rules.erb
@@ -1,4 +1,5 @@
-<% if node["simple_iptables"]["ipv6"]["tables"].include?('nat') %>
+<% if node["simple_iptables"]["ipv6"]["tables"].include?('nat') &&
+ node["simple_iptables"]["ipv6"]["rules"]["nat"].size > 0 %>
 # This file generated by Chef. Changes will be overwritten.
 *nat
 :PREROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["PREROUTING"] || "ACCEPT" %> [0:0]
From fb821bd3c52bf410aa09707912e681b5fe5a8f5d Mon Sep 17 00:00:00 2001
From: Andrew Heald
Date: Wed, 10 Feb 2016 21:05:38 +0000
Subject: [PATCH 4/4] Always include a NAT table when on kernel 3.7 or better.
---
 templates/default/ip6tables-rules.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/default/ip6tables-rules.erb b/templates/default/ip6tables-rules.erb
index 55bf2c1..7cfbbe3 100644
--- a/templates/default/ip6tables-rules.erb
+++ b/templates/default/ip6tables-rules.erb
@@ -1,5 +1,5 @@
 <% if node["simple_iptables"]["ipv6"]["tables"].include?('nat') &&
- node["simple_iptables"]["ipv6"]["rules"]["nat"].size > 0 %>
+ Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node['kernel']['release'])[0]) >= Gem::Version.new('3.7') %>
 # This file generated by Chef. Changes will be overwritten.
 *nat
 :PREROUTING <%= node["simple_iptables"]["ipv6"]["policy"]["nat"]["PREROUTING"] || "ACCEPT" %> [0:0]
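Review bot: The added continuation line switches to single-quoted `node['kernel']['release']` and `Gem::Version.new('3.7')` while the first half of the same condition and the rest of this template use double quotes; `node["kernel"]["release"]` and `Gem::Version.new("3.7")` would match the surrounding style. The threshold is also unexplained where it is used, so an ERB comment above the `<% if` such as `<%# ip6tables has no nat table before kernel 3.7; the rule provider refuses IPv6 nat rules on older kernels %>` would save the next reader a trip to providers/rule.rb. The `<% if` this hunk opens is closed outside the hunk.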