[Thincrust-devel] Re: [PATCH ace] add FORWARD chain and in_interface options

Joey Boggs jboggs at redhat.com
Wed Feb 18 02:41:05 UTC 2009


I'd like to get this into ace ASAP to support nat for ovirt nodes. Let me know if you need anything from me. I've attached an example to help with testing.

------------------------------
import 'firewall'
firewall::setup { 'setup':
    status => 'enabled'
}

# Forward traffic arriving on the ovirt bridge out through wlan0. An empty
# protocol means the generated rule carries no -p match (see the output below).
firewall_rule { "nat-1": chain => "FORWARD", in_interface => "ovirtbr0",
    out_interface => "wlan0", protocol => "" }
# Masquerade everything leaving eth0 (nat table, POSTROUTING chain).
firewall_rule { "nat-2": table => "nat", chain => "POSTROUTING",
    out_interface => "eth0", protocol => "", action => "MASQUERADE" }
# INPUT accept for ssh on tcp/22; chain, table and action keep the defaults.
firewall_rule { "ssh": destination_port => "22" }
------------------------------


# Generated by iptables-save v1.4.1.1 on Tue Feb 17 20:57:15 2009
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1202:80855]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 17 20:57:15 2009
# Generated by iptables-save v1.4.1.1 on Tue Feb 17 20:57:15 2009
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138851:101321182]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "[IPTABLES] INPUT : "
-A FORWARD -i ovirtbr0 -o wlan0 -j ACCEPT
COMMIT
# Completed on Tue Feb 17 20:57:15 2009
Joey Boggs wrote:
> The FORWARD chain and in_interface options of iptables are required to support nat
>
> ---
>  modules/firewall/manifests/firewall.pp |    5 +++--
>  modules/firewall/templates/rule.erb    |    3 +++
>  2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/modules/firewall/manifests/firewall.pp b/modules/firewall/manifests/firewall.pp
> index 2b03cc0..51a8ca2 100644
> --- a/modules/firewall/manifests/firewall.pp
> +++ b/modules/firewall/manifests/firewall.pp
> @@ -41,7 +41,7 @@ class firewall {
>          notify          => Exec["reload-firewall"],
>      }
>  
> -    file { [ "$firewall_dir/filter/INPUT", "$firewall_dir/filter/OUTPUT" ]:
> +    file { [ "$firewall_dir/filter/INPUT", "$firewall_dir/filter/OUTPUT", "$firewall_dir/filter/FORWARD" ]:
>          ensure          => directory,
>          mode            => 0755,
>          require         => File["${firewall_dir}/filter"],
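Review bot: the new FORWARD directory gets rule files written into it, but nothing in this patch sets a policy for the FORWARD chain, and the iptables-save output in this message shows `:FORWARD ACCEPT [0:0]`. Under an accept-all policy the `-A FORWARD -i ovirtbr0 -o wlan0 -j ACCEPT` rule changes nothing, and with forwarding enabled the kernel will also forward in the other direction, wlan0 onto ovirtbr0. INPUT in the same output is handled as `:INPUT DROP` plus `-m state --state RELATED,ESTABLISHED -j ACCEPT`; give FORWARD the same treatment where its directory is created, or document that the chain is deliberately left open.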
> @@ -141,7 +141,8 @@ define firewall_rule (
>      $destination = '',
>      $action = 'ACCEPT',
>      $table = 'filter',
> -    $out_interface = ''
> +    $out_interface = '',
> +    $in_interface = ''
>      ) {
>      file { "/usr/share/firewall/${table}/${chain}/${name}":
>          owner           => root,
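Review bot: `$in_interface` is interpolated into the rule file with no validation, like `$out_interface` before it, so a value containing whitespace turns into extra tokens in the generated iptables rule; fail the catalog if it does not match a simple interface-name pattern (letters, digits, `.`, `_`, `-`, `:`) before the file resource. Separately, the resource title `"/usr/share/firewall/${table}/${chain}/${name}"` in this hunk's context hardcodes the path that the first hunk builds from `$firewall_dir`; use the variable here too so a changed `$firewall_dir` keeps the chain directories and the rule files together.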
> diff --git a/modules/firewall/templates/rule.erb b/modules/firewall/templates/rule.erb
> index 75b06df..6a480c8 100644
> --- a/modules/firewall/templates/rule.erb
> +++ b/modules/firewall/templates/rule.erb
> @@ -21,6 +21,9 @@
>  --source-port <%= source_port + " " -%>
>  <% end -%>
>  <% end -%>
> +<% unless in_interface.empty? -%>
> +--in-interface <%= in_interface %> <%= " " -%>
> +<% end -%>
>  <% unless out_interface.empty? -%>
>  --out-interface <%= out_interface %> <%= " " -%>
>  <% end -%>
>   
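Review bot: `--in-interface <%= in_interface %> <%= " " -%>` emits two spaces after the value (the literal space before `<%=` plus the `" "` expression), copying the quirk of the `--out-interface` line below it, while the `--source-port <%= source_port + " " -%>` line above shows the single-space form; iptables does not mind, but pick one style for the new line. The value is also emitted unquoted, so the template relies on the define to reject interface names containing whitespace.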




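The iptables-save output Joey posted is what a reviewer should read before merging FORWARD support: `:FORWARD ACCEPT`, no RELATED,ESTABLISHED rule in FORWARD, and a MASQUERADE on eth0 while the FORWARD rule sends traffic out wlan0. The following Python script is an added example, not code from ace, from the thread or from its author; it parses any dump in iptables-save format and flags those three points. Both dumps embedded in it are constructed (the first copied from the output above, the second a hypothetical tightened version of the same setup), and `parse()`, `opt()` and `check()` are names chosen for this example.

```python
"""Sanity checks for a NAT/forwarding ruleset in iptables-save format.

Added example, not code from the ace firewall module or from this thread.
Reports what a reviewer looks for once a host forwards for guests: the
FORWARD chain policy, a RELATED,ESTABLISHED rule for return traffic, and
whether every out-interface FORWARD accepts is also covered by MASQUERADE.
"""
import shlex

# Constructed sample: the nat and filter tables from the post above.
SAMPLE_POSTED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [1202:80855]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138851:101321182]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "[IPTABLES] INPUT : "
-A FORWARD -i ovirtbr0 -o wlan0 -j ACCEPT
COMMIT
"""

# Constructed (hypothetical) tightened version: FORWARD closed by default,
# return traffic allowed explicitly, masquerade on the interface FORWARD uses.
SAMPLE_TIGHTENED = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ovirtbr0 -o wlan0 -j ACCEPT
COMMIT
"""


def parse(dump):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, argv)]}}."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)  # keeps quoted --log-prefix values intact
            tables[table]["rules"].append((argv[1], argv[2:]))
    return tables


def opt(argv, *flags):
    """Value following the first of `flags` in an iptables argument list."""
    for i, tok in enumerate(argv[:-1]):
        if tok in flags:
            return argv[i + 1]
    return None


def check(dump):
    """Return a list of findings; empty when the forwarding setup looks sane."""
    tables = parse(dump)
    empty = {"policy": {}, "rules": []}
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    findings = []

    policy = filt["policy"].get("FORWARD")
    if policy != "DROP":
        findings.append("FORWARD policy is %s: explicit FORWARD ACCEPT rules add "
                        "nothing and every interface may forward to every other" % policy)

    forward = [argv for chain, argv in filt["rules"] if chain == "FORWARD"]
    if not any("ESTABLISHED" in (opt(argv, "--state", "--ctstate") or "")
               for argv in forward):
        findings.append("no RELATED,ESTABLISHED rule in FORWARD: return traffic "
                        "is only allowed if the chain policy allows it")

    masq = {opt(argv, "-o", "--out-interface") for chain, argv in nat["rules"]
            if chain == "POSTROUTING" and opt(argv, "-j") == "MASQUERADE"}
    for argv in forward:
        out = opt(argv, "-o", "--out-interface")
        if opt(argv, "-j") == "ACCEPT" and out and out not in masq:
            findings.append("FORWARD accepts traffic out %s but MASQUERADE covers %s: "
                            "packets leave %s with their private source address"
                            % (out, sorted(masq) or "nothing", out))
    return findings


if __name__ == "__main__":
    for name, dump in (("posted", SAMPLE_POSTED), ("tightened", SAMPLE_TIGHTENED)):
        print("%s: %d finding(s)" % (name, len(check(dump))))
        for finding in check(dump):
            print("  -", finding)
```

Run it against a live box with `iptables-save | python3 check_forward.py` after replacing the sample with `sys.stdin.read()`; the posted dump yields three findings and the tightened one none. The interface-coverage check only compares names, so a MASQUERADE rule without `-o` is reported as covering nothing, which is the conservative reading.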
More information about the Thincrust-devel mailing list