chef-cookbooks / iptables

Development repository for Chef Cookbook iptables
https://supermarket.chef.io/cookbooks/iptables
Apache License 2.0
102 stars 141 forks

WIP:Allow creating rules without specifying exact line numbers #132

Closed jgitlin-p21 closed 3 years ago

jgitlin-p21 commented 3 years ago

Description

Adds a feature whereby iptables_rules can be added without specifying the exact line number and they will be placed at the next available line, i.e. at the end of the current rules. This makes it easier when you just want to specify the rules in order, from multiple recipes in the run-list.

Issues Resolved

Check List

jgitlin-p21 commented 3 years ago

This is a work-in-progress: I am soliciting feedback to see if we want this upstream. I have been using the above code for months and plan to continue to.

I will add tests and instructions in the README, if this change is something the community wants. Just let me know. Thanks!

bmhughes commented 3 years ago

I'm probably completely missing the point here but I just can't grasp the use case for this?

line_number isn't a required property and the default behaviour is to push onto the end of the array, which is the same thing? I can only sort of see this being a thing when adding and deleting rules during the chef run, which seems a bit of a contrived use case.

jgitlin-p21 commented 3 years ago

Hmmm. This was a change I made almost a year ago and honestly, looking at the code now, I forget why simply omitting line_number was a problem because, as you said @bmhughes, it looks optional and the default behaviour is to push at the end.

I think the point was to allow one recipe to set up a default set of rules with final "block" rules, and allow later recipes to insert into the middle of the chain? E.g.:

cookbooks/general/recipes/iptables.rb:

iptables_rule 'Permit established connections' do
  table :filter
  chain :INPUT
  line_number 1                                      # always first in the chain
  ip_version :ipv4
  extra_options '-m state --state RELATED,ESTABLISHED'
  jump 'ACCEPT'
end

and then in cookbooks/application_server/iptables.rb:

iptables_rule 'Permit SSH' do
  table :filter
  chain :INPUT
  line_number :next                                  # proposed: append after the rules defined so far
  ip_version :ipv4
  protocol :tcp
  extra_options '-m state --state NEW -m tcp --dport 22'
  jump 'ACCEPT'
end

That's the pattern I was using, but I'm also including the "shared" rules at the very bottom of the run-list, so I don't even know why I (thought I) needed to build this feature...

Let me refactor my local cookbooks to stop using this, and if everything still works as I need it to then this was simply an unnecessary change. That may remind me of a use case that I've now forgotten.
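The ordering question in the thread (does `:next` differ from omitting `line_number`, and why does run-list position matter?) is easiest to see with a small model. The Ruby below is an added example, not code from the iptables cookbook or from this PR. It assumes the chain is an Array, that omitting `line_number` appends, that an Integer `line_number` inserts at that 1-based position (clamped to the end), and that the proposed `:next` is treated as "append". The `dead_rules` check is the practitioner's concern here: anything placed after a catch-all DROP/REJECT is unreachable, which is exactly what happens when the shared "block" rules run before the application recipes.

```ruby
# Added example (not the iptables cookbook's code): a toy model of how a
# chain assembled by several recipes ends up ordered. Assumptions: a chain
# is an Array; nil line_number appends; an Integer line_number inserts at
# that 1-based position (clamped to the end); the hypothetical :next value
# behaves exactly like nil, i.e. append.

Rule = Struct.new(:name, :jump)

class Chain
  attr_reader :rules

  def initialize
    @rules = []
  end

  # Mirrors the resource properties used in the thread: name, jump, line_number.
  def add(name, jump:, line_number: nil)
    rule = Rule.new(name, jump)
    case line_number
    when nil, :next
      @rules << rule                      # default behaviour: push onto the end
    when Integer
      raise ArgumentError, 'line_number must be >= 1' unless line_number >= 1
      @rules.insert([line_number - 1, @rules.length].min, rule)
    else
      raise ArgumentError, "unsupported line_number #{line_number.inspect}"
    end
    self
  end

  def order
    @rules.map(&:name)
  end

  # Rules after the first DROP/REJECT can never match: the chain is walked
  # top to bottom and a terminal target ends evaluation. (Assumes that first
  # DROP/REJECT is a catch-all with no match criteria, as in a final "block" rule.)
  def dead_rules
    cutoff = @rules.index { |r| %w[DROP REJECT].include?(r.jump) }
    return [] if cutoff.nil?
    @rules[(cutoff + 1)..].map(&:name)
  end
end

# Shared recipe: established connections first, catch-all drop last.
def apply_shared(chain)
  chain.add('Permit established connections', jump: 'ACCEPT', line_number: 1)
  chain.add('Drop everything else', jump: 'DROP')
end

# Application recipe: adds its rule with the PR's :next by default.
def apply_app(chain, line_number: :next)
  chain.add('Permit SSH', jump: 'ACCEPT', line_number: line_number)
end

# Shared cookbook early in the run-list: the SSH rule lands after the DROP.
def build_shared_first
  chain = Chain.new
  apply_shared(chain)
  apply_app(chain)
  chain
end

# Shared cookbook last in the run-list (what the PR author ended up doing):
# line_number 1 still puts "established" first and the DROP stays last.
def build_shared_last
  chain = Chain.new
  apply_app(chain)
  apply_shared(chain)
  chain
end

# :next and an omitted line_number produce the same chain, as bmhughes notes.
def next_equals_default?
  a = Chain.new
  b = Chain.new
  apply_shared(a)
  apply_app(a, line_number: :next)
  apply_shared(b)
  apply_app(b, line_number: nil)
  a.order == b.order
end

if __FILE__ == $PROGRAM_NAME
  puts "shared first: #{build_shared_first.order.inspect} dead: #{build_shared_first.dead_rules.inspect}"
  puts "shared last:  #{build_shared_last.order.inspect} dead: #{build_shared_last.dead_rules.inspect}"
  puts ":next same as default? #{next_equals_default?}"
end
```

The model shows why the feature turned out unnecessary: `:next` and no `line_number` are the same append, so the only thing that decides whether "Permit SSH" is reachable is whether the catch-all DROP was added before or after it, which is a run-list ordering question, not a property of the resource.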