Closed pduersteler closed 8 years ago
This is because you are using iptables attribute set and these attributes are added. Create another attribute set like default['iptables']['rules'] and iterate over that. That should solve this issue.
Closing this as it's over 6 months old now and seems not to be a bug.
I've run into a similar issue. My recipe file has:

```ruby
iptables_rule 'vpn_forward' do
  lines '-I FORWARD -j ACCEPT'
end
```
The file is created with correct content in /etc/iptables.d/vpn_forward. The error is about a -t option:

```
sudo rebuild-iptables
iptables-restore v1.6.0: The -t option (seen in line 7) cannot be used in iptables-restore.
Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
cp: cannot create regular file '/etc/sysconfig/iptables': No such file or directory
```
The issue and solution are addressed here:
http://stackoverflow.com/questions/35272615/the-t-option-cannot-be-used-in-iptables-restore
The solution in the context of this cookbook is to use a template such as:

```erb
*nat
# Redirect VPN traffic
-A POSTROUTING -s <%= node['openvpn']['subnet'] %>/<%= node['openvpn']['netmask'] %> -o <%= node['network']['default_interface'] %> -j MASQUERADE
```
Hope this helps someone.
A possible improvement/enhancement is for the `lines` method to do some validity checks before writing the iptables snippet. However, down this path you're likely to descend into regexp hell....
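As an added example (not the cookbook's own rebuild-iptables script), here is a small Ruby rebuild step that does the validity check suggested above: it merges `lines` snippets into the `*table ... COMMIT` layout iptables-restore expects, moves a `-t TABLE` prefix into the matching section instead of passing it through, and rejects lines that are not restore-format rules. The table list, sample rules and subnet are constructed for the example.

```ruby
# Added example, not the cookbook's rebuild-iptables: merge iptables_rule
# snippets into the layout iptables-restore accepts. A "-t TABLE" prefix is
# moved into a "*TABLE ... COMMIT" section instead of being passed through.
TABLES = %w[filter nat mangle raw security].freeze

class RuleFormatError < StandardError; end

# Parse one snippet (the string given to `lines`) into { table => [lines] }.
# Accepts bare rules, "-t TABLE" rules, ":CHAIN POLICY" lines and whole blocks.
def parse_snippet(text)
  rules = Hash.new { |h, k| h[k] = [] }
  table = 'filter'
  text.each_line.with_index(1) do |raw, n|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line.start_with?('*')
      table = line[1..-1]
      raise RuleFormatError, "line #{n}: unknown table '#{table}'" unless TABLES.include?(table)
    elsif line == 'COMMIT'
      table = 'filter'
    elsif (m = line.match(/\A-t\s+(\S+)\s+(\S.*)\z/))
      # iptables-restore rejects -t: route the rule into that table's section
      raise RuleFormatError, "line #{n}: unknown table '#{m[1]}'" unless TABLES.include?(m[1])
      rules[m[1]] << m[2]
    elsif line.start_with?('-', ':')
      rules[table] << line
    else
      raise RuleFormatError, "line #{n}: not an iptables-restore line: #{line}"
    end
  end
  rules
end

# Emit one "*table" header, its lines and COMMIT for every table with content.
def render_restore(rules)
  TABLES.select { |t| rules.key?(t) && !rules[t].empty? }
        .map { |t| "*#{t}\n#{rules[t].join("\n")}\nCOMMIT\n" }.join
end

def rebuild(snippets)
  merged = Hash.new { |h, k| h[k] = [] }
  snippets.each { |s| parse_snippet(s).each { |t, lines| merged[t].concat(lines) } }
  render_restore(merged)
end

# Constructed snippets in the three shapes seen in this thread (subnet is made up).
SAMPLE_SNIPPETS = [
  "-I FORWARD -j ACCEPT\n",
  "-t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\n",
  "*nat\n# Redirect web traffic\n-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080\nCOMMIT\n"
].freeze
```

`rebuild(SAMPLE_SNIPPETS)` yields a `*filter` section with the FORWARD rule followed by one `*nat` section holding both NAT rules, each closed by `COMMIT`.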
This issue is also affecting me. The cause is that Ubuntu does not use /etc/sysconfig, and my tests fail in Ubuntu 14.04 for this reason. The correct location would be /etc/network. The previous iteration of this script created an /etc/iptables directory for this purpose, which would also work.
@lamont-granquist is this worth re-opening?
I don't see how @dpnsan's comment relates to the other error messages here or how it relates to the refactoring of the iptables cookbook in https://github.com/chef-cookbooks/iptables/commit/d8b00099b143702ac2c9534cfb95acca609444c7, which seems to still leave the /etc/iptables/general file in place, so I can't see how that broke anything.
At this point it would be better to open a PR to show me rather than tell me, because IDK what to fix here.
I'm having the same issue on Debian 7 (Test Kitchen). I tried the recommended rule on README:

```ruby
iptables_rule 'http_8080' do
  lines '-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080'
end
```

then manually ran this command to load it:

```
/sbin/iptables-restore < /etc/iptables/general
```

which failed on line 7 (COMMIT). It seems the file /etc/iptables/general is written in an incorrect format.
I used a template and it works fine.
Cookbook version
Current master branch at 32bbecd

Chef-client version
Chef: 12.10.24

Platform Details
Developing on OS X, client runs Debian GNU/Linux 8.4 (jessie)

Scenario:
Rules are not applied to iptables. The rule files are put in /etc/iptables.d/, but are not being loaded due to an error thrown by rebuild-iptables.

Steps to Reproduce:
1. Add `depends 'iptables'` to metadata.rb
2. `iptables_rule 'http_80' { lines '-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' }`
3. `kitchen converge`
4. `iptables -L`
5. `rebuild-iptables` to try
6. `iptables -L`

Expected Result:
`iptables -L` should display rules, and manually running `rebuild-iptables` should not throw an error.

Actual Result:
When running `rebuild-iptables`, the following error message is displayed:

Also, there is no /etc/sysconfig on jessie.