chr4-cookbooks / iptables-ng

Cookbook to maintain iptables rules and policies on different platforms, respecting the way the OS handles these settings.
GNU General Public License v3.0
38 stars, 33 forks

IPv6 nat support #36

Closed. maniaque closed this 9 years ago

maniaque commented 9 years ago

Found in providers/rule.rb

# ipv6 doesn't support nat
next if new_resource.table == 'nat' && ip_version == 6

Well, IPv6 does support NAT, because NAT is just an address replacement. Sometimes we really need it when connecting private and public networks. Sure, there is also a sysctl for IP forwarding: net.ipv6.conf.all.forwarding

So please, remove this stupid check.

chr4 commented 9 years ago

Thanks for your report.

At the time of writing, ip6tables did not implement the nat table yet. See man iptables for details. Can you specify on which distributions and versions the nat table has been implemented and is working with ip6tables? Did you check whether the tests run through with the check disabled?

maniaque commented 9 years ago

Thanks for the reply :)

I have a working IPv6 NAT on Ubuntu 14.04 (ip6tables v1.4.21), so I'm sure it will work for 14.10 and on. I use it for DNAT and MASQUERADE targets, it works fine.

I've found the check in two files, providers/rule.rb and libraries/create_iptables_rules.rb, and commented it out; I'm sure it should pass.

In my case, I still can't make it work. I call the iptables_ng_rule LWRP, but it doesn't regenerate files in /etc/iptables.

chr4 commented 9 years ago

Just running some tests.

$ kitchen test lwrp-rule-create-default-debian-608
STDERR: ip6tables-restore v1.4.8: ip6tables-restore: unable to initialize table 'nat'
$ kitchen test lwrp-rule-create-default-ubuntu-1404
<PASS>

We should find out for which distributions nat support was introduced and then implement an attribute accordingly. I'd suggest something like node['iptables-ng']['ip6tables_nat_support'], which can default to true for recent releases.
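As an added illustration of the approach proposed above, and not code from the iptables-ng cookbook: a small Ruby rendering of rules into iptables-restore format where the IPv6 nat table is gated on a flag instead of the hard-coded "ipv6 doesn't support nat" check. The flag can come from an attribute like the proposed node['iptables-ng']['ip6tables_nat_support'] or from probing the host, which is what ip6tables_nat_supported? does by running ip6tables -t nat -L -n (the same initialisation that failed on the Debian 6 run above; it needs both kernel support, which Linux gained in 3.7, and a new enough userspace, so a probe is more reliable than a distro table). All function and constant names, and the sample rules, are constructed for this example.

```ruby
# Added example, not iptables-ng's own code. Hypothetical names throughout.
require 'open3'

# Built-in chains that iptables-restore expects to see declared per table.
BUILTIN_CHAINS = {
  'filter' => %w[INPUT FORWARD OUTPUT],
  'nat'    => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle' => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING],
}.freeze

# A rule as the cookbook's LWRP might collect it: table, chain, the rule
# specification, and which IP versions it applies to.
Rule = Struct.new(:table, :chain, :spec, :ip_versions)

# Constructed sample input; the DNAT rule is IPv6-only on purpose.
SAMPLE_RULES = [
  Rule.new('filter', 'INPUT', '-p tcp --dport 22 -j ACCEPT', [4, 6]),
  Rule.new('nat', 'POSTROUTING', '-o eth0 -j MASQUERADE', [4, 6]),
  Rule.new('nat', 'PREROUTING',
           '-p tcp --dport 80 -j DNAT --to-destination [2001:db8::10]:8080', [6]),
].freeze

# Probe whether this host's ip6tables can initialise the nat table. On hosts
# without IPv6 NAT (old kernel or old iptables) the command exits non-zero,
# e.g. "unable to initialize table 'nat'". A runner may be injected so the
# function can be exercised without shelling out (used by the tests).
def ip6tables_nat_supported?(runner = nil)
  runner ||= lambda do |*cmd|
    _out, _err, status = Open3.capture3(*cmd)
    status.success?
  end
  runner.call('ip6tables', '-t', 'nat', '-L', '-n')
rescue SystemCallError
  # ip6tables binary missing entirely: treat as unsupported.
  false
end

# Render the rules for one IP version as iptables-restore input. The only
# IPv6-specific behaviour is the nat gate, and it is driven by the flag.
# Default policies are ACCEPT here for brevity; a real cookbook would take
# them from its policy attributes.
def render_restore(rules, ip_version, ip6_nat_supported)
  selected = rules.select { |r| r.ip_versions.include?(ip_version) }
  if ip_version == 6 && !ip6_nat_supported
    selected = selected.reject { |r| r.table == 'nat' }
  end

  out = []
  selected.group_by(&:table).each do |table, table_rules|
    builtin = BUILTIN_CHAINS.fetch(table)
    out << "*#{table}"
    builtin.each { |chain| out << ":#{chain} ACCEPT [0:0]" }
    # User-defined chains are declared with a "-" policy.
    (table_rules.map(&:chain).uniq - builtin).each { |chain| out << ":#{chain} - [0:0]" }
    table_rules.each { |r| out << "-A #{r.chain} #{r.spec}" }
    out << 'COMMIT'
  end
  out.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  supported = ip6tables_nat_supported?
  puts "# ip6tables nat supported on this host: #{supported}"
  puts render_restore(SAMPLE_RULES, 6, supported)
end
```

Feeding the output to ip6tables-restore --test first is a cheap way to catch a nat table the host cannot initialise before anything is committed.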

maniaque commented 9 years ago

node['iptables-ng']['ip6tables_nat_support'] looks nice.

After working with the recipe for some time by now, I would also add some feature like 'I am the only caller of this recipe, please flush iptables (or just rm -rf /etc/iptables.d) before processing the rules'

chr4 commented 9 years ago

I'm releasing a new version with ipv6 nat support.

I still think that "purging" would not be the Chef way of doing things, as no default resource provides such an option. You are always responsible for removing e.g. your files manually. I think to do this cleanly one would need to collect all LWRP rules and attribute rules and then compile a list of things to remove.

Maybe a "purge" recipe that just runs rm -rf /etc/iptables.d would be feasible, which can be optionally included in case this behaviour is wanted?

maniaque commented 9 years ago

Thanks for the release!

Well, I think a "purge" recipe would be nice. Sometimes you could create a rule, change something and forget to remove it. So include_recipe purge would be a nice option.

chr4 commented 9 years ago

nat support released in v2.2.4. I'm still not sure about the purge recipe, as this can be easily done manually with a directory :delete resource, and it feels like it is not "the Chef way".

Closing this, if you think it is a good idea, feel free to open up an issue for the purge recipe!