chr4-cookbooks / iptables-ng

Cookbook to maintain iptables rules and policies on different platforms, respecting the way the OS handles these settings.
GNU General Public License v3.0
38 stars, 32 forks

Creating NAT/FORWARD chains does not create the directory using iptables_ng_chain #67

Closed ramereth closed 7 years ago

ramereth commented 7 years ago

I've been working on updating our wrapper cookbook to use the latest version of this cookbook and I've run into an issue that only seems to affect chains that use tables other than filter.

Here's the code I'm using:

iptables_ng_chain 'nat_postrouting' do
  chain 'POSTROUTING'
  table 'nat'
end

iptables_ng_rule 'accept_nat_postrouting' do
  ip_version 4
  chain 'POSTROUTING'
  table 'nat'
  rule '--jump nat_postrouting'
end

When I run it in test kitchen I get the following:

* iptables_ng_chain[nat_postrouting] action create (up to date) 
* file[/etc/iptables.d/nat/POSTROUTING/default-1489515155-1884] action create (up to date) 
* iptables_ng_rule[accept_nat_postrouting] action create (up to date) 
* file[/etc/iptables.d/nat/POSTROUTING/accept_nat_postrouting.rule_v4] action create (up to date) 
* iptables_ng_rule[accept_nat_forward] action create (up to date) 
* file[/etc/iptables.d/nat/nat_postrouting/nat_postrouting.rule_v4] action create
  * Parent directory /etc/iptables.d/nat/nat_postrouting does not exist.
  ================================================================================
  Error executing action `create` on resource 'file[/etc/iptables.d/nat/nat_postrouting/nat_postrouting.rule_v4]'
  ================================================================================

  Chef::Exceptions::EnclosingDirectoryDoesNotExist
  ------------------------------------------------
  Parent directory /etc/iptables.d/nat/nat_postrouting does not exist.

  Resource Declaration:
  ---------------------
  # In /tmp/kitchen/cache/cookbooks/iptables-ng/providers/rule.rb

   44:     r = file new_resource.path_for_ip_version(ip_version) do
   45:       owner    'root'   
   46:       group    node['root_group']
   47:       mode     0o600    
   48:       content  rule_file
   49:       notifies :create, 'ruby_block[create_rules]', :delayed 
   50:       notifies :create, 'ruby_block[restart_iptables]', :delayed 
   51:       action   exec_action
   52:     end
   53: 

  Compiled Resource:
  ------------------
  # Declared in /tmp/kitchen/cache/cookbooks/iptables-ng/providers/rule.rb:44:in `block in edit_rule'

  file("/etc/iptables.d/nat/nat_postrouting/nat_postrouting.rule_v4") do
    action [:create]
    retries 0
    retry_delay 2
    default_guard_interpreter :default 
    declared_type :file
    cookbook_name "firewall"
    path "/etc/iptables.d/nat/nat_postrouting/nat_postrouting.rule_v4"
    owner "root"
    group "root"
    mode 384 
    content "--append nat_postrouting -o eth0 -j MASQUERADE\n--append nat_postrouting -o eth1 -j MASQUERADE\n"
  end

I've tried looking around to see what might be causing it, but I suspect it might be a bug with the new version. I've confirmed this also affects FORWARD chains, but I haven't looked at the other tables since we don't use them. When I run ChefSpec, everything passes, which makes me think it's a bug with this cookbook.

Can you please let me know what might be causing it?

Thanks!

chr4 commented 7 years ago

I think the problem is the following: chain is the name_attribute in iptables_ng_chain. Therefore, nat_postrouting gets overwritten by POSTROUTING. Check whether the following works:

iptables_ng_chain 'nat_postrouting' do
  table 'nat'
end
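As an added illustration of the name_attribute behaviour described above (this is example code written for this page, not code from the iptables-ng cookbook), the following Ruby models a chain resource whose `chain` attribute defaults to the resource name and a rule resource whose file path is derived from its chain. `ChainResource`, `RuleResource`, `orphaned_rule_paths` and the `/etc/iptables.d` base directory are assumptions modelled on the DSL and paths visible in the issue; the MASQUERADE rule is constructed from the compiled resource content in the error output. Running it shows the original declaration producing the `POSTROUTING` directory and the rule file being orphaned, while the suggested fix makes the directories line up.

```ruby
# Added example, not code from the iptables-ng cookbook: a small model of Chef's
# name_attribute behaviour, showing why `chain 'POSTROUTING'` inside
# iptables_ng_chain 'nat_postrouting' creates /etc/iptables.d/nat/POSTROUTING
# instead of /etc/iptables.d/nat/nat_postrouting.

IPTABLES_DIR = '/etc/iptables.d' # base directory as seen in the issue's Chef output

# Stand-in for iptables_ng_chain (hypothetical, mirrors the LWRP DSL): the
# resource name seeds `chain`, and a `chain` call in the block overwrites it.
class ChainResource
  def initialize(name, &block)
    @chain = name       # name_attribute: chain defaults to the resource name
    @table = 'filter'   # default table
    instance_eval(&block) if block
  end

  # LWRP-style accessors: no argument reads, an argument writes
  def chain(value = nil)
    value.nil? ? @chain : (@chain = value)
  end

  def table(value = nil)
    value.nil? ? @table : (@table = value)
  end

  # directory the chain resource would create
  def directory
    File.join(IPTABLES_DIR, @table, @chain)
  end
end

# Stand-in for iptables_ng_rule (hypothetical): a rule file lives under the
# directory of the chain it is attached to.
class RuleResource
  def initialize(name, &block)
    @name = name
    @chain = nil
    @table = 'filter'
    @ip_version = 4
    @rule = nil
    instance_eval(&block) if block
  end

  def chain(value = nil); value.nil? ? @chain : (@chain = value); end
  def table(value = nil); value.nil? ? @table : (@table = value); end
  def ip_version(value = nil); value.nil? ? @ip_version : (@ip_version = value); end
  def rule(value = nil); value.nil? ? @rule : (@rule = value); end

  def path
    File.join(IPTABLES_DIR, @table, @chain, "#{@name}.rule_v#{@ip_version}")
  end
end

# Pre-flight check: every rule file's parent directory must be created by some
# chain resource, otherwise Chef raises EnclosingDirectoryDoesNotExist at converge.
def orphaned_rule_paths(chains, rules)
  created = chains.map(&:directory)
  rules.map(&:path).reject { |p| created.include?(File.dirname(p)) }
end

# The reporter's original declaration: `chain 'POSTROUTING'` replaces the name.
BROKEN_CHAIN = ChainResource.new('nat_postrouting') do
  chain 'POSTROUTING'
  table 'nat'
end

# The fix suggested in the thread: let the resource name be the chain name.
FIXED_CHAIN = ChainResource.new('nat_postrouting') do
  table 'nat'
end

# Rule appended to the custom chain (constructed from the compiled resource
# content shown in the error output).
MASQ_RULE = RuleResource.new('nat_postrouting') do
  ip_version 4
  chain 'nat_postrouting'
  table 'nat'
  rule '-o eth0 -j MASQUERADE'
end

if __FILE__ == $PROGRAM_NAME
  puts "broken chain dir:  #{BROKEN_CHAIN.directory}"
  puts "fixed chain dir:   #{FIXED_CHAIN.directory}"
  puts "orphaned (broken): #{orphaned_rule_paths([BROKEN_CHAIN], [MASQ_RULE]).inspect}"
  puts "orphaned (fixed):  #{orphaned_rule_paths([FIXED_CHAIN], [MASQ_RULE]).inspect}"
end
```

The `orphaned_rule_paths` check is the kind of assertion a wrapper cookbook's ChefSpec suite could make against the compiled resource collection, since ChefSpec alone does not exercise the directory-creation ordering that fails at converge time.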

ramereth commented 7 years ago

Yup that does work!