Adds iptables element
Creates a common iptables element where the logic required to handle iptables rules is consolidated. This change uses the check (-C) argument to check whether a rule matching the specification does exist in the selected chain. Based on the exit code of the check, a rule is added to iptables. There is no longer a need to store an .ok file in a stateful manner.

Change-Id: Ib746ff487a286557a05f9d39ab330853564ef98f
Closes-Bug: 1269151
Co-Authored-By: Ronelle Landy <rlandy@redhat.com>

parent d94af53567
commit 68eb5c4bbf
@ -0,0 +1,8 @@
##iptables

This element installs a single script that consolidates the logic required
to handle inserting iptables rules. This script uses the check (-C) argument
to check whether a rule matching the specification does exist in the selected
chain before inserting it.

RULE: The rule to insert into iptables
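Review bot: `##iptables` needs a space after the hashes to render as a Markdown heading (`## iptables`). The `RULE: The rule to insert into iptables` line also reads like an environment-variable entry, but the script in this change takes the rule as positional arguments (`RULE="$@"`, invoked as `add-rule INPUT -p tcp --dport 4730 -j ACCEPT`); document the invocation form instead, name the installed script, and say that the chain is the first argument so element authors do not try to export `RULE`.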
@ -0,0 +1,33 @@
#!/bin/bash

# Script to add iptables rules per element
#
# The only input argument is an iptables rule without the command option.
# This case covers all of the current usage of elements that insert rules
# in the 97-iptables files.
# Example usage:
# add-rule INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
# add-rule INPUT -p tcp --dport 4730 -j ACCEPT
# add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT

set -eu

RULE="$@"

DISTRO=`lsb_release -si` || true

if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then

# Check if the iptables service is active
if systemctl is-active iptables.service ; then
IPT_FILE=/etc/sysconfig/iptables
if [ -f $IPT_FILE ]; then
iptables-restore < $IPT_FILE
fi

iptables -C $RULE || iptables -I $RULE

iptables-save > $IPT_FILE
fi

fi
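Review bot: the distro test `[[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]` is inverted and fails open: it asks whether `$DISTRO` is a substring of the list, so a partial name matches, and when `lsb_release` is absent the `|| true` leaves `DISTRO` empty, an empty pattern matches anything, and the Red Hat branch runs on every distro. Use `case "$DISTRO" in RedHatEnterpriseServer|CentOS|Fedora) ... esac`. Two further points: `RULE="$@"` collapses the arguments into one string and `iptables -C $RULE` re-splits it unquoted, so a rule spec with spaces or glob characters breaks; pass the arguments through as `iptables -C "$@" || iptables -I "$@"`. And when `iptables.service` is not active, or on any non-Red Hat distro, the script exits 0 having inserted nothing, so the calling element cannot tell the rule was dropped; either fail with a message or add the other-distro path that "consolidates the logic required to handle iptables rules" in the commit message implies.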
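As an added example, not the element's add-rule script and not part of this commit: the check-then-insert step the commit message describes, written so that the rule arguments are passed through as `"$@"` rather than collapsed into one string, and so that only exit status 1 from `iptables -C` is treated as "rule absent" (status 2 means iptables rejected the specification, and retrying with `-I` would fail the same way). `IPTABLES_CMD` and `ENSURE_RULE_ACTION` are assumed names introduced here; the command hook exists so the logic can be exercised against a stub instead of the live firewall.

```shell
#!/bin/bash
# Added example (not the element's own add-rule script): idempotent
# "check, then insert" for one iptables rule. The rule is passed through as
# "$@" so a specification containing spaces or glob characters reaches
# iptables unchanged, and only exit status 1 from -C is taken as "absent".
# IPTABLES_CMD is an assumed hook (default: iptables) so the function can be
# run against a stub; ENSURE_RULE_ACTION records what the last call did.
set -eu

IPTABLES_CMD="${IPTABLES_CMD:-iptables}"
ENSURE_RULE_ACTION=""   # "present" or "inserted" after a successful call

# ensure_rule CHAIN RULE-SPEC...
#   returns 0: rule is now in the chain (was already there, or just inserted)
#   returns 2: usage error, or iptables rejected the specification
ensure_rule() {
    if [ "$#" -lt 2 ]; then
        echo "usage: ensure_rule CHAIN RULE-SPEC..." >&2
        return 2
    fi
    status=0
    # iptables -C exits 0 when a matching rule exists, 1 when none does,
    # and 2 when the rule itself is malformed. "|| status=$?" keeps set -e
    # from aborting before the code is inspected.
    "$IPTABLES_CMD" -C "$@" || status=$?
    case "$status" in
        0)
            ENSURE_RULE_ACTION=present
            ;;
        1)
            # -I inserts at the top of the chain, as the element's script does
            "$IPTABLES_CMD" -I "$@"
            ENSURE_RULE_ACTION=inserted
            ;;
        *)
            echo "iptables rejected rule: $* (status $status)" >&2
            return 2
            ;;
    esac
    echo "$ENSURE_RULE_ACTION: $*"
}

# With arguments, act on them; with none, only define the function.
if [ "$#" -gt 0 ]; then
    ensure_rule "$@"
fi
```

Running it twice with the same rule inserts once and then reports `present`, which is the property the commit wants without any `.ok` marker file; a malformed rule returns 2 instead of being retried with `-I`.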