Adds iptables element

Creates a common iptables element where the logic required
to handle iptables rules is consolidated. This change uses
the check (-C) argument to check whether a rule matching
the specification does exist in the selected chain.  Based
on the exit code of the check, a rule is added to iptables.
There is no longer a need to store an .ok file in a stateful
manner.

Change-Id: Ib746ff487a286557a05f9d39ab330853564ef98f
Closes-Bug: 1269151
Co-Authored-By: Ronelle Landy <rlandy@redhat.com>

elements/iptables/README.md

@@ -0,0 +1,8 @@
+##iptables
+
+This element installs a single script that consolidates the logic required
+to handle inserting iptables rules. This script uses the check (-C) argument
+to check whether a rule matching the specification does exist in the selected
+chain before inserting it.
+
+RULE: The rule to insert into iptables

elements/iptables/bin/add-rule

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Script to add iptables rules per element
+#
+# The only input argument is an iptables rule without the command option.
+# This case covers all of the current usage of elements that insert rules
+# in the 97-iptables files.
+# Example usage:
+# add-rule INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT
+# add-rule INPUT -p tcp --dport 4730 -j ACCEPT
+# add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT
+
+set -eu
+
+RULE="$@"
+
+DISTRO=`lsb_release -si` || true
+
+if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then
+
+    # Check if the iptables service is active
+    if systemctl is-active iptables.service ; then
+        IPT_FILE=/etc/sysconfig/iptables
+        if [ -f $IPT_FILE ]; then
+            iptables-restore < $IPT_FILE
+        fi
+
+        iptables -C $RULE || iptables -I $RULE
+
+        iptables-save > $IPT_FILE
+    fi
+
+fi