Rule Order - am I missing something?
supergicko opened this issue · comments
Cookbook version
4.2.0
Chef-client version
13.0.118
Platform Details
CentOS 6.8, 7.3
Scenario:
I do not fully understand how the cookbook assembles the final order of the iptables rules applied with iptables_rule. Background: I want to define the order, e.g. when talking about performance. So if I miss something in the explanation or my expectation, please let me know.
I'm defining rules in templates, e.g. I have templates for
- drop_default
- http
- https
- keep_established
- drop_invalid
- ssh
- icmp
- loopback
So far so good. Then I have an attribute where users can select which rules they want to apply; let's call it
default['firewall']['rules'] = %w(drop_default loopback drop_invalid keep_established icmp ssh)
In the cookbook, I iterate over the rules and enable each of them.
Expected Result:
The iptables -S command shows the rules in the order defined by the attribute:
-P INPUT DROP # drop_default template
-P FORWARD DROP # drop_default template
-P OUTPUT ACCEPT # drop_default template
-A INPUT -i lo -j ACCEPT # loopback template
-A INPUT -m conntrack --ctstate INVALID -j DROP # drop_invalid template
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # keep_established template
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # icmp template
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # ssh template
Actual Result:
iptables -S does not show the rules in the defined order:
-P INPUT DROP # drop_default template
-P FORWARD DROP # drop_default template
-P OUTPUT ACCEPT # drop_default template
-A INPUT -m conntrack --ctstate INVALID -j DROP # drop_invalid template
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # icmp template
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # keep_established template
-A INPUT -i lo -j ACCEPT # loopback template
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # ssh template
The order in which the rules are loaded is actually determined by iptables. The rules are loaded alphabetically by filename, so regardless of the order of default['firewall']['rules'], the final result when iptables loads them would be (in this case)
drop_default
drop_invalid
http
https
icmp
keep_established
loopback
ssh
A workaround in your specific case would be to number your rules (i.e. prefix them with 01_, 02_, etc.), but this obviously breaks down if multiple cookbooks are adding rules.
Thanks @slillibri for the clarification. Closing issue.
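The alphabetical loading that @slillibri describes, and the zero-padding detail the numbered-prefix workaround depends on once there are ten or more rules, as an added Ruby example that is not the cookbook's code (the `load_order` simulation is an assumption standing in for the cookbook's real rebuild step, which the thread only describes as "alphabetically by filename"):

```ruby
# Added example, not part of the iptables cookbook. It models rule files named
# after iptables_rule resources being picked up in filename order, and shows
# why the numeric-prefix workaround must be zero-padded.

# The order the attribute in the issue requests.
REQUESTED = %w(drop_default loopback drop_invalid keep_established icmp ssh).freeze

# Assumed model of the rebuild step: whatever order the rules were declared
# in, the rule files are read sorted by name. Order matters for overlapping
# rules, e.g. drop_invalid must precede keep_established to take effect.
def load_order(rule_names)
  rule_names.sort
end

# Naive workaround: prefix with the 1-based position as-is ("1_", "10_").
# Breaks past nine rules because "10_" sorts before "2_" ('0' < '_').
def naive_numbered(rule_names)
  rule_names.each_with_index.map { |name, i| "#{i + 1}_#{name}" }
end

# Correct workaround: zero-pad the prefix to the width of the largest index
# so lexical order equals numeric order for any number of rules.
def numbered(rule_names)
  width = rule_names.size.to_s.length
  rule_names.each_with_index.map do |name, i|
    "#{(i + 1).to_s.rjust(width, '0')}_#{name}"
  end
end

# Strip the numeric prefix again to compare against the requested order.
def unnumbered(rule_names)
  rule_names.map { |n| n.sub(/\A\d+_/, '') }
end

# True when filename-order loading would change the requested order, i.e.
# when the resulting firewall may not match what the attribute author intended.
def order_lost?(rule_names)
  load_order(rule_names) != rule_names
end

if __FILE__ == $PROGRAM_NAME
  puts "requested: #{REQUESTED.join(' ')}"
  puts "loaded:    #{load_order(REQUESTED).join(' ')}"
  puts "numbered:  #{unnumbered(load_order(numbered(REQUESTED))).join(' ')}"
end
```

As the thread notes, the prefix scheme only holds when every cookbook contributing rules agrees on the numbering, since the sort is over all filenames together.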