kunsi/bundlewrap
1
0
Fork 0
Code Issues 1 Pull requests 1 Releases Activity

bundles/iptables: don't apply iptables rules if a rules file is missing

Browse source
This commit is contained in:
Franzi 2021-03-21 11:44:27 +01:00
parent 4b00c8b55a
commit 3bc5e55400
Signed by: kunsi
GPG key ID: 12E3D2136B818350
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
bundles/iptables/items.py
View file

@ -23,6 +23,11 @@ files = {
}, },
} }
enforce_deps = {
'directory:/etc/iptables-rules.d',
'file:/usr/local/sbin/iptables-enforce',
}
for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items(): for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
files[f'/etc/iptables-rules.d/20-{bundle}'] = { files[f'/etc/iptables-rules.d/20-{bundle}'] = {
# We must never use sorted() here. Bundles might rely on their order. # We must never use sorted() here. Bundles might rely on their order.
@ -31,6 +36,7 @@ for bundle, rules in node.metadata.get('iptables/bundle_rules', {}).items():
'action:iptables_enforce', 'action:iptables_enforce',
}, },
} }
enforce_deps.add(f'file:/etc/iptables-rules.d/20-{bundle}')
if 'custom_rules' in node.metadata.get('iptables', {}): if 'custom_rules' in node.metadata.get('iptables', {}):
files['/etc/iptables-rules.d/40-custom'] = { files['/etc/iptables-rules.d/40-custom'] = {
@ -39,12 +45,14 @@ if 'custom_rules' in node.metadata.get('iptables', {}):
'action:iptables_enforce', 'action:iptables_enforce',
}, },
} }
enforce_deps.add('file:/etc/iptables-rules.d/40-custom')
actions = { actions = {
'iptables_enforce': { 'iptables_enforce': {
'command': '/usr/local/sbin/iptables-enforce', 'command': '/usr/local/sbin/iptables-enforce',
'triggered': True, 'triggered': True,
'needs': enforce_deps,
}, },
} }