Improve compatibility with chef 13. Eliminate cloned resource warnings

.foodcritic

@@ -0,0 +1 @@
+~FC014

.kitchen.yml

@@ -4,10 +4,14 @@ driver:
 
 provisioner:
   name: chef_zero
+  require_chef_omnibus: '12'
+  deprecations_as_errors: true
+  client_rb:
+    chef_license: accept
   data_path: test/shared
 
 platforms:
-  - name: centos-6.5
+  - name: centos-7
 
 suites:
   - name: default

metadata.rb

@@ -5,8 +5,12 @@
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          "0.8.0"
 name             "simple_iptables"
+issues_url 'https://github.com/rtkwlf/cookbook-simple-iptables/issues'
+source_url 'https://github.com/rtkwlf/cookbook-simple-iptables/'
 
 supports "debian", ">= 6.0"
 supports "centos", ">= 5.8"
 supports "redhat", ">= 5.8"
 supports "ubuntu", ">= 10.04"
+
+chef_version '> 12.5.0'

recipes/default.rb

@@ -38,12 +38,12 @@
     node.rm_normal("simple_iptables", "ipv6")
     # Then run all the simple_iptables_* resources
     run_context.resource_collection.each do |resource|
-      if resource.kind_of?(Chef::Resource::SimpleIptablesRule)
+      if resource.resource_name == :simple_iptables_rule
         Chef::Log.debug("about to run simple_iptables_rule[#{resource.chain}]")
-        resource.run_action(resource.action)
-      elsif resource.kind_of?(Chef::Resource::SimpleIptablesPolicy)
+        resource.run_action(resource.action.first)
+      elsif resource.resource_name == :simple_iptables_policy
         Chef::Log.debug("about to run simple_iptables_policy[#{resource.chain}]")
-        resource.run_action(resource.action)
+        resource.run_action(resource.action.first)
       end
     end
 

recipes/redhat.rb

@@ -38,15 +38,15 @@
   ip_version :ipv4
 end
 
-simple_iptables_rule "reject" do
+simple_iptables_rule "reject_input" do
   chain "INPUT"
   rule ""
   jump "REJECT --reject-with icmp-host-prohibited"
   weight 90
   ip_version :ipv4
 end
 
-simple_iptables_rule "reject" do
+simple_iptables_rule "reject_forward" do
   direction "FORWARD"
   chain "FORWARD"
   rule ""

resources/policy.rb

@@ -1,13 +1,25 @@
-actions :set
+provides :simple_iptables_policy
 
 attribute :chain, :name_attribute => true, :equal_to => ["INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"]
 attribute :table, :equal_to => ["filter", "nat", "mangle", "raw"], :default => "filter"
 attribute :policy, :equal_to => ["ACCEPT", "DROP"], :required => true
 attribute :ip_version, :equal_to => [:ipv4, :ipv6, :both], :default => :ipv4
 
+default_action :set
 
-def initialize(*args)
-  super
-  @action = :set
+def handle_policy(new_resource, ip_version)
+  Chef::Log.debug("[#{ip_version}] setting policy for #{new_resource.chain} to #{new_resource.policy}")
+  node.default["simple_iptables"][ip_version]["policy"][new_resource.table][new_resource.chain] = new_resource.policy
+  return true
 end
 
+action :set do
+  updated = false
+  if [:ipv4, :both].include?(new_resource.ip_version)
+    updated |= handle_policy(new_resource, "ipv4")
+  end
+  if [:ipv6, :both].include?(new_resource.ip_version)
+    updated |= handle_policy(new_resource, "ipv6")
+  end
+  new_resource.updated_by_last_action(updated)
+end

resources/rule.rb

@@ -1,4 +1,7 @@
-actions :append
+require 'chef/mixin/shell_out'
+include Chef::Mixin::ShellOut
+
+provides :simple_iptables_rule
 
 attribute :chain, :name_attribute => true, :kind_of => String
 attribute :table, :equal_to => ["filter", "nat", "mangle", "raw"], :default => "filter"
@@ -10,8 +13,65 @@
 attribute :comment, :kind_of => String
 attribute :ip_version, :equal_to => [:ipv4, :ipv6, :both], :default => :ipv4
 
-def initialize(*args)
-  super
-  @action = :append
+default_action :append
+
+def handle_rule(new_resource, ip_version)
+  if new_resource.rule.kind_of?(String)
+    rules = [new_resource.rule]
+  elsif new_resource.rule.kind_of?(Array)
+    rules = new_resource.rule
+  else
+    rules = ['']
+  end
+
+  unless node["simple_iptables"][ip_version]["rules"][new_resource.table].include?(new_resource.weight)
+    node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight] = []
+  end
+  unless node["simple_iptables"][ip_version]["chains"][new_resource.table].include?(new_resource.chain)
+    unless ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"].include?(new_resource.chain)
+      node.default["simple_iptables"][ip_version]["chains"][new_resource.table] << new_resource.chain
+    end
+    unless new_resource.chain == new_resource.direction || new_resource.direction == :none
+      node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight] << "-A #{new_resource.direction} #{new_resource.chain_condition} --jump #{new_resource.chain}"
+    end
+  end
+
+  # Then apply the rules to the node
+  updated = false
+  rules.each do |rule|
+    new_rule = rule_string(new_resource, rule, false)
+    table_rules = node.default["simple_iptables"][ip_version]["rules"][new_resource.table][new_resource.weight]
+
+    unless table_rules.include?(new_rule)
+      table_rules << new_rule
+      updated = true
+      Chef::Log.debug("[#{ip_version}] added rule '#{new_rule}'")
+    else
+      Chef::Log.debug("[#{ip_version}] ignoring duplicate simple_iptables_rule '#{new_rule}'")
+    end
+  end
+  updated
+end
+
+def rule_string(new_resource, rule, include_table)
+  jump = new_resource.jump ? "--jump #{new_resource.jump} " : ""
+  table = include_table ? "--table #{new_resource.table} " : ""
+  comment = %Q{ -m comment --comment "#{new_resource.comment || new_resource.name}"}
+  rule = "#{table}-A #{new_resource.chain} #{jump}#{rule}#{comment}"
+  rule
 end
 
+action :append do
+  updated = false
+  if [:ipv4, :both].include?(new_resource.ip_version)
+    updated |= handle_rule(new_resource, "ipv4")
+  end
+  if [:ipv6, :both].include?(new_resource.ip_version)
+    if new_resource.table == 'nat' &&
+        Gem::Version.new(/\d+(\.\d+(.\d+)?)?/.match(node['kernel']['release'])[0]) < Gem::Version.new('3.7')
+      raise "NAT table cannot be used with IPv6 before Kernel 3.7"
+    end
+    updated |= handle_rule(new_resource, "ipv6")
+  end
+  new_resource.updated_by_last_action(updated)
+end

test/integration/default/serverspec/default_spec.rb

@@ -1,13 +1,14 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 
 describe iptables do
-  it { should have_rule('-A INPUT -j simple_rule') }
-  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
-  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
-  it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
-  it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
-  it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
-  it { should have_rule('-A INPUT -j array_of_rules') }
+  it { should have_rule('-A INPUT.* -j simple_rule') }
+  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+  it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+  it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+  it { should have_rule('-A INPUT.* -j array_of_rules') }
 end

test/integration/ipv6_default/serverspec/default_spec.rb

@@ -1,25 +1,26 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 
 describe iptables do
-  it { should have_rule('-A INPUT -j simple_rule') }
-  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
-  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
-  it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
-  it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
-  it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
-  it { should have_rule('-A INPUT -j array_of_rules') }
+  it { should have_rule('-A INPUT.* -j simple_rule') }
+  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+  it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+  it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+  it { should have_rule('-A INPUT.* -j array_of_rules') }
 end
 
 describe ip6tables do
-  it { should have_rule('-A INPUT -j simple_rule') }
-  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
-  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
-  it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
-  it { should_not have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
-  it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
-  it { should have_rule('-A INPUT -j array_of_rules') }
+  it { should have_rule('-A INPUT.* -j simple_rule') }
+  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+  it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+  it { should_not have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+  it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+  it { should have_rule('-A INPUT.* -j array_of_rules') }
 end

test/integration/ipv6_list_of_tables/serverspec/list_of_tables_spec.rb

@@ -1,33 +1,40 @@
-require_relative '../../../kitchen/data/spec_helper'
+require 'serverspec'
+set :backend, :exec
 
 describe iptables do
-  it { should have_rule('-A INPUT -j simple_rule') }
-  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
-  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
-  it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
-  it { should have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
-  it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
-  it { should have_rule('-A INPUT -j array_of_rules') }
-  it { should_not have_rule('*nat') }
-  it { should have_rule('*mangle') }
-  it { should have_rule('*filter') }
-  it { should_not have_rule('*raw') }
+  it { should have_rule('-A INPUT.* -j simple_rule') }
+  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+  it { should have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+  it { should have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+  it { should have_rule('-A INPUT.* -j array_of_rules') }
+end
+
+describe file('/etc/sysconfig/iptables') do
+  its(:content) { should_not match /\*nat/ }
+  its(:content) { should match /\*mangle/ }
+  its(:content) { should match /\*filter/ }
+  its(:content) { should_not match /\*raw/ }
 end
 
 describe ip6tables do
-  it { should have_rule('-A INPUT -j simple_rule') }
-  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80 -j ACCEPT') }
-  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT') }
-  it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82 -j ACCEPT') }
-  it { should_not have_rule('-A INPUT -m state --state NEW -j jump_with_rule') }
-  it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84 -j ACCEPT') }
-  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85 -j ACCEPT') }
-  it { should have_rule('-A INPUT -j array_of_rules') }
-  it { should_not have_rule('*nat') }
-  it { should have_rule('*mangle') }
-  it { should have_rule('*filter') }
-  it { should_not have_rule('*raw') }
+  it { should have_rule('-A INPUT.* -j simple_rule') }
+  it { should have_rule('-A simple_rule -p tcp -m tcp --dport 80.* -j ACCEPT') }
+  it { should have_rule('-A INPUT -p tcp -m tcp --dport 81.* -j ACCEPT') }
+  it { should_not have_rule('-A FORWARD -p tcp -m tcp --dport 82.* -j ACCEPT') }
+  it { should_not have_rule('-A INPUT -m state --state NEW.* -j jump_with_rule') }
+  it { should_not have_rule('-A jump_with_rule -p tcp -m tcp --dport 83.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 84.* -j ACCEPT') }
+  it { should have_rule('-A array_of_rules -p tcp -m tcp --dport 85.* -j ACCEPT') }
+  it { should have_rule('-A INPUT.* -j array_of_rules') }
+end
+
+describe file('/etc/sysconfig/ip6tables') do
+  its(:content) { should_not match /\*nat/ }
+  its(:content) { should match /\*mangle/ }
+  its(:content) { should match /\*filter/ }
+  its(:content) { should_not match /\*raw/ }
 end