Cannot use parameter -i for OUTPUT

Question

Cannot use parameter -i for OUTPUT

Opened this issue 6 years ago · 2 comments

chaim1221 commented 6 years ago

Cookbook version: 2.7.0

Chef-client version: 14.7.17

Platform Details: Mac OS X (dom0); CentOS 7 (guest)

Scenario: Allow outbound loopback.

Steps to Reproduce:

firewall_rule 'local loopback' do
   interface 'lo'
   protocol :none
   command :allow
   direction :out
end

Expected Result:

-A OUTPUT -o lo -j ACCEPT

Actual Result:

Cannot use parameter -i with OUTPUT

What should happen is that for an outbound rule, with iptables, the interface is specified with -o.

Answer 1 · 2018-12-20T21:32:24.000Z

Workaround:

firewall_rule 'local loopback' do
  raw '-A OUTPUT -o lo -j ACCEPT'
  position 51
#   interface 'lo'
#   protocol :none
#   command :allow
#   direction :out
end

Answer 2 · 2018-12-21T13:59:57.000Z

Hi there -- here's what the cookbook is doing:

firewall_rule << "-i #{rule_resource.interface} " if rule_resource.interface
firewall_rule << "-o #{rule_resource.dest_interface} " if rule_resource.dest_interface

If you change interface 'lo' to dest_interface 'lo', it should work. We put those in different resource attributes, since they use different arguments.