Exported AFW.create_rule() module function to create rule from external cookbooks during compile time
1 parent 2356c15 commit ee4dc6485f7b7a401905aeeede53225d10cf5172 Julien Vehent committed Sep 26, 2012
Showing with 42 additions and 0 deletions.
  1. +27 −0 README.md
  2. +15 −0 libraries/create_rule.rb
27 README.md
@@ -163,6 +163,33 @@ ip_list.each do |ip|
end
```
+### Creating rules from external cookbooks
+If you want a cookbook to create firewal rules directly, as opposed to storing
+these rules in a roles, then you need to use the `create_rule()` function from
+the `AFW` module.
+Example: create outbound firewall rule for haproxy in the haproxy cookbook
+#### depend in AFW in the metadata
+`cookbooks/haproxy/metadata.rb`
+```
+[...]
+depends 'AFW'
+```
+#### create the rule from the recipe using ruby
+```
+ # Call the AFW module to create the rule
+ AFW.create_rule(node,
+ "Haproxy outbound to #{destination}:#{port}",
+ {'protocol' => 'tcp',
+ 'direction' => 'out',
+ 'user' => 'haproxy',
+ 'destination' => "#{destination}",
+ 'dport' => "#{port}"
+ })
+```
+Note that `AFW.create_rule()` must be called from a normal section of ruby code
+directly (not from a `ruby_block`) to ensure that the rules are compiled at
+chef compile time. The AFW template will later (at runtime) populate these rules
+into the `iptables-restore` file.
### Predefined rules
Predefined rules are iptables rules that are used directly by AFW. Those rules
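Review bot: the new README section has two typos that will be copied by users ("firewal rules" should be "firewall rules", "in a roles" should be "in roles"), and the example recipe interpolates `destination` and `port` without ever defining them; either add a line setting both before the `AFW.create_rule(node, ...)` call or state that they come from the haproxy recipe, and drop the redundant `"#{destination}"` / `"#{port}"` wrapping in favour of passing the variables directly. The two code fences are untagged; the second one is Ruby and should open with ```ruby so it renders with highlighting like the rest of the README. The sentence that `create_rule()` must not be called from a `ruby_block` is the important operational point here and belongs at the start of the section, before the example, rather than after it.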
15 libraries/create_rule.rb
@@ -0,0 +1,15 @@
+module AFW
+ extend AFWCore
+ module_function
+
+ def create_rule(node, name, params)
+ node['afw']['rules'][name] = params
+ # Wrapper around `process_rule`
+ #
+ Chef::Log.info("AFW.create_rule(): processing '#{name}'")
+ if process_rule(node, name, params)
+ Chef::Log.info("AFW.create_rule(): finished processing '#{name}'")
+ end
+ return true
+ end
+end
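Review bot: `create_rule` always ends with `return true`, so a caller cannot tell when `process_rule` rejects the rule; return the result of `process_rule(node, name, params)` instead, and only assign `node['afw']['rules'][name] = params` after it succeeds, because as written a rule that fails processing is still persisted in node attributes and silently overwrites any existing rule with the same name. The assignment through `node['afw']['rules'][name]` also does not pick an attribute precedence level; writing to `node.default['afw']['rules']` (or `node.set`) is explicit and keeps working in Chef versions where `node[...]` is a read-only merged view. The `# Wrapper around process_rule` comment sits after the assignment and before the log call; move it above `def create_rule` where it documents the method.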
