From 68eb5c4bbf533578814559e2d88c6261c33640d5 Mon Sep 17 00:00:00 2001 From: Ryan Brady Date: Thu, 16 Jan 2014 17:07:41 -0500 Subject: [PATCH] Adds iptables element Creates a common iptables element where the logic required to handle iptables rules is consolidated. This change uses the check (-C) argument to check whether a rule matching the specification does exist in the selected chain. Based on the exit code of the check, a rule is added to iptables. There is no longer a need to store an .ok file in a stateful manner. Change-Id: Ib746ff487a286557a05f9d39ab330853564ef98f Closes-Bug: 1269151 Co-Authored-By: Ronelle Landy --- elements/iptables/README.md | 8 ++++++++ elements/iptables/bin/add-rule | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 elements/iptables/README.md create mode 100644 elements/iptables/bin/add-rule diff --git a/elements/iptables/README.md b/elements/iptables/README.md new file mode 100644 index 000000000..b76b59f65 --- /dev/null +++ b/elements/iptables/README.md @@ -0,0 +1,8 @@ +##iptables + +This element installs a single script that consolidates the logic required +to handle inserting iptables rules. This script uses the check (-C) argument +to check whether a rule matching the specification does exist in the selected +chain before inserting it. + +RULE: The rule to insert into iptables \ No newline at end of file diff --git a/elements/iptables/bin/add-rule b/elements/iptables/bin/add-rule new file mode 100644 index 000000000..c49e12894 --- /dev/null +++ b/elements/iptables/bin/add-rule 
@@ -0,0 +1,33 @@ +#!/bin/bash + +# Script to add iptables rules per element +# +# The only input argument is an iptables rule without the command option. +# This case covers all of the current usage of elements that insert rules +# in the 97-iptables files. +# Example usage: +# add-rule INPUT -p tcp -m multiport --dports 3260,8776 -j ACCEPT +# add-rule INPUT -p tcp --dport 4730 -j ACCEPT +# add-rule FORWARD -d 192.0.2.0/24 -j ACCEPT + +set -eu + +RULE="$@" + +DISTRO=`lsb_release -si` || true + +if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then + + # Check if the iptables service is active + if systemctl is-active iptables.service ; then + IPT_FILE=/etc/sysconfig/iptables + if [ -f $IPT_FILE ]; then + iptables-restore < $IPT_FILE + fi + + iptables -C $RULE || iptables -I $RULE + + iptables-save > $IPT_FILE + fi + +fi
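Review bot: in the README.md hunk, the heading `##iptables` needs a space after the hashes (`## iptables`) to render as a markdown heading, and the file lacks a trailing newline (`\ No newline at end of file`). The closing line `RULE: The rule to insert into iptables` reads like the description of an environment variable, but the script in this change takes the rule as positional arguments (`add-rule INPUT -p tcp ...`), so the README should document the invocation form rather than a `RULE` setting.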
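Review bot: in the add-rule hunk, the distro test `[[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]` is the wrong way round: it checks whether `$DISTRO` is a substring of the literal list, so an empty `$DISTRO` (possible because of the `|| true` after `lsb_release -si`) matches and the Red Hat branch runs on any host where `lsb_release` is missing, and a partial name such as `Cent` would match too. Test the variable against the list instead, e.g. `case "$DISTRO" in RedHatEnterpriseServer|CentOS|Fedora) ... ;; esac`. Second, when the distro does not match or `systemctl is-active iptables.service` fails, the script exits 0 without inserting anything, so a firewall rule an element asked for is silently dropped; print a message and exit non-zero, or state in the README that the no-op is intended. Third, `RULE="$@"` flattens the arguments into one string that is later word-split unquoted in `iptables -C $RULE || iptables -I $RULE`; keeping them as an array (`RULE=("$@")`, `iptables -C "${RULE[@]}"`) preserves arguments containing spaces. Finally, `iptables -I` inserts at the head of the chain, so rules added by later elements take precedence over earlier ones, which is the reverse of the append order the `97-iptables` files implied; worth a comment if that ordering is deliberate.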