iptables - filter configuration LCFG component
This component configures the iptables network filters.
The chains resource specifies which chains we want to add rules to. For each tag in the list there should be a corresponding rule_tag resource giving the rule to be inserted, or alternatively a rules_tag resource giving the rule file to be applied. A policy_tag resource may also be given; at configure time the component checks whether a policy is meaningful for the chain in question (iptables only accepts a policy on the built-in chains such as INPUT, FORWARD and OUTPUT, not on user-defined chains).
The prechains and postchains resources specify additional chains which are processed before and after those listed in the chains resource respectively. These are expected to be set as system-wide defaults rather than for individual machines.
One-off rules can be defined by making an entry in the rules list, each tag of which should have a corresponding rule_tag resource giving the entry to be inserted in the generated script. These rules are then invoked by adding "@tag" to one of the rules_... lists above.
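The following is an added illustrative model of how the resources described above fit together; it is not the component's own code. The resource names (prechains, chains, postchains, rule_tag, rules_tag, policy_tag, rules) are those named in the text, but the processing order, the rule-file format, the treatment of a rules_tag value as a list mixing file paths and "@tag" references, and the sample values and paths are all assumptions made for the example.

```python
"""Illustrative model of how the lcfg-iptables resources described above
are turned into an iptables script.  Added example, not the component's
own code: resource names come from the text; processing order, rule-file
format, "@tag" handling and all sample values are assumptions."""

from typing import Callable, Dict, List, Optional, Tuple

# iptables -P sets a policy only on the built-in chains of the filter
# table; a policy on a user-defined chain is meaningless, which is the
# configure-time check the text refers to.
BUILTIN_CHAINS = frozenset({"INPUT", "FORWARD", "OUTPUT"})

# Constructed resource values.  LCFG list resources are whitespace
# separated, so they are kept as plain strings here.
EXAMPLE_RESOURCES: Dict[str, str] = {
    "prechains": "INPUT",                       # site-wide default
    "chains": "ssh",                            # per-machine
    "postchains": "FORWARD",                    # site-wide default
    "policy_INPUT": "DROP",
    "rules_INPUT": "@loopback @established",    # one-off rules by reference
    "rules_ssh": "/etc/iptables.d/ssh.rules",   # assumed rule-file path
    "policy_ssh": "DROP",                       # meaningless: user-defined chain
    "policy_FORWARD": "DROP",
    "rule_FORWARD": "-A FORWARD -j LOG --log-prefix forward-drop:",
    "rules": "loopback established",            # one-off rule tags
    "rule_loopback": "-A INPUT -i lo -j ACCEPT",
    "rule_established": "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
}

# Constructed stand-in for rule files on disk, one rule per line.
EXAMPLE_RULE_FILES: Dict[str, str] = {
    "/etc/iptables.d/ssh.rules": (
        "-N ssh\n"
        "# comments and blank lines are skipped\n"
        "\n"
        "-A ssh -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n"
        "-A INPUT -j ssh\n"
    ),
}


def _tags(resources: Dict[str, str], name: str) -> List[str]:
    """Split a whitespace-separated list resource into its tags."""
    return resources.get(name, "").split()


def assemble(resources: Dict[str, str],
             rule_files: Dict[str, str],
             postprocess: Optional[Callable[[List[str]], List[str]]] = None
             ) -> Tuple[List[str], List[str]]:
    """Return (script lines, configure-time warnings)."""
    one_off = {tag: resources[f"rule_{tag}"] for tag in _tags(resources, "rules")}
    lines: List[str] = []
    warnings: List[str] = []

    # prechains first, then the per-machine chains, then postchains
    order = (_tags(resources, "prechains") + _tags(resources, "chains")
             + _tags(resources, "postchains"))

    for chain in order:
        policy = resources.get(f"policy_{chain}")
        if policy is not None:
            if chain in BUILTIN_CHAINS:
                lines.append(f"iptables -P {chain} {policy}")
            else:
                warnings.append(
                    f"policy_{chain}: {chain} is not a built-in chain, policy ignored")

        if f"rules_{chain}" in resources:
            # each entry is either "@tag" (a one-off rule) or a rule file
            for entry in resources[f"rules_{chain}"].split():
                if entry.startswith("@"):
                    name = entry[1:]
                    if name in one_off:
                        lines.append(f"iptables {one_off[name]}")
                    else:
                        warnings.append(f"rules_{chain}: unknown one-off rule {entry}")
                elif entry not in rule_files:
                    warnings.append(f"rules_{chain}: rule file {entry} not found")
                else:
                    for raw in rule_files[entry].splitlines():
                        rule = raw.strip()
                        if rule and not rule.startswith("#"):
                            lines.append(f"iptables {rule}")
        elif f"rule_{chain}" in resources:
            lines.append(f"iptables {resources[f'rule_{chain}']}")
        else:
            warnings.append(f"{chain}: neither rule_{chain} nor rules_{chain} is set")

    # hook for the postprocessing filter resource; identity by default
    if postprocess is not None:
        lines = postprocess(lines)
    return lines, warnings


if __name__ == "__main__":
    script, problems = assemble(EXAMPLE_RESOURCES, EXAMPLE_RULE_FILES)
    print("\n".join(script))
    for p in problems:
        print("warning:", p)
```

Running the model on the constructed resources produces the INPUT policy and its two one-off rules first, then the rules from the ssh file, then the FORWARD policy and log rule, and reports the policy_ssh resource as not meaningful because ssh is a user-defined chain.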
The final output script is assembled from rules generated by the component itself and rules taken from ruleset files in this list of directories.
It is sometimes useful to have the configure method automatically run any new rule file it generates. On the other hand, it is sometimes important that this does not happen, for example when a mistake in the new rules could cut off remote access to the machine. Setting this resource causes the file to be run; otherwise it is not.
If set, define the machine's (external) input and output interfaces respectively.
We may want to rsync in some files first. Which? And where should we put them?
Some kernel modules may have to be loaded first. Which?
We may want to send a helpful mail message if the rules change. This is where we should send it.
This is the name of a postprocessing filter for the assembled rules. It's unlikely that anything other than the default would be appropriate here.