authorRussell Sim2018-03-19 20:06:46 +0100
committerJoey Hess2018-03-20 17:08:17 -0400
commit16cf95d7200dd5e042ac96505d4f3eede84ceb87 (patch)
tree91a47fde23bd5977ccb3181073aa6c7139660b73 /src/Propellor
parent5eff411be00981ccbbab5838ecb13a7530a1d0d9 (diff)
Move table and target to before the other rule arguments
Some iptables arguments are order dependent. In particular, I have seen this with the --to-dest and --to-source arguments of the DNAT and SNAT targets respectively. Below is an example rule which demonstrates the issue:

    $ iptables -A PREROUTING -p tcp -i eth0 --dport 4000 \
        --to-dest -t nat -j DNAT
    iptables v1.6.0: unknown option "--to-dest"

    $ iptables -A PREROUTING -p tcp -i eth0 --dport 4000 \
        -j DNAT --to-dest -t nat

Signed-off-by: Russell Sim <>
Diffstat (limited to 'src/Propellor')
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 736a4458..bbc14473 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -44,8 +44,8 @@ rule c tb tg rs = property ("firewall rule: " <> show r) addIpTable
toIpTable :: Rule -> [CommandParam]
toIpTable r = map Param $
val (ruleChain r) :
- toIpTableArg (ruleRules r) ++
- ["-t", val (ruleTable r), "-j", val (ruleTarget r)]
+ ["-t", val (ruleTable r), "-j", val (ruleTarget r)] ++
+ toIpTableArg (ruleRules r)
toIpTableArg :: Rules -> [String]
toIpTableArg Everything = []
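Review bot: The new argument order in `toIpTable` is load-bearing but nothing in the code records why, so a later tidy-up could move `toIpTableArg (ruleRules r)` back in front of `-j` and silently reintroduce the "unknown option" failure for DNAT/SNAT rules. I would add a comment above the `["-t", ...]` line: `-- "-j" must precede the rule arguments: iptables only parses target-specific options (e.g. DNAT's --to-destination) after the target extension named by -j has been loaded.` The same dependency presumably exists inside `toIpTableArg` between `-p`/`-m` and match options such as `--dport`, which must be emitted after the protocol or match that defines them; that function continues past the end of the hunk, so I cannot confirm its ordering here. The arguments are passed as separate `Param`s rather than through a shell, which is the right way to build this command.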