From 16cf95d7200dd5e042ac96505d4f3eede84ceb87 Mon Sep 17 00:00:00 2001 From: Russell Sim Date: Mon, 19 Mar 2018 20:06:46 +0100 Subject: Move table and target to before the other rule arguments Some commands in IPTables are order dependent. In particular, I have seen this with the --to-dest and the --to-source arguments for DNAT and SNAT respectively. Below is an example rule which demonstrates the issue. $ iptables -A PREROUTING -p tcp -i eth0 --dport 4000 \ --to-dest 10.3.0.6:4000 -t nat -j DNAT iptables v1.6.0: unknown option "--to-dest" $ iptables -A PREROUTING -p tcp -i eth0 --dport 4000 \ -j DNAT --to-dest 10.3.0.6:4000 -t nat Signed-off-by: Russell Sim --- src/Propellor/Property/Firewall.hs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs index 736a4458..bbc14473 100644 --- a/src/Propellor/Property/Firewall.hs +++ b/src/Propellor/Property/Firewall.hs @@ -44,8 +44,8 @@ rule c tb tg rs = property ("firewall rule: " <> show r) addIpTable toIpTable :: Rule -> [CommandParam] toIpTable r = map Param $ val (ruleChain r) : - toIpTableArg (ruleRules r) ++ - ["-t", val (ruleTable r), "-j", val (ruleTarget r)] + ["-t", val (ruleTable r), "-j", val (ruleTarget r)] ++ + toIpTableArg (ruleRules r) toIpTableArg :: Rules -> [String] toIpTableArg Everything = [] -- cgit v1.2.3
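Review bot: The new `toIpTable` body now relies on an iptables argument-order rule that nothing in the code states, so a later tidy-up that puts `toIpTableArg (ruleRules r)` back in front of `-j` would silently reintroduce the `unknown option "--to-dest"` failure described in the commit message. Please add a comment above the list, e.g. `-- Table and target must precede the rule options: iptables only accepts target-extension options such as --to-destination/--to-source after -j TARGET has loaded the extension.` The same kind of ordering constraint applies inside the rule options themselves (`-p tcp` has to come before match options like `--dport`), so it is worth confirming that `toIpTableArg` preserves that order; its definition continues past the end of this hunk and only the `Everything` case is visible here. A small check that `toIpTable` on a DNAT rule yields `-t` and `-j` before the first rule option would pin this behaviour down, assuming the project has somewhere such a test could live.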