saltstack-formulas
diff --git a/‎.travis.yml
Lines changed: 3 additions & 3 deletions b/‎.travis.yml
Lines changed: 3 additions & 3 deletions
diff --git a/‎Gemfile
Lines changed: 0 additions & 1 deletion b/‎Gemfile
Lines changed: 0 additions & 1 deletion
diff --git a/‎docs/README.rst
Lines changed: 107 additions & 91 deletions b/‎docs/README.rst
Lines changed: 107 additions & 91 deletions
diff --git a/‎iptables/defaults.yaml
Lines changed: 41 additions & 0 deletions b/‎iptables/defaults.yaml
Lines changed: 41 additions & 0 deletions
@@ -32,19 +32,19 @@ env:
     - INSTANCE: default-fedora-29-2019-2-py3
     # - INSTANCE: default-opensuse-leap-15-2019-2-py3
     # - INSTANCE: default-debian-9-2018-3-py2
-    # - INSTANCE: default-ubuntu-1604-2018-3-py2
+    - INSTANCE: default-ubuntu-1604-2018-3-py2
     # - INSTANCE: default-centos-7-2018-3-py2
     # - INSTANCE: default-fedora-29-2018-3-py2
     # TODO: Use this when fixed instead of `opensuse-leap-42`
     # Ref: https://github.com/netmanagers/salt-image-builder/issues/2
     # - INSTANCE: default-opensuse-leap-15-2018-3-py2
     # - INSTANCE: default-opensuse-leap-42-2018-3-py2
     # - INSTANCE: default-debian-8-2017-7-py2
-    # - INSTANCE: default-ubuntu-1604-2017-7-py2
+    # - INSTANCE: tables-ubuntu-1604-2017-7-py2
     # TODO: Enable after improving the formula to work with other than `systemd`
     # - INSTANCE: default-centos-6-2017-7-py2
     # - INSTANCE: default-fedora-28-2017-7-py2
-    # - INSTANCE: default-opensuse-leap-42-2017-7-py2
+    - INSTANCE: tables-opensuse-leap-42-2017-7-py2
 
 script:
   - bundle exec kitchen verify ${INSTANCE}
 
@@ -3,4 +3,3 @@ source "https://rubygems.org"
 gem 'kitchen-docker', '>= 2.9'
 gem 'kitchen-salt', '>= 0.6.0'
 gem 'kitchen-inspec', '>= 1.1'
-
@@ -54,142 +54,158 @@ All the configuration for the firewall is done via the pillar (see the pillar.ex
 
 Enable globally:
 
-`pillars/firewall.sls`
+``pillars/firewall.sls``
 
-```yaml
-firewall:
-  enabled: True
-  install: True  
-  strict: True
-```
+.. code-block:: yaml
+
+   firewall:
+     enabled: True
+     install: True  
+     strict: True
 
 Allow SSH:
 
-`pillars/firewall/ssh.sls`
+``pillars/firewall/ssh.sls``
+
+.. code-block:: yaml
 
-```yaml
-firewall:
-  services:
-    ssh:
-      block_nomatch: False
-      ips_allow:
-        - 192.168.0.0/24
-        - 10.0.2.2/32
-```
+   firewall:
+     services:
+       ssh:
+         block_nomatch: False
+         ips_allow:
+           - 192.168.0.0/24
+           - 10.0.2.2/32
 
 Apply rules to specific interface:
 
-```yaml
-firewall:
-  services:
-    ssh:
-      interfaces:
-        - eth0
-        - eth1
-```
+.. code-block:: yaml
+
+   firewall:
+     services:
+       ssh:
+         interfaces:
+           - eth0
+           - eth1
 
 Apply rules for multiple protocols:
 
 
-```yaml
-firewall:
-  services:
-    ssh:
-      protos:
-        - udp
-        - tcp
-```
+.. code-block:: yaml
+
+   firewall:
+     services:
+       ssh:
+         protos:
+           - udp
+           - tcp
 
 Allow an entire class such as your internal network:
 
-```yaml
-  whitelist:
-    networks:
-      ips_allow:
-        - 10.0.0.0/8
-```
+.. code-block:: yaml
+
+   whitelist:
+     networks:
+       ips_allow:
+         - 10.0.0.0/8
 
 Salt combines both and effectively enables your firewall and applies the rules.
 
 Notes:
 
- * Setting install to True will install `iptables` and `iptables-persistent` for you
+ * Setting install to True will install ``iptables`` and ``iptables-persistent`` for you
  * Strict mode means: Deny **everything** except explicitly allowed (use with care!)
  * block_nomatch: With non-strict mode adds in a "REJECT" rule below the accept rules, otherwise other traffic to that service is still allowed. Can be defined per-service or globally, defaults to False.
- * Service names can be either port numbers or service names (e.g. ssh, zabbix-agent, http) and are available for viewing/configuring in `/etc/services`
- * If no `ips_allow` stanza is provided for any particular ruleset instead of not adding the rule the addition itself is scoped globally (0.0.0.0/0)
+ * Service names can be either port numbers or service names (e.g. ssh, zabbix-agent, http) and are available for viewing/configuring in ``/etc/services``
+ * If no ``ips_allow`` stanza is provided for any particular ruleset instead of not adding the rule the addition itself is scoped globally (0.0.0.0/0)
 
 Using iptables.service
 ^^^^^^^^^^^^^^^^^^^^^^
 
-Salt can't merge pillars, so you can only define `firewall:services` in once place. With the firewall.service state and stateconf, you can define pillars for different services and include and extend the iptables.service state with the `parent` parameter to enable a default firewall configuration with special rules for different services.
+Salt can't merge pillars, so you can only define ``firewall:services`` in once place. With the firewall.service state and stateconf, you can define pillars for different services and include and extend the iptables.service state with the ``parent`` parameter to enable a default firewall configuration with special rules for different services.
 
-`pillars/otherservice.sls`
+``pillars/otherservice.sls``
 
-```yaml
-otherservice:
-  firewall:
-    services:
-      http:
-        block_nomatch: False
-        ips_allow:
-          - 0.0.0.0/0
-```
+.. code-block:: yaml
 
-`states/otherservice.sls`
+   otherservice:
+     firewall:
+       services:
+         http:
+           block_nomatch: False
+           ips_allow:
+             - 0.0.0.0/0
 
-```yaml
-#!stateconf yaml . jinja
+``states/otherservice.sls``
 
-include:
-  - iptables.service
+.. code-block:: yaml
 
-extend:
-  iptables.service::sls_params:
-    stateconf.set:
-      - parent: otherservice
-```
+   #!stateconf yaml . jinja
+   
+   include:
+     - iptables.service
+   
+   extend:
+     iptables.service::sls_params:
+       stateconf.set:
+         - parent: otherservice
 
 Using iptables.nat
 ^^^^^^^^^^^^^^^^^^
 
 You can use nat for interface. This is supported for IPv4 alone. IPv6 deployments should not use NAT.
 
-```yaml
-  #Support nat
-  # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -d 10.20.0.2 -j MASQUERADE
+.. code-block:: yaml
+
+   # Support nat
+   # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -d 10.20.0.2 -j MASQUERADE
+
+   nat:
+     eth0:
+       rules:
+         '192.168.18.0/24':
+           - 10.20.0.2
+
+Configure the firewall using ``tables``
+---------------------------------------
 
-  nat:
-    eth0:
-      rules:
-        '192.168.18.0/24':
-          - 10.20.0.2
-```
+The state ``iptables.tables`` let's you configure your firewall iterating over pillars
+defining rules and policies to add to the different tables (filter, mangle, nat) instead of using services.
+This way, you can configure iptables the *classic way*. Note that you still need to include the ``iptables`` state.
+
+To enable the 'tables' mode, set:
+
+.. code-block:: yaml
+
+   firewall:
+     use_tables: True
+
+and then add rules to configure iptables. Check the ``pillar.example``'s *table* section to see some examples.
 
 IPv6 Support
 ------------
 
 This formula supports IPv6 as long as it is activated with the option:
 
-```
-firewall:
-  ipv6: True
-```
-
-Services and whitelists are supported under the sections `services_ipv6` and `whitelist_ipv6`, as below:
-
-```
-  services_ipv6:
-    ssh:
-      block_nomatch: False
-      ips_allow:
-        - 2a02:2028:773:d01:10a5:f34f:e7ff:f55b/64
-        - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
-  whitelist_ipv6:
-    networks:
-      ips_allow:
-        - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
-```
+.. code-block:: yaml
+
+   firewall:
+     ipv6: True
+
+Services and whitelists are supported under the sections ``services_ipv6`` and ``whitelist_ipv6``, as below:
+
+.. code-block:: yaml
+
+   services_ipv6:
+     ssh:
+       block_nomatch: False
+       ips_allow:
+         - 2a02:2028:773:d01:10a5:f34f:e7ff:f55b/64
+         - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
+   whitelist_ipv6:
+     networks:
+       ips_allow:
+         - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64
 
 These sections are only processed if the ipv6 support is activated.
 
 
@@ -4,6 +4,47 @@ firewall:
   enabled: false
   install: false
   strict: false
+  use_tables: false
   block_nomatch: false
   pkgs:
     - iptables
+
+  filter:
+    INPUT:
+      policy: ACCEPT
+      rules: {}
+    FORWARD:
+      policy: ACCEPT
+      rules: {}
+    OUTPUT:
+      policy: ACCEPT
+      rules: {}
+
+  nat:
+    PREROUTING:
+      policy: ACCEPT
+      rules: {}
+    INPUT:
+      policy: ACCEPT
+      rules: {}
+    OUTPUT:
+      policy: ACCEPT
+      rules: {}
+    POSTROUTING:
+      policy: ACCEPT
+      rules: {}
+
+  mangle:
+    PREROUTING:
+      policy: ACCEPT
+      rules: {}
+    INPUT:
+      policy: ACCEPT
+      rules: {}
+    OUTPUT:
+      policy: ACCEPT
+      rules: {}
+    POSTROUTING:
+      policy: ACCEPT
+      rules: {}
+