Make chains lower case. Plays nicer with fail2ban

attributes/firewall.rb

@@ -13,11 +13,11 @@ default['sys']['firewall']['defaults']['ruleset'] = {
   'add table inet filter' => 1,
   'add table ip6 nat' => 1,
   'add table ip nat' => 1,
-  "add chain inet filter INPUT { type filter hook input priority 0 ; policy #{node['sys']['firewall']['defaults']['policy']['input']}; }" => 2,
-  "add chain inet filter OUTPUT { type filter hook output priority 0 ; policy #{node['sys']['firewall']['defaults']['policy']['output']}; }" => 2,
-  "add chain inet filter FOWARD { type filter hook forward priority 0 ; policy #{node['sys']['firewall']['defaults']['policy']['forward']}; }" => 2,
-  'add chain ip nat POSTROUTING { type nat hook postrouting priority 100 ;}' => 2,
-  'add chain ip nat PREROUTING { type nat hook prerouting priority -100 ;}' => 2,
-  'add chain ip6 nat POSTROUTING { type nat hook postrouting priority 100 ;}' => 2,
-  'add chain ip6 nat PREROUTING { type nat hook prerouting priority -100 ;}' => 2,
+  "add chain inet filter input { type filter hook input priority 0 ; policy #{node['sys']['firewall']['defaults']['policy']['input']}; }" => 2,
+  "add chain inet filter output { type filter hook output priority 0 ; policy #{node['sys']['firewall']['defaults']['policy']['output']}; }" => 2,
+  "add chain inet filter foward { type filter hook forward priority 0 ; policy #{node['sys']['firewall']['defaults']['policy']['forward']}; }" => 2,
+  'add chain ip nat postrouting { type nat hook postrouting priority 100 ;}' => 2,
+  'add chain ip nat prerouting { type nat hook prerouting priority -100 ;}' => 2,
+  'add chain ip6 nat postrouting { type nat hook postrouting priority 100 ;}' => 2,
+  'add chain ip6 nat prerouting { type nat hook prerouting priority -100 ;}' => 2,
 }

documents/firewall.md

@@ -41,7 +41,7 @@ following attributes default to `true`.  Adjust to your needs:
 This will give you the following default rules:
 
     table inet filter {
-            chain INPUT {
+            chain input {
                     type filter hook input priority 0; policy drop;
                     iif "lo" accept comment "allow loopback"
                     icmp type echo-request accept comment "allow icmp"
@@ -49,29 +49,29 @@ This will give you the following default rules:
                     ct state established,related accept comment "established"
             }
     
-            chain OUTPUT {
+            chain output {
                     type filter hook output priority 0; policy accept;
             }
     
-            chain FOWARD {
+            chain foward {
                     type filter hook forward priority 0; policy drop;
             }
     }
     table ip6 nat {
-            chain POSTROUTING {
+            chain postrouting {
                     type nat hook postrouting priority 100; policy accept;
             }
     
-            chain PREROUTING {
+            chain prerouting {
                     type nat hook prerouting priority -100; policy accept;
             }
     }
     table ip nat {
-            chain POSTROUTING {
+            chain postrouting {
                     type nat hook postrouting priority 100; policy accept;
             }
     
-            chain PREROUTING {
+            chain prerouting {
                     type nat hook prerouting priority -100; policy accept;
             }
     }

libraries/sys_helpers_firewall.rb

@@ -88,11 +88,11 @@ module Sys
 
       unless defined? CHAIN
         CHAIN = {
-          in: 'INPUT',
-          out: 'OUTPUT',
-          pre: 'PREROUTING',
-          post: 'POSTROUTING',
-          forward: 'FORWARD',
+          in: 'input',
+          out: 'output',
+          pre: 'prerouting',
+          post: 'postrouting',
+          forward: 'forward',
         }.freeze
       end
 

metadata.rb

@@ -16,4 +16,4 @@ supports         'debian'
 depends          'line', '< 1.0'
 depends          'chef-vault'
 
-version          '1.65.0'
+version          '1.65.1'