Posted to dev@vcl.apache.org by "Andy Kurth (JIRA)" <ji...@apache.org> on 2015/06/30 17:00:05 UTC

[jira] [Created] (VCL-880) Issues with clean_iptables in Linux.pm

Andy Kurth created VCL-880:
------------------------------

             Summary: Issues with clean_iptables in Linux.pm
                 Key: VCL-880
                 URL: https://issues.apache.org/jira/browse/VCL-880
             Project: VCL
          Issue Type: Bug
          Components: vcld (backend)
    Affects Versions: 2.4.2
            Reporter: Andy Kurth
            Priority: Minor


The _clean_iptables_ subroutine in {{Linux.pm}} is indiscriminately deleting all firewall rules which have an unrestricted source IP address scope.  This logic is poor.  Custom rules added by an image creator are deleted if the rule contains a specific source IP address scope.

The subroutine is also failing to delete all of the (_poorly_) intended rules and possibly deleting unintended rules when the computer contains 10 or more rules.  The iptables rule numbers returned from the following command are used for the _iptables -D_ deletion commands:
{{iptables --line-number -n -L}}

The subroutine attempts to sort the rules from highest to lowest rule number and assemble _iptables -D_ commands in this order.  This is the correct logic; however, the code sorts the rule numbers alphabetically rather than numerically.  As a result, the following occurs:

{noformat}
|Linux.pm:clean_iptables|4521|attempting to execute commands to sanitize iptables rules on vclv99-196:
|Linux.pm:clean_iptables|4521| iptables -D INPUT 5
|Linux.pm:clean_iptables|4521| iptables -D INPUT 14
|Linux.pm:clean_iptables|4521| iptables -D INPUT 10
|Linux.pm:clean_iptables|4521| iptables -D INPUT 1
|Linux.pm:clean_iptables|4532| ---- WARNING ----
|Linux.pm:clean_iptables|4532| 2015-06-28 20:29:06|Linux.pm:clean_iptables|4532|failed to sanitized iptables rules on vclv99-196, exit status: 1, output:
|Linux.pm:clean_iptables|4532| iptables: Index of deletion too big.
|Linux.pm:clean_iptables|4532| ( 0) Linux.pm, clean_iptables (line: 4532)
|Linux.pm:clean_iptables|4532| (-1) Linux.pm, pre_capture (line: 369)
|Linux.pm:clean_iptables|4532| (-2) VMware.pm, capture (line: 755)
|Linux.pm:clean_iptables|4532| (-3) image.pm, process (line: 179)
|Linux.pm:clean_iptables|4532| (-4) vcld, make_new_child (line: 587)
|Linux.pm:clean_iptables|4532| (-5) vcld, main (line: 348)
{noformat}

The error occurs because there may no longer be a rule 14 after rule 5 is deleted.  Rule 14 would become rule 13.
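Added example (Python, not VCL's own Perl code) against a constructed 14-rule listing in the layout of {{iptables --line-numbers -n -L INPUT}}: it reproduces the string-sorted order from the log above (5, 14, 10, 1), builds the numerically sorted deletion commands, and simulates both orders against the rule table to show the "Index of deletion too big" failure and the silent wrong-rule deletion that the string sort can also cause. All function names and the sample rules are assumptions made for this example.

```python
import re

# Constructed sample: 14 INPUT rules with the unrestricted source 0.0.0.0/0 at
# positions 1, 5, 10 and 14 (not a listing from a real VCL host).
_SOURCES = ["0.0.0.0/0", "10.0.0.5", "10.0.0.5", "192.168.1.0/24", "0.0.0.0/0",
            "10.0.0.6", "10.0.0.7", "172.16.0.0/16", "10.0.0.8", "0.0.0.0/0",
            "10.0.0.9", "10.0.0.10", "10.0.0.11", "0.0.0.0/0"]
SAMPLE_OUTPUT = (
    "Chain INPUT (policy ACCEPT)\n"
    "num  target     prot opt source               destination\n"
    + "".join(f"{n:<4} ACCEPT     tcp  --  {src:<20} 0.0.0.0/0            tcp dpt:22\n"
              for n, src in enumerate(_SOURCES, start=1))
)

# num, target, prot, opt, source, ... : only the rule number and source are kept.
RULE_RE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+")

def parse_rules(output):
    """Map rule number -> source scope for each numbered line of the listing."""
    rules = {}
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def unrestricted_rule_numbers(rules):
    """Rules whose source scope is unrestricted (the selection VCL-880 calls poor)."""
    return [num for num, src in rules.items() if src == "0.0.0.0/0"]

def buggy_order(nums):
    """Reproduces the defect: a descending *string* sort, e.g. 5, 14, 10, 1."""
    return [int(s) for s in sorted((str(n) for n in nums), reverse=True)]

def fixed_order(nums):
    """Descending *numeric* sort, so no earlier deletion shifts a later index."""
    return sorted(nums, reverse=True)

def deletion_commands(nums, chain="INPUT"):
    """The `iptables -D` commands in the order they must be executed."""
    return [f"iptables -D {chain} {n}" for n in fixed_order(nums)]

def simulate_deletes(rule_count, order):
    """Apply `iptables -D <n>` in the given order to rules numbered 1..rule_count.
    Returns (original numbers actually deleted, error message or None)."""
    remaining = list(range(1, rule_count + 1))
    deleted = []
    for n in order:
        if n > len(remaining):  # the rule table already shrank below this index
            return deleted, "iptables: Index of deletion too big."
        deleted.append(remaining.pop(n - 1))  # renumbering happens here
    return deleted, None
```

The last case in the test below (rules 2 and 11 of a 12-rule chain) is the quieter failure mode: the string order deletes rule 2 first, after which index 11 refers to what was rule 12, and iptables reports no error.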
