Posted to dev@vcl.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2015/06/30 17:15:05 UTC

[jira] [Commented] (VCL-880) Issues with clean_iptables in Linux.pm

    [ https://issues.apache.org/jira/browse/VCL-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14608448#comment-14608448 ] 

ASF subversion and git services commented on VCL-880:
-----------------------------------------------------

Commit 1688471 from [~arkurth] in branch 'vcl/trunk'
[ https://svn.apache.org/r1688471 ]

VCL-880
Updated Linux.pm::clean_iptables to sort rule numbers numerically.

> Issues with clean_iptables in Linux.pm
> --------------------------------------
>
>                 Key: VCL-880
>                 URL: https://issues.apache.org/jira/browse/VCL-880
>             Project: VCL
>          Issue Type: Bug
>          Components: vcld (backend)
>    Affects Versions: 2.4.2
>            Reporter: Andy Kurth
>            Priority: Minor
>
> The _clean_iptables_ subroutine in {{Linux.pm}} is indiscriminately deleting all firewall rules which have an unrestricted source IP address scope.  This logic is poor.  Custom rules added by an image creator are deleted if the rule contains a specific source IP address scope.
> The subroutine is also failing to delete all of the (_poorly_) intended rules and possibly deleting unintended rules when the computer contains 10 or more rules. The iptables rule numbers returned from the following command are used for the _iptables -D_ deletion commands:
> iptables --line-number -n -L
> The subroutine attempts to sort the rules from highest to lowest rule number and assemble _iptables -D_ commands in this order. This is the correct logic; however, the code is sorting the rule numbers alphabetically rather than numerically. As a result, the following occurs:
> {noformat}
> |Linux.pm:clean_iptables|4521|attempting to execute commands to sanitize iptables rules on vclv99-196:
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 5
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 14
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 10
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 1
> |Linux.pm:clean_iptables|4532| ---- WARNING ----
> |Linux.pm:clean_iptables|4532| 2015-06-28 20:29:06|Linux.pm:clean_iptables|4532|failed to sanitized iptables rules on vclv99-196, exit status: 1, output:
> |Linux.pm:clean_iptables|4532| iptables: Index of deletion too big.
> |Linux.pm:clean_iptables|4532| ( 0) Linux.pm, clean_iptables (line: 4532)
> |Linux.pm:clean_iptables|4532| (-1) Linux.pm, pre_capture (line: 369)
> |Linux.pm:clean_iptables|4532| (-2) VMware.pm, capture (line: 755)
> |Linux.pm:clean_iptables|4532| (-3) image.pm, process (line: 179)
> |Linux.pm:clean_iptables|4532| (-4) vcld, make_new_child (line: 587)
> |Linux.pm:clean_iptables|4532| (-5) vcld, main (line: 348)
> {noformat}
> The error occurs because there may no longer be a rule 14 after rule 5 is deleted.  Rule 14 would become rule 13.
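A simulation of the failure mode described in the issue, added here as an illustration; it is not code from VCL's Linux.pm (which is Perl) and uses a constructed chain and the rule numbers from the log above:

```python
"""Simulation of VCL-880 (added example, not code from VCL's Linux.pm).

`iptables --line-numbers -n -L` reports each rule's position; `iptables -D
INPUT <n>` deletes by position and renumbers everything after it, so a batch
of deletions must run from the highest number down.  The original Perl code
sorted the numbers as strings (Perl's default `sort`), which is what produced
the order 5, 14, 10, 1 in the log above.
"""


def order_string_sorted(rule_numbers):
    """Buggy ordering: string sort, descending ("5" > "14" > "10" > "1")."""
    return sorted(rule_numbers, key=str, reverse=True)


def order_numeric_sorted(rule_numbers):
    """Fixed ordering: numeric sort, descending (Perl: sort { $b <=> $a })."""
    return sorted(rule_numbers, reverse=True)


def apply_deletions(chain, rule_numbers):
    """Replay `iptables -D INPUT <n>` for each n, in order, on a copy of chain.

    chain is a list of rule labels in positional order.  Returns
    (deleted_labels, error); error mimics iptables' message when a position
    no longer exists because earlier deletions shifted the numbering.
    """
    remaining, deleted = list(chain), []
    for n in rule_numbers:
        if not 1 <= n <= len(remaining):
            return deleted, "iptables: Index of deletion too big."
        deleted.append(remaining.pop(n - 1))
    return deleted, None


# Constructed chain and selection, chosen to cross the 9 -> 10 boundary
# where string and numeric order diverge.  Matches the rule numbers in the log.
SELECTED = [5, 14, 10, 1]
CHAIN_14 = [f"rule-{n}" for n in range(1, 15)]   # exactly 14 rules: hard error
CHAIN_15 = [f"rule-{n}" for n in range(1, 16)]   # 15 rules: wrong rules deleted


if __name__ == "__main__":
    for chain in (CHAIN_14, CHAIN_15):
        for name, order in (("string", order_string_sorted),
                            ("numeric", order_numeric_sorted)):
            deleted, err = apply_deletions(chain, order(SELECTED))
            print(f"{len(chain)} rules, {name} sort: deleted {deleted}, error={err}")
```

With 15 rules the string-sorted order produces no error at all but silently removes rule-15 and rule-11 instead of rule-14 and rule-10, which is the "deleting unintended rules" case from the description.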


