
(MODULES-451) Match extension protocol for multiport #300

Merged 1 commit on Feb 6, 2014

Conversation

@hunner hunner (Contributor) commented Feb 6, 2014

The -m (tcp|udp) match extension flag before multiport --sport and --dport flags is considered optional, but may be present on some rules. This patch provides recognition of those rules.

@mrwacky42

Nice!

apenney pushed a commit that referenced this pull request Feb 6, 2014
(MODULES-451) Match extension protocol for multiport
@apenney apenney merged commit 8ddf4b8 into puppetlabs:master Feb 6, 2014
@hunner hunner deleted the fix_multiport branch February 6, 2014 00:22
@hunner hunner (Contributor, Author) commented Feb 6, 2014

Mmm, actually this breaks stuff. Being the first option in the @resource_map value array means it's used to find the longest match first, but also used to build args when creating new rules. And -m (udp|tcp) isn't a valid argument :/

@apenney apenney (Contributor) commented Feb 6, 2014

(image attachment)

hunner added a commit to hunner/puppetlabs-firewall that referenced this pull request Feb 6, 2014
So... puppetlabs#300 fixed matching `-m (tcp|udp)` at the beginning of `-m
multiport` or `--dport` or `--sport` rules, but broke actual *creation*
of those rules because `-m (tcp|udp)` was used as an iptables argument,
which it is not.

This change removes the problematic argument from `@resource_map` and
instead just substitutes `-m (tcp|udp)` out of any existing rules before
matching. The `-m tcp` match extension arguments are optional anyway,
and not needed for iptables functionality and don't change the semantics
at all.
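As an added illustration of the approach the commit message describes (example code, not puppetlabs-firewall's own provider), this strips the optional `-m tcp`/`-m udp` match extension from an iptables-save line before matching it against a resource map, and shows why the match-extension string must not live in the map itself: the first flag of each map entry is reused to build arguments when creating a rule. The sample rules and the minimal resource map are constructed for the example.

```ruby
# Constructed sample rules in iptables-save syntax (not from the project).
SAMPLE_RULES = [
  '-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m comment --comment "100 web" -j ACCEPT',
  '-A INPUT -p udp -m udp --dport 53 -m comment --comment "101 dns" -j ACCEPT',
  '-A INPUT -p tcp -m multiport --sports 1024:65535 -m comment --comment "102 ephemeral" -j ACCEPT',
].freeze

# Remove `-m tcp` / `-m udp` only where it precedes port options; the
# protocol flag `-p tcp` is left alone because it carries real semantics.
def strip_match_extension(rule)
  rule.gsub(/\s-m (?:tcp|udp)(?=\s(?:-m multiport|--[sd]ports?)\b)/, '')
end

# Hypothetical, minimal resource map in the spirit of the module's
# @resource_map: parameter name => flag string(s). Note that no regexp-like
# `-m (tcp|udp)` entry is present, since map values double as arguments.
RESOURCE_MAP = {
  proto: '-p',
  dport: ['-m multiport --dports', '--dport'],
  sport: ['-m multiport --sports', '--sport'],
  jump:  '-j',
}.freeze

# Normalise the rule, then look up each parameter by its possible flags.
def parse_rule(rule)
  line = strip_match_extension(rule)
  hash = {}
  RESOURCE_MAP.each do |name, flags|
    Array(flags).each do |flag|
      if (m = line.match(/#{Regexp.escape(flag)} (\S+)/))
        hash[name] = m[1]
        break
      end
    end
  end
  hash
end

# Build iptables arguments from a parsed hash. The first flag of each entry
# is the canonical form, so anything placed first in the map ends up on the
# iptables command line when a rule is created.
def build_args(hash)
  RESOURCE_MAP.flat_map do |name, flags|
    next [] unless hash.key?(name)
    Array(flags).first.split(' ') + [hash[name]]
  end
end

SAMPLE_RULES.each { |r| p parse_rule(r) } if $PROGRAM_NAME == __FILE__
```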
hunner added a commit to hunner/puppetlabs-firewall that referenced this pull request Feb 6, 2014
hunner added a commit to hunner/puppetlabs-firewall that referenced this pull request Feb 6, 2014
apenney pushed a commit that referenced this pull request Feb 6, 2014
Fix #300 for match extension protocol
cegeka-jenkins pushed a commit to cegeka/puppet-firewall that referenced this pull request Oct 23, 2017