
(MODULES-4200) Add simple sanity check for the rule to hash parser #666

Merged (5 commits), Nov 3, 2017

Conversation

comel (Contributor) commented Dec 8, 2016

We have manual and puppet controlled chains, and someone manually added a rule like this:

-A INPUT -s 1.2.3.4/32 -p tcp -m -tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "some comment" -j ACCEPT

and puppet started throwing errors like:

Could not evaluate: Invalid address from IPAddr.new: 80

After some digging I've found that the rule is not properly parsed because of the --dport 80 between -m tcp and --tcp-flags. Similar issues can be expected with other combined arguments from the resource_map. It's hard to cover all those cases, so I've added a simple sanity check for the parser.

https://tickets.puppetlabs.com/browse/MODULES-4200

comel added 5 commits December 8, 2016 23:41
Parser fails in some cases with combined arguments e.g. if some other argument
is set between match name and match option, like dport in this example:

-m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN

If the parsed key count and value count are not the same, an error is raised with
the problematic rule line.
@comel comel changed the title Add simple sanity check for the rule to hash parser (MODULES-4200) Add simple sanity check for the rule to hash parser Dec 9, 2016
comel (Contributor, Author) commented May 4, 2017

Is there anything else I have to do to get this merged or to get some feedback?

@david22swan david22swan merged commit 7f8b3aa into puppetlabs:master Nov 3, 2017
jistr (Contributor) commented Nov 23, 2017

FWIW the sanity check is the indirect cause of https://tickets.puppetlabs.com/browse/MODULES-6029

Puppet fails to parse some (fairly simple) pre-existing iptables rules. Instead of stopping the Puppet run on this, we should probably just issue a warning and skip the rule.
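The following Ruby script is an added illustration, not code from puppetlabs-firewall or from the commenters above. It reconstructs the failure mode comel describes (a combined argument such as "-m tcp --tcp-flags" being split by "--dport 80"), applies the key/value count sanity check the PR introduces, and also shows the warn-and-skip alternative jistr suggests. RESOURCE_MAP, the "__key" marker scheme, ParserError and parse_rules are all constructed for this example and only loosely resemble the module's real resource_map and rule_to_hash; the sample rules are constructed from the ones quoted in the thread.

```ruby
require 'shellwords'

# Constructed, simplified resource map (resource key => iptables flag sequence).
# Multi-word entries are the "combined arguments" the PR is about.
RESOURCE_MAP = {
  'chain'     => '-A',
  'source'    => '-s',
  'proto'     => '-p',
  'dport'     => '--dport',
  'tcp_flags' => '-m tcp --tcp-flags',
  'comment'   => '-m comment --comment',
  'jump'      => '-j',
}.freeze

# Raised by the sanity check; carries the offending rule line in its message.
class ParserError < StandardError; end

# Constructed sample rules. The first parses cleanly; the second has
# "--dport 80" between "-m tcp" and "--tcp-flags", so the combined argument
# never matches and the key/value lists drift out of alignment.
GOOD_RULE = '-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN ' \
            '-m comment --comment "some comment" -j ACCEPT'
BAD_RULE  = '-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN ' \
            '-m comment --comment "some comment" -j ACCEPT'

# Convert one iptables-save rule line into a key => value hash.
# Each known flag sequence is rewritten to a "__key" marker; markers become
# keys, every other token becomes a value, and the two lists are zipped.
# The sanity check refuses the line when the counts differ instead of
# silently pairing the wrong value with a key (which is how "80" ended up
# being fed to IPAddr.new in the original report).
def rule_to_hash(line)
  text = line.dup
  # --tcp-flags takes two words (mask and comp); quote them as one value.
  text = text.sub(/--tcp-flags (\S+) (\S+)/, '--tcp-flags "\1 \2"')
  # Longest flag sequences first so "-m comment --comment" wins over "-m".
  RESOURCE_MAP.sort_by { |_, flag| -flag.length }.each do |key, flag|
    # Match only whole, whitespace-delimited flag sequences.
    text = text.gsub(/(?<!\S)#{Regexp.escape(flag)}(?!\S)/, "__#{key}")
  end
  tokens = Shellwords.split(text)
  keys, values = tokens.partition { |t| t.start_with?('__') }
  if keys.length != values.length
    raise ParserError, "keys count #{keys.length} does not match values count " \
                       "#{values.length} for rule: #{line}"
  end
  keys.map { |k| k.sub('__', '') }.zip(values).to_h
end

# Warn-and-skip variant of the same check: an unparsable pre-existing rule is
# reported on stderr and dropped instead of aborting the whole run.
def parse_rules(lines)
  parsed = []
  lines.each do |line|
    begin
      parsed << rule_to_hash(line)
    rescue ParserError => e
      warn "skipping rule: #{e.message}"
    end
  end
  parsed
end

if __FILE__ == $PROGRAM_NAME
  p rule_to_hash(GOOD_RULE)
  p parse_rules([GOOD_RULE, BAD_RULE]).length
end
```

Running the script prints the hash for the first rule and "1" for the second call, with the skipped rule reported on stderr. The strict variant (raise) is what the merged PR does; the lenient variant (warn and continue) is the trade-off jistr raises: it keeps the Puppet run alive but leaves the unparsed rule unmanaged, so whichever behaviour is chosen, the rejected line should be surfaced rather than dropped silently.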
