[
https://issues.apache.org/jira/browse/VCL-880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy Kurth updated VCL-880:
---------------------------
Fix Version/s: 2.5
> Issues with clean_iptables in Linux.pm
> --------------------------------------
>
> Key: VCL-880
> URL: https://issues.apache.org/jira/browse/VCL-880
> Project: VCL
> Issue Type: Bug
> Components: vcld (backend)
> Affects Versions: 2.4.2
> Reporter: Andy Kurth
> Priority: Minor
> Fix For: 2.5
>
>
> The _clean_iptables_ subroutine in {{Linux.pm}} is indiscriminately deleting
> all firewall rules which have an unrestricted source IP address scope. This
> logic is poor. Custom rules added by an image creator are deleted if the
> rule contains a specific source IP address scope.
> The subroutine is also failing to delete all of the (_poorly_) intended
> rules and possibly deleting unintended rules when the computer contains 10 or
> more rules. The iptables rule numbers returned from the following command
> are used for the _iptables -D_ deletion commands:
> iptables --line-number -n -L
> The subroutine attempts to sort the rules from highest to lowest rule number
> and assemble _iptables -D_ commands in this order. This is the correct
> logic, however, the code is sorting the rule numbers alphabetically rather
> than numerically. As a result, the following occurs:
> {noformat}
> |Linux.pm:clean_iptables|4521|attempting to execute commands to sanitize
> iptables rules on vclv99-196:
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 5
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 14
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 10
> |Linux.pm:clean_iptables|4521| iptables -D INPUT 1
> |Linux.pm:clean_iptables|4532| ---- WARNING ----
> |Linux.pm:clean_iptables|4532| 2015-06-28
> 20:29:06|Linux.pm:clean_iptables|4532|failed to sanitized iptables rules on
> vclv99-196, exit status: 1, output:
> |Linux.pm:clean_iptables|4532| iptables: Index of deletion too big.
> |Linux.pm:clean_iptables|4532| ( 0) Linux.pm, clean_iptables (line: 4532)
> |Linux.pm:clean_iptables|4532| (-1) Linux.pm, pre_capture (line: 369)
> |Linux.pm:clean_iptables|4532| (-2) VMware.pm, capture (line: 755)
> |Linux.pm:clean_iptables|4532| (-3) image.pm, process (line: 179)
> |Linux.pm:clean_iptables|4532| (-4) vcld, make_new_child (line: 587)
> |Linux.pm:clean_iptables|4532| (-5) vcld, main (line: 348)
> {noformat}
> The error occurs because there may no longer be a rule 14 after rule 5 is
> deleted. Rule 14 would become rule 13.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
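The ordering defect described in the issue, reproduced as an added example (this is not VCL project code and not the Linux.pm subroutine itself). It builds a constructed 14-rule chain in memory, sorts the rule numbers 5, 14, 10 and 1 from the log both ways, and simulates how iptables renumbers the remaining rules after each `-D`, so the alphabetic order fails with the same "Index of deletion too big" error while the numeric order removes exactly the intended rules. The chain contents and the second scenario (deleting rules 5 and 10) are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the VCL project: why rule numbers handed to
# `iptables -D` must be sorted numerically, highest first.
use strict;
use warnings;

# Buggy ordering: Perl's default sort and `cmp` compare strings, so
# "5" sorts after "14", which sorts after "10", which sorts after "1".
sub order_alphabetic {
    my @nums = @_;
    return sort { $b cmp $a } @nums;
}

# Correct ordering: numeric descending, so deleting one rule never shifts
# the numbers of the rules still waiting to be deleted.
sub order_numeric {
    my @nums = @_;
    return sort { $b <=> $a } @nums;
}

sub build_commands {
    my ($chain_name, @order) = @_;
    return map { "iptables -D $chain_name $_" } @order;
}

# Simulate `iptables -D INPUT <n>` against an in-memory chain. iptables
# renumbers the remaining rules after every deletion, which is what the
# splice() does here. Returns a hash with the rules actually removed.
sub simulate_deletes {
    my ($chain_ref, @order) = @_;
    my @chain = @$chain_ref;
    my @deleted;
    for my $n (@order) {
        if ($n < 1 || $n > @chain) {
            return { ok => 0, error => 'iptables: Index of deletion too big.',
                     deleted => \@deleted, remaining => \@chain };
        }
        push @deleted, splice(@chain, $n - 1, 1);
    }
    return { ok => 1, deleted => \@deleted, remaining => \@chain };
}

sub demo {
    my ($chain_ref, @to_delete) = @_;
    my @variants = (
        ['alphabetic (buggy)', [order_alphabetic(@to_delete)]],
        ['numeric (fixed)',    [order_numeric(@to_delete)]],
    );
    for my $variant (@variants) {
        my ($label, $order) = @$variant;
        print "$label order for rules @to_delete:\n";
        print "  $_\n" for build_commands('INPUT', @$order);
        my $result = simulate_deletes($chain_ref, @$order);
        if ($result->{ok}) {
            print "  removed: @{$result->{deleted}}\n";
        }
        else {
            print "  $result->{error}\n";
            print "  removed before failure: @{$result->{deleted}}\n";
        }
    }
}

# Constructed sample: a 14-rule INPUT chain, labelled by original rule number.
my @chain = map { "rule-$_" } 1 .. 14;

# Scenario 1: the rule numbers from the log excerpt. The alphabetic order
# deletes rule 5, then asks for index 14 of a 13-rule chain and fails.
demo(\@chain, 5, 14, 10, 1);

# Scenario 2: no index is out of range, but the alphabetic order silently
# deletes the wrong rule: after rule 5 is gone, index 10 is original rule 11.
demo(\@chain, 5, 10);
```

The alphabetic run of the first scenario prints the same four `iptables -D INPUT` commands in the same order as the log in the issue (5, 14, 10, 1) and stops at the second one. The second scenario is the quieter failure the issue also mentions: every command succeeds, but `rule-11` is removed instead of `rule-10`. Replacing `sort { $b cmp $a }` with `sort { $b <=> $a }` is the whole fix for the ordering part of the bug; which rules should be selected for deletion in the first place is a separate question.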