MODULES-4234

iptables parser fails with "Invalid address from IPAddr.new: -m"


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • None
    • firewall
    • Red Hat Enterprise Linux Server release 7.3 (Maipo)
      Puppet 3.8.7

    • Modules
    • Modules - Engineering Backlog
    • Needs Assessment

    Description

      Puppet fails to parse the following rule:

      -A KUBE-SERVICES -d 172.1.2.3/32 -p tcp -m comment --comment "project/app:50000-tcp external IP" -m tcp --dport 31236 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-123ABCDEFGHI456J

      The resulting hash looks ~ like this:

      {
        :jump=>"KUBE-SVC-123ABCDEFGHI456J",
        :dport=>["! LOCAL"],
        :name=>"--src-type",
        :proto=>"addrtype",
        :destination=>"! -m",
        :chain=>"--physdev-is-in"
      }

      Failing test case:

      diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
      index 39845fb..0dfeb99 100644
      --- a/spec/acceptance/resource_cmd_spec.rb
      +++ b/spec/acceptance/resource_cmd_spec.rb
      @@ -165,6 +165,21 @@ describe 'puppet resource firewall command' do
           end
         end
       
      +  context '???', focus: true do
      +    before :all do
      +      iptables_flush_all_tables
      +      shell('-A KUBE-SERVICES -d 172.1.2.3/32 -p tcp -m comment --comment "project/app:50000-tcp external IP" -m tcp --dport 31236 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-123ABCDEFGHI456J')
      +    end
      +
      +    it do
      +      shell('puppet resource firewall') do |r|
      +        r.exit_code.should be_zero
      +        # don't check stdout, testing preexisting rules, output is normal
      +        r.stderr.should be_empty
      +      end
      +    end
      +  end
      +
         # version of iptables that ships with el5 doesn't work with the
         # ip6tables provider
         if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
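Review bot: The `shell(...)` call in the `before :all` block passes the bare rule text (`-A KUBE-SERVICES -d 172.1.2.3/32 ...`) with no `iptables` command in front of it, so the shell will try to execute `-A` and the rule is never installed; prefix the string with `iptables`. Nothing visible in this hunk creates the user-defined chains `KUBE-SERVICES` and `KUBE-SVC-123ABCDEFGHI456J`, which `iptables -A` and `-j` require to exist, so add the chain creation after `iptables_flush_all_tables`. Before merging, replace the `'???'` context name with a description of the case and drop `focus: true`, which typically limits the run to this context.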
      

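The rule in this report combines three things a rule parser has to keep apart: a quoted comment containing spaces, `!` negation placed before an option, and a flag (`--physdev-is-in`) that takes no argument. The following is an added example, not the firewall module's own code; the `ARITY` table and `parse_rule` are hypothetical names and cover only the options in this rule.

```ruby
require 'shellwords'

# Rule text copied from the report.
RULE = '-A KUBE-SERVICES -d 172.1.2.3/32 -p tcp -m comment ' \
       '--comment "project/app:50000-tcp external IP" -m tcp --dport 31236 ' \
       '-m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL ' \
       '-j KUBE-SVC-123ABCDEFGHI456J'

# Number of arguments each option consumes. Constructed for this rule only
# (an assumption of the example, not the module's flag map).
ARITY = {
  '-A' => 1, '-d' => 1, '-p' => 1, '-j' => 1, '-m' => 1,
  '--comment' => 1, '--dport' => 1, '--src-type' => 1,
  '--physdev-is-in' => 0
}.freeze

# Walk the tokens left to right. "!" only marks the next option as negated;
# it is never stored as a value, so later options keep their own arguments.
def parse_rule(line)
  rule = { matches: [], negated: [] }
  negate = false
  tokens = Shellwords.split(line) # keeps the quoted comment as one token
  until tokens.empty?
    tok = tokens.shift
    if tok == '!'
      negate = true
      next
    end
    arity = ARITY.fetch(tok) { raise ArgumentError, "unknown option: #{tok}" }
    raise ArgumentError, "#{tok} needs an argument" if tokens.size < arity
    value = arity.zero? ? true : tokens.shift
    if tok == '-m'
      rule[:matches] << value # a rule can load several match modules
    else
      rule[tok] = value
    end
    rule[:negated] << tok if negate
    negate = false
  end
  rule
end

pp parse_rule(RULE) if __FILE__ == $PROGRAM_NAME
```

An option missing from `ARITY` raises instead of being guessed at, so an unsupported rule fails loudly rather than producing shifted keys.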
            People

              Unassigned Unassigned
              mhutter Manuel H