Fix handling of `weight` attribute in simple_iptables_rule resource
Typically, the order of the rules in an iptables chain is determined by the order of simple_iptables_rule resources in a recipe. However, if a non-standard `weight` attribute value was used in *any* simple_iptables_rule, the relative order of the rules that had the same weight became arbitrary. This is because the code repeatedly calls `sort!` on the array of rules after adding every rule, using the weights as the sort key, which potentially causes rules with the same weight to be sorted in a different order with respect to each other on each invocation of the `sort!` method, since they're viewed as equivalent.

Store rules in a hash where keys are weights and values are arrays of rules having that weight. As new rules are added, they're appended to the relevant list. When the final iptables rule file is generated, we output all the rules in decreasing weight order.

Also take this opportunity to store rules in default-precedence attributes rather than "normal" (persistent) attributes. As we reset all the attributes at the beginning of the Chef run, there is no point in persisting the attributes. This also resolves deprecation warnings for node.set in newer versions of Chef.

Resolves #81
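The two orderings the commit message describes, as an added example that is not the cookbook's own code: a flat array re-sorted after every insert (the behaviour being fixed) next to a hash of per-weight arrays emitted in decreasing weight order (the fix). The rule fields, the `DEFAULT_WEIGHT` value, the class names and the rendering format are assumptions made for this example; the constructed input mirrors the six rules of the `weight.rb` test recipe in this commit.

```ruby
# Added example, not code from the simple_iptables cookbook: it contrasts the
# "re-sort the whole array after every add" approach described in the commit
# message with bucketing rules by weight. Rule fields, DEFAULT_WEIGHT and the
# rendering format are assumptions made for this example.

DEFAULT_WEIGHT = 100 # assumed default; the cookbook's real default is not shown here

def rule(name, content, weight: DEFAULT_WEIGHT, jump: "ACCEPT")
  { name: name, content: content, weight: weight, jump: jump }
end

# Old approach: a flat array re-sorted by weight after each insertion.
# Array#sort! is not guaranteed to be stable, so two rules comparing equal
# (same weight) may change relative position on any of the repeated sorts.
class ResortedRuleList
  def initialize
    @rules = []
  end

  def add(r)
    @rules << r
    @rules.sort! { |a, b| b[:weight] <=> a[:weight] } # decreasing weight
    self
  end

  def ordered
    @rules
  end
end

# Fixed approach: one array per weight, appended in resource order; only the
# (unique) weights are ever sorted, so sort stability never matters.
class BucketedRuleList
  def initialize
    @by_weight = Hash.new { |h, k| h[k] = [] }
  end

  def add(r)
    @by_weight[r[:weight]] << r
    self
  end

  def ordered
    @by_weight.keys.sort.reverse.flat_map { |w| @by_weight[w] }
  end
end

# Render in the shape of the spec fixture: a jump from INPUT into a per-rule
# chain, then the chain's own rule line.
def render(rules)
  rules.flat_map do |r|
    ["-A INPUT --jump #{r[:name]}",
     "-A #{r[:name]} --jump #{r[:jump]} #{r[:content]} -m comment --comment \"#{r[:name]}\""]
  end
end

# Constructed input mirroring the weight.rb test recipe (one content line per rule).
SAMPLE_RULES = [
  rule("rule1", "rule1 content"),
  rule("rule2", "rule2 content"),
  rule("rule3", "rule3 content", weight: 95, jump: "REJECT"),
  rule("rule4", "rule4 content"),
  rule("rule5", "rule5 content"),
  rule("rule6", "rule6 content", weight: 95, jump: "REJECT"),
]

def build(list_class, rules = SAMPLE_RULES)
  rules.reduce(list_class.new) { |l, r| l.add(r) }
end

def ordered_names(list_class, rules = SAMPLE_RULES)
  build(list_class, rules).ordered.map { |r| r[:name] }
end

# The property the fix guarantees by construction: weights never increase
# along the output, and within one weight the appearance order is kept.
def appearance_order_preserved?(rules, ordered)
  ordered.each_cons(2).all? { |a, b| a[:weight] >= b[:weight] } &&
    rules.map { |r| r[:weight] }.uniq.all? do |w|
      rules.select { |r| r[:weight] == w } == ordered.select { |r| r[:weight] == w }
    end
end

if __FILE__ == $PROGRAM_NAME
  puts render(build(BucketedRuleList).ordered)
end
```

With the bucketed list the output for the constructed input is rule1, rule2, rule4, rule5, rule3, rule6, the order the spec fixture in this commit expects. The re-sorted list also ends with the two weight-95 rules, but nothing guarantees which of rule3 and rule6 comes first, nor that rule1, rule2, rule4 and rule5 keep their order, which is exactly the arbitrariness the commit removes.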
1 parent 56b127c, commit fd33346
Showing 13 changed files with 186 additions and 47 deletions.
@@ -0,0 +1,6 @@ | ||
require "chefspec" | ||
|
||
RSpec.configure do |config| | ||
config.cookbook_path = ["..", | ||
"spec/support/cookbooks"] | ||
end |
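Review bot: the two entries in `config.cookbook_path` (`".."` and `"spec/support/cookbooks"`) are resolved against the process working directory, not against this file, so the suite only works when `rspec` is started from the cookbook root, and `".."` additionally relies on the checkout directory being named `simple_iptables` for the `depends "simple_iptables"` in the test cookbook to resolve. Building both entries from `__dir__` (`File.expand_path(...)`) removes the working-directory dependency; the directory-name dependency is worth a comment next to the setting.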
@@ -0,0 +1,13 @@ | ||
maintainer "Arctic Wolf Networks" | ||
maintainer_email "[email protected]" | ||
license "BSD" | ||
description "Support cookbook for ChefSpec tests for simple_iptables" | ||
version "1.0.0" | ||
name "test_simple_iptables" | ||
|
||
supports "debian", ">= 6.0" | ||
supports "centos", ">= 5.8" | ||
supports "redhat", ">= 5.8" | ||
supports "ubuntu", ">= 10.04" | ||
|
||
depends "simple_iptables" |
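Review bot: the four `supports` lines in this test-only cookbook are not exercised by anything in the commit; the spec converges a single platform (`ubuntu` 14.04), so the list implies a coverage the tests do not provide. Either drop the `supports` entries from the support cookbook or keep them aligned with the platforms the spec actually runs against.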
spec/support/cookbooks/test_simple_iptables/recipes/weight.rb (39 changes: 39 additions & 0 deletions)
@@ -0,0 +1,39 @@ | ||
include_recipe "simple_iptables" | ||
|
||
simple_iptables_rule "rule1" do | ||
direction "INPUT" | ||
rule "rule1 content" | ||
jump "ACCEPT" | ||
end | ||
|
||
simple_iptables_rule "rule2" do | ||
direction "INPUT" | ||
rule "rule2 content" | ||
jump "ACCEPT" | ||
end | ||
|
||
simple_iptables_rule "rule3" do | ||
direction "INPUT" | ||
rule "rule3 content" | ||
jump "REJECT" | ||
weight 95 | ||
end | ||
|
||
simple_iptables_rule "rule4" do | ||
direction "INPUT" | ||
rule ["rule4.1 content", "rule4.2 content"] | ||
jump "ACCEPT" | ||
end | ||
|
||
simple_iptables_rule "rule5" do | ||
direction "INPUT" | ||
rule "rule5 content" | ||
jump "ACCEPT" | ||
end | ||
|
||
simple_iptables_rule "rule6" do | ||
direction "INPUT" | ||
rule "rule6 content" | ||
jump "REJECT" | ||
weight 95 | ||
end |
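Review bot: the recipe exercises only two weights (the default and `weight 95`), so the cross-weight part of the ordering is checked with a single boundary; a rule with a third distinct weight would exercise the decreasing-weight output the commit message describes rather than only the appearance order within one weight. The `rule` strings ("rule1 content" and so on) are placeholders rather than iptables match syntax, which is fine for a render-only spec but means the generated file could never be validated with `iptables-restore --test`; a one-line comment at the top of the recipe saying the content is deliberately opaque would save the next reader from trying.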
@@ -0,0 +1,69 @@ | ||
require "spec_helper" | ||
|
||
describe "test_simple_iptables::weight" do | ||
let(:chef_run) do | ||
ChefSpec::SoloRunner.new(platform: "ubuntu", version: "14.04", | ||
step_into: ["ruby_block", "simple_iptables_rule"]) | ||
end | ||
|
||
it "generates rules in resource appearance order for every weight" do | ||
expected_rules = | ||
%{# This file generated by Chef. Changes will be overwritten. | ||
*nat | ||
:PREROUTING ACCEPT [0:0] | ||
:INPUT ACCEPT [0:0] | ||
:OUTPUT ACCEPT [0:0] | ||
:POSTROUTING ACCEPT [0:0] | ||
COMMIT | ||
# Completed | ||
# This file generated by Chef. Changes will be overwritten. | ||
*mangle | ||
:PREROUTING ACCEPT [0:0] | ||
:INPUT ACCEPT [0:0] | ||
:FORWARD ACCEPT [0:0] | ||
:OUTPUT ACCEPT [0:0] | ||
:POSTROUTING ACCEPT [0:0] | ||
COMMIT | ||
# Completed | ||
# This file generated by Chef. Changes will be overwritten. | ||
*filter | ||
:INPUT ACCEPT [0:0] | ||
:FORWARD ACCEPT [0:0] | ||
:OUTPUT ACCEPT [0:0] | ||
:rule1 - [0:0] | ||
:rule2 - [0:0] | ||
:rule3 - [0:0] | ||
:rule4 - [0:0] | ||
:rule5 - [0:0] | ||
:rule6 - [0:0] | ||
-A INPUT --jump rule1 | ||
-A rule1 --jump ACCEPT rule1 content -m comment --comment "rule1" | ||
-A INPUT --jump rule2 | ||
-A rule2 --jump ACCEPT rule2 content -m comment --comment "rule2" | ||
-A INPUT --jump rule4 | ||
-A rule4 --jump ACCEPT rule4.1 content -m comment --comment "rule4" | ||
-A rule4 --jump ACCEPT rule4.2 content -m comment --comment "rule4" | ||
-A INPUT --jump rule5 | ||
-A rule5 --jump ACCEPT rule5 content -m comment --comment "rule5" | ||
-A INPUT --jump rule3 | ||
-A rule3 --jump REJECT rule3 content -m comment --comment "rule3" | ||
-A INPUT --jump rule6 | ||
-A rule6 --jump REJECT rule6 content -m comment --comment "rule6" | ||
COMMIT | ||
# Completed | ||
# This file generated by Chef. Changes will be overwritten. | ||
*raw | ||
:PREROUTING ACCEPT [0:0] | ||
:OUTPUT ACCEPT [0:0] | ||
COMMIT | ||
# Completed | ||
} | ||
chef_run.converge(described_recipe) | ||
t = chef_run.template("/etc/iptables-rules") | ||
actual_content = ChefSpec::Renderer.new(chef_run, t).content | ||
File.open("/tmp/foo", "w") { |file| file.write(actual_content) } | ||
File.open("/tmp/foo1", "w") { |file| file.write(expected_rules) } | ||
expect(chef_run).to render_file("/etc/iptables-rules") | ||
.with_content(expected_rules) | ||
end | ||
end |
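Review bot: the two `File.open` calls that write `actual_content` and `expected_rules` to `/tmp/foo` and `/tmp/foo1` are leftover debugging and should be removed before merge; the `t` and `actual_content` assignments above them exist only to feed those writes. As written the spec writes to fixed, world-shared paths on every run (a symlink planted at `/tmp/foo` would be followed), and the `render_file(...).with_content(expected_rules)` expectation already reports the difference on failure.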