
Iptables - negation operator #58911

Open. Wants to merge 2 commits into base: devel.


Conversation


@europ europ commented Jul 10, 2019

iptables - not operator

The documentation does not include an example of how to use the not operator and also does not describe the use of this operator in detail.

A ! argument before the protocol inverts the test.

There are some cases (see below) where this leads to a failure.

Modifications:

  • added docs-example with ! operator
  • added string.strip() to avoid the 3rd case

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

iptables

ADDITIONAL INFORMATION

Version

ansible 2.8.2

1. Case

RULE:

- chain: INPUT
  protocol: !icmp
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

ERROR! Syntax Error while loading YAML.
  could not determine a constructor for the tag '!icmp'

The error appears to be in '/home/adrian/Documents/playbook.yml': line 35, column 21, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

        - chain: INPUT
          protocol: !icmp
                    ^ here

RESULT:
Error.

2. Case

RULE:

- chain: INPUT
  protocol: ! icmp
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

changed: [localhost] => (item={u'jump': u'REJECT', u'protocol': u'icmp', u'chain': u'INPUT', u'reject_with': u'icmp-port-unreachable'})

RESULT:

-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable

NOTE:
The NOT operator is missing. Failure.

3. Case

RULE:

- chain: INPUT
  protocol: "! icmp"
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

failed: [localhost] (item={u'jump': u'REJECT', u'protocol': u'! icmp', u'chain': u'INPUT', u'reject_with': u'icmp-port-unreachable'}) => {"ansible_loop_var": "item", "changed": false, "cmd": "/sbin/iptables -t filter -A INPUT '!' -p ' icmp' -j REJECT --reject-with icmp-port-unreachable", "item": {"chain": "INPUT", "jump": "REJECT", "protocol": "! icmp", "reject_with": "icmp-port-unreachable"}, "msg": "iptables v1.6.1: unknown protocol \" icmp\" specified\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.6.1: unknown protocol \" icmp\" specified\nTry `iptables -h' or 'iptables --help' for more information.\n", "stderr_lines": ["iptables v1.6.1: unknown protocol \" icmp\" specified", "Try `iptables -h' or 'iptables --help' for more information."], "stdout": "", "stdout_lines": []}

RESULT:
Error.

4. Case

RULE:

- chain: INPUT
  protocol: "!icmp"
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

changed: [localhost] => (item={u'jump': u'REJECT', u'protocol': u'!icmp', u'chain': u'INPUT', u'reject_with': u'icmp-port-unreachable'})

RESULT:

-A INPUT ! -p icmp -j REJECT --reject-with icmp-port-unreachable

NOTE:
Success.
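The module-side half of the problem, as an added example that is not the ansible iptables module's own code: cases 1 and 2 above fail before the module ever runs, because an unquoted `!` starts a YAML tag, so the value has to be quoted; once the quoted string reaches the module, a helper that strips the `!` and any whitespace after it turns both `"! icmp"` and `"!icmp"` into `! -p icmp`, and refuses to index an empty value. The function names, the `negate_param` helper and the reduced set of rule keys (chain, protocol, jump, reject_with) are assumptions made for this illustration; the sample rule dicts are constructed to mirror cases 2 to 4.

```python
"""Build iptables argument lists from rule dicts, handling a leading '!'
negation. Added example; not the ansible module's code."""


def negate_param(value):
    """Split an optional leading '!' off a parameter value.

    Returns (negated, value). Whitespace around the value after the '!' is
    removed so that "! icmp" and "!icmp" both mean "not icmp".
    """
    if value is None:
        return False, None
    text = str(value).strip()
    if text.startswith('!'):
        return True, text[1:].strip()
    return False, text


def append_param(rule, param, flag, is_list):
    """Append `flag value` (or `! flag value`) to the argv list `rule`.

    Same shape as the module helper the PR touches, but the empty-string
    case is handled before anything is indexed (assumption: an empty or
    '!'-only value means "nothing to add").
    """
    if is_list:
        for item in param:
            append_param(rule, item, flag, False)
        return
    negated, value = negate_param(param)
    if not value:
        return
    if negated:
        rule.extend(['!', flag, value])
    else:
        rule.extend([flag, value])


def build_rule(spec):
    """Construct the argv tail of an iptables append command from a rule spec.

    Only the keys used in the PR's cases are handled (hypothetical subset).
    """
    rule = ['-A', spec['chain']]
    append_param(rule, spec.get('protocol'), '-p', False)
    append_param(rule, spec.get('jump'), '-j', False)
    append_param(rule, spec.get('reject_with'), '--reject-with', False)
    return rule


# Constructed rule specs mirroring cases 2-4 of the PR description, plus an
# empty protocol that the original `param[0] == '!'` check would crash on.
CASES = {
    'plain': {'chain': 'INPUT', 'protocol': 'icmp', 'jump': 'REJECT',
              'reject_with': 'icmp-port-unreachable'},
    'negated_space': {'chain': 'INPUT', 'protocol': '! icmp', 'jump': 'REJECT',
                      'reject_with': 'icmp-port-unreachable'},
    'negated': {'chain': 'INPUT', 'protocol': '!icmp', 'jump': 'REJECT',
                'reject_with': 'icmp-port-unreachable'},
    'empty': {'chain': 'INPUT', 'protocol': '', 'jump': 'DROP'},
}


if __name__ == '__main__':
    for name, spec in CASES.items():
        print('%-14s %s' % (name, ' '.join(build_rule(spec))))
```

The `"! icmp"` and `"!icmp"` specs produce the identical argv `-A INPUT ! -p icmp -j REJECT --reject-with icmp-port-unreachable` shown in case 4, while `"icmp"` keeps the non-negated form; the empty-protocol spec yields `-A INPUT -j DROP` instead of an IndexError.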


@ansibot ansibot commented Jul 10, 2019


@@ -474,7 +480,7 @@ def append_param(rule, param, flag, is_list):
else:
if param is not None:
if param[0] == '!':
rule.extend(['!', flag, param[1:]])
rule.extend(['!', flag, param[1:].strip()])
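Review bot: the guard `if param is not None:` still lets an empty string reach `param[0]`, which raises IndexError; change it to `if param:` before indexing. In the same branch, `param[1:].strip()` only trims whitespace around whatever follows the `!`, so a value of just `"!"` produces `['!', flag, '']` and should be rejected with an error rather than passed to iptables as an empty protocol.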

@bcoca bcoca Jul 11, 2019


you might want a list comprehension here


@europ europ Jul 20, 2019


I think I might not, because the type of the param variable is string (<type 'str'>). I fixed it by using .replace(" ", "") (the .strip() was not the right solution for that) and tested it; it works.


@europ europ force-pushed the iptables_negation branch from d6c24b9 to f64f7af Jul 20, 2019
@ansibot ansibot removed the stale_ci label Jul 20, 2019