Iptables - negation operator #58911

Open
wants to merge 2 commits into
base: devel
from

@europ

commented Jul 10, 2019

iptables - not operator

The documentation does not include an example of how to use the not operator, and also does not describe the use of this operator in detail.

A ! argument before the protocol inverts the test.

There are some cases (see below) where this leads to a failure.

Modifications:

  • added a docs example with the ! operator
  • added string.strip() to avoid the 3rd case

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

iptables

ADDITIONAL INFORMATION

Version

ansible 2.8.2

Case 1

RULE:

- chain: INPUT
  protocol: !icmp
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

ERROR! Syntax Error while loading YAML.
  could not determine a constructor for the tag '!icmp'

The error appears to be in '/home/adrian/Documents/playbook.yml': line 35, column 21, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

        - chain: INPUT
          protocol: !icmp
                    ^ here

RESULT:
Error.

Case 2

RULE:

- chain: INPUT
  protocol: ! icmp
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

changed: [localhost] => (item={u'jump': u'REJECT', u'protocol': u'icmp', u'chain': u'INPUT', u'reject_with': u'icmp-port-unreachable'})

RESULT:

-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable

NOTE:
The NOT operator is missing. Failure.

Case 3

RULE:

- chain: INPUT
  protocol: "! icmp"
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

failed: [localhost] (item={u'jump': u'REJECT', u'protocol': u'! icmp', u'chain': u'INPUT', u'reject_with': u'icmp-port-unreachable'}) => {"ansible_loop_var": "item", "changed": false, "cmd": "/sbin/iptables -t filter -A INPUT '!' -p ' icmp' -j REJECT --reject-with icmp-port-unreachable", "item": {"chain": "INPUT", "jump": "REJECT", "protocol": "! icmp", "reject_with": "icmp-port-unreachable"}, "msg": "iptables v1.6.1: unknown protocol \" icmp\" specified\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.6.1: unknown protocol \" icmp\" specified\nTry `iptables -h' or 'iptables --help' for more information.\n", "stderr_lines": ["iptables v1.6.1: unknown protocol \" icmp\" specified", "Try `iptables -h' or 'iptables --help' for more information."], "stdout": "", "stdout_lines": []}

RESULT:
Error.

Case 4

RULE:

- chain: INPUT
  protocol: "!icmp"
  reject_with: icmp-port-unreachable
  jump: REJECT

OUTPUT:

changed: [localhost] => (item={u'jump': u'REJECT', u'protocol': u'!icmp', u'chain': u'INPUT', u'reject_with': u'icmp-port-unreachable'})

RESULT:

-A INPUT ! -p icmp -j REJECT --reject-with icmp-port-unreachable

NOTE:
Success.
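The four cases above come down to two separate layers. The first is YAML: an unquoted `!icmp` is parsed as a tag, so the loader refuses it (case 1), and an unquoted `! icmp` is the non-specific `!` tag applied to the plain scalar `icmp`, so the module receives `icmp` with the negation silently gone (case 2); the resulting rule rejects ICMP instead of everything except ICMP, which is the inverse of what was written, and the play reports `changed` rather than failing. The second layer is the module's own handling of a leading `!` once the value is quoted (cases 3 and 4), which is what the PR changes. The block below is an added example, not code from the Ansible iptables module or from this PR: it reimplements the negation branch of `append_param` in a simplified form in its pre-fix shape, in the PR's `.strip()` shape, and in a variant that normalises the value before testing for `!`, together with a small argv builder so the three can be compared on the quoted and unquoted values from the cases above. All function names and the `CASES` inputs are constructed for illustration.

```python
# Added example, not code from the Ansible iptables module or from this PR:
# a simplified stand-in for the negation branch of append_param(), in three
# forms, plus an argv builder modelled on the 'cmd' field of case 3.
# Function names and the sample inputs below are illustrative assumptions.


def append_param_before(rule, param, flag):
    """Pre-fix behaviour: the text after '!' is passed through untouched,
    so "! icmp" becomes ['!', '-p', ' icmp'] (case 3)."""
    if param is not None:
        if param[0] == '!':
            rule.extend(['!', flag, param[1:]])
        else:
            rule.extend([flag, param])


def append_param_pr(rule, param, flag):
    """The PR's change: strip whitespace from the text after the '!'."""
    if param is not None:
        if param[0] == '!':
            rule.extend(['!', flag, param[1:].strip()])
        else:
            rule.extend([flag, param])


def append_param_hardened(rule, param, flag):
    """Normalise first, then test for '!': also accepts " !icmp" and does
    not index into an empty string."""
    if param is None:
        return
    value = param.strip()
    if not value:
        return
    if value.startswith('!'):
        rule.extend(['!', flag, value[1:].strip()])
    else:
        rule.extend([flag, value])


def build_rule(params, appender):
    """Argv tail for one rule, in the order seen in the PR's failing 'cmd'
    (table, chain, protocol, jump, reject-with)."""
    rule = ['-t', 'filter', '-A', params['chain']]
    appender(rule, params.get('protocol'), '-p')
    rule.extend(['-j', params['jump']])
    if 'reject_with' in params:
        rule.extend(['--reject-with', params['reject_with']])
    return rule


def is_negated(rule, flag):
    """True when the flag is preceded by a bare '!' in the built argv."""
    i = rule.index(flag)
    return i > 0 and rule[i - 1] == '!'


# Constructed inputs: the 'protocol' value the module actually received in
# cases 2-4 above (case 1 never reaches the module; YAML rejects the tag).
CASES = {
    'case2_unquoted_bang_space': 'icmp',    # YAML consumed the '!' as a tag
    'case3_quoted_bang_space': '! icmp',
    'case4_quoted_bang': '!icmp',
}


def run_cases(appender):
    """Build the argv for every case with the given appender."""
    out = {}
    for name, proto in CASES.items():
        params = {'chain': 'INPUT', 'protocol': proto,
                  'reject_with': 'icmp-port-unreachable', 'jump': 'REJECT'}
        out[name] = build_rule(params, appender)
    return out


if __name__ == '__main__':
    for fn in (append_param_before, append_param_pr, append_param_hardened):
        print(fn.__name__)
        for name, argv in run_cases(fn).items():
            print('  %-26s negated=%-5s %s'
                  % (name, is_negated(argv, '-p'), ' '.join(argv)))
```

Note that no change in the module can recover case 2: by the time the value reaches `append_param` the `!` is already gone, so the only reliable spelling in a playbook is the quoted `"!icmp"` form, and a rule whose argv shows `-p` without a preceding `!` where negation was intended is worth flagging in review before it is applied to a host.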


@@ -474,7 +480,7 @@ def append_param(rule, param, flag, is_list):
else:
if param is not None:
if param[0] == '!':
rule.extend(['!', flag, param[1:]])
rule.extend(['!', flag, param[1:].strip()])
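Review bot: `.strip()` on `param[1:]` repairs the `"! icmp"` case by turning `' icmp'` into `'icmp'`, but the branch test `param[0] == '!'` runs on the untrimmed value, so a value with whitespace before the `!` (for example `" !icmp"`) is not recognised as a negation and is passed to the flag verbatim, and `if param is not None` still lets an empty string through to `param[0]`, which raises IndexError. Suggest normalising before the test, e.g. `value = param.strip()` followed by `if value and value[0] == '!':` and `rule.extend(['!', flag, value[1:].strip()])`, so both checks see the trimmed value.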

bcoca Jul 11, 2019

Member

you might want a list comprehension here

europ Jul 20, 2019

Author

I think I might not, because the type of the param variable is string <type 'str'>. I fixed it by using .replace(" ", "") (the .strip() was not the right solution for that) and tested it; it works.

@ansibot ansibot added needs_revision and removed core_review labels Jul 11, 2019

@ansibot ansibot added the stale_ci label Jul 19, 2019

@europ europ force-pushed the europ:iptables_negation branch from d6c24b9 to f64f7af Jul 20, 2019

@ansibot ansibot removed the stale_ci label Jul 20, 2019

@europ europ force-pushed the europ:iptables_negation branch from f64f7af to f0bc7b6 Jul 20, 2019
