Large ruleset load fails #8

Closed
auxesis opened this Issue · 0 comments


@auxesis
Owner

Running ript rules apply sometimes fails to load rules:

```
$ ript rules generate /etc/firewall/ | wc -c
280508
$ ript rules diff /etc/firewall/ | wc -c
280508
$ ript rules apply /etc/firewall/ | wc -c
280508
$ ript rules diff /etc/firewall/ | wc -c
280508
# ^ should be 0
```

:bomb:

The offending code is here:

https://github.com/bulletproofnetworks/ript/blob/08913b752f5a54e0e49874c281504357e35ce8bd/bin/ript#L121-L127

To explain what's going on:

  • L122 is calling ript diff with the same arguments as were passed to ript apply, which generates the iptables commands to be run to bring the machine to the desired state.
  • L123 outputs the captured output from ript diff to the console, for user feedback.
  • L124 constructs a shell command to execute the captured ript diff output, and executes it.

The problem is the length of the output that is being passed to the command:

```
# ript rules generate /etc/firewall/ | wc -c
280508
```

That's a whole lotta characters, and Ruby's system() method doesn't seem to like it at all. If I print the result of the system() method call, I receive a nil.

The Ruby stdlib docs say:

> system returns true if the command gives zero exit status, false for non zero exit status. Returns nil if command execution fails. An error status is available in $?.

This seems to be a problem if you're doing a large initial import of rules on a new machine.

@auxesis auxesis was assigned
@auxesis auxesis closed this in 7a24f66
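An added example reproducing the failure mode described in this issue and showing two ways around it. This is not code from ript or from the linked commit (the page does not say how 7a24f66 fixed it); the "rules" are harmless `echo` commands standing in for iptables invocations so it runs without root, and the payload is padded past 1 MiB so it trips the argument-size limit on both Linux (128 KiB per argv element, `MAX_ARG_STRLEN`) and macOS (1 MiB total `ARG_MAX`), not just the 280508 bytes seen above.

```ruby
require 'open3'
require 'tempfile'

# Constructed stand-in for `ript rules diff` output: one harmless shell
# command per "rule" instead of an iptables call, so this runs unprivileged.
# Padded to more than 1 MiB, which exceeds Linux's 128 KiB per-argument limit
# (MAX_ARG_STRLEN) and macOS's 1 MiB total ARG_MAX.
def build_commands(min_bytes: 1_200_000)
  lines = []
  size  = 0
  i     = 0
  while size < min_bytes
    line = "echo 'rule #{i} #{'x' * 200}'"
    lines << line
    size += line.bytesize + 1
    i += 1
  end
  lines.join("\n")
end

# What the reported code effectively does: hand the whole script to system()
# as a single string. Because it contains quotes and newlines, Ruby runs it
# as `/bin/sh -c <script>`; execve rejects the oversized argv element
# (E2BIG on Linux), and system() reports that by returning nil.
def apply_via_system(script)
  system(script)
end

# Hardened variant 1: keep the script out of argv and feed it to sh on
# stdin, which has no length limit. `-e` aborts on the first failing
# command, which is what you want when applying a firewall ruleset.
def apply_via_stdin(script)
  out, status = Open3.capture2('sh', '-e', stdin_data: script)
  [status.success?, out]
end

# Hardened variant 2: write the script to a temporary file and let sh read
# it; only the short path ends up in argv. Output is discarded here so the
# stand-alone run stays quiet.
def apply_via_tempfile(script)
  Tempfile.create('ript-apply') do |f|
    f.write(script)
    f.flush
    system('sh', '-e', f.path, out: File::NULL)
  end
end

if $PROGRAM_NAME == __FILE__
  script = build_commands
  puts "script size:      #{script.bytesize} bytes"
  puts "system(script) => #{apply_via_system(script).inspect}"
  ok, out = apply_via_stdin(script)
  puts "sh via stdin   => #{ok} (#{out.lines.size} lines of output)"
  puts "sh via tempfile=> #{apply_via_tempfile(script)}"
end
```

Either hardened variant also avoids re-parsing the generated rules through `sh -c` as a single argument, so the length of the ruleset no longer decides whether `ript rules apply` converges.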