
Feature/master/add support for iprange #219

Merged

Conversation

hunner
Contributor

@hunner hunner commented Jul 9, 2013

Closes #215
Closes #216

lei and others added 3 commits July 5, 2013 14:27
Add support for filtering by source and destination IP range, equivalent to '-m iprange --src-range|--dst-range',
which only allows a specified IP range. Excluding an IP range, '! --src-range' or '! --dst-range', is not supported.

Add ':src_range' and ':dst_range' to firewall.rb
Add support for filtering by source and destination IP range, equivalent to '-m iprange --src-range|--dst-range',
which only allows a specified IP range. Excluding an IP range, '! --src-range' or '! --dst-range', is not supported.

Add ':src_range' and ':dst_range' to iptables.rb
@kbarber-jenkins-bot

Merged build triggered. (Status: PENDING, Details: null)

@kbarber-jenkins-bot

Merged build started. (Status: PENDING, Details: http://box.bob.sh:8080/job/puppetlabs-firewall/318/)

@kbarber-jenkins-bot

Merged build finished. (Status: FAILURE, Details: http://box.bob.sh:8080/job/puppetlabs-firewall/318/)

@hunner
Contributor Author

hunner commented Jul 9, 2013

@hurulu
Contributor

hurulu commented Jul 9, 2013

Hi hunner, thank you for your feedback. I've had a quick look at this.

It seems like iptables 1.3.5 doesn't support this format:
'-m iprange --src-range 10.0.0.1-10.0.0.2 -m iprange --dst-range 10.0.0.2-10.0.0.3', with two '-m iprange' written separately, while the newer version (1.4.x) does. Although I didn't go through every version of iptables to find the exact minimum version that supports this new feature, I am 95% sure that it is due to some incompatibility of parameter format between iptables versions.

If this is the case, any advice?

@hurulu
Contributor

hurulu commented Jul 9, 2013

@hunner, hi, I've just gone through iptables 1.3.4 - 1.4.0. It turns out that >= 1.3.6 will work well. Unfortunately, version 1.3.5, which is the default on CentOS 5.9, does not support the multiple '-m iprange' format. And all the versions < 1.3.5 will fail to pass the test.

@kbarber-jenkins-bot

Merged build triggered. (Status: PENDING, Details: null)

@kbarber-jenkins-bot

Merged build started. (Status: PENDING, Details: http://box.bob.sh:8080/job/puppetlabs-firewall/322/)

@hunner
Contributor Author

hunner commented Jul 9, 2013

I played around in CentOS 5.9, and patching the parser to know to only include -m iprange a single time seemed like a less-than-useful improvement, so I split the tests into two separate rules, since that is a more real-world use case anyway.
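The compatibility point discussed in the two comments above (a separate '-m iprange' before each of --src-range and --dst-range, which iptables 1.3.5 rejects, versus both options under one module match), as an added Ruby example. This is not puppetlabs-firewall code or part of this PR: it assumes a rule is a Hash carrying the :src_range / :dst_range keys the PR introduces, and the single_match: option is a hypothetical switch, not a parameter the module has. Range values are validated (IPv4 syntax, start not after end) before they reach a rule, and the parser reads them back from an iptables-save style line.

```ruby
require 'ipaddr'

# Added example, not puppetlabs-firewall code. A "rule" here is a Hash that
# may carry the :src_range / :dst_range keys this PR introduces, each a
# string of the form "first-last" (IPv4 only). The single_match: option is
# a hypothetical switch that emits both ranges under one "-m iprange", the
# only form iptables 1.3.5 accepts according to the PR discussion.

IPRANGE_RE = /\A(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})\z/

# Validate a "first-last" IPv4 range and return it unchanged.
# Rejects malformed addresses (e.g. an octet of 256) and reversed ranges.
def validate_range!(range)
  m = IPRANGE_RE.match(range.to_s)
  raise ArgumentError, "bad iprange #{range.inspect}" unless m
  first = IPAddr.new(m[1])   # IPAddr raises on octets > 255
  last  = IPAddr.new(m[2])
  raise ArgumentError, "iprange start after end: #{range}" if first > last
  range
end

# Render the iprange portion of an iptables command line as an argv-style
# array. The default form repeats "-m iprange" before each option, as the
# PR's tests do for iptables >= 1.3.6; single_match: true collapses both
# options under one module match.
def iprange_args(rule, single_match: false)
  args = []
  { src_range: '--src-range', dst_range: '--dst-range' }.each do |key, flag|
    next unless rule[key]
    validate_range!(rule[key])
    args.push('-m', 'iprange') unless single_match && args.include?('iprange')
    args.push(flag, rule[key])
  end
  args
end

# Parse an iptables-save style line and recover the :src_range / :dst_range
# keys, validating each value on the way in. Other tokens are ignored.
def parse_iprange(line)
  tokens = line.split
  rule = {}
  tokens.each_with_index do |tok, i|
    case tok
    when '--src-range' then rule[:src_range] = validate_range!(tokens[i + 1])
    when '--dst-range' then rule[:dst_range] = validate_range!(tokens[i + 1])
    end
  end
  rule
end

if $PROGRAM_NAME == __FILE__
  # Constructed input using the ranges quoted in the PR discussion.
  rule = { src_range: '10.0.0.1-10.0.0.2', dst_range: '10.0.0.2-10.0.0.3' }
  puts iprange_args(rule).join(' ')
  puts iprange_args(rule, single_match: true).join(' ')
  p parse_iprange('-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.2 ' \
                  '-m iprange --dst-range 10.0.0.2-10.0.0.3 -j ACCEPT')
end
```

Validating the range before it is rendered matters because iptables itself only reports a malformed --src-range at apply time, which in a Puppet run surfaces as a failed resource rather than a clear catalog error; checking start <= end also catches a reversed range that iptables would accept but that matches nothing.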

@kbarber-jenkins-bot

Merged build finished. (Status: SUCCESS, Details: http://box.bob.sh:8080/job/puppetlabs-firewall/322/)

hunner added a commit that referenced this pull request Jul 9, 2013
…range

Feature/master/add support for iprange
@hunner hunner merged commit 8d14c7a into puppetlabs:master Jul 9, 2013
@hurulu
Contributor

hurulu commented Jul 10, 2013

Thank you, hunner

cegeka-jenkins pushed a commit to cegeka/puppet-firewall that referenced this pull request Oct 23, 2017
…ort-for-iprange

Feature/master/add support for iprange