
Support proto for IPSec policy extension in iptables state #47113

Status: Merged (1 commit, Apr 25, 2018)

jfindlay (Contributor) commented Apr 17, 2018

What does this PR do?

Support --proto for iptables IPSec policy extension in iptables state.

What issues does this PR fix or reference?

I found no issues (open or closed) referencing this problem.

Previous Behavior

Consider the following state:

ipt-test:
  iptables.append:
    - name: ipt-test
    - table: filter
    - chain: INPUT
    - source: 10.20.0.0/24
    - destination: 10.10.0.0/24
    - in-interface: eth0
    - match: policy
    - proto: esp
    - dir: in
    - pol: ipsec
    - reqid: 1
    - jump: ACCEPT

Prior to this fix, applying ipt-test would produce this incorrect iptables rule:

# iptables -vL
...
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 ACCEPT     esp  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1
...
# iptables-save
...
-A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -p esp -m policy --dir in --pol ipsec --reqid 1 -j ACCEPT
...

New Behavior

The state ipt-test now produces the correct iptables rule:

# iptables -vL
...
 pkts bytes target     prot opt in     out     source               destination
...
    0     0 ACCEPT     all  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1 proto esp
...
# iptables-save
...
-A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
...

Notice how the proto is now interpreted as a parameter of the IPSec policy extension of iptables.

Tests written?

Automating tests for this would require iptables to be installed and working on the test system. If requested, I will attempt to make the necessary changes to SaltTesting. The full test case I used is copied below. The details of the state failure are shown in the Previous Behavior section. I compared the rules generated by the execution and state modules before and after the change against the rules generated with the raw iptables commands.

Raw commands

iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --protocol esp --dir in --pol ipsec --reqid 1 -j ACCEPT
iptables -A INPUT --proto esp -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --proto esp --dir in --pol ipsec --reqid 1 -j ACCEPT
iptables -A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --proto esp --dir in --pol ipsec --reqid 1 -j ACCEPT

salt iptables.append command line

salt-call --local iptables.append filter INPUT rule='-s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --protocol esp --dir in --pol ipsec --reqid 1 -j ACCEPT'
salt-call --local iptables.append filter INPUT rule='--proto esp -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --proto esp --dir in --pol ipsec --reqid 1 -j ACCEPT'
salt-call --local iptables.append filter INPUT rule='-s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --proto esp --dir in --pol ipsec --reqid 1 -j ACCEPT'

salt state.single iptables.append command line

salt-call --local state.single iptables.append name=ipt-test table=filter chain=INPUT source=10.20.0.0/24 destination=10.10.0.0/24 in-interface=eth0 match=policy protocol=esp dir=in pol=ipsec reqid=1 jump=ACCEPT
salt-call --local state.single iptables.append name=ipt-test table=filter chain=INPUT protocol=esp source=10.20.0.0/24 destination=10.10.0.0/24 in-interface=eth0 match=policy proto=esp dir=in pol=ipsec reqid=1 jump=ACCEPT
salt-call --local state.single iptables.append name=ipt-test table=filter chain=INPUT source=10.20.0.0/24 destination=10.10.0.0/24 in-interface=eth0 match=policy proto=esp dir=in pol=ipsec reqid=1 jump=ACCEPT

iptables-save output

-A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -p esp -m policy --dir in --pol ipsec --reqid 1 -j ACCEPT
-A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -p esp -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A INPUT -s 10.20.0.0/24 -d 10.10.0.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT

iptables -vL output

    0     0 ACCEPT     esp  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1
    0     0 ACCEPT     esp  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1 proto esp
    0     0 ACCEPT     all  --  eth0   any     10.20.0.0/24         10.10.0.0/24         policy match dir in pol ipsec reqid 1 proto esp

Results

Mode           Before  After
exec module    pass    pass
state module   fail    pass

Commits signed with GPG?

Yes
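The two renderings compared in the PR description, as an added example in Python that is not Salt's own code: a small rule builder that takes state-style options and emits iptables-save style lines, with a policy_proto_fix switch to reproduce the old and the new behaviour side by side. The BASE_FLAGS and POLICY_OPTIONS tables are an assumed, trimmed subset of what iptables accepts, and build_rule, before_fix, after_fix and both_protocol_and_proto are names chosen here for illustration. The placement matters for what the rule actually matches: a base `-p esp` restricts the rule to packets whose own IP protocol field is ESP, while `--proto esp` inside `-m policy` matches the encapsulation protocol of the IPsec policy that handled the packet, which is what a rule on decapsulated `--dir in` traffic is written for.

```python
"""Render iptables rules from state-style options and show why `proto` must be
attached to the policy match extension rather than the base rule.

Added example, not Salt's code. The option tables are an assumed subset."""

from collections import OrderedDict

# Base-rule options and the flag each renders to, in iptables-save order.
BASE_FLAGS = OrderedDict([
    ('source', '-s'),
    ('destination', '-d'),
    ('in-interface', '-i'),
    ('out-interface', '-o'),
    ('protocol', '-p'),
])

# Options of the `policy` match extension, in the order iptables-save prints
# them. Each must be rendered after `-m policy`, never as a base-rule flag.
POLICY_OPTIONS = ('dir', 'pol', 'strict', 'reqid', 'spi', 'proto', 'mode',
                  'tunnel-src', 'tunnel-dst')

# Options taken from the ipt-test state in the PR description.
IPT_TEST = {
    'source': '10.20.0.0/24',
    'destination': '10.10.0.0/24',
    'in-interface': 'eth0',
    'proto': 'esp',
    'dir': 'in',
    'pol': 'ipsec',
    'reqid': 1,
}


def build_rule(chain, jump, options, match=None, policy_proto_fix=True):
    """Return an iptables-save style rule line for the given options.

    policy_proto_fix=False reproduces the pre-fix behaviour: `proto` is treated
    as an alias of the base `protocol` option (-p) even when match is 'policy'.
    With the fix, `proto` stays with the policy extension when it is in use.
    """
    opts = dict(options)
    parts = ['-A', chain]

    if 'proto' in opts and not (policy_proto_fix and match == 'policy'):
        # Outside the policy extension (or before the fix), `proto` collapses
        # into the base protocol flag; refuse contradictory values.
        if 'protocol' in opts and opts['protocol'] != opts['proto']:
            raise ValueError('conflicting protocol/proto values')
        opts['protocol'] = opts.pop('proto')

    for name, flag in BASE_FLAGS.items():
        if name in opts:
            parts.extend([flag, str(opts.pop(name))])

    if match is not None:
        parts.extend(['-m', match])
        if match == 'policy':
            for name in POLICY_OPTIONS:
                if name not in opts:
                    continue
                value = opts.pop(name)
                if value is True:            # flag-only option such as --strict
                    parts.append('--' + name)
                else:
                    parts.extend(['--' + name, str(value)])

    if opts:
        # A naive renderer would silently drop these; fail loudly instead so a
        # mis-scoped option cannot widen the rule unnoticed.
        raise ValueError('unhandled options: {}'.format(sorted(opts)))

    parts.extend(['-j', jump])
    return ' '.join(parts)


def before_fix():
    """Pre-fix rendering: `proto` ends up as the base `-p esp`."""
    return build_rule('INPUT', 'ACCEPT', IPT_TEST, match='policy',
                      policy_proto_fix=False)


def after_fix():
    """Fixed rendering: `proto` becomes `--proto esp` inside the policy match."""
    return build_rule('INPUT', 'ACCEPT', IPT_TEST, match='policy')


def both_protocol_and_proto():
    """Explicit base `protocol` plus policy `proto`: both flags are emitted."""
    return build_rule('INPUT', 'ACCEPT', dict(IPT_TEST, protocol='esp'),
                      match='policy')


if __name__ == '__main__':
    print('before:', before_fix())
    print('after: ', after_fix())
    print('both:  ', both_protocol_and_proto())
```

Running the block prints the three iptables-save lines from the PR's test matrix; the before/after pair differs only in whether `esp` lands on `-p` or on `--proto`, which is the whole fix.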

jfindlay changed the title from "modules,states.iptables support proto for policy ext" to "Support proto for IPSec policy extension in iptables state" Apr 17, 2018

cachedout requested a review from gtmanfred Apr 18, 2018

gtmanfred (Contributor) reviewed Apr 18, 2018

Looks good other than the one small change.

@@ -289,6 +299,9 @@ def maybe_add_negation(arg):
if 'name_' in kwargs and match.strip() in ('pknock', 'quota2', 'recent'):
rule.append('--name {0}'.format(kwargs['name_']))
del kwargs['name_']
if 'proto' in kwargs and kwargs['match'] == 'policy':
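Review bot: the new condition on the last line, `kwargs['match'] == 'policy'`, raises KeyError for any rule that carries `proto` but no `match`, because the `'proto' in kwargs` guard protects only the first key; use `kwargs.get('match') == 'policy'`, or compare against the `match` value that the preceding `match.strip() in (...)` test already consults so both branches treat whitespace the same way.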

gtmanfred commented Apr 18, 2018 (inline, on the line above):

This should probably also be kwargs.get('match')

rallytime requested a review from gtmanfred Apr 25, 2018

rallytime merged commit 44f19b2 into saltstack:2017.7 Apr 25, 2018

6 of 9 checks passed:

default: Build finished.
FAILURE  jenkins/PR/salt-pr-linode-ubuntu16-py3 (Salt PR - Linode Ubuntu16.04 - PY3 #9151)
FAILURE  jenkins/PR/salt-pr-rs-cent7-n (Salt PR - RS CentOS 7 #18342)
WIP: ready for review
SUCCESS  jenkins/PR/salt-pr-clone (Salt PR - Clone #24460)
SUCCESS  jenkins/PR/salt-pr-docs-n (Salt PR - Docs #16601)
SUCCESS  jenkins/PR/salt-pr-linode-cent7-py3 (Salt PR - Linode CentOS 7 - PY3 #4290)
SUCCESS  jenkins/PR/salt-pr-linode-ubuntu14-n (Salt PR - Linode Ubuntu14.04 #22094)
SUCCESS  jenkins/PR/salt-pr-lint-n (Salt PR - Code Lint #21220)

jfindlay deleted the jfindlay:iptables_state branch Apr 30, 2018
