Closed svanharmelen closed 8 years ago
Hi there! Thank you for this :+1: :+1: :+1:. Would you mind including an example Windows-specific rule and test for the rule, to be sure we don't break it again?
@martinb3 so it seems to break on this rule:
firewall 'default' do
action :install
end
but I'm not sure I understand why... Will need to look into that one I guess, but if you have an idea already please let me know (would save me time I don't have right now :wink:).
@martinb3 fixed the error and added tests for all supported firewall types, so I think we're good to go...
@svanharmelen Thank you! I was hoping to write some tests if I didn't hear back, but hadn't gotten to it yet. Thank you for adding those! I've been working through this one today -- it isn't passing tests on all the suites for me.
@martinb3 I was able to run Test-Kitchen and have a look at the issue and I don't believe it's something related to my PR. I just added a test that uncovers a problem that was already there :wink:
The problem is with a bug/problem in ip6tables v1.3.5 which is the default version for RHEL5. See here the commit in v1.3.6 that fixes the problem and here a copy of the initial bug report.
So how to continue with this one? Again I don't believe this is related to my PR and actually this problem has always existed, so not sure what the right solution is here. Dropping support for RHEL5 could be a solution. Or another solution could be to add code to guard/check against this issue specifically for ipv6 rules on RHEL5. But either way, I believe that should be in a separate PR and not in this one...
It looks like CentOS 5 / ipv6 doesn't like the port range being generated. Just running it by hand, I get:
[root@default-centos-511 sysconfig]# ip6tables -A INPUT -p tcp -m tcp -m multiport --dports 1000:1100 -j ACCEPT
ip6tables v1.3.5: invalid port/service `1000:1100' specified
Try `ip6tables -h' or 'ip6tables --help' for more information.
@martinb3 please check out the update I placed earlier today. This is due to a bug in ip6tables v1.3.5 and not to the command itself...
@svanharmelen D'oh! I had a browser tab open so long with the issue that I didn't see the update! Thank you for finding that. Let's merge this in and let users decide how to proceed when/if they encounter the bug :+1:
:+1: :wink:
Without this fix, a range would always end up in a format that is fine for Linux (iptables) systems, but breaks on Windows (Windows expects a range to be 10-20, where Linux (iptables) expects it to be 10:20). Additionally, things inside an Array were not checked and converted by this function, which could also lead to issues when you (for example) had an Array with a range and an additional single port.
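The conversion described above, as an added example that is not the firewall cookbook's own code: one function that normalises an Integer, a Ruby Range, a "lo:hi" / "lo-hi" String, or an Array mixing all of these into the separator each platform expects, and rejects out-of-range or inverted ranges before they reach the firewall command. The function names and the :windows / :linux platform symbols are assumptions made for this example.

```ruby
# Added example (not the firewall cookbook's own code): normalise a port
# specification into the format each platform's firewall tooling expects.
# Linux iptables/ip6tables writes a range as "1000:1100"; Windows
# (netsh advfirewall) writes it as "1000-1100". The function names and the
# :windows/:linux platform symbols are assumptions made for this example.

PORT_RANGE_RE = /\A(\d+)\s*[:-]\s*(\d+)\z/

def range_separator(platform)
  platform == :windows ? '-' : ':'
end

# Validate that both ends are real port numbers and in ascending order,
# so an inverted range like "1100:1000" fails here instead of at the firewall.
def check_range!(lo, hi)
  valid = (0..65_535).cover?(lo) && (0..65_535).cover?(hi) && lo <= hi
  raise ArgumentError, "invalid port range #{lo.inspect}..#{hi.inspect}" unless valid
  [lo, hi]
end

# Returns a String for a single port or range, or an Array of Strings when
# given an Array, so ["80", 1000..1100] is converted element by element
# (the case the PR description says was previously skipped).
def normalize_port(port, platform)
  sep = range_separator(platform)
  case port
  when Integer
    check_range!(port, port)
    port.to_s
  when Range
    # min/max handle exclusive ranges (1000...1100 => 1000..1099) correctly
    lo, hi = check_range!(port.min, port.max)
    "#{lo}#{sep}#{hi}"
  when String
    if (m = PORT_RANGE_RE.match(port))
      lo, hi = check_range!(m[1].to_i, m[2].to_i)
      "#{lo}#{sep}#{hi}"
    elsif port =~ /\A\d+\z/
      check_range!(port.to_i, port.to_i)
      port.to_i.to_s
    else
      raise ArgumentError, "unrecognised port spec #{port.inspect}"
    end
  when Array
    port.map { |p| normalize_port(p, platform) }
  else
    raise ArgumentError, "unsupported port spec #{port.inspect}"
  end
end

# Flatten whatever normalize_port returned into the comma-separated list
# that iptables --dports or netsh localport= accepts.
def port_list(ports, platform)
  Array(normalize_port(ports, platform)).flatten.join(',')
end

if $PROGRAM_NAME == __FILE__
  spec = [22, '80', 1000..1100, '2000-2100']
  puts "linux:   #{port_list(spec, :linux)}"   # 22,80,1000:1100,2000:2100
  puts "windows: #{port_list(spec, :windows)}" # 22,80,1000-1100,2000-2100
end
```

The separator is chosen once per call and applied to every element, so a mixed Array can never end up half-converted; the bounds check runs on every element too, so a bad value is caught by the cookbook rather than surfacing as a cryptic error from iptables or netsh at converge time.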