github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #2722 from thockin/iptables 

strip quotes in back-compat iptables
pull/6/head
Tim Hockin 2014-12-03 16:10:00 -08:00
parent 6cb26e17a4 b1470b6672
commit c31b3f04de
1 changed files with 30 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
pkg/util/iptables/iptables.go
View File

@ -187,7 +187,8 @@ func (runner *runner) checkRule(table Table, chain Chain, args ...string) (bool,
} }
// Executes the rule check without using the "-C" flag, instead parsing iptables-save. // Executes the rule check without using the "-C" flag, instead parsing iptables-save.
// Present for compatibility with <1.4.11 versions of iptables. // Present for compatibility with <1.4.11 versions of iptables. This is full
// of hack and half-measures. We should nix this ASAP.
func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) { func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...string) (bool, error) {
glog.V(1).Infof("running iptables-save -t %s", string(table)) glog.V(1).Infof("running iptables-save -t %s", string(table))
out, err := runner.exec.Command("iptables-save", "-t", string(table)).CombinedOutput() out, err := runner.exec.Command("iptables-save", "-t", string(table)).CombinedOutput()
@ -195,25 +196,46 @@ func (runner *runner) checkRuleWithoutCheck(table Table, chain Chain, args ...st
return false, fmt.Errorf("error checking rule: %v", err) return false, fmt.Errorf("error checking rule: %v", err)
} }
argset := util.NewStringSet(args...) // Sadly, iptables has inconsistent quoting rules for comments.
// Just unquote any arg that is wrapped in quotes.
argsCopy := make([]string, len(args))
copy(argsCopy, args)
for i := range argsCopy {
unquote(&argsCopy[i])
}
argset := util.NewStringSet(argsCopy...)
for _, line := range strings.Split(string(out), "\n") { for _, line := range strings.Split(string(out), "\n") {
var fields = strings.Fields(line) var fields = strings.Fields(line)
// Check that this is a rule for the correct chain, and that it has // Check that this is a rule for the correct chain, and that it has
// the correct number of argument (+2 for "-A <chain name>") // the correct number of argument (+2 for "-A <chain name>")
if strings.HasPrefix(line, fmt.Sprintf("-A %s", string(chain))) && len(fields) == len(args)+2 { if !strings.HasPrefix(line, fmt.Sprintf("-A %s", string(chain))) || len(fields) != len(args)+2 {
// TODO: This misses reorderings e.g. "-x foo ! -y bar" will match "! -x foo -y bar" continue
if util.NewStringSet(fields...).IsSuperset(argset) {
return true, nil
}
glog.V(5).Infof("DBG: fields is not a superset of args: fields=%v args=%v", fields, args)
} }
// Sadly, iptables has inconsistent quoting rules for comments.
// Just unquote any arg that is wrapped in quotes.
for i := range fields {
unquote(&fields[i])
}
// TODO: This misses reorderings e.g. "-x foo ! -y bar" will match "! -x foo -y bar"
if util.NewStringSet(fields...).IsSuperset(argset) {
return true, nil
}
glog.V(5).Infof("DBG: fields is not a superset of args: fields=%v args=%v", fields, args)
} }
return false, nil return false, nil
} }
func unquote(strp *string) {
if len(*strp) >= 2 && (*strp)[0] == '"' && (*strp)[len(*strp)-1] == '"' {
*strp = strings.TrimPrefix(strings.TrimSuffix(*strp, `"`), `"`)
}
}
// Executes the rule check using the "-C" flag // Executes the rule check using the "-C" flag
func (runner *runner) checkRuleUsingCheck(args []string) (bool, error) { func (runner *runner) checkRuleUsingCheck(args []string) (bool, error) {
out, err := runner.run(opCheckRule, args) out, err := runner.run(opCheckRule, args)