author | Martin Polden <mpolden@mpolden.no> | 2022-08-24 11:34:10 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2022-08-24 11:34:10 +0200 |
commit | 6816bbb5787c5aa959dda4df6ce612ea3abdfd35 (patch) | |
tree | bdee2099ca834a040b3d697d5c26b44cc01ac7c7 /node-admin | |
parent | 63e1792a84d3f4fbcb07e43cbc5eb79d7b77994d (diff) |
Re-order options to avoid diff when comparing with existing rules
Diffstat (limited to 'node-admin')
2 files changed, 8 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index dd78e08aaa6..2908cf39fc8 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -76,8 +76,8 @@ public class Acl {
 .sorted()
 .toList();
 for (var ipAddress : clusterAddresses) {
- rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) + " -s " +
- ipAddress + ipVersion.singleHostCidr() + " -j ACCEPT");
+ rules.add("-A INPUT -s " + ipAddress + ipVersion.singleHostCidr() + " -p tcp -m multiport --dports " +
+ joinPorts(zooKeeperPorts) + " -j ACCEPT");
 }
 // Reject any other connections to ZooKeeper
 rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) +
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index e1a481ea4ff..c4bee8bb1dc 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
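Review bot: The option order in the `rules.add` call inside the `for (var ipAddress : clusterAddresses)` loop of Acl.java is now load-bearing, but nothing in the code says so. Per the commit title the generated text is compared with the existing rules, so a later edit that moves `-s` back behind `--dports` would presumably make every comparison report a difference again and the ZooKeeper ACL would be treated as out of date on each pass. I would add a comment above the call, e.g. `// Keep -s before -p/-m: the rule text must match the existing rules exactly when compared`. The enclosing method starts before the hunk, and the REJECT rule's `rules.add(` statement continues past its last line.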
@@ -126,9 +126,9 @@ public class AclTest {
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.41/32 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.42/32 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.43/32 -j ACCEPT
+ -A INPUT -s 172.17.0.41/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 172.17.0.42/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 172.17.0.43/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -s 172.17.0.41/32 -j ACCEPT
 -A INPUT -s 172.17.0.42/32 -j ACCEPT
@@ -145,9 +145,9 @@ public class AclTest {
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p ipv6-icmp -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::41/128 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::42/128 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::43/128 -j ACCEPT
+ -A INPUT -s 2001:db8::41/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 2001:db8::42/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 2001:db8::43/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -s 2001:db8::41/128 -j ACCEPT
 -A INPUT -s 2001:db8::42/128 -j ACCEPT |