authorValerij Fredriksen <valerijf@oath.com>2018-04-30 17:17:04 +0200
committerValerij Fredriksen <valerij92@gmail.com>2018-04-30 21:37:54 +0200
commitb58b6ed088d68f4b3c5a781d0e96de62e1603156 (patch)
treee4b8be7df34fc5008d1e49370e4f58392446c952 /node-admin
parent2e6c591d502e203d01b597cbff6eda9a7acef72f (diff)
Sort ports and ipaddresses before applying
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java3
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java10
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java6
3 files changed, 15 insertions, 4 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index 03c4466a3b1..3b47f99ba77 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -51,7 +51,7 @@ public class Acl {
rules.add("-A INPUT -p " + ipVersion.icmpProtocol() + " -j ACCEPT");
// Allow trusted ports if any
- String commaSeparatedPorts = trustedPorts.stream().map(i -> Integer.toString(i)).collect(Collectors.joining(","));
+ String commaSeparatedPorts = trustedPorts.stream().map(i -> Integer.toString(i)).sorted().collect(Collectors.joining(","));
if (!commaSeparatedPorts.isEmpty())
rules.add("-A INPUT -p tcp -m multiport --dports " + commaSeparatedPorts + " -j ACCEPT");
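Review bot: The new `.sorted()` on the ports line runs after `map(i -> Integer.toString(i))`, so the ports are ordered as strings ("1234" sorts before "453"), which is stable but not the numeric order a reader of the resulting iptables rule expects. Sorting the integers before formatting keeps the determinism this commit is after and yields numeric order: `String commaSeparatedPorts = trustedPorts.stream().sorted().map(String::valueOf).collect(Collectors.joining(","));`. The updated expectations in AclMaintainerTest (22,2345,4321 and 22,2222,4443) are identical under both orderings, so they would not catch the difference. The enclosing method (presumably toRules, given the call in AclTest) starts and ends outside this hunk.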
@@ -59,6 +59,7 @@ public class Acl {
trustedNodes.stream()
.filter(ipVersion::match)
.map(ipAddress -> "-A INPUT -s " + InetAddresses.toAddrString(ipAddress) + ipVersion.singleHostCidr() + " -j ACCEPT")
+ .sorted()
.forEach(rules::add);
// We reject instead of dropping to give us an easier time to figure out potential network issues
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index 8bbbd076b49..77bc49ca596 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
@@ -69,6 +69,16 @@ public class AclTest {
"-A INPUT -j REJECT --reject-with icmp6-port-unreachable", listRulesIpv6);
}
+ @Test
+ public void ipv6_rules_stable() {
+ Acl aclCommonDifferentOrder = new Acl(
+ createPortList(453, 1234),
+ createTrustedNodes("fe80::2", "192.1.2.2", "fb00::1", "fe80::3"));
+
+ for (IPVersion ipVersion: IPVersion.values()) {
+ Assert.assertEquals(aclCommon.toRules(ipVersion), aclCommonDifferentOrder.toRules(ipVersion));
+ }
+ }
private List<Integer> createPortList(Integer... ports) {
return Arrays.asList(ports);
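Review bot: The new test is named `ipv6_rules_stable`, but the loop around the assertion covers every `IPVersion`, so the name understates what is checked; `rules_stable_regardless_of_input_order` would match the body. The assertion is only meaningful if `aclCommon` holds the same ports and trusted nodes as `aclCommonDifferentOrder` in a different order, and since `aclCommon` is defined outside this hunk that cannot be confirmed here; a comment on the fixture, `// same ports and trusted nodes as aclCommon, listed in a different order`, would make that precondition explicit to the next maintainer who edits either fixture. The hunk ends inside the class body; `createPortList` continues below it.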
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 0efc84727fc..28e21494c01 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -131,7 +131,7 @@ public class AclMaintainerTest {
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
"-A INPUT -i lo -j ACCEPT\n" +
"-A INPUT -p ipv6-icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 4321,2345,22 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 22,2345,4321 -j ACCEPT\n" +
"-A INPUT -s 2001::1/128 -j ACCEPT\n" +
"-A INPUT -s fd01:1234::4321/128 -j ACCEPT\n" +
"-A INPUT -j REJECT --reject-with icmp6-port-unreachable";
@@ -165,7 +165,7 @@ public class AclMaintainerTest {
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
"-A INPUT -i lo -j ACCEPT\n" +
"-A INPUT -p icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 22,4443,2222 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 22,2222,4443 -j ACCEPT\n" +
"-A INPUT -s 192.64.13.2/32 -j ACCEPT\n" +
"-A INPUT -j REJECT --reject-with icmp-port-unreachable";
@@ -175,7 +175,7 @@ public class AclMaintainerTest {
"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
"-A INPUT -i lo -j ACCEPT\n" +
"-A INPUT -p ipv6-icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 22,4443,2222 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 22,2222,4443 -j ACCEPT\n" +
"-A INPUT -s 2001::1/128 -j ACCEPT\n" +
"-A INPUT -j REJECT --reject-with icmp6-port-unreachable";