author | Valerij Fredriksen <valerijf@oath.com> | 2018-04-30 17:17:04 +0200 |
committer | Valerij Fredriksen <valerij92@gmail.com> | 2018-04-30 21:37:54 +0200 |
commit | b58b6ed088d68f4b3c5a781d0e96de62e1603156 (patch) | |
tree | e4b8be7df34fc5008d1e49370e4f58392446c952 /node-admin | |
parent | 2e6c591d502e203d01b597cbff6eda9a7acef72f (diff) |
Sort ports and IP addresses before applying
Diffstat (limited to 'node-admin')
3 files changed, 15 insertions, 4 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index 03c4466a3b1..3b47f99ba77 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -51,7 +51,7 @@ public class Acl {
 rules.add("-A INPUT -p " + ipVersion.icmpProtocol() + " -j ACCEPT");
 // Allow trusted ports if any
- String commaSeparatedPorts = trustedPorts.stream().map(i -> Integer.toString(i)).collect(Collectors.joining(","));
+ String commaSeparatedPorts = trustedPorts.stream().map(i -> Integer.toString(i)).sorted().collect(Collectors.joining(","));
 if (!commaSeparatedPorts.isEmpty())
 rules.add("-A INPUT -p tcp -m multiport --dports " + commaSeparatedPorts + " -j ACCEPT");
@@ -59,6 +59,7 @@ public class Acl {
 trustedNodes.stream()
 .filter(ipVersion::match)
 .map(ipAddress -> "-A INPUT -s " + InetAddresses.toAddrString(ipAddress) + ipVersion.singleHostCidr() + " -j ACCEPT")
+ .sorted()
 .forEach(rules::add);
 // We reject instead of dropping to give us an easier time to figure out potential network issues
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index 8bbbd076b49..77bc49ca596 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
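Review bot: The new `.map(i -> Integer.toString(i)).sorted()` in the first Acl.java hunk sorts the ports as strings, so the `--dports` list is in lexicographic rather than numeric order (for example 443 would precede 80); the updated AclMaintainerTest fixtures coincide with numeric order only because their values happen to sort the same way both ways. The order is deterministic either way, which is what the commit is after, but sorting before the map, `String commaSeparatedPorts = trustedPorts.stream().sorted().map(i -> Integer.toString(i)).collect(Collectors.joining(","));`, gives a numeric order at no extra cost and is easier to read when the rendered rules are compared or audited. The second hunk sorts the rendered per-host ACCEPT rules; as they all share the same target, their relative order does not change which traffic is accepted, so a comment such as `// Sorted so the rendered rule set is stable across config server responses` would record that the sort is for stable rendering only. Both hunks sit inside a method whose start and end lie outside the hunk.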
@@ -69,6 +69,16 @@ public class AclTest {
 "-A INPUT -j REJECT --reject-with icmp6-port-unreachable", listRulesIpv6);
 }
+ @Test
+ public void ipv6_rules_stable() {
+ Acl aclCommonDifferentOrder = new Acl(
+ createPortList(453, 1234),
+ createTrustedNodes("fe80::2", "192.1.2.2", "fb00::1", "fe80::3"));
+
+ for (IPVersion ipVersion: IPVersion.values()) {
+ Assert.assertEquals(aclCommon.toRules(ipVersion), aclCommonDifferentOrder.toRules(ipVersion));
+ }
+ }
 private List<Integer> createPortList(Integer... ports) {
 return Arrays.asList(ports);
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index 0efc84727fc..28e21494c01 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -131,7 +131,7 @@ public class AclMaintainerTest {
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
 "-A INPUT -i lo -j ACCEPT\n" +
 "-A INPUT -p ipv6-icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 4321,2345,22 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 22,2345,4321 -j ACCEPT\n" +
 "-A INPUT -s 2001::1/128 -j ACCEPT\n" +
 "-A INPUT -s fd01:1234::4321/128 -j ACCEPT\n" +
 "-A INPUT -j REJECT --reject-with icmp6-port-unreachable";
@@ -165,7 +165,7 @@ public class AclMaintainerTest {
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
 "-A INPUT -i lo -j ACCEPT\n" +
 "-A INPUT -p icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 22,4443,2222 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 22,2222,4443 -j ACCEPT\n" +
 "-A INPUT -s 192.64.13.2/32 -j ACCEPT\n" +
 "-A INPUT -j REJECT --reject-with icmp-port-unreachable";
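Review bot: The new test `ipv6_rules_stable` in the AclTest hunk loops over every `IPVersion`, so its name understates what it asserts; a name such as `rules_are_stable_regardless_of_input_order` would describe the check. It also depends on `aclCommon`, declared outside the hunk, presumably holding the same ports and trusted nodes as `aclCommonDifferentOrder` in another order; a one-line comment on the new fixture, `// Same ports and trusted nodes as aclCommon, listed in a different order`, would make that coupling explicit for the next reader. Minor style point on the same hunk: `for (IPVersion ipVersion: IPVersion.values())` omits the space before the colon that the rest of the file's `for` loops presumably use.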
@@ -175,7 +175,7 @@ public class AclMaintainerTest {
 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n" +
 "-A INPUT -i lo -j ACCEPT\n" +
 "-A INPUT -p ipv6-icmp -j ACCEPT\n" +
- "-A INPUT -p tcp -m multiport --dports 22,4443,2222 -j ACCEPT\n" +
+ "-A INPUT -p tcp -m multiport --dports 22,2222,4443 -j ACCEPT\n" +
 "-A INPUT -s 2001::1/128 -j ACCEPT\n" +
 "-A INPUT -j REJECT --reject-with icmp6-port-unreachable";