From 6816bbb5787c5aa959dda4df6ce612ea3abdfd35 Mon Sep 17 00:00:00 2001
From: Martin Polden
Date: Wed, 24 Aug 2022 11:34:10 +0200
Subject: Re-order options to avoid diff when comparing with existing rules
---
 .../hosted/node/admin/configserver/noderepository/Acl.java | 4 ++--
 .../node/admin/configserver/noderepository/AclTest.java | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
(limited to 'node-admin')
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index dd78e08aaa6..2908cf39fc8 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -76,8 +76,8 @@ public class Acl {
 .sorted()
 .toList();
 for (var ipAddress : clusterAddresses) {
- rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) + " -s " +
- ipAddress + ipVersion.singleHostCidr() + " -j ACCEPT");
+ rules.add("-A INPUT -s " + ipAddress + ipVersion.singleHostCidr() + " -p tcp -m multiport --dports " +
+ joinPorts(zooKeeperPorts) + " -j ACCEPT");
 }
 // Reject any other connections to ZooKeeper
 rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) +
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index e1a481ea4ff..c4bee8bb1dc 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java 
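Review bot: The new `rules.add` string inside the loop encodes an ordering assumption that nothing in the code explains: `-s` now precedes `-p`/`-m` because, per the commit subject, the generated rule is compared textually with rules already present on the host, presumably in the form the firewall tool prints them back. A later edit that restores the "natural" protocol-first order would silently reintroduce the mismatch, so the reason belongs next to the code, e.g. `// Keep -s before -p/-m: rules are compared as strings against the installed rules, which list the source first`. The REJECT rule on the last context line and the plain `-s … -j ACCEPT` rules in the test expectation already appear in that listing order, so only this ACCEPT rule needed changing, but that is inferred from the test text rather than checked here. The enclosing method starts and ends outside the hunk.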
@@ -126,9 +126,9 @@ public class AclTest {
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.41/32 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.42/32 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.43/32 -j ACCEPT
+ -A INPUT -s 172.17.0.41/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 172.17.0.42/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 172.17.0.43/32 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -s 172.17.0.41/32 -j ACCEPT
 -A INPUT -s 172.17.0.42/32 -j ACCEPT
@@ -145,9 +145,9 @@ public class AclTest {
 -A INPUT -i lo -j ACCEPT
 -A INPUT -p ipv6-icmp -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::41/128 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::42/128 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::43/128 -j ACCEPT
+ -A INPUT -s 2001:db8::41/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 2001:db8::42/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
+ -A INPUT -s 2001:db8::43/128 -p tcp -m multiport --dports 2181,2182,2183 -j ACCEPT
 -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -s 2001:db8::41/128 -j ACCEPT
 -A INPUT -s 2001:db8::42/128 -j ACCEPT
-- 
cgit v1.2.3