Project: VCL

VCL-880: Issues with clean_iptables in Linux.pm



    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4.2
    • Fix Version/s: 2.5
    • Component/s: vcld (backend)
    • Labels: None


      The clean_iptables subroutine in Linux.pm indiscriminately deletes all firewall rules that have an unrestricted source IP address scope. This logic is poor. Custom rules added by an image creator are deleted if the rule contains a specific source IP address scope.

      The subroutine also fails to delete all of the (poorly) intended rules, and possibly deletes unintended rules, when the computer contains 10 or more rules. The iptables rule numbers returned by the following command are used for the iptables -D deletion commands:
      iptables --line-number -n -L

      The subroutine attempts to sort the rules from highest to lowest rule number and assemble the iptables -D commands in that order. This is the correct logic; however, the code sorts the rule numbers alphabetically rather than numerically. As a result, the following occurs:

      |Linux.pm:clean_iptables|4521|attempting to execute commands to sanitize iptables rules on vclv99-196:
      |Linux.pm:clean_iptables|4521| iptables -D INPUT 5
      |Linux.pm:clean_iptables|4521| iptables -D INPUT 14
      |Linux.pm:clean_iptables|4521| iptables -D INPUT 10
      |Linux.pm:clean_iptables|4521| iptables -D INPUT 1
      |Linux.pm:clean_iptables|4532| ---- WARNING ----
      |Linux.pm:clean_iptables|4532| 2015-06-28 20:29:06|Linux.pm:clean_iptables|4532|failed to sanitized iptables rules on vclv99-196, exit status: 1, output:
      |Linux.pm:clean_iptables|4532| iptables: Index of deletion too big.
      |Linux.pm:clean_iptables|4532| ( 0) Linux.pm, clean_iptables (line: 4532)
      |Linux.pm:clean_iptables|4532| (-1) Linux.pm, pre_capture (line: 369)
      |Linux.pm:clean_iptables|4532| (-2) VMware.pm, capture (line: 755)
      |Linux.pm:clean_iptables|4532| (-3) image.pm, process (line: 179)
      |Linux.pm:clean_iptables|4532| (-4) vcld, make_new_child (line: 587)
      |Linux.pm:clean_iptables|4532| (-5) vcld, main (line: 348)

      The error occurs because, once rule 5 has been deleted, there may no longer be a rule 14: the former rule 14 becomes rule 13.
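      The following is an added example, not code from VCL's Linux.pm, that reproduces the ordering bug described above on constructed `iptables --line-numbers -n -L` output: it parses the rule table, selects the rules with an unrestricted source scope (the criterion the issue says clean_iptables used), builds the deletion list in both the buggy alphabetical order and the correct numeric order, and simulates how iptables renumbers a chain after each delete. The sample rule table, the function names, and the 10.1.2.0/24 source network are assumptions made for the example.

```python
"""Added example (not VCL's Linux.pm code): why deleting iptables rules by line
number must be done in numerically descending order."""
import re

# Constructed sample of `iptables --line-numbers -n -L` output; it is not a capture
# from any VCL node.  Rules 1, 5, 10 and 14 carry an unrestricted source scope so
# the numbers match the ones in the log quoted in this issue.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:3389
4    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:443
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:5900
7    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:5901
8    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:5902
9    ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:8000
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
11   ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:8443
12   ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:9000
13   ACCEPT     tcp  --  10.1.2.0/24          0.0.0.0/0            tcp dpt:9001
14   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
"""

# num, target, prot, opt, source, destination, then any trailing match text
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_line_numbers(output):
    """Parse `iptables --line-numbers -n -L` output into a list of rule dicts."""
    rules, chain = [], None
    for line in output.splitlines():
        header = re.match(r"^Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:  # the 'num  target ...' column header never matches \d+
            num, target, prot, opt, src, dst, extra = m.groups()
            rules.append({"chain": chain, "num": int(num), "target": target,
                          "prot": prot, "source": src, "destination": dst,
                          "extra": extra.strip()})
    return rules


def select_unrestricted(rules, chain="INPUT"):
    """Rule numbers in `chain` whose source scope is unrestricted (0.0.0.0/0)."""
    return [r["num"] for r in rules
            if r["chain"] == chain and r["source"] == "0.0.0.0/0"]


def order_alphabetically(nums):
    """The buggy ordering: numbers compared as strings, so '5' > '14' > '10' > '1'."""
    return [int(s) for s in sorted((str(n) for n in nums), reverse=True)]


def order_numerically(nums):
    """The correct ordering: highest rule number first, so deletes never shift
    a rule that is still to be deleted."""
    return sorted(nums, reverse=True)


def deletion_commands(chain, nums):
    return ["iptables -D %s %d" % (chain, n) for n in nums]


def simulate_deletions(rule_count, nums):
    """Apply `iptables -D CHAIN n` in the given order to a chain of rule_count rules.

    Mirrors iptables' behaviour: remaining rules are renumbered after every delete,
    and an index past the end fails ('Index of deletion too big').  Returns
    (succeeded, list of the ORIGINAL numbers of the rules actually removed)."""
    chain = list(range(1, rule_count + 1))  # each entry holds the rule's original number
    removed = []
    for n in nums:
        if n < 1 or n > len(chain):
            return False, removed
        removed.append(chain.pop(n - 1))
    return True, removed


if __name__ == "__main__":
    rules = parse_line_numbers(SAMPLE_OUTPUT)
    nums = select_unrestricted(rules)
    count = sum(1 for r in rules if r["chain"] == "INPUT")
    for label, order in (("alphabetical (buggy)", order_alphabetically(nums)),
                         ("numeric (correct)", order_numerically(nums))):
        ok, removed = simulate_deletions(count, order)
        print(label, deletion_commands("INPUT", order), "ok" if ok else "FAILED", removed)
```

      With the 14-rule sample the alphabetical order is 5, 14, 10, 1, so the second delete fails exactly as in the log; with a 15-rule chain the same order would succeed but remove original rules 5, 15, 11 and 1, which is the "possibly deleting unintended rules" case. Sorting numerically fixes the ordering, but the selection step is still the one that decides which rules an image creator loses, so a deployment should narrow that criterion to the rules the capture process itself added rather than everything with an unrestricted source.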




            Assignee: Andrew Kurth (arkurth)
            Reporter: Andrew Kurth (arkurth)