Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.4.2
-
None
Description
The enable_firewall_port and disable_firewall_port subroutines in Linux.pm retrieve the existing iptables rules. The proper scope is then calculated. They then construct a long command that deletes existing rules with iptables -D then add rules back with iptables -I. All of the individual iptables commands are chained by &&. Example:
iptables -D INPUT 4 && iptables -D INPUT 3 && iptables -D INPUT 2 && iptables -v -I INPUT 1 -p tcp...
Existing rules are deleted by rule ID. It is critical to delete them in order from highest to lowest otherwise the ID of subsequent rules will change. For example, suppose you want to delete rules B, C and D which currently have IDs 2, 3 and 4:
- A
- B
- C
- D
- E
- F
If the rules are deleted in ascending order (2,3,4), after the first deletion (B, ID=2) the IDs immediately become:
- A
- C
- D
- E
- F
Then rule 3 (currently D) is deleted, the IDs immediately become:
- A
- C
- E
- F
When the command finally deletes rule 4 it is deleting an unintended rule (F).
The code in Linux.pm is constructing the command with the IDs reverse sorted (good). However, it's using Perl's default lexical sort instead of numeric (bad). Because of this, rules are deleted in an order such as:
3
2
11
10
1
This causes various problems, including the possibility of locking the management node out.