nftables iteration of dport and port breaks rule application

- Epic
- Resolution: Done
- Major
- rhos-18.0 Beta
- No Docs Impact
- 0% To Do, 0% In Progress, 100% Done
- Release Note Not Required
- Automated
- 2023Q3
- Important
If a user provides a rule like:

    '999 blah rule':
      action: insert
      dport: 61152-61215
      jump: ACCEPT
      proto: tcp
      source: 1.1.1.1/8

the `dport` value is a string (YAML parses `61152-61215` as a string because of the hyphen, whereas a bare `22` would be an integer), and the rule template iterates over that string character by character. Rule validation therefore fails, and the generated nft command shows the string joined as `6,1,1,5,2,-,6,1,2,1,5`:

    199 blah rule {'action': 'insert', 'dport': '61152-61215', 'jump': 'ACCEPT', 'proto': 'tcp', 'source': '192.168.60.0/24'} add rule inet filter TRIPLEO_INPUT ip saddr 1.1.1.1/24 tcp dport { 6,1,1,5,2,-,6,1,2,1,5 } ct state new counter accept comment "999 blah rule"

To fix this, the type check performed before iterating needs to be stricter: a string (single port or `low-high` range) must be treated as one scalar element, and only real lists of ports should be iterated over.
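The following Python is an added illustration and is not the tripleo-ansible code this issue is about. It reproduces the failing logic (a port value is joined element by element whenever it is iterable, which a string is) next to a stricter version that treats `str` and `int` as scalars, only iterates real sequences, and validates every port or `low-high` range before it reaches nft. The rule dictionary, the `render_rule` helper, the `TRIPLEO_INPUT` chain name and the `inet filter` table are assumptions taken from the log line above, not the project's own API.

```python
import re
from typing import Any

# Constructed sample rule in the shape shown in the report (assumption: only
# the keys action/dport/jump/proto/source are handled here).
SAMPLE_RULE = {
    "999 blah rule": {
        "action": "insert",
        "dport": "61152-61215",
        "jump": "ACCEPT",
        "proto": "tcp",
        "source": "1.1.1.1/8",
    }
}

# One port ("22") or an inclusive range ("61152-61215").
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _check_port(item: Any) -> str:
    """Validate one element: a port number or a 'low-high' range within 1..65535."""
    text = str(item).strip()
    match = _PORT_RE.match(text)
    if not match:
        raise ValueError(f"bad port spec {text!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port spec out of range: {text!r}")
    return text


def render_ports_buggy(ports: Any) -> str:
    """The failing logic: anything with __iter__ is joined element by element.
    A str is iterable, so '61152-61215' comes out as 6,1,1,5,2,-,6,1,2,1,5."""
    if hasattr(ports, "__iter__"):
        return "{ " + ",".join(str(p) for p in ports) + " }"
    return "{ " + str(ports) + " }"


def render_ports(ports: Any) -> str:
    """Stricter logic: str and int are a single scalar element; only real
    sequences (list/tuple/set) are iterated; every element is validated."""
    if isinstance(ports, (str, int)):
        items = [ports]
    elif isinstance(ports, (list, tuple, set)):
        items = list(ports)
    else:
        raise TypeError(f"unsupported port spec type {type(ports).__name__}")
    if not items:
        raise ValueError("empty port list")
    return "{ " + ",".join(_check_port(p) for p in items) + " }"


def render_rule(name: str, rule: dict, chain: str = "TRIPLEO_INPUT") -> str:
    """Render one rule into nft syntax (assumption: IPv4 source, inet filter table)."""
    parts = ["add rule inet filter", chain]
    if "source" in rule:
        parts.append(f"ip saddr {rule['source']}")
    proto = rule.get("proto", "tcp")
    if "dport" in rule:
        parts.append(f"{proto} dport {render_ports(rule['dport'])}")
    parts.append("ct state new counter")
    parts.append(rule.get("jump", "ACCEPT").lower())
    parts.append(f'comment "{name}"')
    return " ".join(parts)


if __name__ == "__main__":
    name, rule = next(iter(SAMPLE_RULE.items()))
    print("buggy:", render_ports_buggy(rule["dport"]))
    print("fixed:", render_rule(name, rule))
```

Braces are kept around a single element because nft accepts both `tcp dport 61152-61215` and `tcp dport { 61152-61215 }`; the validation step is what matters, since a malformed value such as `81-80` or `70000` would otherwise only fail when `nft` is invoked on the host.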
- clones OSPRH-7633 nftables iteration of dport and port breaks rule application (Closed)