commit 602f1dacdfcfce08e2bf8326d3ba77c89680026e Author: Michele Baldessari Date: Wed Oct 7 17:25:50 2020 +0200 Set a proper ordering when calling iptables Currently we append to the INPUT/OUTPUT tables in order to simulate network problems. This is problematic because existing iptables rules are not taken into account. So today what happens is the following: 1) Fresh system could have rules like: Chain INPUT (policy ACCEPT 569 packets, 22986 bytes) pkts bytes target prot opt in out source destination 560K 129M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */ 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 001 accept all icmp ipv4 */ 8673 520K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW /* 002 accept all to lo interface ipv4 */ 4 240 ACCEPT tcp -- * * 192.168.24.0/24 0.0.0.0/0 multiport dports 22 state NEW /* 003 accept ssh from ctlplane subnet 192.168.24.0/24 ipv4 */ 1234 74040 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8776 state NEW /* 100 cinder_haproxy ipv4 */ ... 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8778,13778 state NEW /* 138 placement ipv4 */ 56 17982 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4 56 17982 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */ 2) The current code will append the blocking rules which will go after the already existing DROP making them useless: ... 
56 17982 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 20/min burst 15 /* 998 log all ipv4 */ LOG flags 0 level 4 56 17982 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW /* 999 drop all ipv4 */ 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 0 00 REJECT all -- !lo * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Let's make sure we insert them at the top of the chain so that we do not need to worry about the ordering at all. Change-Id: Ib86d1b0e26d146e145ed235d10c360f346e75dfa
diff --git a/tobiko/tests/faults/ha/cloud_disruptions.py b/tobiko/tests/faults/ha/cloud_disruptions.py
index dae579a..90d4f04 100644
--- a/tobiko/tests/faults/ha/cloud_disruptions.py
+++ b/tobiko/tests/faults/ha/cloud_disruptions.py
@@ -28,12 +28,12 @@ soft_reset_method = 'sudo reboot'
 network_disruption = """
 sudo iptables-save -f /root/working.iptables.rules &&
- sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &&
- sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j \ ACCEPT &&
- sudo iptables -A INPUT ! -i lo -j REJECT --reject-with icmp-host-prohibited &&
- sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT &&
- sudo iptables -A OUTPUT ! -o lo -j REJECT --reject-with icmp-host-prohibited
+ sudo iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT &&
+ sudo iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 22 -j \ ACCEPT &&
+ sudo iptables -I INPUT 3 ! -i lo -j REJECT --reject-with icmp-host-prohibited\ && sudo iptables -I OUTPUT 1 -p tcp --sport 22 -j ACCEPT &&
+ sudo iptables -I OUTPUT 2 ! -o lo -j REJECT --reject-with icmp-host-prohibited
 """
 undisrupt_network = """
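Review bot: The new `sudo iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT` rule now precedes every pre-existing rule, so for the whole disruption window new SSH connections are accepted from any source (0.0.0.0/0), which is wider than the host's own policy — the baseline quoted in the commit message restricts SSH to the ctlplane subnet (`003 accept ssh from ctlplane subnet 192.168.24.0/24`), and with `-A` the old rule sat behind the final DROP and never matched, so this exposure is introduced by the change. Scope the rule to the address the test drives from, e.g. `sudo iptables -I INPUT 2 -p tcp -m state --state NEW -m tcp --dport 22 -s <test-runner-or-ctlplane-cidr> -j ACCEPT &&`, or reuse the source of the host's existing ssh rule, so the fault injection does not also relax the firewall. Separately, `sudo iptables-save -f /root/working.iptables.rules` overwrites the baseline unconditionally, so if the disruption is applied twice before the restore runs, the second save captures the already-disrupted chains and the original ruleset is lost; saving only when no baseline file exists (and deleting it on restore) would keep the first snapshot, presumably what `undisrupt_network` restores from. The body of `undisrupt_network` continues outside the hunk, so the restore path could not be checked here.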