Merge pull request #2092 from abutcher/issue2084

Insert iptables rules before DROP or REJECT
author: Scott Dodson <sdodson@redhat.com> 2016-06-29 09:38:39 -0400
committer: GitHub <noreply@github.com> 2016-06-29 09:38:39 -0400
commit: df9b208c3eb993d0d1f7c0e715fa4ef49261aa47 (patch)
tree: 8ad0fa14ab2d97842fd3e98d6ba4be62097555a1 /roles
parent: ff52fb0029449a081eb932996c44ed83fe65ff0a (diff)
parent: e88c4dc7765ae94e31c0050fabe64c213d08204c (diff)
download: openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.tar.gz
openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.tar.bz2
openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.tar.xz
openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.zip
1 files changed, 5 insertions, 5 deletions
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py
index 1cb539a8c..190016c14 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/os_firewall/library/os_firewall_manage_iptables.py
@@ -37,14 +37,14 @@ class IpTablesSaveError(IpTablesError):
 
 
 class IpTablesCreateChainError(IpTablesError):
-    def __init__(self, chain, msg, cmd, exit_code, output): # pylint: disable=too-many-arguments, line-too-long
+    def __init__(self, chain, msg, cmd, exit_code, output): # pylint: disable=too-many-arguments, line-too-long, redefined-outer-name
         super(IpTablesCreateChainError, self).__init__(msg, cmd, exit_code,
                                                        output)
         self.chain = chain
 
 
 class IpTablesCreateJumpRuleError(IpTablesError):
-    def __init__(self, chain, msg, cmd, exit_code, output): # pylint: disable=too-many-arguments, line-too-long
+    def __init__(self, chain, msg, cmd, exit_code, output): # pylint: disable=too-many-arguments, line-too-long, redefined-outer-name
         super(IpTablesCreateJumpRuleError, self).__init__(msg, cmd, exit_code,
                                                           output)
         self.chain = chain
@@ -152,11 +152,11 @@ class IpTablesManager(object): # pylint: disable=too-many-instance-attributes
                             continue
                         last_rule_target = rule[1]
 
-                # Naively assume that if the last row is a REJECT rule, then
-                # we can add insert our rule right before it, otherwise we
+                # Naively assume that if the last row is a REJECT or DROP rule,
+                # then we can insert our rule right before it, otherwise we
                 # assume that we can just append the rule.
                 if (last_rule_num and last_rule_target
-                        and last_rule_target == 'REJECT'):
+                        and last_rule_target in ['REJECT', 'DROP']):
                     # insert rule
                     cmd = self.cmd + ['-I', self.jump_rule_chain,
                                       str(last_rule_num)]
author	Scott Dodson <sdodson@redhat.com>	2016-06-29 09:38:39 -0400
committer	GitHub <noreply@github.com>	2016-06-29 09:38:39 -0400
commit	df9b208c3eb993d0d1f7c0e715fa4ef49261aa47 (patch)
tree	8ad0fa14ab2d97842fd3e98d6ba4be62097555a1 /roles
parent	ff52fb0029449a081eb932996c44ed83fe65ff0a (diff)
parent	e88c4dc7765ae94e31c0050fabe64c213d08204c (diff)
download	openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.tar.gz openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.tar.bz2 openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.tar.xz openshift-df9b208c3eb993d0d1f7c0e715fa4ef49261aa47.zip