From 562ebc07262cd0195a5dd1f0d9c1d23404259d60 Mon Sep 17 00:00:00 2001
From: Benny Kopilov <bkopilov@redhat.com>
Date: Thu, 15 Dec 2022 10:21:46 +0200
Subject: [PATCH] Fix iptables fixture and delete action

Iptables check does not work when having a chain of sources
When we insert a rule with multiple source, iptables split the list
and adding each source with same conditions

On check action iptables wont catch case when having a mix of source
when 1 is not in the table. looks like iptables check only one.
In case check action returned wrong result add/delete rule chnaged and
may trigger failures due to unexpected results

Also deletion , iptables delete only the first match when having duplicate
rules.

Example:
iptables --insert FORWARD -p tcp -j DROP -s 192.168.128.10,192.168.128.13
results with:
-A FORWARD -s 192.168.128.13/32 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -s 192.168.128.10/32 -p tcp -m tcp --dport 80 -j DROP

We will get different result from iptables for:
iptables --check FORWARD -p tcp -j DROP -s 7.7.7.7,192.168.128.10
iptables --check FORWARD -p tcp -j DROP -s 192.168.128.10,7.7.7.7

Means that only 1 is the best approch here.
Run delete rules till all duplicate rules gone
---
 .../test_infra/controllers/iptables.py           |  5 +++--
 src/tests/base_test.py                           | 16 +++++++++++++---
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/assisted_test_infra/test_infra/controllers/iptables.py b/src/assisted_test_infra/test_infra/controllers/iptables.py
index c581bbfe424..7852d886ba2 100644
--- a/src/assisted_test_infra/test_infra/controllers/iptables.py
+++ b/src/assisted_test_infra/test_infra/controllers/iptables.py
@@ -62,7 +62,8 @@ def insert(self) -> None:
             utils.run_command(insert_rule, shell=True)
 
     def delete(self) -> None:
-        if self._does_rule_exist():
-            delete_rule = self._build_command_string(IpTableCommandOption.DELETE)
+        delete_rule = self._build_command_string(IpTableCommandOption.DELETE)
+        # delete duplicate rules - iptable deletes only first hit
+        while self._does_rule_exist():
             log.info(f"Removing iptable rule: {delete_rule}")
             utils.run_command(delete_rule, shell=True)
diff --git a/src/tests/base_test.py b/src/tests/base_test.py
index 10a52c8d3d3..1a3d0f974bc 100644
--- a/src/tests/base_test.py
+++ b/src/tests/base_test.py
@@ -648,9 +648,19 @@ def set_iptables_rules_for_nodes(
             log.info(f"Given node ips: {given_node_ips}")
 
             for _rule in iptables_rules:
-                _rule.add_sources(given_node_ips)
-                rules.append(_rule)
-                _rule.insert()
+                if not given_node_ips:
+                    # in case a rule without given_node_ips
+                    rules.append(_rule)
+                    _rule.insert()
+                    continue
+                for source in given_node_ips:
+                    # iptables check broken for list of sources
+                    # copy base rule and add a single source.
+                    copy_rule = deepcopy(_rule)
+                    copy_rule.add_sources([source])
+                    log.info(f"Adding rule with source: {copy_rule}")
+                    rules.append(copy_rule)
+                    copy_rule.insert()
 
         yield set_iptables_rules_for_nodes
         log.info("---TEARDOWN iptables ---")