Update dns_to_ipset to not use domain name as key for set
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Dwisehaupt
	Jul 26 2021, 8:50 PM

Description

When doing T287406 we ran across an issue. ipset has a hard limit for how long a set Name can be (31 characters). When adding in Adyen domains that were longer, it would cause the script to error when creating the -temp list for comparison. In the script we currently set the set name to the hostname specified in the config.

update dns_to_ipset to use the section name in config instead of the hostname when setting the set name
document the config and code to reference this limitation
add in duplicate configs for the existing sets so that we can transition
after testing heavily, update the puppet config for the transition
update the iptables rules to reference the appropriate new sets
remove the old hostname based sets

Related Objects

Mentioned Here: T287406: Adyen Checkout: add Adyen Checkout Production API endpoint to allow-list

Event Timeline

Dwisehaupt created this task.Jul 26 2021, 8:50 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 26 2021, 8:50 PM

commit ba5840fc8873fbdf0efb7ceefa547a431fbc70d6
Author: Dallas Wisehaupt <dwisehaupt@wikimedia.org>
Date:   Tue Jul 27 09:35:04 2021 -0700

    Update dns_to_ipset to handle ruleset name limit

Dwisehaupt updated the task description. (Show Details)Jul 27 2021, 5:22 PM

[frack::puppet] fd69f847 Add new ipset rules with shorter names

Dwisehaupt updated the task description. (Show Details)Aug 2 2021, 9:00 PM

[frack::puppet::private] fbea8c3 Remove duplicate ipset rulenames civicrm, payments, payments_listener

This is complete. Closing.

Dwisehaupt updated the task description. (Show Details)Aug 16 2021, 9:09 PM

Update dns_to_ipset to not use domain name as key for setClosed, ResolvedPublicActions

Description

Related Objects

Event Timeline

Update dns_to_ipset to not use domain name as key for set
Closed, ResolvedPublic
Actions