Hi Martin,
Can you be a bit more specific about the issue? What output do you get, what do you expect? What do you mean it stops when it encounters the first error but lets the empty variable pass
This is the output that I get when I run the policy.
R: check_ip: match_10.68.71.5* R: check_ip: match_10.68.171.5* R: check_ip: match_192.168.123.123* R: ip_list ip's: *10.68.71.5* R: ip_list ip's: *10.68.171.5* R: ip_list ip's: *192.168.123.123* R: check_ip: match_$(nic.nic_admin)* R: empty_var ip's: *10.68.71.5* R: empty_var ip's: *10.68.171.5* R: empty_var ip's: *$(nic.nic_admin)* R: stop_the_show: We stop the show! R: bell: Yell Bell! bogus R: bell: bad_ip R: check_ip: match_bogus* R: check_ip iprange: bogus* R: bogus ip's: *10.68.71.5* R: bogus ip's: *10.68.171.5* R: bogus ip's: *bogus* R: bell: Yell Bell! R: check_ip: match_* R: check_ip iprange: * R: empty_string ip's: *10.68.71.5* R: empty_string ip's: *10.68.171.5* R: empty_string ip's: **
One thing that does jump out at me is this glass guard you are trying to use inside bundle agent check_ip().
"!match_$(ips)"::
$(ips)
does not expand to a valid class string. That is going to expand to
something like !match_10.68.71.5::
which is probably not what you are actually
trying to test.
You can either canonify $(ips) and use that, or you can move your condition to the promise itself and canonify on the fly.
Perhaps something like this:
"Bell!!" usebundle => bell( $(ips) ), if => not( canonify( "match_$(ips)" ) );
– Nick Anderson| Doer of Things | (+1) 785-550-1767 | https://northern.tech
One thing that does jump out at me is this glass guard you are trying to use inside bundle agent check_ip().
"!match_$(ips)"::
$(ips)
does not expand to a valid class string. That is going to expand to something like!match_10.68.71.5::
which is probably not what you are actually trying to test.You can either canonify $(ips) and use that, or you can move your condition to the promise itself and canonify on the fly.
Perhaps something like this:
"Bell!!" usebundle => bell( $(ips) ), if => not( canonify( "match_$(ips)" ) );
Martin Simons writes:
It does not catch an empty variable, but it catches bogus content.
OK, so you have a list of things that should be IPv4 addresses and you want to iterate over them if they are actually ipv4 addresses.
The regular expression from your example seems to be effective distilled down to a more simple example.
bundle agent example_filter_ipv4 { vars: "variable_value_from_varible" string => "$(nosuch.variable)"; "candidates" slist => { "10.68.71.5", "10.168.171.5", "not-an-ip-address", "", "$(missing.variable)", $(another_missing.variable), "$(variable_value_from_varible)" }; reports: "'$(candidates)' is a valid IPv4 address" if => regcmp( #"^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})", "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", $(candidates) ); "'$(candidates)' is *NOT* a valid IPv4 address" if => not( regcmp( #"^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})[.](25[0-5]|2[0-4][0-9]|[0-1]?[0-9]{1,2})", "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", $(candidates) )); } bundle agent __main__ { methods: "example_filter_ipv4"; reports: "CFEngine: $(sys.cf_version)"; }
R: '10.68.71.5' is a valid IPv4 address R: '10.168.171.5' is a valid IPv4 address R: 'not-an-ip-address' is *NOT* a valid IPv4 address R: '' is *NOT* a valid IPv4 address R: CFEngine: 3.14.0a.4e12fcf75
What is the specific output that you expected to see from the policy?
To unsubscribe from this group and stop receiving emails from it, send an email to help-c...@googlegroups.com.
Hi Martin,
Can you be a bit more specific about the issue? What output do you get, what do you expect? What do you mean it stops when it encounters the first error but lets the empty variable pass
On Mon, 2024-08-26 at 03:20 -0700, Martin Simons wrote:
> Dear CFEngineer,
>
> Issue CFE-3446 seems to be solved, so in preparation of the move to 3.24 I am fixing some policies dealing with variables.
> One of thos is IP checking.
>
> Good old Neil has this solution:
> https://watson-wilson.ca/blog/2015/08/20/build-better-regular-expressions-in-cfengine/
>
> It allows an address starting with '0.', however.
> So I tweaked it a bit:
> classes:
>
> "valid_hosts_ip" expression => regcmp("(1[0-9]{0,2}|[3-9][0-9]{0,1}|2[0-4][0-9]|25[0-5])[\.]([0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[\.]([0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[\.]([0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])",
> "$(ip)");
>
> It now checks IP addresses starting with a '1[0-9]{0,2}' first, that's how all private address ranges start anyway. I have a test bundle available, if needed.
👍️
I was just wondering if `isipinsubnet()` [1] could be an answer here. If not,
what is the reason? Maybe we could extend it?
[1] https://docs.cfengine.com/docs/master/reference-functions-isipinsubnet.html
Thanks!
--
Vratislav
> --
> You received this message because you are subscribed to the Google Groups "help-cfengine" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to help-cfengin...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/help-cfengine/4021c7ba-e455-47b0-b2f6-62c4d10542ccn%40googlegroups.com.