
nfmask, ctmask, restore_mark support + firewallchain loop fix

Open hb0nes opened this issue 1 year ago • 1 comment

Summary

We have been using our custom version of puppetlabs-firewall for some time because we need the nfmask, ctmask and restore_mark flags for policy based routing.

While upgrading to the latest puppetlabs-firewall, I ran into an infinite loop, creating chains all of a sudden. As per the docs, I've written this Puppet code:

  # Purge all chains not defined below
  resources { 'firewallchain':
    purge  => true,
  }

  # Purge all unmanaged rules from these (internal) chains
  # These have default policy DROP
  firewallchain {
    [
      'INPUT:filter:IPv4',
      'INPUT:filter:IPv6',
      'OUTPUT:filter:IPv4',
      'OUTPUT:filter:IPv6',
      'FORWARD:filter:IPv4',
      'FORWARD:filter:IPv6']:
        ensure => present,
        policy => drop,
        purge  => true,
  }

  # The internal chains need to be defined or Puppet will try to remove them.
  # We can also purge their contents by defining them here with purge => true.
  firewallchain {
    [
      # IPv4 mangle
      'PREROUTING:mangle:IPv4',
      'INPUT:mangle:IPv4',
      'FORWARD:mangle:IPv4',
      'OUTPUT:mangle:IPv4',
      'POSTROUTING:mangle:IPv4',
      # IPv6 mangle
      'PREROUTING:mangle:IPv6',
      'INPUT:mangle:IPv6',
...and so forth

Because iptables-save doesn't always show chains like *nat or *mangle if they haven't been interacted with, the get function will not return those and puppetlabs-firewall will try to create the chains. However, this won't do anything and the infinite loop starts.

I have 'solved' it by creating those chains manually for now and only adding them if the already existing code didn't find them.

I have verified that these changes solve my issue and that nfmask, ctmask and restore_mark work.

Because this actually is an issue that I imagine others will run into, I decided to create the PR, regardless of code quality, lack of context and knowledge.

Checklist

  • [ ] 🟢 Spec tests.
  • [ ] 🟢 Acceptance tests.
  • [X] Manually verified. (For example puppet apply)

hb0nes avatar Oct 04 '24 20:10 hb0nes
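To illustrate the failure mode described in this PR, here is an added Ruby example (not puppetlabs-firewall code) that parses iptables-save output, reports which builtin chains are invisible because their table was never touched, and merges them back in so a provider would treat them as present instead of trying to create them. The BUILTIN_CHAINS map, the CHAIN:table name format and the sample dump are assumptions constructed for the example.

```ruby
# Added example, not part of puppetlabs-firewall: work around iptables-save
# omitting untouched tables (*nat, *mangle, ...) from its output.
require 'set'

# Assumed builtin chains per table (IPv4 iptables defaults).
BUILTIN_CHAINS = {
  'filter' => %w[INPUT FORWARD OUTPUT],
  'nat'    => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle' => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING],
  'raw'    => %w[PREROUTING OUTPUT],
}.freeze

# Constructed sample dump: only the filter table has been touched, so
# iptables-save prints nothing at all for nat, mangle and raw.
SAMPLE_SAVE = <<~SAVE
  # Generated by iptables-save v1.8.7
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT DROP [0:0]
  :mychain - [0:0]
  -A INPUT -i lo -j ACCEPT
  COMMIT
  # Completed
SAVE

# Returns { table => Set[chain, ...] } exactly as iptables-save reports it.
def chains_from_save(text)
  tables = {}
  current = nil
  text.each_line do |line|
    line = line.strip
    if line.start_with?('*')            # "*filter" opens a table block
      current = line[1..]
      tables[current] ||= Set.new
    elsif line.start_with?(':') && current # ":INPUT DROP [0:0]" declares a chain
      tables[current] << line[1..].split(' ').first
    end
  end
  tables
end

# Builtin chains a provider would wrongly consider absent, as "CHAIN:table".
def invisible_builtin_chains(text)
  seen = chains_from_save(text)
  BUILTIN_CHAINS.flat_map do |table, chains|
    chains.reject { |c| seen.fetch(table, Set.new).include?(c) }
          .map { |c| "#{c}:#{table}" }
  end
end

# Merge the builtin chains into the parsed result so they read as present.
def chains_with_builtins(text)
  seen = chains_from_save(text)
  BUILTIN_CHAINS.each { |table, chains| (seen[table] ||= Set.new).merge(chains) }
  seen
end
```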

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Herman Bonnes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Oct 04 '24 20:10 CLAassistant