
Purge rules in firewallchain before removing chain (iptables)

Open pskopnik opened this issue 3 years ago • 0 comments

Use Case

We are using firewall on hosts which may have programs installed which manage their own firewall rules on the host (fail2ban, Docker, ...). ignore on firewallchain resources is used to allow for these. Hence, we cannot use meta-resource purging (resources { 'firewall': purge => true }) for removing firewall rules and instead we rely on purge => true being set on all built-in chains to remove unmanaged and unwanted rules.

A problem arises from these circumstances: Any custom chain disappearing from the Puppet catalog which still contains rules cannot be removed by Puppet. Both meta-resource purging of chains and declaring the chain as absent fail because there are still rules contained and the iptables provider basically only runs iptables -X <chain>.

Describe the Solution You Would Like

It would be great if there was still a way of removing chains containing rules by first flushing the chain (removing all its rules) and thereafter removing it. These steps should run independently, so that if the first succeeds and the second fails the effect of the first is not rolled back.

I'm not sure what should trigger this behaviour:

  • Meta-resource purging of firewallchain resources: This would constitute a nice counterpart to the meta-resource purging described in the documentation. However, one might argue that purging on firewallchain resources should only delete the chains and not interact with any rules.
  • Declaring a chain as absent: Similar reasoning to above and should probably behave exactly the same as the above.
  • Declaring a chain as absent and setting its purge => true parameter: IMO this should certainly cause the rules to be purged before the chain is attempted to be removed. At the moment the chain removal is attempted first and will fail.

Of course having rules in a chain is not the only reason why removal of that chain may fail. The other common reason is that a rule in another chain still links (via a JUMP action) to the to-be-removed chain. However, this is the same scenario also addressed by the meta-resource purging described in the docs and should be handled by several Puppet runs.
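The flush-then-delete sequence described above, including the case where the delete still fails because another chain jumps to the target, as an added Ruby example that is not part of puppetlabs-firewall. The iptables executor is a constructed in-memory stand-in that mimics iptables exit status, and the chain name MYCHAIN is a sample value.

```ruby
# Added example, not puppetlabs-firewall code: models the proposed destroy
# sequence for a firewallchain declared absent. The runner is injected so
# the logic can run offline; it returns true on success, false on failure.
def remove_chain(table, chain, purge:, runner:)
  result = { flushed: nil, deleted: nil }
  if purge
    # Step 1: flush all rules (iptables -F). Its effect is deliberately not
    # rolled back if step 2 fails, so a later run only needs to retry -X.
    result[:flushed] = runner.call(['iptables', '-t', table, '-F', chain])
  end
  # Step 2: delete the chain (iptables -X). Fails if rules remain or another
  # chain still references it via a JUMP.
  result[:deleted] = runner.call(['iptables', '-t', table, '-X', chain])
  result
end

# Constructed stand-in for iptables: chains => list of rules, plus the set of
# chains that some other chain jumps to.
class FakeIptables
  attr_reader :chains, :log

  def initialize(chains, referenced: [])
    @chains = chains
    @referenced = referenced
    @log = []
  end

  def call(argv)
    @log << argv.join(' ')
    chain = argv.last
    case argv[3]
    when '-F'
      return false unless @chains.key?(chain)
      @chains[chain] = []
      true
    when '-X'
      return false unless @chains.key?(chain)
      return false unless @chains[chain].empty?   # rules still present
      return false if @referenced.include?(chain) # JUMP target elsewhere
      @chains.delete(chain)
      true
    else
      false
    end
  end
end
```

With purge false the sequence reproduces the current failure (only -X runs and fails); with purge true the chain is emptied first, and when a JUMP still references it the flush persists while the delete is left for a subsequent run.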

Describe Alternatives You've Considered

There really are two alternatives:

  • Declare the firewallchain explicitly but remove the rules via purge => true, so only an empty chain remains.
  • Leave it to sysadmins to manually fix the problem (by flushing the chain) in response to Puppet errors.

Additional Context

-

pskopnik, Aug 05 '22 07:08