puppetlabs-firewall

Firewall chains can't have "-A" in their names or the firewall rule regex gets confused

Open minorOffense opened this issue 2 years ago • 4 comments

Describe the Bug

When debugging the upgrade to v7 of puppetlabs-firewall, our rules stopped working. We were getting

Creating: Failed after 0.012428 seconds: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Coldfront::Firewall/Firewall_multi[006 Blocked IPs (tcp)]/Firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Could not evaluate: Execution encountered an error

After a lot of debugging, I found that the regex in def self.rule_to_name was getting confused with the -A in our firewall chain named COLDFRONT-ACCESS.

See the debug output I had added here:

Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: List command execute result "# Generated by iptables-save v1.8.8 (nf_tables) on Tue Oct 24 18:06:03 2023\n*filter\n:INPUT ACCEPT [40051:14954037]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [270851:177330168]\n:COLDFRONT-ACCESS - [0:0]\n:DROPFORT-ACCESS - [0:0]\n:DROPFORT-DENY - [0:0]\n:DROPFORT-SMURF-PROTECTION - [0:0]\n:DROPFORT-SYN-FLOOD - [0:0]\n:DROPFORT-TCP-DDOS - [0:0]\n:DROPFORT-UNMANAGED - [0:0]\n:ZABBIX-AGENT - [0:0]\n-A INPUT -p icmp -j ACCEPT\nCOMMIT\n# Completed on Tue Oct 24 18:06:03 2023\n"
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Listing for table *filter
:INPUT ACCEPT [40051:14954037]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270851:177330168]
:COLDFRONT-ACCESS - [0:0]
:DROPFORT-ACCESS - [0:0]
:DROPFORT-DENY - [0:0]
:DROPFORT-SMURF-PROTECTION - [0:0]
:DROPFORT-SYN-FLOOD - [0:0]
:DROPFORT-TCP-DDOS - [0:0]
:DROPFORT-UNMANAGED - [0:0]
:ZABBIX-AGENT - [0:0]
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Tue Oct 24 18:06:03 2023

Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: This is a Rule ["-ACCESS - [0:0]"]
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: is a name
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: past resource map
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Name Value is
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Rule hash is {:ensure=>"present", :table=>"filter", :protocol=>"IPv4"}
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Resource map is -A
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Chain regex (?-mix:-A\s(\S+))
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: this is the rule -ACCESS - [0:0]
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Chain scan layers []
Error: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Failed after 0.012428 seconds: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Coldfront::Firewall/Firewall_multi[006 Blocked IPs (tcp)]/Firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Could not evaluate: Execution encountered an error

You can see it thought the name of the chain was a firewall rule.

Expected Behavior

Allow any valid string to be used as a firewall chain name.

Steps to Reproduce

  1. Create a firewall chain named SOMETHING-ACCESS
  2. Try to add a firewall rule that jumps to that chain

Environment

  • Version 7.0.2
  • Platform Rocky 9

Additional Context

It also matches on the ":ZABBIX-AGENT - [0:0]" string too.

These firewall chain names worked in earlier versions just fine as well.

minorOffense avatar Oct 24 '23 18:10 minorOffense

And I guess one last note: this bug is present even with non-Puppet-generated chains. So if someone is manually maintaining part of a firewall and they have a chain with a -A in the name, they can't run puppet firewall. It doesn't matter if you reference it or not; the fact that it is in the firewall causes the bug.

minorOffense avatar Oct 24 '23 18:10 minorOffense
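The mis-parse described in the issue body and in the follow-up about non-Puppet chains, as an added example that is not part of this thread or of the puppetlabs-firewall module's own code. The chain regex is the one printed in the debug output above; the "naive" splitter is an illustration of how an unanchored `-A` search turns a chain definition line into a bogus rule, not the module's actual implementation. The iptables-save listing is constructed for the example and only reuses chain names mentioned in this thread.

```ruby
# Constructed iptables-save output (not captured from a real host); it mixes the
# chain names from this thread so every failure mode shows up in one listing.
SAMPLE = <<~SAVE
  # Generated by iptables-save v1.8.8 (nf_tables)
  *filter
  :INPUT ACCEPT [40051:14954037]
  :COLDFRONT-ACCESS - [0:0]
  :ZABBIX-AGENT - [0:0]
  :KUBE-SEP-A3JRT2JPMZOSOL3K - [0:0]
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 10050 -j ZABBIX-AGENT
  -A COLDFRONT-ACCESS -s 50.63.2.0/24 -j DROP
  COMMIT
  # Completed
SAVE

# The chain regex shown in the debug output of the issue.
CHAIN_RE = /-A\s(\S+)/

# Illustration of the bug: pick up "-A" wherever it appears in the listing,
# so ":COLDFRONT-ACCESS - [0:0]" yields the bogus rule "-ACCESS - [0:0]".
# (Assumption: the module's real splitter differs in detail; this reproduces
# the same wrong output.)
def naive_rules(listing)
  listing.scan(/-A[^\n]*/)
end

# Applying CHAIN_RE to a bogus rule returns nil, which is the nil that the
# provider later indexes with [] and crashes on.
def naive_chain(rule)
  m = rule.match(CHAIN_RE)
  m && m[1]
end

# Hardened parser: a line is a chain definition only when it starts with ":"
# and a rule only when "-A " is anchored at the start of the line. Chain
# names may then contain "-A" (or anything else iptables accepts).
def parse_table(listing)
  chains = []
  rules = []
  listing.each_line(chomp: true) do |line|
    case line
    when /\A:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]\z/
      chains << { name: $1, policy: $2, packets: $3.to_i, bytes: $4.to_i }
    when /\A-A\s+(\S+)\s+(.*)\z/
      rules << { chain: $1, args: $2 }
    end
  end
  { chains: chains, rules: rules }
end

# Pre-upgrade check: which chain names on this host would trip an unanchored
# "-A" search? Useful before moving to a module version with the bug.
def affected_chains(listing)
  parse_table(listing)[:chains].map { |c| c[:name] }.grep(/-A/)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive rules:  #{naive_rules(SAMPLE).inspect}"
  puts "naive chain:  #{naive_chain(naive_rules(SAMPLE).first).inspect}"
  puts "real rules:   #{parse_table(SAMPLE)[:rules].map { |r| r[:chain] }.inspect}"
  puts "affected:     #{affected_chains(SAMPLE).inspect}"
end
```

The `naive_rules` output reproduces the `This is a Rule ["-ACCESS - [0:0]"]` line from the debug output, and `naive_chain` on it returns nil, which is where the `undefined method '[]' for nil:NilClass` comes from. Anchoring both patterns to the start of the line (`\A:` for chain definitions, `\A-A\s` for rules) is enough to keep chain names and rule text apart; on a live host, `iptables-save | grep -E '^:[^ ]*-A'` lists the chain names that would be affected.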

Can confirm this is affecting my environment as well. I am using puppet to manage nodes for a kubernetes cluster and the cluster generates chains such as KUBE-SEP-A3JRT2JPMZOSOL3K by default, resulting in this same issue. This is still an issue on v8.0.2, on Ubuntu 22.04.

linuxdaemon avatar Jul 09 '24 19:07 linuxdaemon

https://github.com/puppetlabs/puppetlabs-firewall/pull/1210 works in our environment on Ubuntu 22.04 & 20.04 k8s nodes.

chrisongthb avatar Jul 26 '24 12:07 chrisongthb

This can be closed, the MR above fixes the issue.

EnigmaticCypher avatar Nov 27 '24 03:11 EnigmaticCypher