puppet-firewalld
puppet-firewalld copied to clipboard
voxpupuli
Rich rule purging isn't idempotent, or isn't saving, or similar
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 7.24.0
- Ruby: ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]
- Distribution: Alma 9 (but probably true on other releases too)
- Module version: latest from github (5f9836e506383ac6851d7c2ab49f19c198237d4c)
How to reproduce (e.g Puppet code you use)
$zone = '99_public'
firewalld_zone { $zone:
target => '%%REJECT%%',
icmp_blocks => [
'fragmentation-needed',
'neighbour-advertisement',
'neighbour-solicitation',
'router-advertisement',
'router-solicitation',
'tos-network-redirect',
],
masquerade => false,
purge_rich_rules => $purge_rich_rules, # parameterized for testing
purge_ports => true,
purge_services => true,
}
...and then later manifests use firewalld_rich_rule(), e.g.:
firewalld_rich_rule { 'ssh_fnal_4':
zone => $zone,
action => 'accept',
source => { 'ipset' => 'fnal_4' },
port => { 'port' => $port, protocol => 'tcp' },
priority => 111
}
What are you seeing
When I turn on rich rule purging, every run I get the same general thing: all existing rules are purged (except for echo-request ping rules), then puppet re-implements the rules. See the logs below. This is only the case if purge_rich_rules is true for the puppet zone.
What behaviour did you expect instead
I'd expect that puppet would recognize its previous rules and not purge them. (This is critical! We can't go deleting firewall holes every time puppet runs, this will interfere with our work.)
Output log
Notice: /Stage[main]/P_firewall::Firewalld::Zone::Public/Firewalld_zone[99_public]/purge_rich_rules: purge_rich_rules changed 'purgable' to 'true' (corrective)
Notice: /Stage[main]/P_firewall::Ssh::Lockdown/Firewalld_rich_rule[ssh_lockdown_4]/ensure: created (corrective)
Info: /Stage[main]/P_firewall::Ssh::Lockdown/Firewalld_rich_rule[ssh_lockdown_4]: Scheduling refresh of Class[Firewalld::Reload]
Notice: /Stage[main]/P_firewall::Ssh::Lockdown/Firewalld_rich_rule[ssh_lockdown_6]/ensure: created (corrective)
Info: /Stage[main]/P_firewall::Ssh::Lockdown/Firewalld_rich_rule[ssh_lockdown_6]: Scheduling refresh of Class[Firewalld::Reload]
[...]
This repeats every run.
Any additional information you'd like to impart
I don't see the "purge rules" action in a --debug run. Instead, I'm watching the output of /usr/bin/firewall-cmd --zone 99_public --list-rich-rules on a separate terminal. The rules come back when puppet says they come back in its logs.
