Non idempotent logs for empty firewall chains #1217

Open
oliparcol opened this issue Apr 30, 2024 · 11 comments

Comments

@oliparcol

Describe the Bug

When applying the following Puppet code on a server without any iptables rule, with the resource firewallchain declared without any rule:

firewallchain { "FORWARD:mangle:IPv4":
    ensure => present,
    purge  => true,
}

The following output is always emitted:

Notice: /Stage[main]/Base::Firewall/Firewallchain[FORWARD:mangle:IPv4]/ensure: defined 'ensure' as 'present'
Notice: firewallchain[FORWARD:mangle:IPv4]: Updating: Finished in 0.000061 seconds

Expected Behavior

I would expect no output to be emitted.

Environment

  • Firewall 8.0.1
  • Ubuntu 24.04

Additional Context

I believe that the issue comes from the fact that iptables-save doesn't show empty tables. The code is therefore not able to distinguish an existing empty table from a non-existing one. Specifying the table with the -t option (e.g. iptables-save -t <table>) does display the empty table.
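The distinction described above, as an added example that is not part of this issue or of the firewall module's own code: a minimal Ruby parser for iptables-save output, run over two constructed dumps, the full dump (which on an nf_tables-backed iptables omits the empty mangle table) and the per-table `iptables-save -t mangle` dump that does list it.

```ruby
# Constructed sample: full `iptables-save` output; the empty mangle table is omitted.
FULL_DUMP = <<~SAVE
  # Generated by iptables-save v1.8.7 (constructed sample)
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  COMMIT
SAVE

# Constructed sample: `iptables-save -t mangle` on the same host prints the table even when empty.
MANGLE_DUMP = <<~SAVE
  *mangle
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  COMMIT
SAVE

# Parse iptables-save text into { table => { chain => policy } }: "*table" opens a table,
# ":CHAIN POLICY [pkts:bytes]" declares a chain (user chains carry "-"), "COMMIT" closes it.
def parse_iptables_save(text)
  tables = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line.start_with?('*')
      current = line[1..]
      tables[current] = {}
    elsif line.start_with?(':') && current
      name, policy = line[1..].split(' ', 3)
      tables[current][name] = policy
    elsif line == 'COMMIT'
      current = nil
    end
  end
  tables
end

# Chain existence as a provider sees it from a given dump; the full dump misreports the chain as absent.
def chain_present?(dump_text, table, chain)
  parse_iptables_save(dump_text).fetch(table, {}).key?(chain)
end

puts chain_present?(FULL_DUMP, 'mangle', 'FORWARD')   # false: a "create" is triggered on every run
puts chain_present?(MANGLE_DUMP, 'mangle', 'FORWARD') # true
```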

@2fa
Contributor

2fa commented May 2, 2024

#1206 should fix that

@corporate-gadfly
Contributor

@2fa Would you mind looking at a comment in #1188 to see if it is related? Thanks in advance for your time and attention.

@2fa
Contributor

2fa commented May 22, 2024

@corporate-gadfly your reproduction steps look very similar to this problem, so I would assume that it is related, yes. They've merged it an hour ago, so it should be fixed in the next version.

@corporate-gadfly
Contributor

No luck with 8.0.2.

Running:

puppet apply -e 'firewallchain {"PREROUTING:mangle:IPv4": ensure=>"present"}'

continues to give the output:

Notice: /Stage[main]/Main/Firewallchain[PREROUTING:mangle:IPv4]/ensure: defined 'ensure' as 'present'
Notice: firewallchain[PREROUTING:mangle:IPv4]: Creating: Creating Chain 'PREROUTING:mangle:IPv4' with {:name=>"PREROUTING:mangle:IPv4", :ensure=>"present", :purge=>false, :ignore_foreign=>false, :chain=>"PREROUTING", :table=>"mangle", :protocol=>"IPv4", :policy=>"accept"}
Notice: firewallchain[PREROUTING:mangle:IPv4]: Creating: Ensuring changes to 'PREROUTING:mangle:IPv4' persist
Notice: firewallchain[PREROUTING:mangle:IPv4]: Creating: Finished in 0.131559 seconds

Kindly let me know, if I can provide more details.

@2fa
Contributor

2fa commented May 24, 2024

@corporate-gadfly do you have rules in the table before that which contain a * symbol anywhere?

You can check the iptables-save output to be sure. And also you can check if that chain is already there.

@corporate-gadfly
Contributor

corporate-gadfly commented May 24, 2024

@corporate-gadfly do you have rules in the table before that which contain a * symbol anywhere?

No.

# iptables-save | grep '*'
*filter

You can check the iptables-save output to be sure. And also you can check if that chain is already there.

# iptables-save -t mangle
# Generated by iptables-save v1.8.7 on Fri May 24 13:56:37 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri May 24 13:56:37 2024

@2fa
Contributor

2fa commented May 24, 2024

@corporate-gadfly Looks like my fix works in a non-nf_tables version of iptables. iptables-save doesn't output empty tables at all in the new version. Great stuff 😃

I will reopen the original issue #1206.

@corporate-gadfly
Contributor

corporate-gadfly commented May 24, 2024

TY:

Operating System: Ubuntu 22.04.4 LTS
          Kernel: Linux 5.15.0-100-generic
    Architecture: x86-64
 Hardware Vendor: VMware, Inc.
  Hardware Model: VMware7,1

and:

# iptables -V
iptables v1.8.7 (nf_tables)

@corporate-gadfly
Contributor

Good day, @2fa.

Coming back to this issue, which still exists in the 8.x versions on Ubuntu 22, I asked, horror of all horrors, ChatGPT if there was a way to have the rules in the default tables show up.

The helpful hint was to add placeholder rules and then remove them. E.g.:

iptables -t nat -A POSTROUTING -j ACCEPT

followed by:

iptables -t nat -D POSTROUTING 1

After this, iptables-save showed me both filter and nat tables in the output.

Now, I know zilch about the nat tables, let alone the chains and the default rules inside them. Could someone more knowledgeable comment on the above hint?

Also, for reference, there is a netfilter bugzilla which mentions the sparseness of iptables-save with respect to default tables.

@corporate-gadfly
Contributor

I was thinking of doing the following (one-time) to flush and recreate the default nat and mangle tables and chains with a default ACCEPT policy allowing all traffic:

sudo iptables -t nat -F
sudo iptables -t nat -N PREROUTING
sudo iptables -t nat -N INPUT
sudo iptables -t nat -N OUTPUT
sudo iptables -t nat -N POSTROUTING
sudo iptables -t nat -P PREROUTING ACCEPT
sudo iptables -t nat -P INPUT ACCEPT
sudo iptables -t nat -P OUTPUT ACCEPT
sudo iptables -t nat -P POSTROUTING ACCEPT

sudo iptables -t mangle -F
sudo iptables -t mangle -N PREROUTING
sudo iptables -t mangle -N INPUT
sudo iptables -t mangle -N FORWARD
sudo iptables -t mangle -N OUTPUT
sudo iptables -t mangle -N POSTROUTING
sudo iptables -t mangle -P PREROUTING ACCEPT
sudo iptables -t mangle -P INPUT ACCEPT
sudo iptables -t mangle -P FORWARD ACCEPT
sudo iptables -t mangle -P OUTPUT ACCEPT
sudo iptables -t mangle -P POSTROUTING ACCEPT

@smoeding

smoeding commented Nov 29, 2024

I also experienced this after updating the firewall module from 6.0.0 to 8.1.2.
While the new release worked for already running nodes, it failed to converge on a fresh installation.

It seems that setting an explicit policy for one of the chains in a table is sufficient to make iptables-save include that table in its output. So I'm using the following workaround (this is only for the raw table):

firewallchain { [ 'PREROUTING:raw:IPv4', 'OUTPUT:raw:IPv4' ]:
  ensure => present,
  policy => 'accept',
}
~>
exec { 'iptables -t raw -P OUTPUT ACCEPT':
  user        => 'root',
  cwd         => '/',
  path        => [ '/usr/bin', '/usr/sbin', ],
  refreshonly => true,
}

Maybe the firewallchain provider should include that additional command when creating the resource?
