nfmask, ctmask, restore_mark support + firewallchain loop fix #1234

Open
wants to merge 2 commits into
base: main

Conversation

hb0nes

@hb0nes hb0nes commented Oct 4, 2024

Summary

We have been using our custom version of puppetlabs-firewall for some time because we need the nfmask, ctmask and restore_mark flags for policy based routing.

While upgrading to the latest puppetlabs-firewall, I ran into an infinite loop, creating chains all of a sudden.
As per the docs, I've written this Puppet code:

  # Purge all chains not defined below
  resources { 'firewallchain':
    purge  => true,
  }

  # Purge all unmanaged rules from these (internal) chains
  # These have default policy DROP
  firewallchain {
    [
      'INPUT:filter:IPv4',
      'INPUT:filter:IPv6',
      'OUTPUT:filter:IPv4',
      'OUTPUT:filter:IPv6',
      'FORWARD:filter:IPv4',
      'FORWARD:filter:IPv6']:
        ensure => present,
        policy => drop,
        purge  => true,
  }

  # The internal chains need to be defined or Puppet will try to remove them.
  # We can also purge their contents by defining them here with purge => true.
  firewallchain {
    [
      # IPv4 mangle
      'PREROUTING:mangle:IPv4',
      'INPUT:mangle:IPv4',
      'FORWARD:mangle:IPv4',
      'OUTPUT:mangle:IPv4',
      'POSTROUTING:mangle:IPv4',
      # IPv6 mangle
      'PREROUTING:mangle:IPv6',
      'INPUT:mangle:IPv6',
...and so forth

Because iptables-save doesn't always show chains like *nat or *mangle if they haven't been interacted with, the get function will not return those and puppetlabs-firewall will try to create the chains. However, this won't do anything and the infinite loop starts.

I have 'solved' it by creating those chains manually for now and only adding them if the already existing code didn't find them.

I have verified that these changes solve my issue and that nfmask, ctmask and restore_mark work.

Because this actually is an issue that I imagine others will run into, I decided to create the PR, regardless of code quality, lack of context and knowledge.

Checklist

  • 🟢 Spec tests.
  • 🟢 Acceptance tests.
  • Manually verified. (For example puppet apply)
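The failure mode described in the post, as an added illustration that is not code from this PR or from puppetlabs-firewall: a Ruby sketch that parses constructed iptables-save output and back-fills the built-in chains of any table iptables-save omitted because it was never touched, so a chain listing never lacks built-ins that Puppet would otherwise try (and fail) to create. The BUILTIN_CHAINS map, the function names and the sample output are assumptions made for this example.

```ruby
# Built-in chains per table (assumption: the four common tables; 'security'
# would be handled the same way). Added example, not puppetlabs-firewall code.
BUILTIN_CHAINS = {
  'filter' => %w[INPUT FORWARD OUTPUT],
  'nat'    => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle' => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING],
  'raw'    => %w[PREROUTING OUTPUT],
}.freeze

# Parse iptables-save text into {table => {chain => policy}}.
# Only tables that were actually printed (*name ... COMMIT) appear here,
# which is exactly the gap the post describes for untouched nat/mangle.
def parse_iptables_save(text)
  tables = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('*')
      current = line[1..-1]
      tables[current] ||= {}
    elsif line.start_with?(':') && current
      name, policy = line[1..-1].split(/\s+/, 3)
      tables[current][name] = policy # '-' for user-defined chains
    end
  end
  tables
end

# Return "chain:table:proto" keys. Built-in chains of tables missing from the
# output are added with the kernel default policy (ACCEPT), so the listing
# matches what the kernel really has rather than what iptables-save printed.
def chain_keys(text, proto: 'IPv4')
  found = parse_iptables_save(text)
  BUILTIN_CHAINS.each do |table, chains|
    found[table] ||= {}
    chains.each { |c| found[table][c] ||= 'ACCEPT' }
  end
  found.flat_map { |table, chains| chains.keys.map { |c| "#{c}:#{table}:#{proto}" } }
end

# Constructed sample: only the filter table has been touched, so iptables-save
# prints nothing at all for nat, mangle and raw.
SAMPLE = <<~SAVE
  # Generated by iptables-save (constructed sample)
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT DROP [0:0]
  :CUSTOM - [0:0]
  -A INPUT -i lo -j ACCEPT
  COMMIT
SAVE
```

Running `chain_keys(SAMPLE)` yields the four filter chains plus every built-in of nat, mangle and raw, even though the sample output contains only the filter table.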

Herman Bonnes added 2 commits October 4, 2024 22:29
…turn all present chains/tables. Only if they've been manipulated. This results in an infinite loop of trying to create resources that are already there. This behaviour happens when defining built-in chains to prevent Puppet trying to delete them, as per the docs.
@hb0nes hb0nes requested a review from a team as a code owner October 4, 2024 20:37
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Herman Bonnes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

2 participants