Projet

Général

Profil

Révision 30462da1

ID30462da12b2eca072bdd9c13b1970958ff962745
Parent 92461926
Enfant bd549474

Ajouté par Steve Traylen il y a plus de 4 ans

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```

As things stood on config modication `systemctl stop nftables ; systemctl start nftables` was being
called resulting in:

```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```

as distinct commands so a non-atomic flush and load of ruleset.

With this change it is now.

```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```

There is subsequently a redundant extra 'flush ruleset' in there to be followed
up in a seperate patch as I have desire to make that tunable.

To verify what happens when broken rules have been applied, e.g

```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```

This results in puppet run of

```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```

and the existing rules are left live, previously the flush from the stop was occuring.

The reload attempt would only happen once however leaving a time bomb at reboot.
To resvole this the configuration is modified to force a reconfig and reload every puppet run.

Voir les différences:

files/config/puppet.nft
1 
# puppet-preflight.nft is only used by puppet for validating new configs
2 
# puppet.nft is real configuration that the nftables services uses.
3 
# To process either the -I flag must be specified.
4 
# nft -c -I /etc/nftables/puppet -f /etc/nftables/puppet.nft
5 
# nft -c -I /etc/nftables/puppet-preflight -f /etc/nftables/puppet-preflight.nft
6 

  		




  1
  7
  
    
# drop any existing nftables ruleset


  		




  2
  8
  
    
flush ruleset


  		




  3
  9
  
    

  		




  4
  
  
    
include "/etc/nftables/puppet/custom-*.nft"


  		




  5
  
  
    
include "/etc/nftables/puppet/inet-filter.nft"


  		




  6
  
  
    
include "/etc/nftables/puppet/ip-nat.nft"


  		




  7
  
  
    
include "/etc/nftables/puppet/ip6-nat.nft"


  		




  
  10
  
    
include "custom-*.nft"


  		




  
  11
  
    
include "inet-filter.nft"


  		




  
  12
  
    
include "ip-nat.nft"


  		




  
  13
  
    
include "ip6-nat.nft"


  		












Formats disponibles :  Unified diff