Revision 30462da1

ID 30462da12b2eca072bdd9c13b1970958ff962745
Parent 92461926
Child bd549474

Added by Steve Traylen over 4 years ago

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```

As things stood, on config modification `systemctl stop nftables ; systemctl start nftables` was being
called, resulting in:

```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```

as distinct commands so a non-atomic flush and load of ruleset.

With this change it is now:

```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```

There is subsequently a redundant extra 'flush ruleset' in there, to be followed
up in a separate patch as I have a desire to make that tunable.

To verify what happens when broken rules have been applied, e.g.

```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```

This results in a puppet run of

```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```

and the existing rules are left live; previously the flush from the stop was occurring.

The reload attempt would only happen once, however, leaving a time bomb at reboot.
To resolve this the configuration is modified to force a reconfig and reload every puppet run.
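The validate-then-reload sequence the commit message describes, written out as an added POSIX shell example; this is not code from the commit or from the puppet-nftables module. `nft -c -f` is the preflight check (the shell counterpart of the `puppet-preflight` directory and `Exec['nft validate']` that the commit introduces), and the flush plus include are handed to a single nft invocation, which is what makes the swap atomic. The `NFT` variable and the script's argument handling are assumptions for illustration; the non-atomic `flush` then `-f` pair from the message is included only for contrast.

```shell
#!/bin/sh
# Added example; not code from the commit or the puppet-nftables module.
# Validate an nftables ruleset file, then swap it into the kernel in one
# nft transaction, so a broken file leaves the existing rules live.
# Assumption: NFT is an overridable path to the nft binary, defaulting to
# /sbin/nft as used by the CentOS 8 unit file.
set -u

NFT="${NFT:-/sbin/nft}"

# Preflight: parse the file and check every command without applying it
# (nft --check). The exit status is nft's; non-zero means do not load.
nft_validate() {
    "$NFT" -c -f "$1"
}

# Atomic reload: flush and include are given to ONE nft invocation, which
# submits them as a single batch; the kernel either commits the whole new
# ruleset or rejects the batch and keeps the old one. Same shape as the
# unit file's ExecReload, with the commands fed on stdin instead of argv.
nft_reload_atomic() {
    conf="$1"
    nft_validate "$conf" || return 1
    "$NFT" -f - <<EOF
flush ruleset
include "$conf"
EOF
}

# The non-atomic "before" described in the commit message, for contrast:
# between the two nft processes the host has no ruleset at all, and if the
# file is broken it stays that way.
nft_reload_nonatomic() {
    "$NFT" flush ruleset
    "$NFT" -f "$1"
}

# Usage: sh reload.sh /etc/sysconfig/nftables.conf
# With no argument the functions are only defined (safe to source).
if [ "$#" -gt 0 ]; then
    nft_reload_atomic "$1"
fi
```

The explicit `-c` check is belt and braces: a single `nft -f` batch that fails to parse or is rejected by the kernel already leaves the previous ruleset in place, but checking first gives a clear error before anything is attempted and mirrors the preflight/live split the diff introduces.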

View differences:

manifests/chain.pp
15 15

  
16 16
  concat{
17 17
    $concat_name:
18
      path           => "/etc/nftables/puppet/${table}-chain-${chain}.nft",
18
      path           => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
19 19
      owner          => root,
20 20
      group          => root,
21 21
      mode           => '0640',
22 22
      ensure_newline => true,
23 23
      require        => Package['nftables'],
24
      notify         => Service['nftables'],
25
  }
24
  } ~> Exec['nft validate'] -> file{
25
    "/etc/nftables/puppet/${table}-chain-${chain}.nft":
26
    ensure => file,
27
    source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
28
    owner  => root,
29
    group  => root,
30
    mode   => '0640',
31
  } ~> Service['nftables']
26 32

  
27 33
  concat::fragment{
28 34
    default:
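Review bot: the protection this hunk adds depends on `Exec['nft validate']`, which is referenced but not declared here, checking the `/etc/nftables/puppet-preflight/` copy and not the live `/etc/nftables/puppet/` tree; the `~> Exec['nft validate'] -> file{ ... }` chain does skip the copy into `/etc/nftables/puppet/` when validation fails, but only if the exec reads the preflight path, so a short comment above the chain naming the directory it validates and the check it runs (e.g. `nft -c -f`) would make that contract visible to the next reader of `chain.pp`. Secondly, the new `file` resource has `ensure => file` only, so a chain later removed from the manifest leaves its old `/etc/nftables/puppet/${table}-chain-${chain}.nft` and the preflight copy behind, since nothing in this hunk purges either directory; consider purging or an `ensure => absent` path.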
