Projet

Général

Profil

Révision 30462da1

ID30462da12b2eca072bdd9c13b1970958ff962745
Parent 92461926
Enfant bd549474

Ajouté par Steve Traylen il y a plus de 4 ans

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```

As things stood on config modication `systemctl stop nftables ; systemctl start nftables` was being
called resulting in:

```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```

as distinct commands so a non-atomic flush and load of ruleset.

With this change it is now.

```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```

There is subsequently a redundant extra 'flush ruleset' in there to be followed
up in a seperate patch as I have desire to make that tunable.

To verify what happens when broken rules have been applied, e.g

```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```

This results in puppet run of

```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```

and the existing rules are left live, previously the flush from the stop was occuring.

The reload attempt would only happen once however leaving a time bomb at reboot.
To resvole this the configuration is modified to force a reconfig and reload every puppet run.

Voir les différences:

manifests/init.pp
84 84 
      owner => 'root',
85 85 
      group => 'root',
86 86 
      mode  => '0640';
87 
    '/etc/nftables/puppet-preflight':
88 
      ensure  => directory,
89 
      mode    => '0750',
90 
      purge   => true,
91 
      force   => true,
92 
      recurse => true;
93 
    '/etc/nftables/puppet-preflight.nft':
94 
      ensure => file,
95 
      source => 'puppet:///modules/nftables/config/puppet.nft';
96 
  } ~> exec{
97 
    'nft validate':
98 
      refreshonly => true,
99 
      command     => '/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo "#CONFIG BROKEN" >> /etc/nftables/puppet-preflight.nft && /bin/false)';
100 
  } -> file{
101 
    default:
102 
      owner => 'root',
103 
      group => 'root',
104 
      mode  => '0640';
87 105 
    '/etc/nftables/puppet.nft':
88 106 
      ensure => file,
89 107 
      source => 'puppet:///modules/nftables/config/puppet.nft';
......
94 112 
      force   => true,
95 113 
      recurse => true;
96 114 
  } ~> service{'nftables':
97 
    ensure => running,
98 
    enable => true,
115 
    ensure     => running,
116 
    enable     => true,
117 
    hasrestart => true,
118 
    restart    => '/usr/bin/systemctl reload nftables',
119 
  }
120 

  		




  
  121
  
    
  systemd::dropin_file{'puppet_nft.conf':


  		




  
  122
  
    
    ensure => present,


  		




  
  123
  
    
    unit   => 'nftables.service',


  		




  
  124
  
    
    source => 'puppet:///modules/nftables/systemd/puppet_nft.conf',


  		




  
  125
  
    
    notify => Service['nftables'],


  		




  99
  126
  
    
  }


  		




  100
  127
  
    

  		




  101
  128
  
    
  service{'firewalld':


  		












Formats disponibles :  Unified diff