Révision 30462da1
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```
As things stood on config modication `systemctl stop nftables ; systemctl start nftables` was being
called resulting in:
```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```
as distinct commands so a non-atomic flush and load of ruleset.
With this change it is now.
```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```
There is subsequently a redundant extra 'flush ruleset' in there to be followed
up in a seperate patch as I have desire to make that tunable.
To verify what happens when broken rules have been applied, e.g
```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```
This results in puppet run of
```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```
and the existing rules are left live, previously the flush from the stop was occuring.
The reload attempt would only happen once however leaving a time bomb at reboot.
To resvole this the configuration is modified to force a reconfig and reload every puppet run.
| spec/classes/ip_nat_spec.rb | ||
|---|---|---|
| 11 | 11 |
|
| 12 | 12 |
it {
|
| 13 | 13 |
is_expected.to contain_concat('nftables-ip-nat').with(
|
| 14 |
path: '/etc/nftables/puppet/ip-nat.nft', |
|
| 14 |
path: '/etc/nftables/puppet-preflight/ip-nat.nft',
|
|
| 15 | 15 |
ensure: 'present', |
| 16 | 16 |
owner: 'root', |
| 17 | 17 |
group: 'root', |
| ... | ... | |
| 44 | 44 |
|
| 45 | 45 |
it {
|
| 46 | 46 |
is_expected.to contain_concat('nftables-ip6-nat').with(
|
| 47 |
path: '/etc/nftables/puppet/ip6-nat.nft', |
|
| 47 |
path: '/etc/nftables/puppet-preflight/ip6-nat.nft',
|
|
| 48 | 48 |
ensure: 'present', |
| 49 | 49 |
owner: 'root', |
| 50 | 50 |
group: 'root', |
| ... | ... | |
| 78 | 78 |
context 'table ip nat chain prerouting' do |
| 79 | 79 |
it {
|
| 80 | 80 |
is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
|
| 81 |
path: '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft', |
|
| 81 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
|
|
| 82 | 82 |
owner: 'root', |
| 83 | 83 |
group: 'root', |
| 84 | 84 |
mode: '0640', |
| ... | ... | |
| 118 | 118 |
context 'table ip nat chain postrouting' do |
| 119 | 119 |
it {
|
| 120 | 120 |
is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
|
| 121 |
path: '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft', |
|
| 121 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
|
|
| 122 | 122 |
owner: 'root', |
| 123 | 123 |
group: 'root', |
| 124 | 124 |
mode: '0640', |
| ... | ... | |
| 158 | 158 |
context 'table ip6 nat chain prerouting' do |
| 159 | 159 |
it {
|
| 160 | 160 |
is_expected.to contain_concat('nftables-ip6-nat-chain-PREROUTING6').with(
|
| 161 |
path: '/etc/nftables/puppet/ip6-nat-chain-PREROUTING6.nft', |
|
| 161 |
path: '/etc/nftables/puppet-preflight/ip6-nat-chain-PREROUTING6.nft',
|
|
| 162 | 162 |
owner: 'root', |
| 163 | 163 |
group: 'root', |
| 164 | 164 |
mode: '0640', |
| ... | ... | |
| 198 | 198 |
context 'table ip nat chain postrouting' do |
| 199 | 199 |
it {
|
| 200 | 200 |
is_expected.to contain_concat('nftables-ip6-nat-chain-POSTROUTING6').with(
|
| 201 |
path: '/etc/nftables/puppet/ip6-nat-chain-POSTROUTING6.nft', |
|
| 201 |
path: '/etc/nftables/puppet-preflight/ip6-nat-chain-POSTROUTING6.nft',
|
|
| 202 | 202 |
owner: 'root', |
| 203 | 203 |
group: 'root', |
| 204 | 204 |
mode: '0640', |
Formats disponibles : Unified diff