Revision 30462da1

ID 30462da12b2eca072bdd9c13b1970958ff962745
Parent 92461926
Child bd549474

Added by Steve Traylen more than 4 years ago

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```

As things stood, on config modification `systemctl stop nftables ; systemctl start nftables` was being
called, resulting in:

```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```

as distinct commands, so a non-atomic flush and load of the ruleset.

With this change it is now:

```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```

There is subsequently a redundant extra 'flush ruleset' in there to be followed
up in a separate patch, as I have a desire to make that tunable.

To verify what happens when broken rules have been applied, e.g.

```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```

This results in a puppet run of

```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```

and the existing rules are left live; previously the flush from the stop was occurring.

The reload attempt would only happen once, however, leaving a time bomb at reboot.
To resolve this the configuration is modified to force a reconfig and reload every puppet run.
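The validate-then-reload sequence the commit describes, written out as a stand-alone shell script. This is an added example, not code from the module or from the commit author: the `nft -c -f` check, the `-I` include directory and the single-invocation `flush ruleset; include "..."` reload are the commands shown on this page, while the `NFT` variable, the `validate_ruleset`/`safe_reload` function names and their return codes are assumptions made for the example. The point it demonstrates is that a config that fails the check never reaches the kernel, so the live ruleset is left untouched rather than flushed first and then not replaced.

```shell
#!/bin/sh
# Added example (not the nftables module's code): validate an nftables config
# file in check mode, then apply flush + include in ONE nft invocation so the
# replacement is a single transaction. If validation fails, nothing is flushed
# and the currently loaded ruleset stays live.
#
# NFT (binary path) and the optional preflight include directory are
# assumptions for this example; /usr/sbin/nft is only a default.
NFT="${NFT:-/usr/sbin/nft}"

# validate_ruleset CONF [INCLUDE_DIR]
# Runs nft with -c (check only); nothing is committed to the kernel.
validate_ruleset() {
  conf="$1"
  incdir="$2"
  if [ -n "$incdir" ]; then
    "$NFT" -I "$incdir" -c -f "$conf"
  else
    "$NFT" -c -f "$conf"
  fi
}

# safe_reload CONF [INCLUDE_DIR]
# Validates first; only then replaces the ruleset in a single nft call.
# Returns 1 if validation fails (ruleset untouched), 2 if the reload itself
# fails, 0 on success.
safe_reload() {
  conf="$1"
  incdir="$2"
  if ! validate_ruleset "$conf" "$incdir"; then
    echo "safe_reload: $conf failed validation; existing ruleset left live" >&2
    return 1
  fi
  # flush and include run inside one nft invocation, i.e. one transaction
  if [ -n "$incdir" ]; then
    "$NFT" -I "$incdir" "flush ruleset; include \"$conf\";" || return 2
  else
    "$NFT" "flush ruleset; include \"$conf\";" || return 2
  fi
}

# Usage on a real host (as root), mirroring the unit file on this page:
#   safe_reload /etc/sysconfig/nftables.conf
```

Running `safe_reload` on a file containing `junk` (the broken rule from the commit message) returns 1 and never issues the `flush ruleset` command, which is the behaviour the commit wants from the Puppet-driven `nft validate` exec and the `systemctl reload` that follows it.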

View differences:

spec/classes/nftables_spec.rb
34 34
      }
35 35

  
36 36
      it {
37
        is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with(
38
          ensure: 'file',
39
          owner:  'root',
40
          group:  'root',
41
          mode:   '0640',
42
          source: 'puppet:///modules/nftables/config/puppet.nft',
43
        )
44
      }
45

  
46
      it {
47
        is_expected.to contain_file('/etc/nftables/puppet-preflight').with(
48
          ensure:  'directory',
49
          owner:   'root',
50
          group:   'root',
51
          mode:    '0750',
52
          purge:   true,
53
          force:   true,
54
          recurse: true,
55
        )
56
      }
57

  
58
      it {
59
        is_expected.to contain_exec('nft validate').with(
60
          refreshonly: true,
61
          command: %r{^/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*},
62
        )
63
      }
64

  
65
      it {
37 66
        is_expected.to contain_service('nftables').with(
38 67
          ensure: 'running',
39 68
          enable: true,
69
          hasrestart: true,
70
          restart: %r{/usr/bin/systemctl reload nft.*},
40 71
        )
41 72
      }
42 73
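Review bot: the new `nft validate` expectation checks `refreshonly: true` and the command regex, but not the relationships that make the reload safe, namely that the exec is refreshed by `/etc/nftables/puppet-preflight.nft` (and the purged `/etc/nftables/puppet-preflight` directory) and that the `nftables` service reload only runs after the exec succeeds. As written, a spec pass would still permit a manifest in which a broken ruleset reaches `systemctl reload`. Suggest adding rspec-puppet relationship matchers to the exec and service expectations, e.g. `.that_subscribes_to('File[/etc/nftables/puppet-preflight.nft]')` on the exec and `.that_requires('Exec[nft validate]')` on the service. Separately, `restart: %r{/usr/bin/systemctl reload nft.*}` is looser than it needs to be; `%r{/usr/bin/systemctl reload nftables$}` would pin the unit name the commit message describes.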

  
