Projet

Général

Profil

Révision 30462da1

ID30462da12b2eca072bdd9c13b1970958ff962745
Parent 92461926
Enfant bd549474

Ajouté par Steve Traylen il y a plus de 4 ans

Reload rules atomically

Background: The unit file for nftables on CentOS 8 contains:

```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```

As things stood on config modication `systemctl stop nftables ; systemctl start nftables` was being
called resulting in:

```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```

as distinct commands so a non-atomic flush and load of ruleset.

With this change it is now.

```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```

There is subsequently a redundant extra 'flush ruleset' in there to be followed
up in a seperate patch as I have desire to make that tunable.

To verify what happens when broken rules have been applied, e.g

```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```

This results in puppet run of

```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```

and the existing rules are left live, previously the flush from the stop was occuring.

The reload attempt would only happen once however leaving a time bomb at reboot.
To resvole this the configuration is modified to force a reconfig and reload every puppet run.

Voir les différences:

spec/classes/router_spec.rb
32 32 

  		




  33
  33
  
    
        it {


  		




  34
  34
  
    
          is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(


  		




  35
  
  
    
            path:           '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',


  		




  
  35
  
    
            path:           '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',


  		




  36
  36
  
    
            owner:          'root',


  		




  37
  37
  
    
            group:          'root',


  		




  38
  38
  
    
            mode:           '0640',


  		




  ......




  70
  70
  
    

  		




  71
  71
  
    
        it {


  		




  72
  72
  
    
          is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(


  		




  73
  
  
    
            path:           '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',


  		




  
  73
  
    
            path:           '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',


  		




  74
  74
  
    
            owner:          'root',


  		




  75
  75
  
    
            group:          'root',


  		




  76
  76
  
    
            mode:           '0640',


  		




  ......




  108
  108
  
    

  		




  109
  109
  
    
        it {


  		




  110
  110
  
    
          is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(


  		




  111
  
  
    
            path:           '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',


  		




  
  111
  
    
            path:           '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',


  		




  112
  112
  
    
            owner:          'root',


  		




  113
  113
  
    
            group:          'root',


  		




  114
  114
  
    
            mode:           '0640',


  		












Formats disponibles :  Unified diff