starlingx/integ
Code Issues Proposed changes
7471413e24
integ/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/0001-Add-support-for-random-fully-flag.patch
Steven Webster 5d51ff6dd7 Enable puppet-firewall parsing of --random-fully rules 
A problem may occur if puppet attempts to inject a firewall rule
while the underlying iptables/ip6tables has existing rules which
use the --random-fully flag in the NAT table.

The issue occurs because puppet-firewall first makes a call to
iptables-save/ip6tables-save to parse the existing rules
(to determine if the rule already exists).  If it finds a rule
with --random-fully, it will immediately bail out.

The current version(s) of puppet-firewall in StarlingX are old
enough that they don't have parsing logic for the --random-fully
flag that was initially supported in iptables version 1.6.2+.

Now that StarlingX uses iptables 1.8.4, we must account for the
possibility that various components (ie. kubernetes) will make
use of --random-fully rules.

This feature has been implemented upstream in the following commits:

https://github.com/puppetlabs/puppetlabs-firewall/commits/

9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
0ea2b74c0b4a451a37bae8c2ff105b72481ab485

The above commits have been ported back to:

CentOS: puppet-firewall-1.8.2
Debian: puppetlabs-firewall-1.12.0

Since StarlingX does not currently build it's own version
of puppet-firewall in either CentOS or Debian, this commit
also contains the infrastructure to do so.

Testing:

Note: Since the issue is intermittent on unlock, the functional
tests were performed with a custom runtime manifest that installed
a dummy iptables/ip6tables rule when an interface was modified.
At this time, it was guaranteed that there were rules with
the --random-fully flag present.

CentOS:

Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS

Debian:

Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS

Closes-Bug: #1971900

Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I7dbb9e1b99d95df0aa5a7db7aa22c3c314253788
2022-05-10 11:17:08 -04:00

229 lines
10 KiB
Diff
Raw Blame History

From 7efc7fcf651772e2128a72b21305e86c27b9ecb2 Mon Sep 17 00:00:00 2001
From: Steven Webster <steven.webster@windriver.com>
Date: Mon, 2 May 2022 13:36:50 -0400
Subject: [PATCH] Add support for random fully flag
Enable puppet-firewall parsing of --random-fully rules
A problem may occur if puppet attempts to inject a firewall rule
while the underlying iptables/ip6tables has existing rules which
use the --random-fully flag in the NAT table.
The issue occurs because puppet-firewall first makes a call to
iptables-save/ip6tables-save to parse the existing rules
(to determine if the rule already exists). If it finds a rule
with --random-fully, it will immediately bail out.
The current version(s) of puppet-firewall in StarlingX are old
enough that they don't have parsing logic for the --random-fully
flag that was initially supported in iptables version 1.6.2+.
Now that StarlingX uses iptables 1.8.4, we must account for the
possibility that various components (ie. kubernetes) will make
use of --random-fully rules.
This feature has been implemented upstream in the following commits:
https://github.com/puppetlabs/puppetlabs-firewall/commits/
9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
0ea2b74c0b4a451a37bae8c2ff105b72481ab485
This commit ports back the above commits
Signed-off-by: Steven Webster <steven.webster@windriver.com>
---
lib/puppet/provider/firewall/ip6tables.rb | 10 ++++++-
lib/puppet/provider/firewall/iptables.rb | 12 +++++++-
lib/puppet/type/firewall.rb | 12 ++++++++
spec/acceptance/firewall_spec.rb | 33 ++++++++++++++++++++++
spec/fixtures/ip6tables/conversion_hash.rb | 7 +++++
5 files changed, 72 insertions(+), 2 deletions(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index d3c1b3c..7fce8bc 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -47,6 +47,12 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
'--set-xmark'
end
+ kernelversion = Facter.value('kernelversion')
+ if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
+ (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0)
+ has_feature :random_fully
+ end
+
def initialize(*args)
ip6tables_version = Facter.value('ip6tables_version')
raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})
@@ -103,6 +109,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
proto: '-p',
queue_num: '--queue-num',
queue_bypass: '--queue-bypass',
+ random_fully: '--random-fully',
rdest: '--rdest',
reap: '--reap',
recent: '-m recent',
@@ -174,6 +181,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
:islastfrag,
:isfirstfrag,
:log_uid,
+ :random_fully,
:rsource,
:rdest,
:reap,
@@ -253,7 +261,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
:ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
:string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :random_fully, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 00655ea..d86a5c6 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -56,6 +56,12 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
'--set-xmark'
end
+ kernelversion = Facter.value('kernelversion')
+ if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
+ (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
+ has_feature :random_fully
+ end
+
@protocol = 'IPv4'
@resource_map = {
@@ -100,6 +106,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
proto: '-p',
queue_num: '--queue-num',
queue_bypass: '--queue-bypass',
+ random_fully: '--random-fully',
random: '--random',
rdest: '--rdest',
reap: '--reap',
@@ -176,6 +183,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
:clamp_mss_to_pmtu,
:isfragment,
:log_uid,
+ :random_fully,
:random,
:rdest,
:reap,
@@ -295,7 +303,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
:string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
:clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
:nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
- :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
+ :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
:log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
@@ -428,6 +436,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
# only replace those -f that are not followed by an l to
# distinguish between -f and the '-f' inside of --tcp-flags.
values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true')
+ elsif bool == :random
+ values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true")
else
# append `true` to booleans that are not already negated (followed by "!")
values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true")
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index a859f28..fce2fba 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -68,6 +68,7 @@ Puppet::Type.newtype(:firewall) do
feature :queue_num, 'Which NFQUEUE to send packets to'
feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue'
feature :hashlimit, 'Hashlimit features'
+ feature :random_fully, 'The ability to use --random-fully flag'
# provider specific features
feature :iptables, 'The provider provides iptables features.'
@@ -581,6 +582,17 @@ Puppet::Type.newtype(:firewall) do
PUPPETCODE
end
+ newproperty(:random_fully, required_features: :random_fully) do
+ desc <<-PUPPETCODE
+ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+ this boolean will enable fully randomized port mapping.
+
+ **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
newproperty(:random, required_features: :dnat) do
desc <<-PUPPETCODE
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index f4c3d67..3198ba5 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -2317,4 +2317,37 @@ describe 'firewall basics', docker: true do
end
end
end
+
+ describe 'random-fully' do
+ supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8')
+ true
+ elsif os[:family] == 'debian' && os[:release].start_with?('10')
+ true
+ else
+ false
+ end
+
+ before(:all) do
+ pp = <<-PUPPETCODE
+ firewall { '901 - set random-fully':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ random_fully => true,
+ }
+ PUPPETCODE
+ apply_manifest(pp, catch_failures: true)
+ end
+
+
+ it 'adds random-fully rule', if: supports_random_fully do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully})
+ end
+ end
+ it 'adds rule without random-fully', unless: supports_random_fully do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
+ end
+ end
end
diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
index 748dc8d..00f1018 100644
--- a/spec/fixtures/ip6tables/conversion_hash.rb
+++ b/spec/fixtures/ip6tables/conversion_hash.rb
@@ -33,6 +33,13 @@ ARGS_TO_HASH6 = {
sport: ['547'],
dport: ['546'],
},
+ 'random-fully' => {
+ line: '-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully',
+ table: 'filter',
+ provider: 'ip6tables',
+ params: {
+ random_fully: 'true',
+ },
},
}.freeze
--
2.17.1
View Git Blame Copy Permalink