From 7efc7fcf651772e2128a72b21305e86c27b9ecb2 Mon Sep 17 00:00:00 2001 From: Steven Webster Date: Mon, 2 May 2022 13:36:50 -0400 Subject: [PATCH] Add support for random fully flag Enable puppet-firewall parsing of --random-fully rules A problem may occur if puppet attempts to inject a firewall rule while the underlying iptables/ip6tables has existing rules which use the --random-fully flag in the NAT table. The issue occurs because puppet-firewall first makes a call to iptables-save/ip6tables-save to parse the existing rules (to determine if the rule already exists). If it finds a rule with --random-fully, it will immediately bail out. The current version(s) of puppet-firewall in StarlingX are old enough that they don't have parsing logic for the --random-fully flag that was initially supported in iptables version 1.6.2+. Now that StarlingX uses iptables 1.8.4, we must account for the possibility that various components (ie. kubernetes) will make use of --random-fully rules. This feature has been implemented upstream in the following commits: https://github.com/puppetlabs/puppetlabs-firewall/commits/ 9a4bc6a81cf0cd4a56ba458fadac830a2c4df529 0ea2b74c0b4a451a37bae8c2ff105b72481ab485 This commit ports back the above commits Signed-off-by: Steven Webster --- lib/puppet/provider/firewall/ip6tables.rb | 10 ++++++- lib/puppet/provider/firewall/iptables.rb | 12 +++++++- lib/puppet/type/firewall.rb | 12 ++++++++ spec/acceptance/firewall_spec.rb | 33 ++++++++++++++++++++++ spec/fixtures/ip6tables/conversion_hash.rb | 7 +++++ 5 files changed, 72 insertions(+), 2 deletions(-) diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb index d3c1b3c..7fce8bc 100644 --- a/lib/puppet/provider/firewall/ip6tables.rb +++ b/lib/puppet/provider/firewall/ip6tables.rb @@ -47,6 +47,12 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 '--set-xmark' end + kernelversion = Facter.value('kernelversion') + if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) && + (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0) + has_feature :random_fully + end + def initialize(*args) ip6tables_version = Facter.value('ip6tables_version') raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d}) @@ -103,6 +109,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 proto: '-p', queue_num: '--queue-num', queue_bypass: '--queue-bypass', + random_fully: '--random-fully', rdest: '--rdest', reap: '--reap', recent: '-m recent', @@ -174,6 +181,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 :islastfrag, :isfirstfrag, :log_uid, + :random_fully, :rsource, :rdest, :reap, @@ -253,7 +261,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest, - :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass, + :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :random_fully, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 00655ea..d86a5c6 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -56,6 +56,12 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa '--set-xmark' end + kernelversion = Facter.value('kernelversion') + if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) && + (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0) + has_feature :random_fully + end + @protocol = 'IPv4' @resource_map = { @@ -100,6 +106,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa proto: '-p', queue_num: '--queue-num', queue_bypass: '--queue-bypass', + random_fully: '--random-fully', random: '--random', rdest: '--rdest', reap: '--reap', @@ -176,6 +183,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa :clamp_mss_to_pmtu, :isfragment, :log_uid, + :random_fully, :random, :rdest, :reap, @@ -295,7 +303,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass, :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, - :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, + :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix, :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, @@ -428,6 +436,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa # only replace those -f that are not followed by an l to # distinguish between -f and the '-f' inside of --tcp-flags. values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true') + elsif bool == :random + values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true") else # append `true` to booleans that are not already negated (followed by "!") values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true") diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index a859f28..fce2fba 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -68,6 +68,7 @@ Puppet::Type.newtype(:firewall) do feature :queue_num, 'Which NFQUEUE to send packets to' feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue' feature :hashlimit, 'Hashlimit features' + feature :random_fully, 'The ability to use --random-fully flag' # provider specific features feature :iptables, 'The provider provides iptables features.' @@ -581,6 +582,17 @@ Puppet::Type.newtype(:firewall) do PUPPETCODE end + newproperty(:random_fully, required_features: :random_fully) do + desc <<-PUPPETCODE + When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" + this boolean will enable fully randomized port mapping. + + **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2 + PUPPETCODE + + newvalues(:true, :false) + end + newproperty(:random, required_features: :dnat) do desc <<-PUPPETCODE When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index f4c3d67..3198ba5 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb @@ -2317,4 +2317,37 @@ describe 'firewall basics', docker: true do end end end + + describe 'random-fully' do + supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8') + true + elsif os[:family] == 'debian' && os[:release].start_with?('10') + true + else + false + end + + before(:all) do + pp = <<-PUPPETCODE + firewall { '901 - set random-fully': + table => 'nat', + chain => 'POSTROUTING', + jump => 'MASQUERADE', + random_fully => true, + } + PUPPETCODE + apply_manifest(pp, catch_failures: true) + end + + + it 'adds random-fully rule', if: supports_random_fully do + shell('iptables-save') do |r| + expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully}) + end + end + it 'adds rule without random-fully', unless: supports_random_fully do + shell('iptables-save') do |r| + expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE}) + end + end end diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb index 748dc8d..00f1018 100644 --- a/spec/fixtures/ip6tables/conversion_hash.rb +++ b/spec/fixtures/ip6tables/conversion_hash.rb @@ -33,6 +33,13 @@ ARGS_TO_HASH6 = { sport: ['547'], dport: ['546'], }, + 'random-fully' => { + line: '-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully', + table: 'filter', + provider: 'ip6tables', + params: { + random_fully: 'true', + }, }, }.freeze -- 2.17.1