chef-cookbooks / iptables

Development repository for Chef Cookbook iptables

Home Page:https://supermarket.chef.io/cookbooks/iptables


fix rebuild-iptables to load system-created rules

aryabov18 opened this issue · comments

Cookbook version

4.5.0

Chef-client version

14.7.17

Platform Details

CentOS Linux release 7.5.1804 (Core)

Scenario:

Store existing rules to the suffix template on installation. "/etc/sysconfig/iptables" -> /etc/iptables.d/suffix
Then process them with newly added rules.
However, rebuild-iptables can't read existing rules if they have extra chains, because of a mistake in a regular expression.

Steps to Reproduce:

store content of the /etc/iptables.d/suffix file to /etc/iptables.d/suffix file
run cookbook or just /usr/sbin/rebuild-iptables

Expected Result:

newly created file /etc/sysconfig/iptables has correct syntax and is successfully loaded via iptables-restore

Actual Result:

file /etc/sysconfig/iptables has two rows with ":node_exporter", and iptables-restore fails.

[root@generic-ctec-c4t aryabov]# /usr/sbin/rebuild-iptables 
iptables-restore v1.4.21: error creating chain 'node_exporter':File exists

Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Traceback (most recent call last):
/usr/sbin/rebuild-iptables:134:in `<main>': /usr/sbin/rebuild-iptables: failed to install iptables rules (RuntimeError)
[root@generic-ctec-c4t aryabov]# grep :node_exporter /etc/sysconfig/iptables
:node_exporter -
:node_exporter - [0:0]
[root@generic-ctec-c4t aryabov]# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:node_exporter -
# Generated by iptables-save v1.4.21 on Mon Nov 26 23:17:18 2018
:node_exporter - [0:0]
-A INPUT -p tcp -m tcp --dport 9500 -m comment --comment "RKS: RTTs" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9600 -m comment --comment "RKS: Ts" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9100 -j node_exporter
-A INPUT -p icmp -m icmp --icmp-type 8 -j node_exporter
-A node_exporter -s 172.22.46.69/32 -m comment --comment "NodeExporter: prom-ctec-c1t" -j ACCEPT
-A node_exporter -s 172.30.104.186/32 -m comment --comment "NodeExporter: mws02" -j ACCEPT
-A node_exporter -s 127.0.0.1/32 -j ACCEPT
-A node_exporter -p tcp -j REJECT --reject-with tcp-reset
-A node_exporter -p tcp -j DROP
# Completed on Mon Nov 26 23:17:18 2018
COMMIT
[root@generic-ctec-c4t aryabov]# cat /etc/iptables.d/suffix 
# Generated by iptables-save v1.4.21 on Mon Nov 26 23:17:18 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:node_exporter - [0:0]
-A INPUT -p tcp -m tcp --dport 9500 -m comment --comment "RKS: RTTs" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9600 -m comment --comment "RKS: Ts" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9100 -j node_exporter
-A INPUT -p icmp -m icmp --icmp-type 8 -j node_exporter
-A node_exporter -s 172.22.46.69/32 -m comment --comment "NodeExporter: prom-ctec-c1t" -j ACCEPT
-A node_exporter -s 172.30.104.186/32 -m comment --comment "NodeExporter: mws02" -j ACCEPT
-A node_exporter -s 127.0.0.1/32 -j ACCEPT
-A node_exporter -p tcp -j REJECT --reject-with tcp-reset
-A node_exporter -p tcp -j DROP
COMMIT
# Completed on Mon Nov 26 23:17:18 2018
[root@generic-ctec-c4t aryabov]# ls /etc/iptables.d/
suffix
[root@generic-ctec-c4t aryabov]# 

Possible fix for the issue:

KAPAMACM00NFD58:iptables p2771530$ diff -u templates/default/rebuild-iptables.erb.old templates/default/rebuild-iptables.erb
--- templates/default/rebuild-iptables.erb.old	2018-12-17 12:10:49.000000000 -0700
+++ templates/default/rebuild-iptables.erb	2018-12-17 12:11:07.000000000 -0700
@@ -32,7 +32,7 @@
       read_iptables($1, table)
     elsif line =~ /^\s*\*([a-z]+)\s*$/
       table = $1.to_sym
-    elsif line =~ /^\s*:([-a-zA-Z0-9_]+)(?:\s+([A-Z]+(?:\s*\[.*?\])))?$/
+    elsif line =~ /^\s*:([-a-zA-Z0-9_]+)(?:\s+([A-Z-]+(?:\s*\[.*?\])))?$/
       @data[table][:chains][$1] = $2 || '-'
     elsif line !~ /^\s*COMMIT\s*$/
       #detect new chains
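Review bot: the widened class [A-Z-]+ on the added line accepts the "-" policy that iptables-save writes for user-defined chains, but it is broader than needed (it also matches strings such as "ACCEPT-" or "--"), and the counter bracket (?:\s*\[.*?\]) is still mandatory whenever a policy is present, so a line of the form ":node_exporter -" (the first of the two rows in the failing /etc/sysconfig/iptables above) still fails this regex and falls through to the rule branch below it. Consider (?:\s+((?:[A-Z]+|-)(?:\s*\[.*?\])?))?$ so that both the bare and the counted chain declarations are stored in @data[table][:chains] and neither is re-emitted as a rule.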
KAPAMACM00NFD58:iptables p2771530$ 
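An added example, not the cookbook's own rebuild-iptables template: a reduced Ruby classifier shaped like the loop in the diff context, run over a trimmed copy of the suffix file quoted in this issue, to show the original regex demoting the chain declaration to a rule (giving the duplicate ":node_exporter" rows) while a corrected regex keeps it as a chain. The "detect new chains" step is an assumption here (an -A on an undeclared chain registers it with policy "-"), and the corrected regex also makes the counter bracket optional, which goes beyond the one-character change in the diff.

```ruby
# Added example, not the cookbook's own rebuild-iptables: a reduced classifier
# shaped like the loop in the diff context (table line, chain line, otherwise a
# rule), so the two chain regexes can be compared on the dump from this issue.

BUGGY_CHAIN_RE = /^\s*:([-a-zA-Z0-9_]+)(?:\s+([A-Z]+(?:\s*\[.*?\])))?$/
# Accepts "-" as policy and makes the counter bracket optional (":node_exporter -").
FIXED_CHAIN_RE = /^\s*:([-a-zA-Z0-9_]+)(?:\s+((?:[A-Z]+|-)(?:\s*\[.*?\])?))?$/

# Constructed sample: trimmed copy of the /etc/iptables.d/suffix quoted above.
SAMPLE_SUFFIX = <<~RULES
  # Generated by iptables-save v1.4.21 on Mon Nov 26 23:17:18 2018
  *filter
  :INPUT ACCEPT [0:0]
  :node_exporter - [0:0]
  -A INPUT -p tcp -m tcp --dport 9100 -j node_exporter
  -A node_exporter -s 127.0.0.1/32 -j ACCEPT
  -A node_exporter -p tcp -j DROP
  COMMIT
RULES

def parse_save(text, chain_re)
  data = Hash.new { |h, k| h[k] = { chains: {}, rules: [] } }
  table = nil
  text.each_line(chomp: true) do |line|
    next if line.empty? || line.start_with?('#')
    if line =~ /^\s*\*([a-z]+)\s*$/
      table = $1.to_sym
    elsif line =~ chain_re
      data[table][:chains][$1] = $2 || '-'
    elsif line !~ /^\s*COMMIT\s*$/
      # "detect new chains" (assumed behaviour): an -A on a chain that was not
      # declared yet registers it with policy "-", then the line is kept as a rule
      chain = line[/^\s*-A\s+(\S+)/, 1]
      data[table][:chains][chain] ||= '-' if chain
      data[table][:rules] << line
    end
  end
  data
end

def render(data)
  data.flat_map do |table, t|
    ["*#{table}", *t[:chains].map { |c, p| ":#{c} #{p}" }, *t[:rules], 'COMMIT']
  end.join("\n")
end

# iptables-restore rejects a second declaration of the same chain ("File exists").
def chain_header_count(rendered, chain)
  rendered.lines.count { |l| l.start_with?(":#{chain} ") }
end
```

With BUGGY_CHAIN_RE the rendered output carries ":node_exporter -" from chain detection plus ":node_exporter - [0:0]" as a rule, exactly the two rows grep shows above; with FIXED_CHAIN_RE only one declaration is emitted.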

Hey There
It looks like this is the first issue you've filed against the chef-cookbooks project. I'm here to offer you a bit of extra help to make sure we can quickly get back to you.
Make sure you've filled out all the fields in our issue template. Make sure you've provided us with the version of chef-client you're running, your operating system and the version of the cookbook. If you're not using the most up to date version of the cookbook then please make sure to update first. Lots of things change between versions even if your issue isn't listed in the changelog. Finally please give us a detailed description of the issue you're having. The more we know about what you're trying to do, what actually happens, and how you can reproduce the problem, the better.

If you're looking for more immediate troubleshooting help make sure to check out #general on the Chef Community Slack. There's plenty of folks there willing to lend a helping hand. Thanks for the first issue. We hope we can get back to you soon with a solution.

Hi,

I am closing this as it relates to an old version of the cookbook which has since been fundamentally changed. If you still have the issue with the latest version, please could you open a new issue.

Thanks