
Removing firewall_rule from recipe does not remove ipv6 rule from kernel #180

Open
nvwls opened this issue Oct 9, 2017 · 1 comment
Labels
Priority: Medium Will bring visible benefit to the project

Comments

@nvwls

nvwls commented Oct 9, 2017

Cookbook version

2.6.2

Chef-client version

12.21.4

Platform Details

centos-7

Scenario:

Removing firewall_rule does remove the rules from /etc/sysconfig/firewalld-chef.rules, but the ipv6 rule still exists in the kernel.

Steps to Reproduce:

Given the following recipe:

firewall 'default'

firewall_rule 'ssh' do
  port     22
  command  :allow
end

firewall_rule 'http' do
  port     80
  protocol :tcp
  position 1
  command   :allow
end if true

Gives expected output:

[root@b1e2a0648e2f /]# cat /etc/sysconfig/firewalld-chef.rules
# position 1
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -p tcp -m tcp -m multiport --dports 80 -m comment --comment 'http' -j ACCEPT
firewall-cmd --direct --add-rule ipv6 filter INPUT 1 -p tcp -m tcp -m multiport --dports 80 -m comment --comment 'http' -j ACCEPT
# position 50
firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT
firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT
[root@b1e2a0648e2f /]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -p tcp -m tcp -m multiport --dports 80 -m comment --comment http -j ACCEPT
ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh -j ACCEPT
ipv6 filter INPUT 1 -p tcp -m tcp -m multiport --dports 80 -m comment --comment http -j ACCEPT
ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh -j ACCEPT

Now if I remove the firewall_rule 'http' resource from the recipe and run chef-client, the rules are removed from the file:

[root@b1e2a0648e2f /]# cat /etc/sysconfig/firewalld-chef.rules
# position 50
firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT
firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT

However the ipv6 rule still exists in the kernel:

[root@b1e2a0648e2f /]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh -j ACCEPT
ipv6 filter INPUT 1 -p tcp -m tcp -m multiport --dports 80 -m comment --comment http -j ACCEPT
ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh -j ACCEPT
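The drift described above (a rule dropped from the cookbook-managed file while firewalld still has it loaded) can be checked from the two artifacts the report already shows. The following is an added example, not code from the firewall cookbook: it parses /etc/sysconfig/firewalld-chef.rules and the output of `firewall-cmd --direct --get-all-rules`, reports rules that are loaded but no longer managed, grouped by address family, and builds the matching `--remove-rule` commands as strings. The function names and the embedded sample inputs (taken from the second chef-client run in the report) are the example's own.

```ruby
# Added example, not part of the chef-cookbooks/firewall code base.
# Compares the cookbook-managed rules file against the rules firewalld has loaded.

# Normalize one rule to "family table chain priority args...": the rules file
# quotes --comment values ('http'), --get-all-rules prints them bare (http),
# so strip the quotes and collapse spacing before comparing.
def normalize_rule(rule)
  rule.strip.gsub(/'([^']*)'/, '\1').squeeze(' ')
end

# Rules the cookbook wants: non-comment lines of firewalld-chef.rules with the
# "firewall-cmd --direct --add-rule " prefix removed.
def rules_from_file(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| normalize_rule(l.sub(/\Afirewall-cmd\s+--direct\s+--add-rule\s+/, '')) }
end

# Rules the kernel has: one per line of `firewall-cmd --direct --get-all-rules`.
def rules_from_kernel(text)
  text.each_line.map(&:strip).reject(&:empty?).map { |l| normalize_rule(l) }
end

# Loaded rules that the managed file no longer lists, keyed by family
# ("ipv4" / "ipv6"), which is the first token of every direct rule.
def stale_rules(file_text, kernel_text)
  wanted = rules_from_file(file_text)
  (rules_from_kernel(kernel_text) - wanted).group_by { |r| r.split(' ', 2).first }
end

# Remediation commands for the stale rules. Strings only; nothing is executed here.
def removal_commands(stale)
  stale.values.flatten.map { |r| "firewall-cmd --direct --remove-rule #{r}" }
end

# Constructed sample input: the managed file after 'http' was removed from the recipe.
RULES_FILE = <<~RULES
  # position 50
  firewall-cmd --direct --add-rule ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT
  firewall-cmd --direct --add-rule ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment 'ssh' -j ACCEPT
RULES

# Constructed sample input: what firewalld still reports loaded after that run.
KERNEL_RULES = <<~RULES
  ipv4 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh -j ACCEPT
  ipv6 filter INPUT 1 -p tcp -m tcp -m multiport --dports 80 -m comment --comment http -j ACCEPT
  ipv6 filter INPUT 50 -p tcp -m tcp -m multiport --dports 22 -m comment --comment ssh -j ACCEPT
RULES

if __FILE__ == $PROGRAM_NAME
  stale = stale_rules(RULES_FILE, KERNEL_RULES)
  stale.each { |family, rules| puts "#{family}: #{rules.size} stale rule(s)" }
  puts removal_commands(stale)
end
```

Run against the real files by reading /etc/sysconfig/firewalld-chef.rules and the captured `--get-all-rules` output instead of the constants; an empty hash from `stale_rules` means the kernel matches what the cookbook manages, and a non-empty "ipv6" entry is exactly the symptom reported here.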
@martinb3 martinb3 added Priority: Medium Will bring visible benefit to the project Type: Feature Request labels Oct 10, 2017
@martinb3
Contributor

Please note that we've got an issue open for IPv6 support #86. We know this isn't built out yet.

In this particular case, it looks like we're probably missing the flush for ipv6 in https://github.com/chef-cookbooks/firewall/blob/master/libraries/helpers_firewalld.rb#L37-L44.
