allow ip6tables to be disabled #694

Merged
merged 2 commits into from
Sep 26, 2017

Conversation

knackaron
Contributor

Many hardened systems have IPv6 disabled, which does not allow ip6tables to be running. Allow ip6tables to be selectively disabled in these cases.

Errors when IPv6 is disabled:

Error: Could not start Service[ip6tables]: Execution of '/usr/bin/systemctl start ip6tables' returned 1: Job for ip6tables.service failed because the control process exited with error code. See "systemctl status ip6tables.service" and "journalctl -xe" for details.
Error: /Stage[main]/Firewall::Linux::Redhat/Service[ip6tables]/ensure: change from stopped to running failed: Could not start Service[ip6tables]: Execution of '/usr/bin/systemctl start ip6tables' returned 1: Job for ip6tables.service failed because the control process exited with error code. See "systemctl status ip6tables.service" and "journalctl -xe" for details.

● ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2017-04-07 01:36:45 UTC; 25min ago
Process: 10257 ExecStart=/usr/libexec/iptables/ip6tables.init start (code=exited, status=1/FAILURE)
Main PID: 10257 (code=exited, status=1/FAILURE)

Apr 07 01:36:45 el7-1.example.com systemd[1]: Starting IPv6 firewall with ip6tables...
Apr 07 01:36:45 el7-1.example.com ip6tables.init[10257]: ip6tables: Applying firewall rules: ip6tab...r'
Apr 07 01:36:45 el7-1.example.com ip6tables.init[10257]: Error occurred at line: 4
Apr 07 01:36:45 el7-1.example.com ip6tables.init[10257]: Try `ip6tables-restore -h' or 'ip6tables-r...n.
Apr 07 01:36:45 el7-1.example.com ip6tables.init[10257]: [FAILED]
Apr 07 01:36:45 el7-1.example.com systemd[1]: ip6tables.service: main process exited, code=exited,...URE
Apr 07 01:36:45 el7-1.example.com systemd[1]: Failed to start IPv6 firewall with ip6tables.
Apr 07 01:36:45 el7-1.example.com systemd[1]: Unit ip6tables.service entered failed state.
Apr 07 01:36:45 el7-1.example.com systemd[1]: ip6tables.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

$enable = true,
$enable_v6 = true,
Contributor

To remain backwards-compatible, $ensure_v6 and $enable_v6 have to default to the values of $ensure and $enable. Unfortunately this means the silly pattern of undef and then pick() to an underscore value: https://github.com/puppetlabs/puppetlabs-tomcat/blob/master/manifests/instance.pp#L49

@knackaron
Contributor Author

@hunner I applied the pick() pattern to init.pp, linux.pp, and linux/redhat.pp, as I did not see any of those classes marked as private, so I want to ensure correct behavior throughout. Unit tests pass and also validated in a test environment on EL7 hosts.

It has been observed on systems that the "systemctl is-active" check can return non-zero status when checking the status of iptables and ip6tables at the same time. This causes idempotency issues when ip6tables is disabled.

systemd should not be blindly reloaded if there are units not active. It should only be reloaded if the unit files on disk change. This only occurs at package installation time, so the Exec resource should only be refreshed if the package changes.

There are no other resources in this module that manipulate the unit files other than the Package resource.
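The two patterns discussed in this thread, the undef-then-pick() defaults for the v6 parameters raised in review and the package-triggered systemd reload with a separate status check per unit from the second commit, shown together as an added illustration that is not the puppetlabs-firewall module's own code. The class name, the `iptables-services` package name and the exec title are assumptions, and pick() is assumed to be available from puppetlabs-stdlib.

```puppet
# Added example, not the module's code. The v6 parameters default to undef and
# are resolved with pick(), so they inherit the v4 values unless a hardened host
# with IPv6 disabled sets ensure_v6 => 'stopped', enable_v6 => false.
# Class, package and exec names are assumptions for this example.
class firewall_example::redhat (
  Enum['running', 'stopped']           $ensure    = 'running',
  Boolean                              $enable    = true,
  Optional[Enum['running', 'stopped']] $ensure_v6 = undef,
  Optional[Boolean]                    $enable_v6 = undef,
) {
  # undef-then-pick(): an unset v6 parameter falls back to the v4 value.
  # pick() (puppetlabs-stdlib) keeps boolean false, so enable_v6 => false works.
  $_ensure_v6 = pick($ensure_v6, $ensure)
  $_enable_v6 = pick($enable_v6, $enable)

  # The package is the only resource that writes unit files to disk, so
  # systemd is reloaded only when it changes (refreshonly + subscribe).
  package { 'iptables-services':   # assumed EL7 package name
    ensure => installed,
  }

  exec { 'firewall_example::redhat::systemd-reload':
    command     => 'systemctl daemon-reload',
    path        => ['/usr/bin', '/bin'],
    refreshonly => true,
    subscribe   => Package['iptables-services'],
  }

  # One "is-active" check per unit: a stopped ip6tables can no longer make the
  # iptables status check return non-zero and churn on every run.
  service { 'iptables':
    ensure  => $ensure,
    enable  => $enable,
    status  => 'systemctl is-active iptables',
    require => Exec['firewall_example::redhat::systemd-reload'],
  }

  service { 'ip6tables':
    ensure  => $_ensure_v6,
    enable  => $_enable_v6,
    status  => 'systemctl is-active ip6tables',
    require => Exec['firewall_example::redhat::systemd-reload'],
  }
}
```

Declaring the class with no v6 parameters behaves exactly as before (ip6tables follows iptables), which is the backwards-compatibility requirement from the review comment.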
@mears148

We definitely need this ability to disable iptablesv6 in our production environment...any timetable as to when a new build will be released with this added functionality?

@mears148

mears148 commented Jun 8, 2017

Bump

@h0tw1r3

h0tw1r3 commented Jun 27, 2017

Is there something wrong with this? I have been periodically checking activity on this ticket for 2+ months. We're currently using a fork in our environment because of this bug.

@mears148

mears148 commented Jun 28, 2017 via email

@knackaron
Contributor Author

@hunner Anything holding up this getting merged? I've had this in production for a few months and it looks like some others have validated the need for it too.

@tphoney tphoney merged commit 2ddfc4a into puppetlabs:master Sep 26, 2017
@tphoney
Contributor

tphoney commented Sep 26, 2017

Many thanks for the PR and for your patience. There is always too much going on 😄
