search

puppetlabs / puppetlabs-firewall

Puppet Firewall Module
http://forge.puppetlabs.com/puppetlabs/firewall
Apache License 2.0
271 stars 455 forks source link

Permanent drift ("correction") when running "puppet agent -tv" #1231

Open sahaqaa opened 4 weeks ago

sahaqaa commented 4 weeks ago

Describe the Bug

Permanent drift ("correction") when running "puppet agent -tv"

Expected Behavior

No permanent drift ("correction") should be happening when running "puppet agent -tv"

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'

Environment

$ puppetserver --version
puppetserver version: 7.9.5

// On client node:
$ puppet --version
7.32.1

mod 'puppetlabs-firewall', '8.0.3'

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:    22.04
Codename:   jammy

$ uname -a
Linux myhostname.local 6.2.0-1016-aws #16~22.04.1-Ubuntu SMP Sun Nov  5 20:08:16 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Additional Context

I have permanent drift ("corrective" actions applied) for IPtables rule. Code example:

  firewall { '999 drop all unknown tcp rsyslog':
    ensure   => 'present',
    protocol => 'iptables',
    chain    => 'INPUT',
    proto    => 'tcp',
    source   => '0.0.0.0/0',
    dport    => ['20514:20516'],
    jump     => 'drop',
  }

When i run "iptables-save" i see next:

# Generated by iptables-save v1.8.7 on Tue Aug 20 11:21:17 2024
*filter
:INPUT ACCEPT [2163984655:124490745956]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11519292341:11241169407864]
........................
-A INPUT -p tcp -m multiport --dports 20514:20516 -m comment --comment "999 drop all unknown tcp rsyslog" -j DROP
COMMIT
# Completed on Tue Aug 20 11:21:17 2024

Then i run "puppet agent -tv":

$ puppet agent -tv
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from puppet7.local:8140 (10.7.155.5)
Info: Caching catalog for myhostname.local
Info: Applying configuration version '1724152921'
Notice: /Stage[main]/Sink_forward/Firewall[999 drop all unknown tcp rsyslog]/source: source changed  to '0.0.0.0/0' (corrective)
Notice: firewall[999 drop all unknown tcp rsyslog]: Updating: Updating Rule '999 drop all unknown tcp rsyslog' with {:name=>"999 drop all unknown tcp rsyslog", :ensure=>"present", :protocol=>"iptables", :chain=>"INPUT", :source=>nil, :proto=>"tcp", :dport=>["20514:20516"], :jump=>"DROP", :table=>"filter"}
Notice: firewall[999 drop all unknown tcp rsyslog]: Updating: Ensuring changes to '999 drop all unknown tcp rsyslog' persist
Notice: firewall[999 drop all unknown tcp rsyslog]: Updating: Finished in 0.076291 seconds
Notice: Applied catalog in 49.85 seconds

But after this "corrective" action IPtable rule is still the same:

-A INPUT -p tcp -m multiport --dports 20514:20516 -m comment --comment "999 drop all unknown tcp rsyslog" -j DROP

I tried to delete it via:

iptables -L INPUT --line-numbers
.......
242  DROP       tcp  --  anywhere             anywhere             multiport dports 20514:20516 /* 999 drop all unknown tcp rsyslog */

iptables -D INPUT 242

Then i run again "puppet agent -tv":

$ puppet agent -tv
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from puppet7.local:8140 (10.7.155.5)
Info: Caching catalog for myhostname.local
Info: Applying configuration version '1724153234'
Notice: /Stage[main]/Sink_forward/Firewall[999 drop all unknown tcp rsyslog]/ensure: defined 'ensure' as 'present' (corrective)
Notice: firewall[999 drop all unknown tcp rsyslog]: Creating: Creating Rule '999 drop all unknown tcp rsyslog' with {:name=>"999 drop all unknown tcp rsyslog", :ensure=>"present", :protocol=>"iptables", :chain=>"INPUT", :source=>nil, :proto=>"tcp", :dport=>["20514:20516"], :jump=>"DROP", :table=>"filter"}
Notice: firewall[999 drop all unknown tcp rsyslog]: Creating: Ensuring changes to '999 drop all unknown tcp rsyslog' persist
Notice: firewall[999 drop all unknown tcp rsyslog]: Creating: Finished in 0.081846 seconds
Notice: Applied catalog in 48.72 seconds

But in the end IPtable rule is the same:

-A INPUT -p tcp -m multiport --dports 20514:20516 -m comment --comment "999 drop all unknown tcp rsyslog" -j DROP

And every time Puppet agent runs in PuppetBoard we see "drift".

sahaqaa commented 4 weeks ago

image

For the record: it happens on approx 20 client nodes where this same profile is applied.