salt-formulas / salt-formula-iptables


Declarations of multiple chains and meta file #17

Open slaws opened 6 years ago

slaws commented 6 years ago

Hello,

I noticed a strange behavior when declaring multiple chains and using meta file.

What is the problem?

Here is a small example:

/srv/pillar/test.sls

iptables:
  service:
    enabled: True
    chain:
      OUTPUT:
        rules: []
      INPUT:
        rules:
          - destination_port: 9100
            protocol: tcp
            jump: ACCEPT
            comment: 'node-exporter (pillar)'

grafana:
  _support:
    iptables:
      enabled: yes

/srv/salt/grafana/meta/iptables.yml

iptables:
  rules:
    - destination_port: 3000
      protocol: tcp
      jump: ACCEPT
      comment: 'grafana (with meta)'

Results in:

# salt node1 state.apply iptables test=true
node1:
  Name: iptables - Function: pkg.installed - Result: Clean Started: - 10:10:56.349170 Duration: 362.273 ms
  Name: iptables-persistent - Function: pkg.installed - Result: Clean Started: - 10:10:56.711719 Duration: 7.202 ms
  Name: OUTPUT - Function: iptables.chain_present - Result: Clean Started: - 10:10:56.719254 Duration: 13.56 ms
  Name: iptables_OUTPUT_grafana_1 - Function: iptables.append - Result: Clean Started: - 10:10:56.733486 Duration: 75.048 ms
  Name: INPUT - Function: iptables.chain_present - Result: Clean Started: - 10:10:56.809077 Duration: 10.868 ms
  Name: iptables_INPUT_grafana_1 - Function: iptables.append - Result: Clean Started: - 10:10:56.820566 Duration: 74.02 ms
  Name: iptables_INPUT_1 - Function: iptables.append - Result: Clean Started: - 10:10:56.895104 Duration: 77.362 ms
  Name: netfilter-persistent - Function: service.running - Result: Clean Started: - 10:10:56.974084 Duration: 44.72 ms

Summary for node1
------------
Succeeded: 8
Failed:    0
------------
Total states run:     8
Total run time: 665.053 ms

Notice the iptables_OUTPUT_grafana_1 rule.

What was expected?

Only one rule to accept input traffic for grafana in the INPUT chain, instead of the 2 rules generated (one for each declared chain).

Workaround

Patching rules.sls with this code seems to enable "per chain" rule declaration.

# diff rules.sls rules-patched.sls 
59,60c59,60
< {%-   if grains_yaml.get('iptables',{}).rules is defined %}
< {%-     for rule in grains_yaml.iptables.rules %}
---
> {%-   if grains_yaml.get('iptables',{}).get(chain_name,{}).rules is defined %}
> {%-     for rule in grains_yaml.iptables.get(chain_name,{}).rules %}
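Review bot: the replacement condition on the first `>` line only looks up `grains_yaml.iptables.<chain_name>.rules`, so a meta file that still uses the current top-level `iptables.rules` layout (as in the original `/srv/salt/grafana/meta/iptables.yml` above) matches nothing and silently renders no rules for any chain; if the per-chain layout is adopted, keep a fallback to the legacy key (check `get(chain_name,{}).rules` first and otherwise use `rules`) so existing meta files keep working, and document that legacy-style rules still get appended to every declared chain.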

/srv/salt/grafana/meta/iptables.yml would become:

iptables:
  INPUT:
    rules:
      - destination_port: 3000
        protocol: tcp
        jump: ACCEPT
        comment: 'grafana (with meta)'

Results

# salt node1 state.apply iptables test=true
node1:
  Name: iptables - Function: pkg.installed - Result: Clean Started: - 10:29:55.844792 Duration: 350.878 ms
  Name: iptables-persistent - Function: pkg.installed - Result: Clean Started: - 10:29:56.196009 Duration: 5.796 ms
  Name: OUTPUT - Function: iptables.chain_present - Result: Clean Started: - 10:29:56.202099 Duration: 12.601 ms
  Name: INPUT - Function: iptables.chain_present - Result: Clean Started: - 10:29:56.215313 Duration: 11.549 ms
  Name: iptables_INPUT_grafana_1 - Function: iptables.append - Result: Clean Started: - 10:29:56.227526 Duration: 77.731 ms
  Name: iptables_INPUT_1 - Function: iptables.append - Result: Clean Started: - 10:29:56.305717 Duration: 72.927 ms
  Name: netfilter-persistent - Function: service.running - Result: Clean Started: - 10:29:56.380496 Duration: 53.673 ms

Summary for node1
------------
Succeeded: 7
Failed:    0
------------
Total states run:     7
Total run time: 585.155 ms

However this would break the current behavior.

Is there a way to achieve this without modifying this module?
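The rendering behaviour described in this issue, as an added example that is not part of the original post or of salt-formula-iptables: a small Python model of the loop in `rules.sls`, showing which `iptables.append` state IDs come out of the original lookup (meta `rules` applied to every declared chain), of the patched per-chain lookup (legacy meta files render nothing), and of a backward-compatible merge that prefers a per-chain block and falls back to the legacy key. The pillar and meta data are constructed from the issue text; the function names, the `mode` argument and the "compatible" merge are assumptions for illustration, not the formula's own code.

```python
# Added example modelling how rules.sls combines pillar chain rules with
# per-service meta rules. Not the project's code; the function names and
# the 'compatible' lookup mode are assumptions made for this illustration.

# Constructed pillar, mirroring /srv/pillar/test.sls from the issue.
PILLAR_CHAINS = {
    "OUTPUT": {"rules": []},
    "INPUT": {"rules": [
        {"destination_port": 9100, "protocol": "tcp", "jump": "ACCEPT",
         "comment": "node-exporter (pillar)"},
    ]},
}

# Constructed meta files keyed by service name (what the formula reads from
# <service>/meta/iptables.yml for each service with _support.iptables enabled).
META_LEGACY = {  # current layout: top-level 'rules', no chain name
    "grafana": {"rules": [
        {"destination_port": 3000, "protocol": "tcp", "jump": "ACCEPT",
         "comment": "grafana (with meta)"},
    ]},
}
META_PER_CHAIN = {  # layout proposed in the workaround
    "grafana": {"INPUT": {"rules": [
        {"destination_port": 3000, "protocol": "tcp", "jump": "ACCEPT",
         "comment": "grafana (with meta)"},
    ]}},
}


def meta_rules_for_chain(meta, chain_name, mode):
    """Return the meta rules that apply to chain_name under a lookup mode.

    'legacy'     : original rules.sls lines, uses iptables.rules for every chain
    'per_chain'  : the patched lines, uses iptables.<chain>.rules only
    'compatible' : per-chain block if present, else the legacy key (assumed merge)
    """
    if mode == "legacy":
        return meta.get("rules", [])
    if mode == "per_chain":
        return meta.get(chain_name, {}).get("rules", [])
    if mode == "compatible":
        chain_block = meta.get(chain_name)
        if chain_block is not None and "rules" in chain_block:
            return chain_block["rules"]
        return meta.get("rules", [])
    raise ValueError(f"unknown lookup mode: {mode}")


def render_state_ids(pillar_chains, meta_by_service, mode):
    """Return the iptables.append state IDs the loop would emit, in order.

    Naming follows the state output quoted in the issue:
    iptables_<chain>_<service>_<n> for meta rules, iptables_<chain>_<n> for
    pillar rules, with meta rules emitted before the chain's own pillar rules.
    """
    ids = []
    for chain_name, chain in pillar_chains.items():
        for service, meta in meta_by_service.items():
            rules = meta_rules_for_chain(meta, chain_name, mode)
            for n, _rule in enumerate(rules, start=1):
                ids.append(f"iptables_{chain_name}_{service}_{n}")
        for n, _rule in enumerate(chain.get("rules", []), start=1):
            ids.append(f"iptables_{chain_name}_{n}")
    return ids


if __name__ == "__main__":
    for label, meta, mode in [
        ("original template, legacy meta", META_LEGACY, "legacy"),
        ("patched template, per-chain meta", META_PER_CHAIN, "per_chain"),
        ("patched template, legacy meta (rules lost)", META_LEGACY, "per_chain"),
        ("compatible merge, legacy meta", META_LEGACY, "compatible"),
        ("compatible merge, per-chain meta", META_PER_CHAIN, "compatible"),
    ]:
        print(f"{label}: {render_state_ids(PILLAR_CHAINS, meta, mode)}")
```

The third case is the one worth checking before shipping the patch: with the per-chain lookup alone, every service whose meta file still uses the top-level `rules` key stops generating any firewall state without an error, so the "compatible" mode keeps old meta files working while letting a service restrict its rules to a single chain.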