sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

ipv6_enabled attribute ignored by iptables #153

Closed salovan closed 8 years ago

salovan commented 8 years ago

Cookbook version

2.5.2

Chef-client version

12.15.19

Platform Details

CentOS 5.11

Scenario:

Manage iptables via Firewall cookbook with IPv6 disabled on the host.

Steps to Reproduce:

1. Create a new CentOS VM.
2. Edit /etc/modprobe.conf and add the following lines to disable ipv6:

   ```
   alias ipv6 off
   options ipv6 disable=1
   ```

3. In the recipe implementing the firewall config, set the ipv6_enabled attribute to false. From the attribute file: `override['firewall']['ipv6_enabled'] = false`
4. Set the recipe to modify iptables.
5. Run chef-client on the client.

Expected Result:

I expect a clean run the same as I get with IPv6 enabled.

Actual Result:

The IPv6 code runs anyway causing the recipe to fail when ip6tables can't load due to missing kernel modules. Here are the errors:

```text
  * yum_package[iptables-ipv6] action install (up to date)
  * file[create empty /etc/sysconfig/iptables] action create (skipped due to not_if)
  * service[iptables] action enable (up to date)
  * service[iptables] action start (up to date)
  * file[create empty /etc/sysconfig/ip6tables] action create (skipped due to not_if)
  * service[ip6tables] action enable (up to date)
  * service[ip6tables] action start

       ================================================================================
       Error executing action `start` on resource 'service[ip6tables]'
       ================================================================================

       Mixlib::ShellOut::ShellCommandFailed
       ------------------------------------
       Expected process to exit with [0], but received '1'
       ---- Begin output of /sbin/service ip6tables start ----
       STDOUT: Unloading ip6tables modules: [  OK  ]
       Applying ip6tables firewall rules: [FAILED]
       STDERR: ip6tables-restore v1.3.5: ip6tables-restore: unable to initializetable 'filter'

       Error occurred at line: 2
       Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
       ---- End output of /sbin/service ip6tables start ----
       Ran /sbin/service ip6tables start returned 1

       Resource Declaration:
       ---------------------
       # In /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb

        52:           service svc do
        53:             action [:enable, :start]
        54:           end
        55:         end

       Compiled Resource:
       ------------------
       # Declared in /tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb:52:in `block (3 levels) in <class:FirewallIptables>'

       service("ip6tables") do
         action [:enable, :start]
         supports {:restart=>nil, :reload=>nil, :status=>nil}
         retries 0
         retry_delay 2
         default_guard_interpreter :default
         service_name "ip6tables"
         enabled true
         pattern "ip6tables"
         declared_type :service
         cookbook_name "ETS_Roles"
       end

       Platform:
       ---------
       x86_64-linux

   Running handlers:
   [2016-10-20T23:59:45+00:00] ERROR: Running exception handlers
   Running handlers complete
   [2016-10-20T23:59:45+00:00] ERROR: Exception handlers complete
   Chef Client failed. 4 resources updated in 06 seconds
   [2016-10-20T23:59:45+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
   [2016-10-20T23:59:45+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
   [2016-10-20T23:59:45+00:00] FATAL: Mixlib::ShellOut::ShellCommandFailed: service[ip6tables] (/tmp/kitchen/cache/cookbooks/firewall/libraries/provider_firewall_iptables.rb line 52) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
   ---- Begin output of /sbin/service ip6tables start ----
   STDOUT: Unloading ip6tables modules: [  OK  ]
   Applying ip6tables firewall rules: [FAILED]
   STDERR: ip6tables-restore v1.3.5: ip6tables-restore: unable to initializetable 'filter'

   Error occurred at line: 2
   Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
   ---- End output of /sbin/service ip6tables start ----
   Ran /sbin/service ip6tables start returned 1
```

martinb3 commented 8 years ago

Hi there -- I can't seem to reproduce this. You mention that you 'Set the recipe to modify iptables.' -- I'm not sure what you mean by that. Are you using a recipe as well somewhere, beyond firewall::default?

Specifically, I only get `* yum_package[iptables] action install (up to date)` -- I don't see `yum_package[iptables-ipv6] action install (up to date)` anywhere. If you had a recipe or something I could clone down, I'd be glad to do so.

Also, I'd note that CentOS 5.x is on the verge of being unsupported, as newer VirtualBox doesn't seem to support the kernel for it anymore. This is going to significantly hamstring me from troubleshooting this.

salovan commented 8 years ago

I agree with the problem of supporting the aging CentOS 5.x systems. Unfortunately, I inherited a bunch of them and need to stabilize them long enough to upgrade/replace them. I'm still hac

I just didn't include the initial output from the client run. Here's the output from above the error:

```text
Recipe: ETS_Roles::Linux_Baseline
  * firewall[default] action install
    - install iptables and enable/start services
  * yum_package[iptables] action install (up to date)
  * yum_package[iptables-ipv6] action install (up to date)
  * file[create empty /etc/sysconfig/iptables] action create (skipped due to not_if)
  * service[iptables] action enable (up to date)
  * service[iptables] action start (up to date)
  * file[create empty /etc/sysconfig/ip6tables] action create (skipped due to not_if)
  * service[ip6tables] action enable (up to date)
  * service[ip6tables] action start
```

As you can see, there is the confirmation of the installation of iptables-ipv6 and the service launch triggering the error.

This should help reproduce the issue:

From the cookbook's attribute file:

```ruby
override['firewall']['allow_ssh'] = false
override['firewall']['ipv6_enabled'] = false
override['firewall']['firewalld']['permanent'] = true
default['ETS_Roles']['openPorts'] = []
```

From the recipe file:

```ruby
node.default['ETS_Roles']['openPorts'].push(80)
node.default['ETS_Roles']['openPorts'].push(443)

firewall 'default' do
    enabled true
end

# Allow loopback traffic
firewall_rule "Allow loopback" do
    command :allow
    interface "lo"
    protocol :none
end

# Allow DNS traffic
firewall_rule "udp DNS" do
    command :allow
    protocol :udp
    source_port 53
end

# Allow established sessions
firewall_rule "Allow established TCP" do
    protocol :none
    command :allow
    stateful [:related, :established]
end

# Setup default firewall rules
if not node['ETS_Roles']['openPorts'].empty?
    ports = node['ETS_Roles']['openPorts']
    firewall_rule "open any ports #{ports}" do
        command :allow
        port ports
        protocol :tcp
    end
end
```

salovan commented 8 years ago

As a followup, the behavior looks to be the same testing on CentOS 6.x (kitchen testing version 6.8). Despite setting override['firewall']['ipv6_enabled'] = false when it comes time to write the firewall rules and launch iptables, the IPv6 versions are included. If I disable IPv6 in the kernel, I get the same failure mode.

martinb3 commented 8 years ago

Okay, so I think I see what's happening. In firewall::default, we're doing this:

```ruby
firewall 'default' do
  ipv6_enabled node['firewall']['ipv6_enabled']
  action :install
end
```

That's the only place where node['firewall']['ipv6_enabled'] matters. If you're using the firewall resource directly, you need to set the ipv6_enabled attribute directly.

When you do the following, you're not disabling ipv6:

```ruby
firewall 'default' do
    enabled true
end
```

Node attributes only affect the firewall::default recipe; they don't reach into the resources and providers and set values.
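
To make that distinction concrete, here is an added Ruby model of how a resource property gets its value; it is not the cookbook's code, and `NODE`, `FirewallResource`, the `firewall` shim and `services_for` are constructed for this illustration only.

```ruby
# Added illustration (not from the firewall cookbook): why setting
# node['firewall']['ipv6_enabled'] alone does not stop ip6tables from being
# managed when the firewall resource is used directly.

# Constructed node attributes, mirroring the reporter's attribute file.
NODE = { 'firewall' => { 'ipv6_enabled' => false } }.freeze

# Stand-in for the firewall resource: the property has its own default and
# nothing in the resource reads node attributes (assumption of this model).
class FirewallResource
  attr_reader :name

  def initialize(name)
    @name = name
    @ipv6_enabled = true # property default; node attributes never reach here
  end

  # Chef-style property accessor: call with a value to set, without to read.
  def ipv6_enabled(value = nil)
    @ipv6_enabled = value unless value.nil?
    @ipv6_enabled
  end
end

# Minimal DSL shim so the recipe snippets below read like Chef recipes.
def firewall(name, &block)
  resource = FirewallResource.new(name)
  resource.instance_eval(&block) if block
  resource
end

# What a provider would manage for a given resource: ip6tables only when
# the resource property (not the node attribute) says IPv6 is enabled.
def services_for(resource)
  resource.ipv6_enabled ? %w[iptables ip6tables] : %w[iptables]
end

# The reporter's recipe: the node attribute is set, but never passed in,
# so the property keeps its default and ip6tables is still managed.
def recipe_as_reported
  firewall('default') {}
end

# Corrected recipe: pass the node attribute into the resource property,
# which is exactly what firewall::default does.
def recipe_corrected(node = NODE)
  firewall('default') { ipv6_enabled node['firewall']['ipv6_enabled'] }
end
```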

salovan commented 8 years ago

Excellent. Thanks for the clarification.