Page MenuHomePhabricator
Create Task
Maniphest T313825

Add requestctl support to ferm
Closed, ResolvedPublic
Actions

Description

Currently hosts with an external IP addresses use the data block stored in the old private repo abuse_nets key. we should update the logic so that they can generate there list of definitions directly from etcd with a plan to completely drop the abuse_nets block from hiera/private repo

Details

Show related patches Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 OpenNoneT305580 requestctl v1 improvements
 ResolvedjbondT313825 Add requestctl support to ferm
 ResolvedjbondT315305 Ferm unloads all iptables rules when it hits a parsing error

Event Timeline

jbond created this task.Jul 26 2022, 4:23 PM
gerritbot added a comment.Jul 26 2022, 4:28 PM

Change 817307 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] P:base::firewall: Add requestctl definitions to ferm

https://gerrit.wikimedia.org/r/817307

gerritbot added a project: Patch-For-Review.Jul 26 2022, 4:28 PM
jbond triaged this task as Medium priority.Jul 26 2022, 4:50 PM
gerritbot added a comment.Aug 10 2022, 10:30 AM

Change 817307 merged by Jbond:

[operations/puppet@production] P:base::firewall: Add requestctl definitions to ferm

https://gerrit.wikimedia.org/r/817307

Maintenance_bot removed a project: Patch-For-Review.Aug 10 2022, 11:30 AM
gerritbot added a comment.Aug 10 2022, 2:32 PM

Change 822091 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] P:firewall: fix template errors

https://gerrit.wikimedia.org/r/822091

gerritbot added a project: Patch-For-Review.Aug 10 2022, 2:32 PM
gerritbot added a comment.Aug 10 2022, 2:38 PM

Change 822091 merged by Jbond:

[operations/puppet@production] P:firewall: fix template errors

https://gerrit.wikimedia.org/r/822091

Maintenance_bot removed a project: Patch-For-Review.Aug 10 2022, 3:30 PM
gerritbot added a comment.Aug 10 2022, 3:38 PM

Change 822106 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] P:sretest: test behaviour of empty define

https://gerrit.wikimedia.org/r/822106

gerritbot added a project: Patch-For-Review.Aug 10 2022, 3:38 PM
gerritbot added a comment.Aug 10 2022, 4:12 PM

Change 822106 merged by Jbond:

[operations/puppet@production] P:sretest: test behaviour of empty define

https://gerrit.wikimedia.org/r/822106

Maintenance_bot removed a project: Patch-For-Review.Aug 10 2022, 4:31 PM
gerritbot added a comment.Aug 10 2022, 5:59 PM

Change 822125 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] P:base::firewall: use either etc or abuse_nets

https://gerrit.wikimedia.org/r/822125

gerritbot added a project: Patch-For-Review.Aug 10 2022, 5:59 PM
gerritbot added a comment.Aug 11 2022, 9:56 AM

Change 822125 merged by Jbond:

[operations/puppet@production] P:base::firewall: use either etc or abuse_nets

https://gerrit.wikimedia.org/r/822125

Maintenance_bot removed a project: Patch-For-Review.Aug 11 2022, 10:30 AM
gerritbot added a comment.Aug 11 2022, 10:37 AM

Change 822340 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] O:sretest: enable confd based abuse filter on sretest

https://gerrit.wikimedia.org/r/822340

gerritbot added a project: Patch-For-Review.Aug 11 2022, 10:37 AM
gerritbot added a comment.Aug 11 2022, 10:50 AM

Change 822340 merged by Jbond:

[operations/puppet@production] O:sretest: enable confd based abuse filter on sretest

https://gerrit.wikimedia.org/r/822340

gerritbot added a comment.Aug 11 2022, 11:20 AM

Change 822361 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] C:ferm: allow useres to read config files, needed for nrpe

https://gerrit.wikimedia.org/r/822361

gerritbot added a comment.Aug 11 2022, 2:08 PM

Change 822361 merged by Jbond:

[operations/puppet@production] C:ferm: allow useres to read config files, needed for nrpe

https://gerrit.wikimedia.org/r/822361

jhathaway added a subscriber: jhathaway.Aug 15 2022, 6:27 PM

In my brief testing it appears that ferm is happy to accept bogus IPs and try to load them in with iptables, leaving the box with no rules at all. @jbond how confident are we that etcd will never have bogus data?

gerritbot added a comment.Aug 16 2022, 10:43 AM

Change 823608 had a related patch set uploaded (by Jbond; author: jbond):

[operations/software/conftool@master] reqconfig: add ip validation for ipblocks

https://gerrit.wikimedia.org/r/823608

jbond added a comment.Aug 16 2022, 12:05 PM

In my brief testing it appears that ferm is happy to accept bogus IPs

indeed and this also affects the ferm::rule resource. i.e. a typo in a ferm::rule could cause the entire firewall rule to de dropped. We do at least get an icinga alert for this as it puts the ferm status in a bad state.

Looking at the output from the ferm systemd unit it seems like it tries to fall back to using iptables-restore if there is an error however this also fails
twork `foobar' not found
Aug 16 12:00:03 sretest1001 ferm[24432]: Error occurred at line: 27
Aug 16 12:00:03 sretest1001 ferm[24432]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Aug 16 12:00:03 sretest1001 ferm[24432]: Failed to run /sbin/iptables-restore
Aug 16 12:00:03 sretest1001 ferm[24432]: ip6tables-restore v1.8.2 (nf_tables): host/network `foobar' not found
Aug 16 12:00:03 sretest1001 ferm[24432]: Error occurred at line: 21
Aug 16 12:00:03 sretest1001 ferm[24432]: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Aug 16 12:00:03 sretest1001 ferm[24432]: Failed to run /sbin/ip6tables-restore
Aug 16 12:00:03 sretest1001 ferm[24432]: Firewall rules rolled back.
Aug 16 12:00:03 sretest1001 ferm[24432]:  failed!

Ill create a separate task to track this issue as its a bit more generic.

how confident are we that etcd will never have bogus data?

As far as i can tell we dont do any validation, i have created a PS and will speak with joe to see if we can get it added so we validate the date before adding it to confd

gerritbot added a comment.Aug 16 2022, 12:19 PM

Change 823616 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] P:base::firewall: use reload instead of restart

https://gerrit.wikimedia.org/r/823616

jbond added a comment.Aug 16 2022, 12:21 PM

In my brief testing it appears that ferm is happy to accept bogus IPs

Worth noting that if you use systemd reload ferm instead of restart then it at least leaves iptables with the last none good set of rules. if have corrected the confd::file resource to use reload instead of restart

gerritbot added a comment.Aug 16 2022, 12:24 PM

Change 823616 merged by Jbond:

[operations/puppet@production] P:base::firewall: use reload instead of restart

https://gerrit.wikimedia.org/r/823616

jhathaway added a comment.Aug 16 2022, 1:59 PM

how confident are we that etcd will never have bogus data?

As far as i can tell we dont do any validation, i have created a PS and will speak with joe to see if we can get it added so we validate the date before adding it to confd

great, thanks!

jhathaway added a comment.Aug 16 2022, 1:59 PM
In T313825#8157069, @jbond wrote:

In my brief testing it appears that ferm is happy to accept bogus IPs

Worth noting that if you use systemd reload ferm instead of restart then it at least leaves iptables with the last none good set of rules. if have corrected the confd::file resource to use reload instead of restart

very nice, that seems like much saner behavior.

jbond closed subtask T315305: Ferm unloads all iptables rules when it hits a parsing error as Resolved.Sep 29 2022, 9:50 AM
gerritbot added a comment.Oct 6 2022, 12:07 PM

Change 823608 merged by jenkins-bot:

[operations/software/conftool@master] reqconfig: add ip validation for ipblocks

https://gerrit.wikimedia.org/r/823608

jbond mentioned this in rOSCTf877ff05ff61: reqconfig: add ip validation for ipblocks.Oct 6 2022, 12:09 PM
gerritbot added a comment.Jan 26 2023, 11:48 AM

Change 883878 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/dns@master] wikimedia.org: add cond SRV records

https://gerrit.wikimedia.org/r/883878

gerritbot added a comment.Jan 26 2023, 11:54 AM

Change 883878 merged by Jbond:

[operations/dns@master] wikimedia.org: add cond SRV records

https://gerrit.wikimedia.org/r/883878

gerritbot added a comment.Jan 26 2023, 12:16 PM

Change 883888 had a related patch set uploaded (by Jbond; author: Jbond):

[operations/puppet@production] firewall: Add requestctl support to ferm globaly

https://gerrit.wikimedia.org/r/883888

gerritbot added a comment.Jan 26 2023, 2:11 PM

Change 883888 merged by Jbond:

[operations/puppet@production] firewall: Add requestctl support to ferm globaly

https://gerrit.wikimedia.org/r/883888

gerritbot added a comment.Jan 26 2023, 2:24 PM

Change 883891 had a related patch set uploaded (by Jbond; author: Jbond):

[operations/puppet@production] firewall: Add requestctl support to ferm globaly

https://gerrit.wikimedia.org/r/883891

gerritbot added a comment.Jan 26 2023, 3:15 PM

Change 883891 merged by Jbond:

[operations/puppet@production] firewall: Add requestctl support to ferm globaly

https://gerrit.wikimedia.org/r/883891

gerritbot added a comment.Jan 26 2023, 3:18 PM

Change 883893 had a related patch set uploaded (by Jbond; author: Jbond):

[operations/puppet@production] firewall: Add requestctl support to ferm globaly

https://gerrit.wikimedia.org/r/883893

gerritbot added a comment.Jan 26 2023, 3:40 PM

Change 883973 had a related patch set uploaded (by Jbond; author: John Bond):

[operations/puppet@production] confd::file: allow to specify fully qualified prefix

https://gerrit.wikimedia.org/r/883973

gerritbot added a comment.Jan 26 2023, 3:49 PM

Change 883973 merged by Jbond:

[operations/puppet@production] confd::file: allow to specify fully qualified prefix

https://gerrit.wikimedia.org/r/883973

gerritbot added a comment.Jan 26 2023, 3:51 PM

Change 883893 merged by Jbond:

[operations/puppet@production] firewall: Add requestctl support to ferm globaly

https://gerrit.wikimedia.org/r/883893

Maintenance_bot removed a project: Patch-For-Review.Jan 26 2023, 4:31 PM
jbond closed this task as Resolved.Jan 27 2023, 12:23 PM
jbond claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL