
Ferm unloads all iptables rules when it hits a parsing error
Closed, Resolved (Public)

Description

While investigating a different issue it was noticed that ferm will unload the entire iptables rule base if there is some error in the ferm rules. To reproduce this we can add the following file under /etc/ferm/conf.d:

10_syntax_error
domain (ip ip6) {
        table filter {
                chain INPUT {
                        saddr (foobar) ACCEPT;
                }
        }
}

Restart ferm with sudo systemctl restart ferm and we see the following output in systemd:

Aug 16 12:11:14 sretest1001 systemd[1]: Stopping ferm firewall configuration...
Aug 16 12:11:14 sretest1001 ferm[26769]: Stopping Firewall: ferm.
Aug 16 12:11:14 sretest1001 systemd[1]: ferm.service: Succeeded.
Aug 16 12:11:14 sretest1001 systemd[1]: Stopped ferm firewall configuration.
Aug 16 12:11:14 sretest1001 systemd[1]: Starting ferm firewall configuration...
Aug 16 12:11:15 sretest1001 ferm[26779]: Starting Firewall: fermiptables-restore v1.8.2 (nf_tables): host/network `foobar' not found
Aug 16 12:11:15 sretest1001 ferm[26779]: Error occurred at line: 34
Aug 16 12:11:15 sretest1001 ferm[26779]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Aug 16 12:11:15 sretest1001 ferm[26779]: Failed to run /sbin/iptables-restore
Aug 16 12:11:15 sretest1001 ferm[26779]: ip6tables-restore v1.8.2 (nf_tables): host/network `foobar' not found
Aug 16 12:11:15 sretest1001 ferm[26779]: Error occurred at line: 28
Aug 16 12:11:15 sretest1001 ferm[26779]: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Aug 16 12:11:15 sretest1001 ferm[26779]: Failed to run /sbin/ip6tables-restore
Aug 16 12:11:15 sretest1001 ferm[26779]: Firewall rules rolled back.
Aug 16 12:11:15 sretest1001 ferm[26779]:  failed!
Aug 16 12:11:15 sretest1001 systemd[1]: ferm.service: Main process exited, code=exited, status=1/FAILURE
Aug 16 12:11:15 sretest1001 systemd[1]: ferm.service: Failed with result 'exit-code'.
Aug 16 12:11:15 sretest1001 systemd[1]: Failed to start ferm firewall configuration.

Further checking with iptables -nL shows an empty rule base:

$ sudo iptables -nL                                                             
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (0 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target     prot opt source               destination         

Chain DOCKER-USER (0 references)
target     prot opt source               destination       
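The listing above (every built-in chain at policy ACCEPT with no rules) is the state a host check should alert on after a failed ferm reload. The following is an added example, not code from this task or from ferm: it parses iptables -nL output from stdin and exits non-zero when the rule base looks unloaded. The two listings embedded in it are constructed, the first mirroring the output shown in this task.

```shell
# Parse `iptables -nL` from stdin and report the failure mode from this task:
# built-in chains left at policy ACCEPT with no rules after a failed reload.
# Prints one line per empty ACCEPT chain; exits 1 when every built-in chain
# is empty (rule base unloaded), 0 otherwise.
check_empty_ruleset() {
    awk '
        # "Chain INPUT (policy ACCEPT)" opens a built-in chain; user-defined
        # chains read "(N references)" and their entries are skipped.
        /^Chain / {
            chain = ""
            if ($3 == "(policy") {
                chain = $2; policy = $4; sub(/\)$/, "", policy)
                builtin[chain] = policy; rules[chain] = 0
            }
            next
        }
        /^target +prot/ { next }        # column header, not a rule
        /^[ \t]*$/ { next }             # blank separator line
        chain != "" { rules[chain]++ }  # anything else is a rule entry
        END {
            for (c in builtin) {
                total++
                if (rules[c] == 0 && builtin[c] == "ACCEPT") {
                    empty++; printf "%s: policy ACCEPT with 0 rules\n", c
                }
            }
            exit (total > 0 && empty == total)   # 1 = unloaded, 0 = ok
        }'
}

# Constructed listing mirroring the flushed state shown in this task.
unloaded_listing() {
    printf '%s\n' 'Chain INPUT (policy ACCEPT)' 'target     prot opt source   destination' '' \
        'Chain FORWARD (policy ACCEPT)' 'target     prot opt source   destination' '' \
        'Chain OUTPUT (policy ACCEPT)' 'target     prot opt source   destination' '' \
        'Chain DOCKER-USER (0 references)' 'target     prot opt source   destination'
}

# Constructed listing of a host whose ferm rules loaded correctly.
loaded_listing() {
    printf '%s\n' 'Chain INPUT (policy DROP)' 'target     prot opt source   destination' \
        'ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22' '' \
        'Chain FORWARD (policy DROP)' 'target     prot opt source   destination' '' \
        'Chain OUTPUT (policy ACCEPT)' 'target     prot opt source   destination'
}

unloaded_listing | check_empty_ruleset || echo "ALERT: iptables rule base appears unloaded"
```

On a real host, replace the constructed listing with `iptables -nL | check_empty_ruleset` (and the same for ip6tables) in a periodic check so a flushed firewall is noticed rather than left at ACCEPT.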

Related Objects

Status     Subtype   Assigned   Task
Open                 None
Resolved             jbond
Resolved             jbond

Event Timeline

Change 823621 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] C:ferm: update ferm to use restart-or-reload instead of restart

https://gerrit.wikimedia.org/r/823621

jbond triaged this task as Medium priority. Aug 16 2022, 2:01 PM

Change 823621 merged by Jbond:

[operations/puppet@production] C:ferm: update ferm to use restart-or-reload instead of restart

https://gerrit.wikimedia.org/r/823621

I think with the merge of 823621 this can be closed; please re-open if you still see issues.

jbond claimed this task.