Page MenuHomePhabricator
Create Task
Maniphest T336497

Add support for nftables in profile::firewall
Closed, ResolvedPublic
Actions

Description

Currently the vast majority of our servers operate per-host packet filter rules which are managed via Ferm which uses the iptables support in the Linux kernel.

This task covers adding support for nftables by

  • providing the equivalent rules of what is currently shipped by the base::firewall base classes (default policies, access to monitoring/bastions etc)
  • if a role uses nftables ferm::service equivalent nft definitions (only roles using ferm::rules would need to provide equivalent rules)

This allows for a pilot setup with a few rules (and eventually migrate roles piece by piece as applicable).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
firewall: move conntrack logic to firewall moduleoperations/puppetproduction+26 -28
cloudgw: Don't override conntrack settings from firewall profileoperations/puppetproduction+2 -1
firewall: Also move the sysctl under the manage_nf_conntrack conditionaloperations/puppetproduction+5 -6
cloudgw: Remove profile::openstack::base::cloudgw::firewall_profileoperations/puppetproduction+5 -29
Switch main cloudgw hosts to profile::firewalloperations/puppetproduction+3 -2
clouwgw: Update ordering for the variant using profile::firewalloperations/puppetproduction+12 -2
Switch cloudgw/codfw1dev to profile::firewalloperations/puppetproduction+4 -2
firewall: Add explicit check for provider == 'none'operations/puppetproduction+10 -8
firewall: Also support Stdlib::Port::Unprivileged in Ferm::Portoperations/puppetproduction+3 -0
firewall: Default provider to noneoperations/puppetproduction+1 -1
Add profile::firewall::provider: none for roles where P:firewall is not appliedoperations/puppetproduction+16 -0
firewall::service: Handle the use of the define on systems w/o P:firewalloperations/puppetproduction+42 -36
conntrackd: Add explicit checkoperations/puppetproduction+6 -1
conntrackd: Switch to ensure_packages()operations/puppetproduction+1 -8
Add initial support to move cloudgw to profile::firewall using the nft provideroperations/puppetproduction+14 -4
firewall::service: Fix logic error in passing srange/drange to nftablesoperations/puppetproduction+2 -2
nftables sets: Fix the template to properly wrap the element blockoperations/puppetproduction+1 -1
nftables::sets: Don't add elements if no addresses are passedoperations/puppetproduction+2 -0
nftables::set: Align names with the resource title and nftables::inputoperations/puppetproduction+6 -6
ferm: Move more files under the service check conditionaloperations/puppetproduction+46 -44
Pass down the ensure to the requestctl settingsoperations/puppetproduction+2 -2
Use a single ensure for managing the nftables stateoperations/puppetproduction+7 -9
Adapt transition code for ferm -> nftablesoperations/puppetproduction+8 -2
firewall::service Check for presence of srange/drange in the nftables pathoperations/puppetproduction+2 -16
nft base sets: Read additional host groups from Hieraoperations/puppetproduction+26 -14
ferm: add ensure support to the ferm classoperations/puppetproduction+26 -16
Add some ferm->nft migration steps to the firewall classoperations/puppetproduction+40 -1
Fix use of more than one src/dst setsoperations/puppetproduction+6 -4
ferm: add ensure support to the ferm classoperations/puppetproduction+40 -32
firewall: add conntrack require on the active firewalloperations/puppetproduction+19 -13
firewall::service: Replace whitespace in resource title with underscoresoperations/puppetproduction+4 -1
Adapt monitoring/metrics rules for nft and ferm providersoperations/puppetproduction+27 -13
firewall::service: Create an nftables::service when using the nft provideroperations/puppetproduction+20 -0
Make nftables::service types more compatibleoperations/puppetproduction+12 -3
Convert the monitoring/prometheus ferm rules to a firewall::serviceoperations/puppetproduction+8 -9
Make firewall logging conditional on ferm and rename the profileoperations/puppetproduction+4 -4
Add additional sets for monitoring/prometheus hostsoperations/puppetproduction+17 -1
firewall: Add SSH rules in firewall-agnostic formoperations/puppetproduction+6 -6
Add a nftables::file::service define to install a custom nftables input ruleoperations/puppetproduction+18 -0
firewall::service/firewall::client: Fix function name for dump_params()operations/puppetproduction+2 -2
firewall::service: Use correct type for port rangeoperations/puppetproduction+11 -11
Extend the firewall::service shim with checks for legacy syntaxoperations/puppetproduction+36 -9
firewall: Ship a base profile for the nftables provideroperations/puppetproduction+33 -1
firewall: Ship a base profile for the nftables provideroperations/puppetproduction+32 -0
firewall: Make more Ferm-specific setup conditional to the ferm provideroperations/puppetproduction+28 -27
Add base nftables sets which are equivalent to the main Ferm macrosoperations/puppetproduction+138 -5
graphite: Pass port without Ferm-specific syntaxoperations/puppetproduction+1 -1
ferm::service: Fix handling of multiple portsoperations/puppetproduction+3 -2
configmaster: add support to proxy the puppet sha1 filesoperations/puppetproduction+21 -16
Move Ferm::Protocol to wmflib (as generic Wmflib::Protocol)operations/puppetproduction+5 -5
Rename Ferm::Hosts type to Wmflib::Firewall::Hosts and move to wmfliboperations/puppetproduction+18 -18
nftables: spec: introduce service testsoperations/puppetproduction+585 -51
Add a type to the protocol used in a Ferm serviceoperations/puppetproduction+13 -4
Move nftables/ferm types to wmfliboperations/puppetproduction+0 -0
Add a new nftables::service defineoperations/puppetproduction+117 -0
nftables: Also write out empty sets if no ipv4 or ipv6 addresses are presentoperations/puppetproduction+24 -28
ferm: Allow passing sets to an srange or drangeoperations/puppetproduction+46 -8
Add missing types to ferm::serviceoperations/puppetproduction+3 -3
Switch all uses priority of ferm::service to numeric valuesoperations/puppetproduction+8 -8
ferm::service: Fix sprintf to pad zerosoperations/puppetproduction+1 -1
Use sprintf() to build the config fileoperations/puppetproduction+1 -1
ferm: Allow passing the port in a more structured wayoperations/puppetproduction+46 -7
Add a define to declare an nftables set in Puppetoperations/puppetproduction+148 -0
Create additional nftables directoriesoperations/puppetproduction+15 -1
Show related patches Customize query in gerrit

Related Objects

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a project: Patch-For-Review.Aug 21 2023, 12:40 PM
gerritbot added a comment.Aug 21 2023, 1:15 PM

Change 951123 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add a nftables::file::service define to install a custom nftables input rule

https://gerrit.wikimedia.org/r/951123

gerritbot added a comment.Aug 21 2023, 2:51 PM

Change 951135 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service: Use correct type for port range

https://gerrit.wikimedia.org/r/951135

gerritbot added a comment.Aug 22 2023, 7:21 AM

Change 951135 merged by Muehlenhoff:

[operations/puppet@production] firewall::service: Use correct type for port range

https://gerrit.wikimedia.org/r/951135

gerritbot added a comment.Aug 22 2023, 8:43 AM

Change 951432 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service/firewall::client: Fix function name for dump_params()

https://gerrit.wikimedia.org/r/951432

gerritbot added a comment.Aug 22 2023, 10:20 AM

Change 951432 merged by Muehlenhoff:

[operations/puppet@production] firewall::service/firewall::client: Fix function name for dump_params()

https://gerrit.wikimedia.org/r/951432

gerritbot added a comment.Aug 22 2023, 11:43 AM

Change 951123 merged by Muehlenhoff:

[operations/puppet@production] Add a nftables::file::service define to install a custom nftables input rule

https://gerrit.wikimedia.org/r/951123

gerritbot added a comment.Aug 22 2023, 12:05 PM

Change 951459 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add additional sets for monitoring/prometheus hosts

https://gerrit.wikimedia.org/r/951459

gerritbot added a comment.Aug 22 2023, 2:12 PM

Change 951118 merged by Muehlenhoff:

[operations/puppet@production] firewall: Add SSH rules in firewall-agnostic form

https://gerrit.wikimedia.org/r/951118

gerritbot added a comment.Aug 22 2023, 2:20 PM

Change 951459 merged by Muehlenhoff:

[operations/puppet@production] Add additional sets for monitoring/prometheus hosts

https://gerrit.wikimedia.org/r/951459

Maintenance_bot removed a project: Patch-For-Review.Aug 22 2023, 2:30 PM
gerritbot added a comment.Aug 22 2023, 2:33 PM

Change 951512 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Adapt monitoring/metrics rules for nft and ferm providers

https://gerrit.wikimedia.org/r/951512

gerritbot added a project: Patch-For-Review.Aug 22 2023, 2:33 PM
gerritbot added a comment.Aug 23 2023, 7:40 AM

Change 951828 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Make firewall logging conditional on ferm and rename the profile

https://gerrit.wikimedia.org/r/951828

gerritbot added a comment.Aug 23 2023, 8:02 AM

Change 951830 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Convert the monitoring/prometheus ferm rules to a firewall::service

https://gerrit.wikimedia.org/r/951830

gerritbot added a comment.Aug 23 2023, 9:41 AM

Change 951889 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Make nftables::service types more compatible

https://gerrit.wikimedia.org/r/951889

gerritbot added a comment.Aug 23 2023, 10:41 AM

Change 951828 merged by Muehlenhoff:

[operations/puppet@production] Make firewall logging conditional on ferm and rename the profile

https://gerrit.wikimedia.org/r/951828

gerritbot added a comment.Aug 23 2023, 1:30 PM

Change 951922 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service: Replace whitespace in resource title with underscores

https://gerrit.wikimedia.org/r/951922

gerritbot added a comment.Aug 24 2023, 7:43 AM

Change 952051 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service: Create an nftables::service when using the nft provider

https://gerrit.wikimedia.org/r/952051

gerritbot added a comment.Aug 24 2023, 8:37 AM

Change 951830 merged by Muehlenhoff:

[operations/puppet@production] Convert the monitoring/prometheus ferm rules to a firewall::service

https://gerrit.wikimedia.org/r/951830

gerritbot added a comment.Aug 24 2023, 11:54 AM

Change 951889 merged by Muehlenhoff:

[operations/puppet@production] Make nftables::service types more compatible

https://gerrit.wikimedia.org/r/951889

gerritbot added a comment.Aug 24 2023, 1:39 PM

Change 952051 merged by Muehlenhoff:

[operations/puppet@production] firewall::service: Create an nftables::service when using the nft provider

https://gerrit.wikimedia.org/r/952051

gerritbot added a comment.Aug 24 2023, 1:42 PM

Change 951512 abandoned by Muehlenhoff:

[operations/puppet@production] Adapt monitoring/metrics rules for nft and ferm providers

Reason:

Different patch was merged

https://gerrit.wikimedia.org/r/951512

gerritbot added a comment.Aug 24 2023, 2:41 PM

Change 951922 merged by Muehlenhoff:

[operations/puppet@production] firewall::service: Replace whitespace in resource title with underscores

https://gerrit.wikimedia.org/r/951922

Maintenance_bot removed a project: Patch-For-Review.Aug 24 2023, 3:10 PM
gerritbot added a comment.Aug 28 2023, 1:50 PM

Change 952862 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add some ferm->nft migration steps to the firewall class

https://gerrit.wikimedia.org/r/952862

gerritbot added a project: Patch-For-Review.Aug 28 2023, 1:50 PM
gerritbot added a comment.Aug 28 2023, 4:08 PM

Change 952889 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] ferm: add ensure support to the ferm class

https://gerrit.wikimedia.org/r/952889

gerritbot added a comment.Aug 29 2023, 2:38 PM

Change 953276 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] firewall: move contrac logic to firewall module

https://gerrit.wikimedia.org/r/953276

gerritbot added a comment.Aug 30 2023, 1:02 PM

Change 953610 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] firewall: add conntrack require on the active firewall

https://gerrit.wikimedia.org/r/953610

gerritbot added a comment.Aug 31 2023, 9:25 AM

Change 953276 abandoned by Jbond:

[operations/puppet@production] firewall: move conntrack logic to firewall module

Reason:

https://gerrit.wikimedia.org/r/953276

gerritbot added a comment.Aug 31 2023, 9:25 AM

Change 953610 abandoned by Jbond:

[operations/puppet@production] firewall: add conntrack require on the active firewall

Reason:

https://gerrit.wikimedia.org/r/953610

gerritbot added a comment.Aug 31 2023, 11:49 AM

Change 952889 merged by Jbond:

[operations/puppet@production] ferm: add ensure support to the ferm class

https://gerrit.wikimedia.org/r/952889

gerritbot added a comment.Aug 31 2023, 12:51 PM

Change 953654 had a related patch set uploaded (by Jbond; author: Jbond):

[operations/puppet@production] ferm: add ensure support to the ferm class

https://gerrit.wikimedia.org/r/953654

gerritbot added a comment.Sep 4 2023, 10:29 AM

Change 954612 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Fix use of more than one src/dst sets

https://gerrit.wikimedia.org/r/954612

gerritbot added a comment.Sep 4 2023, 12:31 PM

Change 954612 merged by Muehlenhoff:

[operations/puppet@production] Fix use of more than one src/dst sets

https://gerrit.wikimedia.org/r/954612

gerritbot added a comment.Sep 6 2023, 5:46 AM

Change 952862 abandoned by Muehlenhoff:

[operations/puppet@production] Add some ferm->nft migration steps to the firewall class

Reason:

Obsoleted by 953654

https://gerrit.wikimedia.org/r/952862

gerritbot added a comment.Sep 6 2023, 8:59 AM

Change 953654 merged by Muehlenhoff:

[operations/puppet@production] ferm: add ensure support to the ferm class

https://gerrit.wikimedia.org/r/953654

Maintenance_bot removed a project: Patch-For-Review.Sep 6 2023, 9:10 AM
gerritbot added a comment.Sep 6 2023, 9:37 AM

Change 955297 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] nft base sets: Read additional host groups from Hiera

https://gerrit.wikimedia.org/r/955297

gerritbot added a project: Patch-For-Review.Sep 6 2023, 9:37 AM
gerritbot added a comment.Sep 6 2023, 10:37 AM

Change 955308 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service Check for presence of srange/drange in the nftables path

https://gerrit.wikimedia.org/r/955308

gerritbot added a comment.Sep 6 2023, 2:16 PM

Change 955297 merged by Muehlenhoff:

[operations/puppet@production] nft base sets: Read additional host groups from Hiera

https://gerrit.wikimedia.org/r/955297

gerritbot added a comment.Sep 6 2023, 2:56 PM

Change 955308 merged by Jbond:

[operations/puppet@production] firewall::service Check for presence of srange/drange in the nftables path

https://gerrit.wikimedia.org/r/955308

gerritbot added a comment.Sep 7 2023, 3:36 PM

Change 955774 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Adapt transition code for ferm -> nftables

https://gerrit.wikimedia.org/r/955774

gerritbot added a comment.Sep 7 2023, 4:07 PM

Change 955779 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Use a single ensure for managing the nftables state

https://gerrit.wikimedia.org/r/955779

gerritbot added a comment.Sep 8 2023, 6:30 AM

Change 955774 merged by Muehlenhoff:

[operations/puppet@production] Adapt transition code for ferm -> nftables

https://gerrit.wikimedia.org/r/955774

gerritbot added a comment.Sep 8 2023, 6:51 AM

Change 955865 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Pass down the ensure to the requestctl settings

https://gerrit.wikimedia.org/r/955865

gerritbot added a comment.Sep 11 2023, 6:51 AM

Change 955779 merged by Muehlenhoff:

[operations/puppet@production] Use a single ensure for managing the nftables state

https://gerrit.wikimedia.org/r/955779

gerritbot added a comment.Sep 11 2023, 6:57 AM

Change 955865 merged by Muehlenhoff:

[operations/puppet@production] Pass down the ensure to the requestctl settings

https://gerrit.wikimedia.org/r/955865

gerritbot added a comment.Sep 11 2023, 11:43 AM

Change 956410 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] ferm: Move more files under the service check conditional

https://gerrit.wikimedia.org/r/956410

gerritbot added a comment.Sep 11 2023, 3:21 PM

Change 956410 merged by Muehlenhoff:

[operations/puppet@production] ferm: Move more files under the service check conditional

https://gerrit.wikimedia.org/r/956410

gerritbot added a comment.Sep 12 2023, 9:11 AM

Change 956797 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] nftables::set: Align names with the resource title and nftables::input

https://gerrit.wikimedia.org/r/956797

gerritbot added a comment.Sep 12 2023, 11:59 AM

Change 956797 merged by Muehlenhoff:

[operations/puppet@production] nftables::set: Align names with the resource title and nftables::input

https://gerrit.wikimedia.org/r/956797

gerritbot added a comment.Sep 12 2023, 12:34 PM

Change 956869 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] nftables::sets: Don't add elements if no addresses are passed

https://gerrit.wikimedia.org/r/956869

gerritbot added a comment.Sep 13 2023, 12:47 PM

Change 956869 merged by Muehlenhoff:

[operations/puppet@production] nftables::sets: Don't add elements if no addresses are passed

https://gerrit.wikimedia.org/r/956869

gerritbot added a comment.Sep 13 2023, 1:51 PM

Change 957297 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] nftables sets: Fix the template to properly wrap the element block

https://gerrit.wikimedia.org/r/957297

gerritbot added a comment.Sep 13 2023, 2:23 PM

Change 957297 merged by Muehlenhoff:

[operations/puppet@production] nftables sets: Fix the template to properly wrap the element block

https://gerrit.wikimedia.org/r/957297

Maintenance_bot removed a project: Patch-For-Review.Sep 13 2023, 2:30 PM
gerritbot added a comment.Sep 13 2023, 3:25 PM

Change 957313 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service: Fix logic error in passing srange/drange to nftables

https://gerrit.wikimedia.org/r/957313

gerritbot added a project: Patch-For-Review.Sep 13 2023, 3:25 PM
gerritbot added a comment.Sep 14 2023, 12:25 PM

Change 957313 merged by Muehlenhoff:

[operations/puppet@production] firewall::service: Fix logic error in passing srange/drange to nftables

https://gerrit.wikimedia.org/r/957313

gerritbot added a comment.Sep 18 2023, 1:39 PM

Change 958480 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add initial support to move cloudgw to profile::firewall using the nft provider

https://gerrit.wikimedia.org/r/958480

gerritbot added a comment.Sep 19 2023, 10:40 AM

Change 958480 merged by Muehlenhoff:

[operations/puppet@production] Add initial support to move cloudgw to profile::firewall using the nft provider

https://gerrit.wikimedia.org/r/958480

gerritbot added a comment.Sep 19 2023, 10:57 AM

Change 958905 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch cloudgw/codfw1dev to profile::firewall

https://gerrit.wikimedia.org/r/958905

gerritbot added a comment.Sep 19 2023, 11:31 AM

Change 958913 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] conntrackd: Switch to ensure_packages()

https://gerrit.wikimedia.org/r/958913

gerritbot added a comment.Sep 19 2023, 11:38 AM

Change 958913 merged by Muehlenhoff:

[operations/puppet@production] conntrackd: Switch to ensure_packages()

https://gerrit.wikimedia.org/r/958913

gerritbot added a comment.Sep 19 2023, 12:09 PM

Change 958918 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] conntrackd: Add explicit check

https://gerrit.wikimedia.org/r/958918

gerritbot added a comment.Sep 20 2023, 10:16 AM

Change 958918 merged by Muehlenhoff:

[operations/puppet@production] conntrackd: Add explicit check

https://gerrit.wikimedia.org/r/958918

gerritbot added a comment.Sep 21 2023, 12:21 PM

Change 959730 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall::service: Handle the use of the define on systems w/o P:firewall

https://gerrit.wikimedia.org/r/959730

gerritbot added a comment.Sep 21 2023, 2:52 PM

Change 959759 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Add profile::firewall::provider: none for roles where P:firewall is not applied

https://gerrit.wikimedia.org/r/959759

gerritbot added a comment.Sep 21 2023, 3:14 PM

Change 959730 abandoned by Muehlenhoff:

[operations/puppet@production] firewall::service: Handle the use of the define on systems w/o P:firewall

Reason:

Needs different fix

https://gerrit.wikimedia.org/r/959730

gerritbot added a comment.Sep 22 2023, 8:34 AM

Change 959759 merged by Muehlenhoff:

[operations/puppet@production] Add profile::firewall::provider: none for roles where P:firewall is not applied

https://gerrit.wikimedia.org/r/959759

gerritbot added a comment.Sep 22 2023, 10:04 AM

Change 960011 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall: Default provider to none

https://gerrit.wikimedia.org/r/960011

gerritbot added a comment.Sep 22 2023, 12:08 PM

Change 960033 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall: Also support Stdlib::Port::Unprivileged in Ferm::Port

https://gerrit.wikimedia.org/r/960033

gerritbot added a comment.Sep 25 2023, 6:56 AM

Change 960011 merged by Muehlenhoff:

[operations/puppet@production] firewall: Default provider to none

https://gerrit.wikimedia.org/r/960011

gerritbot added a comment.Sep 26 2023, 10:26 AM

Change 960033 abandoned by Muehlenhoff:

[operations/puppet@production] firewall: Also support Stdlib::Port::Unprivileged in Ferm::Port

Reason:

Not needed

https://gerrit.wikimedia.org/r/960033

gerritbot added a comment.Sep 26 2023, 11:27 AM

Change 961081 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall: Add explicit check for provider == 'none'

https://gerrit.wikimedia.org/r/961081

gerritbot added a comment.Sep 26 2023, 1:31 PM

Change 961081 merged by Muehlenhoff:

[operations/puppet@production] firewall: Add explicit check for provider == 'none'

https://gerrit.wikimedia.org/r/961081

gerritbot added a comment.Sep 27 2023, 8:47 AM

Change 958905 merged by Muehlenhoff:

[operations/puppet@production] Switch cloudgw/codfw1dev to profile::firewall

https://gerrit.wikimedia.org/r/958905

gerritbot added a comment.Sep 27 2023, 9:07 AM

Change 961340 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] clouwgw: Update ordering for the variant using profile::firewall

https://gerrit.wikimedia.org/r/961340

gerritbot added a comment.Sep 27 2023, 9:14 AM

Change 961340 merged by Muehlenhoff:

[operations/puppet@production] clouwgw: Update ordering for the variant using profile::firewall

https://gerrit.wikimedia.org/r/961340

aborrero mentioned this in T347469: cloudgw improvements.Sep 27 2023, 10:30 AM
gerritbot added a comment.Sep 27 2023, 10:48 AM

Change 961360 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] Switch main cloudgw hosts to profile::firewall

https://gerrit.wikimedia.org/r/961360

gerritbot added a comment.Sep 27 2023, 11:17 AM

Change 961365 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] cloudgw: Remove profile::openstack::base::cloudgw::firewall_profile

https://gerrit.wikimedia.org/r/961365

gerritbot added a comment.Sep 27 2023, 12:05 PM

Change 961360 merged by Muehlenhoff:

[operations/puppet@production] Switch main cloudgw hosts to profile::firewall

https://gerrit.wikimedia.org/r/961360

gerritbot added a comment.Sep 27 2023, 12:22 PM

Change 961365 merged by Muehlenhoff:

[operations/puppet@production] cloudgw: Remove profile::openstack::base::cloudgw::firewall_profile

https://gerrit.wikimedia.org/r/961365

Maintenance_bot removed a project: Patch-For-Review.Sep 27 2023, 12:31 PM
gerritbot added a comment.Sep 27 2023, 12:57 PM

Change 961377 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] cloudgw: Don't override conntrack settings from firewall profile

https://gerrit.wikimedia.org/r/961377

gerritbot added a project: Patch-For-Review.Sep 27 2023, 12:57 PM
gerritbot added a comment.Sep 27 2023, 2:16 PM

Change 961400 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):

[operations/puppet@production] firewall: Also move the sysctl under the manage_nf_conntrack conditional

https://gerrit.wikimedia.org/r/961400

gerritbot added a comment.Sep 28 2023, 7:13 AM

Change 961400 merged by Muehlenhoff:

[operations/puppet@production] firewall: Also move the sysctl under the manage_nf_conntrack conditional

https://gerrit.wikimedia.org/r/961400

gerritbot added a comment.Sep 28 2023, 8:23 AM

Change 961377 merged by Muehlenhoff:

[operations/puppet@production] cloudgw: Don't override conntrack settings from firewall profile

https://gerrit.wikimedia.org/r/961377

ayounsi subscribed.Oct 9 2023, 7:14 AM

Small regression: iptables logs are written to disk in /var/log/ulogd/syslog.log to not flood the main syslog.log files. But nftables drop logs are back in /var/log/syslog

MoritzMuehlenhoff closed this task as Resolved.Oct 12 2023, 10:36 AM

The ganeti test cluster, cloudgw and the sretest hosts are using nftables. This completes the initial migration work, all further changes are coordinated using T348498 and sub tasks of it.

I've written a summary of the Puppet changes on wikitech: https://wikitech.wikimedia.org/wiki/Firewall

Maintenance_bot removed a project: Patch-For-Review.Oct 12 2023, 11:10 AM
ayounsi mentioned this in Blog Post: Ganeti on modern network design.Dec 14 2023, 4:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits