
nftables ignores drange filter for IPv6 if drange only has IPv4 addresses
Closed, Resolved · Public

Description

Consider the following code:

firewall::service { 'cloudlb-haproxy-wiki-replicas':
    proto    => 'tcp',
    port     => [3306],
    src_sets => ['CLOUD_NETWORKS'],
    drange   => ['192.0.2.11', '192.0.2.12', '192.0.2.13', '192.0.2.14', '192.0.2.15', '192.0.2.16', '192.0.2.17', '192.0.2.18', '192.0.2.21', '192.0.2.22', '192.0.2.23', '192.0.2.24', '192.0.2.25', '192.0.2.26', '192.0.2.27', '192.0.2.28'],
}

This seems to generate the following nftables config:

# Managed by puppet
# 
ip saddr @CLOUD_NETWORKS_ipv4 ip daddr { 192.0.2.11, 192.0.2.12, 192.0.2.13, 192.0.2.14, 192.0.2.15, 192.0.2.16, 192.0.2.17, 192.0.2.18, 192.0.2.21, 192.0.2.22, 192.0.2.23, 192.0.2.24, 192.0.2.25, 192.0.2.26, 192.0.2.27, 192.0.2.28 } tcp dport { 3306 } accept
ip6 saddr @CLOUD_NETWORKS_ipv6 tcp dport { 3306 } accept

The IPv4 rule looks correct. However, the IPv6 rule should not be there, right now it's incorrectly allowing v6 traffic to all addresses on port 3306.

Spotted via https://puppet-compiler.wmflabs.org/output/973761/434/
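To make the bug concrete, here is an added example (not the operations/puppet code and not the Gerrit change referenced below) that models the rule generation in Python. `nft_rules_before` reproduces the behaviour described in this task: one rule per address family is always emitted, and the `daddr` clause is only attached when that family actually has addresses in `drange`, so an IPv4-only `drange` yields an unrestricted `ip6` rule. `nft_rules_fixed` emits a rule for a family only when `drange` contains addresses of that family. The function names, the rule text layout, and the assumption that an empty `drange` still means "both families, no destination restriction" are mine, not the project's.

```python
import ipaddress
from typing import Iterable, List, Tuple


def _split_families(drange: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Classify each drange entry as IPv4 or IPv6.

    ipaddress.ip_network with strict=False accepts both bare addresses and
    CIDR prefixes, and raises ValueError on anything that is not an address,
    so a typo in a Puppet manifest fails loudly instead of silently widening
    the rule.
    """
    v4, v6 = [], []
    for entry in drange:
        net = ipaddress.ip_network(entry, strict=False)
        (v4 if net.version == 4 else v6).append(entry)
    return v4, v6


def _rule(family: str, src_set: str, proto: str, ports: Iterable[int],
          daddrs: List[str]) -> str:
    """Render one nftables rule in the layout the task shows for IPv4.

    family is "ip" or "ip6"; the source set is suffixed _ipv4/_ipv6 to mirror
    the generated config in the task description.
    """
    suffix = "ipv4" if family == "ip" else "ipv6"
    parts = [f"{family} saddr @{src_set}_{suffix}"]
    if daddrs:
        parts.append(f"{family} daddr {{ {', '.join(daddrs)} }}")
    parts.append(f"{proto} dport {{ {', '.join(str(p) for p in ports)} }}")
    parts.append("accept")
    return " ".join(parts)


def nft_rules_before(src_set: str, proto: str, ports: Iterable[int],
                     drange: Iterable[str]) -> List[str]:
    """Behaviour reported in the task: a rule for every family, unconditionally.

    When drange holds only IPv4 addresses the IPv6 rule has no daddr clause
    and therefore accepts traffic to every IPv6 destination on the port.
    """
    v4, v6 = _split_families(drange)
    ports = list(ports)
    return [_rule("ip", src_set, proto, ports, v4),
            _rule("ip6", src_set, proto, ports, v6)]


def nft_rules_fixed(src_set: str, proto: str, ports: Iterable[int],
                    drange: Iterable[str]) -> List[str]:
    """Only emit a family's rule when drange actually names that family.

    Assumption (not from the task): an empty drange means no destination
    restriction was requested, so both families are kept unrestricted.
    """
    drange = list(drange)
    ports = list(ports)
    if not drange:
        return [_rule("ip", src_set, proto, ports, []),
                _rule("ip6", src_set, proto, ports, [])]
    v4, v6 = _split_families(drange)
    rules = []
    if v4:
        rules.append(_rule("ip", src_set, proto, ports, v4))
    if v6:
        rules.append(_rule("ip6", src_set, proto, ports, v6))
    return rules


if __name__ == "__main__":
    # Constructed sample mirroring the task: IPv4-only drange from CLOUD_NETWORKS.
    sample = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print("before:")
    for r in nft_rules_before("CLOUD_NETWORKS", "tcp", [3306], sample):
        print("  " + r)
    print("fixed:")
    for r in nft_rules_fixed("CLOUD_NETWORKS", "tcp", [3306], sample):
        print("  " + r)
```

Running it prints the two-rule output from the task (with the bare `ip6 saddr ... accept` line) under "before" and a single IPv4 rule under "fixed". A useful check when reviewing generated nftables config is exactly this: any `ip6`/`ip` rule that carries a `saddr` set but no `daddr` clause while its sibling family does should be treated as suspicious.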

Event Timeline

Change 974176 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] nftables::service: Ensure we correctly check for ipv4 and ipv6 ips

https://gerrit.wikimedia.org/r/974176

> However, the IPv6 rule should not be there, right now it's incorrectly allowing v6 traffic to all addresses on port 3306.

It seems from some of the test cases that this may have been intentional. However, I agree with you that the current behaviour seems undesirable. I created a CR, let's see what @MoritzMuehlenhoff says.

Change 974176 merged by Jbond:

[operations/puppet@production] nftables::service: Ensure we correctly check for ipv4 and ipv6 ips

https://gerrit.wikimedia.org/r/974176

taavi assigned this task to jbond.