
Gets confused by empty /proc/net/ip_tables_names #27

Open
grifferz opened this issue Oct 28, 2019 · 5 comments

Comments

@grifferz

As of Debian 10 (buster), the iptables commands by default are linked to the iptables-nft equivalents.

It seems that these commands do not cause the iptable_filter and ip6_table_filter modules to be loaded when rules are added to the filter table, and probably not the other relevant modules for the other tables. Those modules are loaded in Debian 9 and prior, as soon as any rule is modified.

What then happens is that Ansible inserts the rules the first time, but then writes an empty save file to /etc/iptables/rules.v4 because it read in an empty /proc/net/ip_tables_names file and assumed there are no tables. Then at next boot of the target host the empty rule file is restored, Ansible never spots that anything has changed and life continues with an empty active ruleset.

I do not yet know if it is a bug in iptables-nft that it doesn't populate /proc/net/ip_tables_names.

I was able to force the proc files to be populated by manually loading the iptable_filter and ip6_table_filter modules (then putting a file in /etc/modules-load.d/ to make that permanent). Possibly I could instead revert to iptables-legacy.

From other issues I suspect you will take the view that this project only supports what is now called iptables-legacy. I file this issue mainly so that others are aware, since the iptables-nft command is meant to offer backwards compatibility yet this seems to be a regression in behaviour that affects this project.

@everlanes

I can confirm this behaviour. And it took me quite a while to figure out why it wasn't working, or rather how iptables_raw is meant to work. I was setting up a new Debian (buster) system and had no experience with this module before.

As far as I understand, Debian buster has changed to nftables completely and these kernel modules are no longer needed.

As there is no ansible nftables module yet (ansible/ansible#27229), an easy fix would be to change the default return value in Iptables._get_list_of_active_tables:

    def _get_list_of_active_tables(self):
        # /proc/net/ip_tables_names lists the xtables tables the kernel has loaded
        if os.path.isfile(self.iptables_names_file):
            with open(self.iptables_names_file, 'r') as names_file:
                table_names = names_file.read()
            return table_names.splitlines()
        else:
            # proposed change: fall back to all known tables instead of []
            return self.TABLES

@grifferz
Author

grifferz commented Nov 5, 2019

For now I switched back to iptables-legacy on my Debian 10 (buster) hosts.

@networkhell

Same issue on CentOS 8 with iptables v1.8.2 (nf_tables). The fix from @everlanes only partially fixes the issue. With the fix, rules are deployed correctly, but the iptables rules are not saved to /etc/sysconfig/iptables. I could not yet figure out why the rules are not saved to file.

@everlanes

I tried my solution again with a fresh installation and I have to admit, it wasn't working anymore. Previously it might have worked due to some changes I had made manually during testing.

I checked the following solution with another fresh installation of Debian buster and it worked for me:

    def _get_list_of_active_tables(self):
        if os.path.isfile(self.iptables_names_file):
            with open(self.iptables_names_file, 'r') as names_file:
                table_names = names_file.read()
            if table_names:
                # the kernel populated the file (iptables-legacy): use its list
                return table_names.splitlines()
            else:
                # file exists but is empty (iptables-nft): assume all tables
                return self.TABLES
        else:
            # no xtables support at all
            return []

It also preserved the iptables rules while rebooting.

But: I think this is kind of hackish. After all, we are dealing with the new filtering infrastructure nftables in the kernel. Trying to squeeze this module, which was developed for iptables, into this new situation does not feel right to me.

I see two clean solutions:

  1. Using the iptables-legacy mode that this module was made for, as @grifferz suggested.
     There is also the ansible alternatives module for activating the legacy mode, and this is working for me, too:

         - name: switch to iptables-legacy mode
           alternatives:
             name: "{{ item.key }}"
             path: "{{ item.value }}"
           with_dict:
             iptables: /usr/sbin/iptables-legacy
             ip6tables: /usr/sbin/ip6tables-legacy

  2. Developing a new ansible module for nftables.
     I haven't had a closer look into nftables yet, but I hope that it is easier to manage and to persist than iptables.

I will also stick with the first solution for now and hope for a nicer way with nftables in the future.

@networkhell

I just created a merge request to add "kind of" nftables compatibility to this module. Of course a native nftables module would be a cleaner solution but my fix will do for most people.

On systems using nftables as firewall backend, the nftables package and the nft command should be available to work. On systems using netfilter, the nft command must not be available.

I only tested it on CentOS 7 / 8 for now.

Please take a look at #30
