

logging missing firewall rules reason (Azure#3283)
* firewall logging

* ignore rule update

---------

Co-authored-by: Norberto Arrieta <[email protected]>
nagworld9 and narrieta authored Dec 28, 2024
1 parent 8ad3e96 commit b33dd04
Showing 4 changed files with 13 additions and 6 deletions.
7 changes: 6 additions & 1 deletion azurelinuxagent/ga/firewall_manager.py
Expand Up @@ -186,6 +186,7 @@ def _execute_delete_command(self, command):
def check(self):
missing_rules = []
existing_rules = []
missing_rules_reasons = []

for rule, command in self._get_commands(self._get_check_command_option()):
try:
Expand All @@ -194,14 +195,18 @@ def check(self):
except CommandError as e:
if e.returncode == 1: # rule does not exist
missing_rules.append(rule)
# Issue: Even though the drop rule exists, the agent perceives it as missing when checking all rules.
# This might occur because we mark the rule as missing due to the same error code being returned for other reasons.
# So logging the error message to understand the reason for the rule being marked as missing.
missing_rules_reasons.append(e.stderr)
else:
raise

if len(missing_rules) == 0: # all rules are present
return True

if len(existing_rules) > 0: # some rules are present, but not all
raise FirewallStateError("The following rules are missing: {0}".format(missing_rules))
raise FirewallStateError("The following rules are missing: {0} due to: {1}".format(missing_rules, missing_rules_reasons))

return False

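Review bot: `missing_rules_reasons.append(e.stderr)` stores only the raw stderr text, and the commit's own e2e sample shows that text can be empty (`due to: ['']`), so in exactly the case the comment above that line is trying to diagnose the warning may carry no reason at all; the other sample also shows the trailing newline from iptables ending up in the message. Recording the command and exit status next to the stripped stderr would make each entry self-contained, e.g. `missing_rules_reasons.append("{0}: rc={1} stderr={2!r}".format(command, e.returncode, e.stderr.strip()))`, assuming `e.stderr` is always a string as the samples suggest. Separately, the reasons are collected for every missing rule but only surfaced on the partial-state branch that raises `FirewallStateError`; on the `return False` path they are discarded, which may be intended since the caller recreates the rules from scratch, but is worth a comment. Keeping rule and reason in one list of pairs rather than two position-aligned lists would also make the message easier to read. The middle of `check` is collapsed between the two hunks on this page.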
2 changes: 1 addition & 1 deletion azurelinuxagent/ga/update.py
Expand Up @@ -1151,7 +1151,7 @@ def _initialize_firewall(wire_server_address):
firewall_manager.setup()
event.info(WALAEventOperation.Firewall, "Created firewall rules for Azure Fabric:\n{0}", firewall_manager.get_state())
except FirewallStateError as e:
event.warn(WALAEventOperation.Firewall, "The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): {0}", ustr(e))
event.warn(WALAEventOperation.Firewall, "The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): {0}. Current state:\n{1}", ustr(e), firewall_manager.get_state())

#
# Ensure firewall rules are persisted across reboots
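Review bot: The added `firewall_manager.get_state()` call on the `event.warn` line runs inside the `except FirewallStateError` handler; if `get_state()` can itself fail (it presumably shells out to the same firewall tooling that just reported a bad state), that second exception would escape the handler and turn a logged warning into an unhandled error in `_initialize_firewall`, whose body starts and ends outside the hunk. Computing the state defensively before formatting the message keeps the warning path non-fatal; the exception type `get_state()` raises is not visible here, so the broad catch below should be narrowed if it is known.
```python
except FirewallStateError as e:
    try:
        state = firewall_manager.get_state()
    except Exception as state_error:  # logging-only path; must not mask the original warning
        state = "<unavailable: {0}>".format(ustr(state_error))
    event.warn(WALAEventOperation.Firewall, "The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): {0}. Current state:\n{1}", ustr(e), state)
# … unchanged: persistence of the rules across reboots …
```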
Expand Up @@ -89,9 +89,10 @@ def get_ignore_error_rules(self) -> List[Dict[str, Any]]:
# 2024-07-30T23:36:35.705717Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT DNS']), will reset them.
# 2024-07-30T23:37:23.612352Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT']), will reset them.
# 2024-07-30T23:38:11.083028Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['DROP']), will reset them.
# 2024-12-27T19:42:51.531056Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT'] due to: ['']), will reset them
#
{
'message': r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \[('ACCEPT DNS'|'ACCEPT'|'DROP'|, )+\]\), will reset them.",
'message': r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \[('ACCEPT DNS'|'ACCEPT'|'DROP'|, )+\] due to.*\), will reset them.",
'if': lambda r: r.level == "WARNING"
}
]
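Review bot: The tightened `'message'` pattern now requires ` due to` after the rule list, so the three 2024-07-30 sample lines kept in the comment above it no longer match this ignore rule, and a log written by an agent build that predates this change — if one can appear in the same run — would surface as an unexpected warning. The sibling rule in tests_e2e/tests/lib/agent_log.py handles the same transition with a bare `.*` and stays compatible with both formats; making the suffix optional here does the same: `\[('ACCEPT DNS'|'ACCEPT'|'DROP'|, )+\]( due to.*)?\), will reset them.`. The file this hunk belongs to is not named on the page, and `get_ignore_error_rules` starts and ends outside the hunk.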
7 changes: 4 additions & 3 deletions tests_e2e/tests/lib/agent_log.py
Expand Up @@ -330,13 +330,14 @@ def get_errors(self) -> List[AgentLogRecord]:
# 2024-08-02T21:44:44.330727Z WARNING ExtHandler ExtHandler The firewall rules for Azure Fabric are not setup correctly (the environment thread will fix it): The following rules are missing: ['ACCEPT DNS']
# 2024-08-08T22:05:26.561896Z WARNING EnvHandler ExtHandler The firewall is not configured correctly. The following rules are missing: ['ACCEPT DNS']. Will reset it.
# 2024-09-16T15:50:12.473500Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT DNS']), will reset them.
#
# 2024-12-27T19:42:03.895387Z WARNING ExtHandler ExtHandler The permanent firewall rules for Azure Fabric are not setup correctly (The following rules are missing: ['ACCEPT DNS'] due to: ['']), will reset them.
# 2024-12-27T19:38:14.093727Z WARNING EnvHandler ExtHandler The firewall is not configured correctly. The following rules are missing: ['ACCEPT DNS'] due to: ['iptables: Bad rule (does a matching rule exist in that chain?).\n']. Will reset it.
{
'message': r"(The firewall rules for Azure Fabric are not setup correctly \(the environment thread will fix it\): The following rules are missing: \['ACCEPT DNS'\])"
"|"
r"(The firewall is not configured correctly. The following rules are missing: \['ACCEPT DNS'\]. Will reset it.)"
r"(The firewall is not configured correctly. The following rules are missing: \['ACCEPT DNS'\].* Will reset it.)"
"|"
r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \['ACCEPT DNS'\]\), will reset them.",
r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \['ACCEPT DNS'\]\).* will reset them.",
'if': lambda r: r.level == "WARNING"
},
# TODO: The Daemon has not been updated on Azure Linux 3; remove this message when it is.
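Review bot: The third alternative on the last changed line does not match the sample it was updated for: `\['ACCEPT DNS'\]\).* will reset them.` still requires `)` immediately after the rule list, while the 2024-12-27 sample in the comment above reads `['ACCEPT DNS'] due to: ['']), will reset them.`, so that warning is not ignored and the e2e run would report it unless an earlier rule already matches it. Moving the wildcard inside the parenthesis fixes this while keeping the old format matching: `r"The permanent firewall rules for Azure Fabric are not setup correctly \(The following rules are missing: \['ACCEPT DNS'\].*\), will reset them.",`. The second alternative (`\].* Will reset it.`) places its wildcard correctly and matches its sample. `get_errors` starts and ends outside the hunk.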

