
(MODULES-8736) IPtables support on RHEL8 #824

Merged
merged 1 commit into from
Apr 9, 2019

Conversation

EmilienM
Contributor

@EmilienM EmilienM commented Mar 11, 2019

In order to persist the nftables rules on RHEL8, we need the init scripts:
"Warning: Firewall[998 log all ipv4](provider=iptables): Unable to persist firewall rules:
Execution of '/usr/libexec/iptables/iptables.init save' returned 1:
Error: Could not execute posix command: No such file or directory - /usr/libexec/iptables/iptables.init",

Those are contained in the iptables-services package, so this patch aims
to add it into package_name for RHEL8.

Also, to make the IPtables-managed rules persistent at reboot, we need
to enable iptables (and ip6tables) service(s) like we did in previous
versions of RHEL ecosystem.
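
An added example, not code from this PR or from puppetlabs-firewall: a POSIX shell script that checks, on a RHEL 8 host, the three things the description above relies on (the iptables-services package, the /usr/libexec/iptables/iptables.init script it ships, and an enabled iptables service) and then compares the live ruleset from iptables-save against the saved file, listing any rule that would not come back after a reboot. The saved-file path /etc/sysconfig/iptables and the "[pkts:bytes] " counter prefix that iptables-save -c produces are assumptions taken from the stock RHEL layout, not facts stated in this thread.

```shell
#!/bin/sh
# Added example, not code from puppetlabs-firewall or from this PR.
# Checks the preconditions this PR relies on for rules to survive a reboot on
# RHEL 8 and reports rules that are live in the kernel but missing from the
# saved file.  Run as root:  sh persist_check.sh check
#
# Assumptions: SAVED_FILE is where iptables.init writes (/etc/sysconfig/iptables
# on stock RHEL, which the thread does not state), and a saved file produced
# with counters carries a "[pkts:bytes] " prefix in front of each -A line.

INIT_SCRIPT=${INIT_SCRIPT:-/usr/libexec/iptables/iptables.init}
SAVED_FILE=${SAVED_FILE:-/etc/sysconfig/iptables}

# Reduce an iptables-save style dump ($1) to its sorted, de-duplicated rule
# lines: drop comments, table and chain headers, COMMIT, and counter prefixes.
normalize_rules() {
    sed -n 's/^\[[0-9]*:[0-9]*\] //; /^-A /p' "$1" | LC_ALL=C sort -u
}

# Print rules present in the live dump ($1) but absent from the saved dump ($2),
# one per line, prefixed with "NOT PERSISTED: ".  Returns 1 if any are missing.
rules_not_persisted() {
    live_tmp=$(mktemp); saved_tmp=$(mktemp)
    normalize_rules "$1" > "$live_tmp"
    normalize_rules "$2" > "$saved_tmp"
    missing=$(LC_ALL=C comm -23 "$live_tmp" "$saved_tmp")
    rm -f "$live_tmp" "$saved_tmp"
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing" | sed 's/^/NOT PERSISTED: /'
    return 1
}

# The three things the PR adds or relies on: the package, the init script it
# ships, and the service that reloads the saved file at boot.
check_prerequisites() {
    status=0
    if ! rpm -q iptables-services >/dev/null 2>&1; then
        echo "iptables-services not installed (it provides $INIT_SCRIPT)"; status=1
    fi
    if [ ! -x "$INIT_SCRIPT" ]; then
        echo "$INIT_SCRIPT missing: puppet will warn 'Unable to persist firewall rules'"; status=1
    fi
    if ! systemctl is-enabled iptables >/dev/null 2>&1; then
        echo "iptables.service not enabled: saved rules will not be reloaded at boot"; status=1
    fi
    return $status
}

main() {
    check_prerequisites || true          # report, but still run the rule comparison
    live=$(mktemp)
    iptables-save > "$live"
    if [ -r "$SAVED_FILE" ]; then
        if rules_not_persisted "$live" "$SAVED_FILE"; then rc=0; else rc=1; fi
    else
        echo "$SAVED_FILE not found: run '$INIT_SCRIPT save' (or 'service iptables save') first"
        rc=1
    fi
    rm -f "$live"
    return $rc
}

# Only act when explicitly asked, so the functions can also be sourced.
case "${1:-}" in check) main; exit $? ;; esac
```

Run it as root with the check argument. The comparison functions take two dump files, so they can equally be pointed at an iptables-save dump and a saved file copied off a host.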

@eimlav
Contributor

eimlav commented Apr 1, 2019

Hi @EmilienM . I've tested out your PR and it seems to run through our adhoc fine. However when I tried it out locally, I found that warnings would appear whenever a rule was created:

Warning: Firewall[000 accept all icmp requests](provider=ip[WARNING]Unable to persist firewall rules: Execution of '/usr/libexec/iptables/iptables.init save' returned 6: iptables: Nothing to save.

When the machine was rebooted, none of the firewall rules were saved. The same warning was returned when manually triggering /usr/libexec/iptables/iptables.init save and also service iptables save. Did you encounter this while testing out your changes?

@EmilienM
Contributor Author

EmilienM commented Apr 1, 2019

Hi @EmilienM . I've tested out your PR and it seems to run through our adhoc fine. However when I tried it out locally, I found that warnings would appear whenever a rule was created:

Warning: Firewall[000 accept all icmp requests](provider=ip[WARNING]Unable to persist firewall rules: Execution of '/usr/libexec/iptables/iptables.init save' returned 6: iptables: Nothing to save.

Could you please share the manifest you used for testing, so I can reproduce on my side. Also on which platform did you try?

Thanks

@eimlav
Contributor

eimlav commented Apr 1, 2019

@EmilienM I tested the following manifest on both RedHat 8.0 and RedHat 7.2, both running Puppet 6.4.0, and only received the warning on RedHat 8.0:

include firewall

firewall { '000 accept all icmp requests':
  proto  => 'icmp',
  action => 'accept',
}

When I reboot each machine, only the rules for the RedHat 7 machine persist.

Might be worth mentioning that iptables-save does show the rule, as opposed to the "Nothing to save" message from the other two commands.

@eimlav
Contributor

eimlav commented Apr 1, 2019

Running the full acceptance suite against RedHat 8 / Puppet 6, there are also some test failures that weren't caught in the adhoc (as we have not enabled RedHat 8 yet):

Failures:

  1) firewall time time tests ipv4 when set all time parameters applies
     Failure/Error: apply_manifest(pp1, catch_failures: true)
     Beaker::Host::CommandFailure:
       Host 'k7a1jscmgdfos3i.delivery.puppetlabs.net' exited with 4 running:
        puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.NPsMkT
       Last 10 lines of output were:
        Warning: Scope(Class[Firewall::Linux::Redhat]): No v6 service available, $ensure_v6 and $enable_v6 are ignored
        Notice: Compiled catalog for k7a1jscmgdfos3i.delivery.puppetlabs.net in environment production in 0.17 seconds
        Info: Applying configuration version '1554121291'
        Error: Execution of '/usr/sbin/iptables -I OUTPUT 1 --wait -t filter -p tcp -m multiport --dports 8080 -j ACCEPT -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment 805 - test' returned 2: iptables v1.8.0 (nf_tables): Couldn't load match `time':No such file or directory
       
        Try `iptables -h' or 'iptables --help' for more information.
        Error: /Stage[main]/Main/Firewall[805 - test]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/sbin/iptables -I OUTPUT 1 --wait -t filter -p tcp -m multiport --dports 8080 -j ACCEPT -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment 805 - test' returned 2: iptables v1.8.0 (nf_tables): Couldn't load match `time':No such file or directory
       
        Try `iptables -h' or 'iptables --help' for more information.
        Notice: Applied catalog in 0.22 seconds
       
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/host.rb:375:in `exec'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:83:in `block in on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/shared/host_manager.rb:130:in `run_block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/patterns.rb:37:in `block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:63:in `on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-puppet-1.16.0/lib/beaker-puppet/helpers/puppet_helpers.rb:529:in `block in apply_manifest_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/shared/host_manager.rb:130:in `run_block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/patterns.rb:37:in `block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-puppet-1.16.0/lib/beaker-puppet/helpers/puppet_helpers.rb:457:in `apply_manifest_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-puppet-1.16.0/lib/beaker-puppet/helpers/puppet_helpers.rb:536:in `apply_manifest'
     # ./spec/acceptance/firewall_time_spec.rb:28:in `block (4 levels) in <top (required)>'

  2) firewall time time tests ipv4 when set all time parameters contains the rule
     Failure/Error:
       expect(r.stdout).to match(
         %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Metrics/LineLength
       )
       expected "# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:32 2019\n*filter\n:INPUT ACCEPT [0:0]\n:FORWA...\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n# Completed on Mon Apr  1 12:21:32 2019\n" to match /-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/
       Diff:
       @@ -1,2 +1,32 @@
       -/-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/
       +# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:32 2019
       +*filter
       +:INPUT ACCEPT [0:0]
       +:FORWARD ACCEPT [0:0]
       +:OUTPUT ACCEPT [0:0]
       +:TEST - [0:0]
       +COMMIT
       +# Completed on Mon Apr  1 12:21:32 2019
       +# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:32 2019
       +*nat
       +:PREROUTING ACCEPT [0:0]
       +:INPUT ACCEPT [0:0]
       +:POSTROUTING ACCEPT [0:0]
       +:OUTPUT ACCEPT [0:0]
       +COMMIT
       +# Completed on Mon Apr  1 12:21:32 2019
       +# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:32 2019
       +*mangle
       +:PREROUTING ACCEPT [0:0]
       +:INPUT ACCEPT [0:0]
       +:FORWARD ACCEPT [0:0]
       +:OUTPUT ACCEPT [0:0]
       +:POSTROUTING ACCEPT [0:0]
       +COMMIT
       +# Completed on Mon Apr  1 12:21:32 2019
       +# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:32 2019
       +*raw
       +:PREROUTING ACCEPT [0:0]
       +:OUTPUT ACCEPT [0:0]
       +COMMIT
       +# Completed on Mon Apr  1 12:21:32 2019
       
       
     # ./spec/acceptance/firewall_time_spec.rb:34:in `block (5 levels) in <top (required)>'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:93:in `block in on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/shared/host_manager.rb:130:in `run_block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/patterns.rb:37:in `block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:63:in `on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:125:in `shell'
     # ./spec/acceptance/firewall_time_spec.rb:33:in `block (4 levels) in <top (required)>'

  3) firewall time time tests ipv6 when when set all time parameters applies
     Failure/Error: apply_manifest(pp2, catch_failures: true)
     Beaker::Host::CommandFailure:
       Host 'k7a1jscmgdfos3i.delivery.puppetlabs.net' exited with 4 running:
        puppet apply --verbose --detailed-exitcodes /tmp/apply_manifest.pp.FwCuwV
       Last 10 lines of output were:
        Warning: Scope(Class[Firewall::Linux::Redhat]): No v6 service available, $ensure_v6 and $enable_v6 are ignored
        Notice: Compiled catalog for k7a1jscmgdfos3i.delivery.puppetlabs.net in environment production in 0.14 seconds
        Info: Applying configuration version '1554121296'
        Error: Execution of '/usr/sbin/ip6tables -I OUTPUT 1 --wait -t filter -p tcp -m multiport --dports 8080 -j ACCEPT -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment 805 - test' returned 2: ip6tables v1.8.0 (nf_tables): Couldn't load match `time':No such file or directory
       
        Try `ip6tables -h' or 'ip6tables --help' for more information.
        Error: /Stage[main]/Main/Firewall[805 - test]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/sbin/ip6tables -I OUTPUT 1 --wait -t filter -p tcp -m multiport --dports 8080 -j ACCEPT -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment 805 - test' returned 2: ip6tables v1.8.0 (nf_tables): Couldn't load match `time':No such file or directory
       
        Try `ip6tables -h' or 'ip6tables --help' for more information.
        Notice: Applied catalog in 0.22 seconds
       
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/host.rb:375:in `exec'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:83:in `block in on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/shared/host_manager.rb:130:in `run_block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/patterns.rb:37:in `block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:63:in `on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-puppet-1.16.0/lib/beaker-puppet/helpers/puppet_helpers.rb:529:in `block in apply_manifest_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/shared/host_manager.rb:130:in `run_block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/patterns.rb:37:in `block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-puppet-1.16.0/lib/beaker-puppet/helpers/puppet_helpers.rb:457:in `apply_manifest_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-puppet-1.16.0/lib/beaker-puppet/helpers/puppet_helpers.rb:536:in `apply_manifest'
     # ./spec/acceptance/firewall_time_spec.rb:62:in `block (4 levels) in <top (required)>'

  4) firewall time time tests ipv6 when when set all time parameters contains the rule
     Failure/Error:
       expect(r.stdout).to match(
         %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Metrics/LineLength
       )
       expected "# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:37 2019\n*filter\n:INPUT ACCEPT [0:0]\n:FORWA...n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n# Completed on Mon Apr  1 12:21:37 2019\n" to match /-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/
       Diff:
       @@ -1,2 +1,17 @@
       -/-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/
       +# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:37 2019
       +*filter
       +:INPUT ACCEPT [0:0]
       +:FORWARD ACCEPT [0:0]
       +:OUTPUT ACCEPT [0:0]
       +COMMIT
       +# Completed on Mon Apr  1 12:21:37 2019
       +# Generated by xtables-save v1.8.0 on Mon Apr  1 12:21:37 2019
       +*mangle
       +:PREROUTING ACCEPT [0:0]
       +:INPUT ACCEPT [0:0]
       +:FORWARD ACCEPT [0:0]
       +:OUTPUT ACCEPT [0:0]
       +:POSTROUTING ACCEPT [0:0]
       +COMMIT
       +# Completed on Mon Apr  1 12:21:37 2019
       
       
     # ./spec/acceptance/firewall_time_spec.rb:68:in `block (5 levels) in <top (required)>'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:93:in `block in on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/shared/host_manager.rb:130:in `run_block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/patterns.rb:37:in `block_on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:63:in `on'
     # ./.bundle/gems/ruby/2.4.0/gems/beaker-4.6.0/lib/beaker/dsl/helpers/host_helpers.rb:125:in `shell'
     # ./spec/acceptance/firewall_time_spec.rb:67:in `block (4 levels) in <top (required)>'
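
An added example, not code from this PR or from puppetlabs-firewall: a shell pre-flight probe for the failure in the log above, where iptables v1.8.0 (nf_tables) cannot load the time match and every rule that uses it fails at apply time. It asks the iptables binary to load each match extension with "-m <match> --help", which exits non-zero when the extension cannot be loaded, and it can pull the list of matches out of an iptables-save style dump so a whole saved ruleset is probed at once. The IPTABLES variable (point it at /usr/sbin/ip6tables to probe the v6 backend) and the probe-by-help technique are the example's own choices, not something the module does.

```shell
#!/bin/sh
# Added example, not code from puppetlabs-firewall or from this PR.
# Pre-flight probe: ask the iptables binary to load each match extension a
# manifest depends on before rules are applied, so a host whose backend cannot
# load one (the "Couldn't load match `time'" failure) is caught early.
# "iptables -m <match> --help" loads the extension to print its options and
# exits non-zero when it cannot; the probe relies on that behaviour.
# Assumption: IPTABLES names the binary to probe (override it for ip6tables).

IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# 0 if the backend can load match extension $1, non-zero otherwise.
match_available() {
    "$IPTABLES" -m "$1" --help >/dev/null 2>&1
}

# Print each match in "$@" that cannot be loaded, one per line; return 1 if any.
unavailable_matches() {
    rc=0
    for m in "$@"; do
        if ! match_available "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Extract the "-m <match>" extension names used in an iptables-save style
# dump ($1), sorted and de-duplicated, so a saved ruleset can be probed as a whole.
matches_in_rules() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "-m") print $(i + 1) }' "$1" | LC_ALL=C sort -u
}

# Usage:  sh probe_matches.sh probe time multiport comment
#         sh probe_matches.sh probe-file /etc/sysconfig/iptables
case "${1:-}" in
    probe)      shift; unavailable_matches "$@" ;;
    probe-file) unavailable_matches $(matches_in_rules "$2") ;;
esac
```

A non-zero exit from probe-file against the saved ruleset, run before puppet agent, tells you which matches the host's backend refuses, which is the information the acceptance failures above had to be read out of a catalog error.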

@EmilienM
Contributor Author

EmilienM commented Apr 1, 2019

I reproduced the bug as well. Let me investigate.

@EmilienM
Contributor Author

EmilienM commented Apr 1, 2019

I had to run: service iptables start to re-apply the IPtables rules after a reboot.
Can you confirm that too? @eimlav

In order to persist the nftables rules on RHEL8, we need the init scripts:
"Warning: Firewall[998 log all ipv4](provider=iptables): Unable to persist firewall rules:
Execution of '/usr/libexec/iptables/iptables.init save' returned 1:
Error: Could not execute posix command: No such file or directory - /usr/libexec/iptables/iptables.init",

Those are contained in the iptables-services package, so this patch aims
to add it into package_name for RHEL8.

Also, to make the IPtables-managed rules persistent at reboot, we need
to enable iptables (and ip6tables) service(s) like we did in previous
versions of RHEL ecosystem.

@EmilienM
Contributor Author

EmilienM commented Apr 1, 2019

Pull-request updated, HEAD is now 879838d

@EmilienM
Contributor Author

EmilienM commented Apr 1, 2019

@eimlav PR updated, let me know how it works for you now. Thanks

@EmilienM EmilienM changed the title (MODULES-8736) Add iptables-services to package_name on RHEL8 (MODULES-8736) IPtables support on RHEL8 Apr 1, 2019
@EmilienM
Contributor Author

EmilienM commented Apr 1, 2019

Note: I left nftables here on purpose, because it's the new tool pushed into RHEL8 and recent Fedora - I guess it doesn't hurt. Let me know if it's blocking.

@eimlav
Contributor

eimlav commented Apr 3, 2019

@EmilienM I am still getting the same warning and rules are not saving. I would suggest maybe tinkering with this locally until you are able to get a solution that solves all of the issues. As we do not currently support RedHat 8 for this module, the assistance I can provide for this PR is limited.

When you are able to get it to work please feel free to ping me and I'll take another look. :)

@EmilienM
Contributor Author

EmilienM commented Apr 3, 2019

@eimlav with my PR applied, I can't reproduce the bug anymore:

asciicast

@mwhahaha
Contributor

mwhahaha commented Apr 4, 2019

I've tested this out on RHEL8 and haven't hit any errors. If you've hit some errors please let us know what configuration you were doing.

rdoproject pushed a commit to rdo-packages/puppet-firewall-distgit that referenced this pull request Apr 8, 2019
puppetlabs/puppetlabs-firewall#824 is taking
time to land, we need the code so IPtables rules are persistent after a
reboot.
We'll revert that patch once the PR is merged upstream.

Change-Id: Ieb32461d43f56ef065efd23c2596686f88fdfe56

@eimlav
Contributor

eimlav commented Apr 9, 2019

Hey @EmilienM . We have not been able to run this without the warning so it may be an issue with our RedHat 8 image. However, as you are now using the changes in your setup I take it that it is working as intended. As such I am going to go ahead and merge this now but I just wanted to let you know that this change will add RedHat 8 compatibility to the module not official support.

Adhoc results: Screen Shot 2019-04-09 at 12 50 34

Thanks for taking the time to go through your changes with me (and for showing asciinema, it's really neat) :)

@eimlav eimlav merged commit 7ce5149 into puppetlabs:master Apr 9, 2019
@EmilienM EmilienM deleted the MODULES-8736 branch April 9, 2019 11:53
rdoproject pushed a commit to rdo-packages/puppet-firewall-distgit that referenced this pull request Apr 9, 2019
PR was merged:
puppetlabs/puppetlabs-firewall#824

This reverts commit 8271067.

Change-Id: I239da1e275ff108c054b5ffbfad57169610f4a46