
New parameter purge_unmanaged_rules to reload nftables if configuration does not match reality #253

Merged (12 commits), Aug 4, 2024

Conversation

canihavethisone (Contributor) commented Aug 3, 2024

This is a variation on #115, where I use:

  • 2 execs
  • no script file on disk
  • no service file modifications.

Effect:

First install:

  • after nftables is installed and configured and service started, a hash of memory state (without counters) is written to disk in the same puppet run

Subsequent runs:
Hash file not present (e.g. deleted):

  1. nftables service is notified to reload
  2. hash file is regenerated

Hash of memory state does not match hash on disk (e.g. rule manually added in memory):

  1. nftables service is notified to reload
  2. hash file is regenerated

Changes invoked by Puppet to rules:

  1. hash file is regenerated (as this module already notifies the service)

Exec time hit
Everyone tries not to use execs, but they work well in this case and over a number of tests I barely saw a 0.1 sec difference, and that wasn't consistent, so I think it's a good solution.

Thanks for your consideration of this PR!
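The reload decision described above (hash the in-memory ruleset without counters, compare it with the hash written at the last service load, reload and regenerate when the file is missing or differs), as an added example in plain POSIX shell. This is not the module's code nor the PR's execs; the hash-file path, the counter-stripping regex and the three rulesets are my own assumptions, constructed so the script runs without nftables installed. `nft -s list ruleset` is the real nft invocation for listing rules without stateful data such as counters; it is defined in `live_ruleset` but never called here.

```shell
#!/bin/sh
# Added example, not code from puppet-nftables or this PR. It reproduces the
# reload decision from the PR description: hash the live ruleset with counters
# removed, compare it with the hash recorded at the last service (re)load, and
# reload when the file is missing or the hash differs.
# Assumptions (mine): the hash-file path, the counter-stripping regex and the
# constructed rulesets below.

# Hypothetical default; the PR moved the file out of /run so it survives a reboot.
NFT_HASH_FILE="${NFT_HASH_FILE:-/var/tmp/nftables.hash}"

# Live ruleset without stateful data (needs root and nft; not used by demo).
live_ruleset() {
  nft -s list ruleset
}

# Remove counter values so that packet flow alone never changes the hash.
strip_counters() {
  sed -E 's/counter packets [0-9]+ bytes [0-9]+/counter/g'
}

sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

# stdin: ruleset text; stdout: hex digest of the counter-free ruleset.
ruleset_hash() {
  strip_counters | sha256_hex
}

# $1: hash file; stdin: current ruleset text.
# Returns 0 when a reload is needed (file missing or hash differs), 1 when in sync.
needs_reload() {
  nr_file="$1"
  nr_current="$(ruleset_hash)"
  [ -f "$nr_file" ] || return 0
  nr_stored="$(cat "$nr_file")"
  [ "$nr_current" != "$nr_stored" ]
}

# $1: hash file; stdin: the ruleset that has just been loaded by the service.
record_hash() {
  ruleset_hash > "$1"
}

# Constructed rulesets (not captured from a real host).
RULESET_LOADED='table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related counter packets 0 bytes 0 accept
    tcp dport 22 counter packets 0 bytes 0 accept
  }
}'
# Same rules after some traffic: only counters moved, must NOT trigger a reload.
RULESET_TRAFFIC=$(printf '%s\n' "$RULESET_LOADED" | sed 's/packets 0 bytes 0/packets 42 bytes 3360/')
# A rule widened by hand in memory: must trigger a reload.
RULESET_TAMPERED=$(printf '%s\n' "$RULESET_LOADED" | sed 's/tcp dport 22/tcp dport { 22, 4444 }/')

demo() {
  d_file="$(mktemp)"
  printf '%s\n' "$RULESET_LOADED" | record_hash "$d_file"
  for d_case in LOADED TRAFFIC TAMPERED; do
    eval "d_rules=\$RULESET_$d_case"
    if printf '%s\n' "$d_rules" | needs_reload "$d_file"; then
      echo "$d_case: reload nftables and regenerate $d_file"
    else
      echo "$d_case: in sync"
    fi
  done
  rm -f "$d_file"
  # Missing hash file (e.g. deleted, or /run cleared by a reboot): reload.
  printf '%s\n' "$RULESET_LOADED" | needs_reload "$d_file" && echo "MISSING: reload nftables and regenerate $d_file"
}

demo
```

On a real host the `needs_reload` and `record_hash` calls would be fed by `live_ruleset` instead of the constructed strings, and the two Puppet execs map onto them: one whose `onlyif` is the reload check and which notifies the service, and one that regenerates the hash file after the service has (re)loaded. The TRAFFIC case is the reason counters must be stripped before hashing: without that, every run on a busy host would reload the firewall.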

@bastelfreak bastelfreak added the enhancement New feature or request label Aug 3, 2024
bastelfreak (Member) commented

Please run bundle exec rake strings:generate:reference to update the REFERENCE.md

canihavethisone (Contributor, Author) commented Aug 4, 2024

@bastelfreak
one question I have relates to the choice of location for the hash by the previous PR, which I have copied. Writing it to /run means that upon a reboot the file is missing and will be regenerated, notifying the nftables service to reload unnecessarily. Should this default to a location where the hash file survives a reboot, such as /var/tmp?

Edit: I have pushed this change as it seems logical to avoid a bogus reload of nftables just because the hash file doesn't survive reboot.

@bastelfreak bastelfreak merged commit 4e62ca0 into voxpupuli:master Aug 4, 2024
28 checks passed
@bastelfreak bastelfreak changed the title from "Reload nftables service if hash at last service load does not match" to "New parameter purge_unmanaged_rules to reload nftables if configuration does not match reality." Aug 5, 2024
@bastelfreak bastelfreak changed the title from "New parameter purge_unmanaged_rules to reload nftables if configuration does not match reality." to "New parameter purge_unmanaged_rules to reload nftables if configuration does not match reality" Aug 5, 2024