
enable correct service for EL9 using legacy IPv4 #1102

Open. Wants to merge 1 commit into base: main

Conversation

kjetilho (Contributor)

Probably not many people are still using IPv4 in their systems; after all, IPv6 is soon 25 years old, but... we still want to support it.

nftables.service loads nft rules from /etc/sysconfig/nftables.conf, but this module generates classic iptables rules. The service to load these on boot is simply "iptables.service".

IPv6 rules are loaded correctly by ip6tables.service.

@kjetilho kjetilho requested a review from a team as a code owner December 13, 2022 21:17
@puppet-community-rangefinder

firewall::params is a class

that may have no external impact to Forge modules.

This module is declared in 106 of 580 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

LukasAud (Contributor)

LukasAud commented Jan 9, 2023

Hi @kjetilho, sorry for the delay in feedback. While reviewing pending PRs for the module, we have merged a different PR that also seems to be addressing this issue, thus causing a conflict. #1103

kjetilho (Contributor, Author)

kjetilho commented Jan 9, 2023

Hmm. As I mentioned in my comment above, nftables.service uses files not managed by this module, so I think it is not correct to enable the service. Who knows what rules are left behind in /etc/sysconfig/nftables.conf. I prefer my patch, which only enables iptables.service.

kjetilho (Contributor, Author)

Hmm, the "mend" tests failed due to a missing API key. Does this mean merge requests need to use project branches rather than external forks?

@CLAassistant

CLAassistant commented Apr 19, 2023

CLA assistant check
All committers have signed the CLA.

@kjetilho kjetilho force-pushed the fix/el9-service branch 2 times, most recently from af89e71 to f5c0625 on March 25, 2024 22:16. Commit message:
nftables.service loads nft rules from /etc/sysconfig/nftables.conf,
but this module generates classic iptables rules which are stored in
/etc/sysconfig/iptables.  The service to load these on boot is simply and
only "iptables.service".  If both nftables.service and iptables.service
are enabled, left over rules from /etc/sysconfig/nftables.conf may be
inadvertently loaded.

IPv6 rules are loaded correctly by ip6tables.service.
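As an added example (not code from the firewall module discussed here or from the PR author), the following POSIX shell check looks for the failure mode the commit message describes: both nftables.service and iptables.service enabled on the same EL9 host, so that whatever is left in /etc/sysconfig/nftables.conf gets loaded alongside the module's rules in /etc/sysconfig/iptables. The input format is assumed to be that of `systemctl list-unit-files --type=service --no-legend` (unit name, state, preset per line); the unit listing and the nftables.conf contents used below are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example: detect the "two rule loaders enabled at once" condition on an
# EL9 host where firewall rules are managed as classic iptables rules.
# Not part of the firewall module; the input format is an assumption based on
# `systemctl list-unit-files --type=service --no-legend`.

# conflict_check reads "unit state preset" lines from stdin.
# Returns 1 (and prints CONFLICT) if both nftables.service and
# iptables.service are enabled, 0 otherwise.
conflict_check() {
    nft=no
    ipt=no
    while read -r unit state rest; do
        case "$unit:$state" in
            nftables.service:enabled) nft=yes ;;
            iptables.service:enabled) ipt=yes ;;
        esac
    done
    if [ "$nft" = yes ] && [ "$ipt" = yes ]; then
        echo "CONFLICT: nftables.service and iptables.service are both enabled;" \
             "rules in /etc/sysconfig/nftables.conf would be loaded too"
        return 1
    fi
    echo "ok: nftables.service=$nft iptables.service=$ipt"
    return 0
}

# nft_rule_count reads an nftables.conf-style file from stdin and prints the
# number of lines that are neither blank nor comments, i.e. a quick indicator
# of whether the file still carries leftover rules that would be loaded.
nft_rule_count() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading whitespace using POSIX parameter expansion
        trimmed=${line#"${line%%[![:space:]]*}"}
        case "$trimmed" in
            ''|'#'*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample unit listings standing in for real systemctl output.
SAMPLE_BAD='nftables.service enabled enabled
iptables.service enabled enabled
ip6tables.service enabled enabled'

SAMPLE_GOOD='nftables.service disabled disabled
iptables.service enabled enabled
ip6tables.service enabled enabled'

# Constructed sample of a nftables.conf that still carries a leftover table.
SAMPLE_NFT_CONF='# leftover from a previous configuration
table inet filter {
}'

# Stand-alone demo on the constructed samples; on a real host replace the
# printf with: systemctl list-unit-files --type=service --no-legend
printf '%s\n' "$SAMPLE_GOOD" | conflict_check || true
printf '%s\n' "$SAMPLE_BAD" | conflict_check || true
echo "leftover nft rule lines: $(printf '%s\n' "$SAMPLE_NFT_CONF" | nft_rule_count)"
```

On a host, `systemctl list-unit-files --type=service --no-legend | conflict_check` gives the verdict, and `nft_rule_count < /etc/sysconfig/nftables.conf` shows whether the unmanaged file would contribute anything at boot. Both functions only read their input, so the check is safe to run as part of a pre-change audit.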