Fixes #5776 adds iptables-persistent dependency on Focal #5780
Conversation
CI failure in https://app.circleci.com/pipelines/github/freedomofpress/securedrop/1827/workflows/afc450be-1937-4dae-b6ed-e5b174ef0379/jobs/49991, OSSEC service was not listening. Kicked CI to see if it's a flake.
Left some in-line comments about reducing duplication, similar in spirit to what's discussed for dual distro support in #5772 (comment).
At present I'm not comfortable merging these changes until we understand completely what the divergence is between the two distros. I'll keep investigating on root causes and report findings in #5776
- name: reload iptables rules for focal | ||
shell: iptables-restore < /etc/iptables/rules.v4 | ||
when: | ||
- ansible_distribution_release == 'focal' |
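Review bot: this handler hard-codes `/etc/iptables/rules.v4` and differs from the existing reload handler only in the file path, so the play now carries two handlers that do the same thing with a `when:` guard telling them apart. Take the path from a per-distro vars file and keep a single handler, e.g. `shell: iptables-restore < "{{ iptables_v4_path }}"`, which also removes the need for the `ansible_distribution_release == 'focal'` guard on this one.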
Since the only change here appears to be the filepath for the rules, let's make that a var and import it based on distro. See
- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml" |
else | ||
echo "Iptables rules file does not exist" | ||
exit 1 | ||
fi | ||
|
||
if [ -f /etc/network/iptables/rules_v6 ]; then | ||
ip6tables-restore < /etc/network/iptables/rules_v6 | ||
elif [ -f /etc/iptables/rules.v6 ]; then | ||
ip6tables-restore < /etc/iptables/rules.v6 |
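Review bot: the `elif [ -f /etc/iptables/rules.v6 ]` branch (and its IPv4 twin) can never run, because the task that installs this script is guarded by `when: ansible_distribution_release == 'xenial'`, so these are dead paths; drop them and leave Focal to iptables-persistent. Separately, the IPv4 block ends with `else ... exit 1` when no rules file exists, but the visible IPv6 block shows only `if`/`elif`; give it the same failing `else` so a missing v6 ruleset makes the if-up hook fail loudly instead of silently leaving IPv6 unfiltered.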
As above, these paths can be interpolated from a var if we use a template. However, I see Focal-only paths in here, whereas the relevant task only copies this file on Xenial hosts. So these `elif`s appear to be unreachable.
Removed now.
@@ -35,6 +47,8 @@ | |||
owner: root | |||
group: root | |||
dest: /etc/network/iptables | |||
when: | |||
- ansible_distribution_release == 'xenial' |
If the `load_iptables` script is only copied under Xenial, then its content shouldn't change to address Focal support.
Done.
I think the divergence is explained by the fact that on Focal server, network configuration is handled by a combination of netplan and systemd-networkd (search for "hook scripts"; the document lacks anchors). I tried simply moving our I have not changed the Ansible config and rebuilt staging, or tried it on hardware. There are also other hook scripts installed into /etc/network/if-up.d by other packages (
That's a great suggestion, and matches with the use-a-path-based-on-vars comments above. We're bumping up against reimplementing iptables-persistent functionality, so let's not rule that out yet. As mentioned in #5776 (comment), tying the restore logic to the ifup event should be the strictest of all possible options. That's based on my assumption that iptables-persistent will always restore whatever rules are present on system shutdown—I'll read up on that now.
Not so. Performed some interactive testing, and it appears that iptables-persistent is behaving the way we'd want: ad-hoc rules added on the command-line are wiped after reboot, and the original ruleset is enforced on subsequent boot. With that concern out of the way, I'm comfortable switching to iptables-persistent for Focal only (cc @emkll for visibility). @kushaldas Right now, CI is still running on #5712, but I've approved it. Please merge it and rebase these changes on top, then take a look at the in-line comments here and try to refactor. Also, please update the test plan to include verification that ad-hoc rules are removed. In my testing, I tried setting the input policy to ACCEPT, as well as adding a global allow on TCP 443 inbound.
Branch force-pushed from 0db6ebc to d4522ee.
Branch force-pushed from d4522ee to 27ccd22.
Rebased on top of latest develop, to include changes from #5712
Still seeing the same CI failure: failing test output
Will dig into it more today.
This could be a red herring, but
The fact that CI is reliably failing here, yet passing on #5783, indicates we clearly have a regression in the firewall logic. I'm optimistic that the changes proposed in #5783 will resolve here, too. Pushed a separate branch now to evaluate behavior in CI: https://github.com/freedomofpress/securedrop/tree/5776-iptables-persistent-for-focal-with-reconnect
Sure enough, tests are passing: https://app.circleci.com/pipelines/github/freedomofpress/securedrop/1844/workflows/835e3251-afb0-412d-95b3-b25373c5dbc3/jobs/50137 So let's get #5783 reviewed and in, then rebase this one.
Branch force-pushed from 27ccd22 to d1b178d.
And magic, all tests are passing!!!
Thanks, @kushaldas! Taking another look now.
Changes are solid. To test, I set
to run only the iptables tests, and confirmed failing:
After rebooting the host, all tests are passing again:
In addition to changing the policy items, I added additional rules such as all TCP 443 allowed in, and confirmed that a reboot removed the customizations. There are a few changes I'd like to make to clean up the formatting, which I'll append now. Very pleased with the results of testing, these changes are solid and Focal-only, as we want.
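The reboot check asked for in the test plan above (ad-hoc changes such as an `INPUT` policy of `ACCEPT` or a global TCP 443 allow must be gone once iptables-persistent restores the saved file at boot) can be turned into a diff instead of a visual read of `iptables -L`. The script below is an added example, not code from SecureDrop or from this PR; it assumes the persisted file is in `iptables-save` format (as `/etc/iptables/rules.v4` is on Focal in this PR) and uses constructed sample rulesets so it runs without root or a live iptables.

```shell
#!/bin/sh
# Added example, not SecureDrop's own code: compare a persisted iptables
# ruleset (the file iptables-persistent restores at boot) against a dump of
# the running ruleset and list every rule or chain policy that differs.
# Both inputs are in iptables-save format. Comment lines and the per-chain
# [packets:bytes] counters are stripped before comparing so they do not
# register as drift.
export LC_ALL=C   # stable ordering for sort/comm

normalize_rules() {
    # $1: path to an iptables-save style file
    # Drop '# ...' lines and the '[pkts:bytes]' suffix on ':CHAIN POLICY' lines.
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1/' \
        "$1" | sort
}

# rules_drift SAVED RUNNING
# Returns 0 when both rulesets are identical after normalisation, 1 when they
# differ (printing what is only on each side), 2 on a missing input file.
rules_drift() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "rules_drift: unreadable input" >&2; return 2; }
    saved_n=$(mktemp) || return 2
    running_n=$(mktemp) || return 2
    normalize_rules "$1" > "$saved_n"
    normalize_rules "$2" > "$running_n"
    only_running=$(comm -13 "$saved_n" "$running_n")   # active, not persisted
    only_saved=$(comm -23 "$saved_n" "$running_n")     # persisted, not active
    rm -f "$saved_n" "$running_n"
    if [ -z "$only_running" ] && [ -z "$only_saved" ]; then
        return 0
    fi
    [ -n "$only_running" ] && printf 'Active but not persisted (lost on reboot):\n%s\n' "$only_running"
    [ -n "$only_saved" ] && printf 'Persisted but not active:\n%s\n' "$only_saved"
    return 1
}

# Constructed sample inputs (not real SecureDrop rules): the persisted file, a
# running dump straight after boot, and a running dump after someone set the
# INPUT policy to ACCEPT and added a global TCP 443 allow by hand.
FIXTURES=$(mktemp -d)
trap 'rm -rf "$FIXTURES"' EXIT
SAVED_RULES="$FIXTURES/rules.v4"
RUNNING_CLEAN="$FIXTURES/running-after-boot.v4"
RUNNING_ADHOC="$FIXTURES/running-with-adhoc.v4"

cat > "$SAVED_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed
EOF

# Same rules as persisted, but the kernel now reports non-zero counters.
sed -e 's/\[0:0\]/[42:3150]/' "$SAVED_RULES" > "$RUNNING_CLEAN"

# Ad-hoc changes on top: policy flipped to ACCEPT and an extra allow rule.
sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' \
    -e '/--dport 22/a\
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' "$SAVED_RULES" > "$RUNNING_ADHOC"

# Demonstration on the constructed files. On a real host, after the reboot:
#   iptables-save > /tmp/running.v4 && rules_drift /etc/iptables/rules.v4 /tmp/running.v4
rules_drift "$SAVED_RULES" "$RUNNING_CLEAN" && echo "after-boot ruleset matches the persisted file"
rules_drift "$SAVED_RULES" "$RUNNING_ADHOC" || echo "ad-hoc changes detected (expected for this sample)"
```

Run the real comparison as root; a clean result after reboot is the evidence the test plan asks for, and a non-empty "Active but not persisted" list before reboot is exactly the set of changes that should disappear. The IPv6 file can be checked the same way with `ip6tables-save` against `rules.v6`.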
@@ -59,14 +75,14 @@ | |||
- name: Copy IPv4 iptables rules. | |||
template: | |||
src: rules_v4 | |||
dest: /etc/network/iptables/rules_v4 | |||
dest: "{{ '/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v4' }}" |
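Review bot: the inline `'/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v4'` expression in `dest:` repeats a decision the IPv6 task and the reload handler also need, so the three copies can drift apart. Define `iptables_v4_path` (and `iptables_v6_path`) once in the per-distro vars file and write `dest: "{{ iptables_v4_path }}"` here.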
Path should use the var created above
owner: root | ||
mode: "0644" | ||
notify: drop flag for reboot | ||
|
||
- name: Copy IPv6 iptables rules. | ||
copy: | ||
src: iptables_rules_v6 | ||
dest: /etc/network/iptables/rules_v6 | ||
dest: "{{ '/etc/iptables/rules.v6' if ansible_distribution_release == 'focal' else '/etc/network/iptables/rules_v6' }}" |
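Review bot: same duplication as the IPv4 task; `dest: "{{ iptables_v6_path }}"` from the distro vars file keeps the two in step. Separately, the `mode: "0644"` shown in the context above makes the firewall ruleset readable by every local user; only root runs `iptables-restore`, so `mode: "0600"` on both rules files keeps the host's filtering policy from being enumerated by an unprivileged account.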
Path should use the var created above
pkg: iptables-persistent | ||
state: latest | ||
update_cache: yes | ||
cache_valid_time: 3600 |
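Review bot: `state: latest` upgrades iptables-persistent on every run that finds a newer package, which makes the play non-idempotent and can pull an unplanned package upgrade into a provisioning run; `state: present` installs it and leaves upgrades to the host's regular update process. The `update_cache: yes` / `cache_valid_time: 3600` pair is also a second apt cache refresh in the same play; listing the package with the common role's Focal package vars, as suggested above, avoids it.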
We can avoid another apt run by placing the package requirement in the common role, in the focal vars.
- name: reload iptables rules | ||
shell: iptables-restore < /etc/network/iptables/rules_v4 | ||
- name: reload iptables rules for xenial | ||
shell: iptables-restore < "{{ iptables_v4_path }}" |
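Review bot: once the path comes from `{{ iptables_v4_path }}` the handler is no longer Xenial-specific, so the `for xenial` suffix in the name is misleading; either keep the original name `reload iptables rules` or, since no task in this PR or in develop notifies it, delete the handler rather than rename it.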
This handler isn't actually used anywhere, neither in this PR nor in develop. OK to remove
On Ubuntu Focal, we can use the iptables-persistent package, and also use an updated rules filepath based on the distribution version.
Focal uses iptables-persistent package for the same.
Based on PR review feedback, we are now using paths defined in the variable vars files (based on the Ubuntu distribution value).
Branch force-pushed from d1b178d to da2ae7c.
Works as advertised!
Branch force-pushed from da2ae7c to 8e10aec.
Re-approving post-rebase, CI is green, merging!
Status
Ready for review.
Description of Changes
Fixes #5776
On Ubuntu Focal, we can use the iptables-persistent package, and also use an updated rules filepath based on the distribution version.
Testing
Focal
- on Hardware, and test `iptables -L` in both the servers
- `INPUT` chain.
- `iptables -L` again. Everything should go back to default.
Xenial
- on Hardware, and test `iptables -L` in both the servers
- `iptables -L` again.
Deployment
Any special considerations for deployment? Consider both:
Checklist
If you made changes to the server application code:
- Linting (`make lint`) and tests (`make test`) pass in the development container
If you made changes to `securedrop-admin`:
- Linting and tests (`make -C admin test`) pass in the admin development container
If you made changes to the system configuration:
If you added or removed a file deployed with the application:
If you made non-trivial code changes:
Choose one of the following:
If you added or updated a code dependency:
Choose one of the following: