Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nftables service is broken after reboot #74

Closed
duritong opened this issue Mar 1, 2021 · 2 comments · Fixed by #75
Closed

nftables service is broken after reboot #74

duritong opened this issue Mar 1, 2021 · 2 comments · Fixed by #75
Labels
bug Something isn't working

Comments

@duritong
Copy link
Collaborator

duritong commented Mar 1, 2021

I am having the issue that after rebooting a node the nftables service is broken:

# systemctl status nftables.service 
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/nftables.service.d
           └─puppet_nft.conf
   Active: failed (Result: exit-code) since Mon 2021-03-01 14:21:53 UTC; 11min ago
     Docs: man:nft(8)
  Process: 759 ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 759 (code=exited, status=1/FAILURE)

Mar 01 14:21:53 example.glei.ch nft[759]: /etc/nftables/puppet.nft:8:26-44: Error: Could not process rule: No such file or directory
Mar 01 14:21:53 example.glei.ch nft[759]: flush table inet filter; flush table ip nat; flush table ip6 nat
Mar 01 14:21:53 example.glei.ch nft[759]:                          ^^^^^^^^^^^^^^^^^^^
Mar 01 14:21:53 example.glei.ch nft[759]: In file included from /etc/sysconfig/nftables.conf:4:1-35:
Mar 01 14:21:53 example.glei.ch nft[759]: /etc/nftables/puppet.nft:8:46-65: Error: Could not process rule: No such file or directory
Mar 01 14:21:53 example.glei.ch nft[759]: flush table inet filter; flush table ip nat; flush table ip6 nat
Mar 01 14:21:53 example.glei.ch nft[759]:                                              ^^^^^^^^^^^^^^^^^^^^
Mar 01 14:21:53 example.glei.ch systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Mar 01 14:21:53 example.glei.ch systemd[1]: nftables.service: Failed with result 'exit-code'.
Mar 01 14:21:53 example.glei.ch systemd[1]: Failed to start Netfilter Tables.

It will go back in a working by running puppet twice (!).

First it will remove the flush table cmds (since the fact returns an empty list of tables) and thus the nft rule set become applicable again.
On the second run it will re-add the tables.

We should not try to flush the tables when they are not present!
duritong added a commit to duritong/puppet-nftables that referenced this issue Mar 1, 2021
@duritong
fix voxpupuli#74 - ensure table are initialized before flushing them
a4c3c76
@duritong duritong mentioned this issue Mar 1, 2021
Merged
@nbarrientos
Copy link
Collaborator

nbarrientos commented Mar 1, 2021
edited
Loading

Interesting. Indeed those tables won't be there right after the system boots so they cannot be flushed at start-up :) Just for completeness, this is happening with non-default module configuration, right? I mean, you're setting nftables::noflush_tables (otherwise there should be a flush ruleset instead in /etc/nftables/nftables.nft).

@nbarrientos nbarrientos added the bug Something isn't working label Mar 1, 2021
@duritong
Copy link
Collaborator Author

duritong commented Mar 1, 2021

Yes, I am setting it to:

hieradata/defaults.yaml:nftables::noflush_tables: ['ip-fail2ban']

since that one should not get flushed.

traylenator pushed a commit that referenced this issue Mar 2, 2021
@duritong
fix #74 - ensure table are initialized before flushing them (#75)
92e0fcb
@duritong duritong mentioned this issue Apr 29, 2021
Closed
figless pushed a commit to figless/puppet-nftables that referenced this issue Aug 25, 2021
@nbarrientos
Squashed 'code/' changes from bd0d799..05c7f19
d756019 
05c7f19 Release 1.2.0 (voxpupuli#76)
92e0fcb fix voxpupuli#74 - ensure table are initialized before flushing them (voxpupuli#75)
942569e Merge pull request voxpupuli#73 from Koumbit/global_chain_not_hardcoded
cf38fe4 create tests for presence of the "global" chain
1a4f336 start declaring the 'global' chain with module resources
ca0e975 Bump version to 1.1.2-rc0 (voxpupuli#72)

git-subtree-dir: code
git-subtree-split: 05c7f19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix #74 - ensure table are initialized before flushing them duritong/puppet-nftables
2 participants
@duritong @nbarrientos