
Improve firewalld support #304

Merged: 24 commits, Jan 3, 2025
Conversation

decoyjoe (Contributor)

Description

I started out meaning to just fix a couple of bugs with the firewalld provider. I ended up needing to refactor and modernize the firewalld implementation in order to get it into a supportable state. Many bugs were fixed along the way.

Key changes in this release:

  • Rich Rules on firewalld: The firewall_rule resource now creates rich rules on firewalld platforms instead of using the deprecated --direct interface.
  • Flexible firewall selection: The cookbook now uses the default['firewall']['solution'] attribute to determine the firewall solution to use instead of a hardcoded assignment for each platform. It defaults to the platform's native firewall (same as previous hardcoded values).
  • Firewalld 2.0.0: Platforms using firewalld 2.0.0 and later, such as RHEL 10 and Ubuntu 24.04, are now supported.

Added

  • Support for firewalld 2.0.0 and the platforms that use it; RHEL 10 and Ubuntu 24.04.
    • priority, ingress_priority, egress_priority properties added to firewalld_zone.
  • Added firewalld_rich_rule resource for adding/removing rich rules to/from firewalld zones.
  • Support for IPv6 rules on firewalld platforms.
  • Support for using any compatible firewall solution on any platform. Defaults to the operating system's default firewall solution.

Changed

  • Ensure firewalld service remains enabled and started when installed.
  • firewall_rule resource now creates rich rules on firewalld platforms, instead of using the deprecated --direct firewalld interface.

Fixed

  • Fixed: firewall_rule resource fails with a "--zone is an invalid option with --direct" error on firewalld.
  • Fixed: New zones created by firewalld_zone unexpectedly have forwarding enabled by default.
  • Fixed: firewalld_* resources ignore properties whose value is false.
  • Fixed: firewalld_* resources were not idempotent when using ports, source_ports, and rich_rules properties.
  • Fixed: ufw provider doesn't ensure ufw service is enabled.

Removed

  • Removed deprecated disabled property from firewall resource.
  • Removed all default['firewall']['firewalld'] attributes. Use the firewalld_zone resource to manage firewalld zone configuration.
  • Removed firewalld action :save from firewall resource. Firewalld rules are now always added permanently.
  • Removed firewalld property permanent from firewall_rule resource. Firewalld rules are now always added permanently.
  • Removed properties disabled_zone and enabled_zone from firewall resource. Use the firewalld_zone resource to manage firewalld zone configuration.
  • Removed recipe firewall::firewalld. Its functionality has been merged into the firewall::default recipe.
  • Removed attributes default['firewall']['ubuntu_iptables'] and default['firewall']['redhat7_iptables']. Use the new default['firewall']['solution'] attribute to set the desired firewall solution to use.

Issues Resolved

Check List

  • A summary of changes made is included in the CHANGELOG under ## Unreleased
  • New functionality includes testing.
  • New functionality has been documented in the README if applicable.
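The rich-rule approach and the idempotency fix described above, as an added Ruby example that is not the cookbook's own code: it builds zone-scoped firewalld rich rules (IPv4 or IPv6, optional priority) and diffs them against a constructed sample of "--list-rich-rules" output so that repeated runs change nothing. The helper names and the sample output are assumptions.

```ruby
# Added example (not the firewall cookbook's own code). Builds firewalld rich
# rules the way a firewall_rule on firewalld needs them (zone-scoped, IPv4 or
# IPv6) and computes an idempotent add/remove plan against the zone's current
# rich rules.

require 'ipaddr'

# Construct a rich rule string. The family is derived from the source address
# when one is given and defaults to ipv4 otherwise. Only a subset of the
# rich-rule grammar is modelled here; keep the attribute order consistent with
# how firewalld prints rules, because the plan below compares whole strings.
def rich_rule(port:, protocol: 'tcp', action: 'accept', source: nil, priority: nil)
  family = source && IPAddr.new(source).ipv6? ? 'ipv6' : 'ipv4'
  parts = ['rule']
  parts << %(priority="#{priority}") if priority
  parts << %(family="#{family}")
  parts << %(source address="#{source}") if source
  parts << %(port port="#{port}" protocol="#{protocol}")
  parts << action
  parts.join(' ')
end

# Constructed sample (assumption): what
#   firewall-cmd --permanent --zone=public --list-rich-rules
# might print on a host that already has two rules in the zone.
CURRENT_RULES = <<~OUT
  rule family="ipv4" source address="10.0.0.0/8" port port="22" protocol="tcp" accept
  rule family="ipv6" source address="2001:db8::/32" port port="443" protocol="tcp" accept
OUT

# Idempotency: add only rules that are missing and remove only rules that are
# present but no longer desired. A second run with the same inputs yields an
# empty plan, which is what the resource's converge should report as "up to date".
def plan(desired, current_output)
  current = current_output.lines.map(&:strip).reject(&:empty?)
  { add: desired - current, remove: current - desired }
end

if __FILE__ == $PROGRAM_NAME
  desired = [
    rich_rule(port: 22, source: '10.0.0.0/8'),
    rich_rule(port: 443, source: '2001:db8::/32'),
    rich_rule(port: 80),
  ]
  puts plan(desired, CURRENT_RULES).inspect
end
```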

Suites now correctly test against all compatible platforms for each
firewall solution.

Signed-off-by: Joseph Larionov <[email protected]>

The resource was specifying --zone when creating --direct rules, which
is not allowed for direct rules in firewalld.

Fixes sous-chefs#298

Signed-off-by: Joseph Larionov <[email protected]>

The firewalld_zone resource has been updated to support priority,
ingress_priority, and egress_priority zone options introduced in
firewalld 2.0.0.

As a result, this update extends support to RHEL 10, its derivatives,
and Ubuntu 24.04, all of which utilize firewalld 2.0.0 or later.

Signed-off-by: Joseph Larionov <[email protected]>

Signed-off-by: Joseph Larionov <[email protected]>

Refactors firewalld support to use rich rules instead of the "--direct"
interface, which was deprecated with the firewalld 1.0.0 release [1].

Adds IPv6 support for firewalld platforms (fixes sous-chefs#86).

[1] https://firewalld.org/2021/06/the-upcoming-1-0-0

Signed-off-by: Joseph Larionov <[email protected]>

Signed-off-by: Joseph Larionov <[email protected]>
decoyjoe (Contributor, Author)

Bonus fix: All kitchen tests now run successfully in GitHub Actions CI.

@decoyjoe decoyjoe marked this pull request as ready for review January 2, 2025 17:31
@decoyjoe decoyjoe requested a review from a team as a code owner January 2, 2025 17:31
@bmhughes bmhughes added Release: Major Release to Chef Supermarket as a major change when merged Bug Something isn't working Feature Request Enhancement to existing functionality or new functionality labels Jan 3, 2025

bmhughes commented Jan 3, 2025

Wow @decoyjoe! Thanks for this, really great job. I'll get this released now.

@bmhughes bmhughes merged commit b8ec824 into sous-chefs:main Jan 3, 2025
169 checks passed
kitchen-porter (Contributor)

Released as: 7.0.0


decoyjoe commented Jan 3, 2025

Thanks! I'll keep an eye on the repo's issues in case a new bug crops up due to this refactor.


decoyjoe commented Jan 3, 2025

I should have surveyed the open issues a bit better before creating the PR. I found these open issues that are all fixed by this PR:

@decoyjoe decoyjoe restored the fix-firewalld-support branch January 4, 2025 16:53