For the last few weeks, I have been busy building edge-routers in Chef (more on that later). And while I was at it, I fixed a bunch of stuff in the Advanced FireWall cookbook. There is enough bugfixes and new features to release a new version of the cookbook, so, 8 weeks after 0.0.4, allow me to introduce AFW 0.0.5 .
First and foremost, I would like to thank jeremiahsnapp and elliotkendallUCSF for submitting pull requests via github. It's always pleasant to receive help from others ;)
Now, on the list of (significant) changes:
ed12e60 - Check rule interface with nil? in addition to empty?; look for node ip under 'ipaddress' in addition to 'network''lanip', by elliotkendallUCSF
At AWeber, we use a custom Ohai attribute to select the IP of the interface that's on the LAN. Most of the time, this is eth0. We do this because Chef will use the interface that has the default gateway in node'ipaddress', and we don't always set the default gateway on the interface that's on the LAN. Anyway, lanip is a custom attribute that will not exist on other Chef installation. This fix will fallback to using node'ipaddress' if lanip doesn't exist, which is cleaner.
0a0d682 - Add init & upstart scripts
This use to not be needed because we were running Chef as a daemon, and it would run as part of the boot process and load the firewall rules. But it appears that Chef doesn't always clean up correctly, and we ended up with systems that were going down because of chef runs not finishing properly and consuming tons of memory. Instead, we decided to run Chef as a cron job every 30 minutes. As a result, the firewall isn't loaded by Chef anymore, and this commit provides init scripts for both upstart and classic initd.
9c6af65 - Do not use the default network interface by default, simply do not specify one
This is a rather significant change: previously, when no interface was specified, AFW would use the default one (often eth0). But it creates tons of problems on routers that have many interfaces, so instead of multiplying the number of rule, we decided to remove the interface constraint. The new behavior is: if no interface is specific, the iptables rule will not contain an interface parameter, effectively allowing all interfaces. This is mostly OK because all rules are required to have either a source or a destination, so we still limit rule to only a few hosts.
72c4f27 - Fix missing node parameter for creation of predefined rules
The AFW mode AFW.create_rule() wasn't working right with predefined rules. This fixes it.
bd603ff - Add OSPF support
OSPF uses multicast, and is another protocol on top of IP. This commit simply adds it to the list of allowed protocols.
484f07e - Resolve FQDN into IPs before writing the rule
After adding the upstart script, we notice that the rule wouldn't get loaded as part of the boot process. The issue was that trying to resolve FQDNs into IPs too early breaks upstart. So, instead, we decided to do the DNS resolution in AFW, and only store IPs in the ruleset. This is cleaner anyway, and ensure that iptables-restore will always be fast.
81dd201 - Skip rules that fail validation
We use VLANs, and we configure then with Chef using a specific cookbook. The problem is, we run into a race condition when the VLAN interface doesn't exist yet, but AFW tries to create a rule for it. This commit makes AFW skip the rules that have network interfaces that don't exist. The failure will be logged, and the chef run will continue.
f607a16 - Clean up AFW node attributes at the end of Chef Run
AFW was previously storing rules as node attributes on the chef server. This creates problems when rules are removed from the roles or cookbooks, but not from the chef server. This commit makes AFW clean up all the rules after the ruleset template is created. No more stale rules.
That's it. Not a lot of lines a code, but quite a few changes. Those changes are stable and shouldn't create any problem, but feel free to report issues on github if something comes up.