[pve-devel] making the firewall more robust?

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Nov 29 10:24:14 CET 2016


On Tue, Nov 29, 2016 at 10:10:53AM +0100, Stefan Priebe - Profihost AG wrote:
> Hello,
> 
> today I've noticed that the firewall is nearly inactive on a node.
> 
> systemctl status says:
> Nov 29 10:07:05 node2 pve-firewall[2534]: status update error:
> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
> CIDR parameter of the IP address is invalid
> Nov 29 10:07:14 node2 pve-firewall[2534]: status update error:
> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
> CIDR parameter of the IP address is invalid
> Nov 29 10:07:24 node2 pve-firewall[2534]: status update error:
> ipset_restore_cmdlist: ipset v6.23: Error in line 3: The value of the
> CIDR parameter of the IP address is invalid
> 
> So it seems that the whole firewall breaks if there is somewhere
> something wrong.
> 
> I think especially for the firewall it's important to just skip that
> line but process all other values.
> 
> What is your opinion? Any idea how to "fix" that?

that bug should already be fixed in git AFAIK.

there are two problems with partially applying firewall rules:
- we don't know which rules are invalid (because of course we try to
  generate valid rules, errors like the above are clearly bugs ;)) - we
  could guess based on some error message by the underlying tools, but
  that is error prone
- applying some rules but not all can have as catastrophic consequences
  as not applying any (e.g., if you miss a single ACCEPT rule because of
  a bug, you might not be able to access your cluster at all!)

bugs such as the above do not occur very often (a quick scan of the log
shows the last bug fixes before the current one were in June) and the
firewall is in general a very stable package with a conservative update
policy.

we could of course implement some kind of error detection and skipping
with an opt-in configuration option - but I am not sure whether this
will not make things more confusing and complicated?
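As an added illustration of the all-or-nothing argument above (this is not pve-firewall's own code; the set name and entries are constructed, and the create/add lines follow `ipset restore` syntax), a small pre-check in Python that locates an invalid CIDR before the batch ever reaches ipset, refuses the whole batch by default, and drops bad lines only with an explicit opt-in while still reporting them:

```python
import ipaddress

# Constructed sample of an `ipset restore` command list (create/add line
# syntax as used by ipset); the set name is a placeholder, and line 3 carries
# the kind of bad CIDR (/33 on IPv4) that makes ipset abort the whole restore.
SAMPLE_CMDLIST = [
    "create example-mgmt-v4 hash:net family inet hashsize 64 maxelem 64",
    "add example-mgmt-v4 192.0.2.0/24",
    "add example-mgmt-v4 198.51.100.7/33",
    "add example-mgmt-v4 203.0.113.0/25",
]


def check_cmdlist(lines):
    """Validate every `add` entry up front.

    Returns (valid_lines, errors) where errors is a list of
    (line_no, line, reason); line numbers are 1-based like ipset's
    "Error in line N" message so the offending entry can be located.
    """
    valid, errors = [], []
    for no, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "add":
            try:
                # strict=False: ipset accepts host bits set, e.g. 10.1.2.3/24
                ipaddress.ip_network(parts[2], strict=False)
            except ValueError as exc:
                errors.append((no, line, str(exc)))
                continue
        valid.append(line)
    return valid, errors


def plan_apply(lines, skip_invalid=False):
    """Decide what to hand to `ipset restore`.

    Default is all-or-nothing: any invalid entry blocks the whole batch and
    is reported, so a half-applied set never goes live unnoticed. With the
    opt-in skip_invalid=True the bad lines are dropped and the rest applied,
    but the errors are still returned so they can be logged.
    """
    valid, errors = check_cmdlist(lines)
    apply = not errors or skip_invalid
    return {"apply": apply, "lines": valid if apply else [], "errors": errors}
```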
