Description
Describe the Bug
When debugging the upgrade to v7 of puppetlabs-firewall, our rules stopped working. We were getting

```
Creating: Failed after 0.012428 seconds: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Coldfront::Firewall/Firewall_multi[006 Blocked IPs (tcp)]/Firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Could not evaluate: Execution encountered an error
```
After a lot of debugging, I found that the regex in `def self.rule_to_name` was getting confused with the `-A` in our firewall chain named `COLDFRONT-ACCESS`.
See the debug output I had added here:
```
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: List command execute result "# Generated by iptables-save v1.8.8 (nf_tables) on Tue Oct 24 18:06:03 2023\n*filter\n:INPUT ACCEPT [40051:14954037]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [270851:177330168]\n:COLDFRONT-ACCESS - [0:0]\n:DROPFORT-ACCESS - [0:0]\n:DROPFORT-DENY - [0:0]\n:DROPFORT-SMURF-PROTECTION - [0:0]\n:DROPFORT-SYN-FLOOD - [0:0]\n:DROPFORT-TCP-DDOS - [0:0]\n:DROPFORT-UNMANAGED - [0:0]\n:ZABBIX-AGENT - [0:0]\n-A INPUT -p icmp -j ACCEPT\nCOMMIT\n# Completed on Tue Oct 24 18:06:03 2023\n"
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Listing for table *filter
:INPUT ACCEPT [40051:14954037]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270851:177330168]
:COLDFRONT-ACCESS - [0:0]
:DROPFORT-ACCESS - [0:0]
:DROPFORT-DENY - [0:0]
:DROPFORT-SMURF-PROTECTION - [0:0]
:DROPFORT-SYN-FLOOD - [0:0]
:DROPFORT-TCP-DDOS - [0:0]
:DROPFORT-UNMANAGED - [0:0]
:ZABBIX-AGENT - [0:0]
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Tue Oct 24 18:06:03 2023
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: This is a Rule ["-ACCESS - [0:0]"]
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: is a name
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: past resource map
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Name Value is
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Rule hash is {:ensure=>"present", :table=>"filter", :protocol=>"IPv4"}
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Resource map is -A
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Chain regex (?-mix:-A\s(\S+))
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: this is the rule -ACCESS - [0:0]
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Chain scan layers []
Error: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Failed after 0.012428 seconds: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Coldfront::Firewall/Firewall_multi[006 Blocked IPs (tcp)]/Firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Could not evaluate: Execution encountered an error
```
You can see it thought the name of the chain was a firewall rule.
Expected Behavior
Allow any valid string to be used as a firewall chain name.
Steps to Reproduce
- Create a firewall chain named `SOMETHING-ACCESS`
- Try to add a firewall rule that jumps to that chain
Environment
- Version 7.0.2
- Platform Rocky 9
Additional Context
It also matches on the `:ZABBIX-AGENT - [0:0]` string.
These firewall chain names worked fine in earlier versions as well.
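To illustrate the parsing mistake described in this report, the following Ruby is an added example, not code from puppetlabs-firewall: it runs the chain regex shown in the debug output (`-A\s(\S+)`) over a constructed iptables-save excerpt, first with a hypothetical unanchored rule scan that reproduces the `-ACCESS - [0:0]` "rule", then with a line-anchored parse that keeps chain declarations and rules apart. The unanchored regex is my reconstruction of the behaviour, not the module's actual code.

```ruby
# Constructed iptables-save excerpt, modelled on the listing in this issue,
# with chain names that contain "-A" (COLDFRONT-ACCESS, ZABBIX-AGENT).
SAVE_OUTPUT = <<~'SAVE'
  # Generated by iptables-save v1.8.8 (nf_tables)
  *filter
  :INPUT ACCEPT [40051:14954037]
  :COLDFRONT-ACCESS - [0:0]
  :ZABBIX-AGENT - [0:0]
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -s 50.63.2.0 -p tcp -j COLDFRONT-ACCESS
  COMMIT
SAVE

# The chain regex printed in the issue's debug output.
CHAIN_REGEX = /-A\s(\S+)/

# Hypothetical reconstruction of the bug: match "-A" anywhere on a line, so a
# chain declaration such as ":COLDFRONT-ACCESS - [0:0]" is truncated to
# "-ACCESS - [0:0]" and handed on as if it were a rule.
def rules_unanchored(listing)
  listing.scan(/-A.*$/)
end

# Hardened parse: a rule is a line that starts with "-A "; a chain declaration
# starts with ":" and is collected separately instead of being mistaken for a rule.
def parse_listing(listing)
  rules = []
  chains = []
  listing.each_line do |raw|
    line = raw.chomp
    if line.start_with?('-A ')
      rules << line
    elsif line.start_with?(':')
      chains << line.split(' ', 2).first[1..]
    end
  end
  { rules: rules, chains: chains }
end

# Chain lookup that returns nil for a malformed "rule" instead of raising the
# NoMethodError on nil seen in the report.
def chain_of(rule)
  m = rule.match(CHAIN_REGEX)
  m && m[1]
end

if __FILE__ == $PROGRAM_NAME
  rules_unanchored(SAVE_OUTPUT).each { |r| puts "unanchored: #{r.inspect} -> #{chain_of(r).inspect}" }
  parse_listing(SAVE_OUTPUT)[:rules].each { |r| puts "anchored:   #{r.inspect} -> #{chain_of(r).inspect}" }
end
```

The unanchored scan yields two bogus entries (`-ACCESS - [0:0]` and `-AGENT - [0:0]`) whose chain lookup is nil, whereas the anchored parse returns only the two real rules, both in chain INPUT.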