This repository has been archived by the owner on Dec 16, 2020. It is now read-only.

ufw::allow any:all unless not matching #41

Open
exptom opened this issue Mar 3, 2015 · 4 comments

exptom commented Mar 3, 2015

Hi,

I have a particular firewall rule that gets executed on every puppet run because the unless statement is never matching.

ufw::allow { "allow-replication-from-${::fqdn}":
  proto => 'tcp',
  from  => $replication_ip,
  ip    => 'any',
}

This produces this ufw rule:

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       10.0.0.10/tcp

Which is handled by line 23 of allow.pp

'any:all'    => "ufw status | grep -qE ' +ALLOW +${from_match}$'",

The problem is the regex is ensuring that ${from_match} is at the end of the output, but the output actually ends with the protocol (/tcp in this case).

There seem to be some cases when a From IP is not suffixed with the protocol, so the regex needs adjusting to account for both cases.

Could the regex be changed to this?

'any:all'    => "ufw status | grep -qE ' +ALLOW +${from_match}(/${proto})?$'",
attachmentgenie (Owner) commented

My regex foo is a bit rusty, but do feel free to turn this into some unit tests. That would be most welcome.

exptom (Author) commented Mar 4, 2015

I haven't got any experience of that but I'll give it a go :)

flavius commented Jun 10, 2016

@exptom, @attachmentgenie I still have this issue with rules using the following parameters:

"allow-tcp-from-OLD_Frontend" => array("type" => "allow", "from" => "x.x.x.x", "proto" => "tcp", "port" => "all", "ip" => "any"),
"allow-tcp-from-OLD_Backend" => array("type" => "allow", "from" => "x.x.x.x", "proto" => "tcp", "port" => "all", "ip" => "any"),
"allow-tcp-from-OLD_Service" => array("type" => "allow", "from" => "x.x.x.x", "proto" => "tcp", "port" => "all", "ip" => "any"),

The problematic line is

'any:all'    => "grep -qE ' +ALLOW +${from_match}$'",

if I change it to

'any:all'    => "ufw status | grep -qE ' +ALLOW +${from_match}${proto_match}$'",

then it works.
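
The idempotency check discussed in exptom's report and in flavius's comment, reproduced as an added example; this is not code from the issue or from the puppet-ufw module. It runs the original `unless` regex from allow.pp and a variant that tolerates an optional "/<proto>" suffix against a constructed `ufw status` listing (the sample output, the `escape_re` helper and the function names are all assumptions of this example, not part of the module). flavius's `${from_match}${proto_match}$` form requires the suffix; the optional group below covers both the suffixed and the unsuffixed From columns exptom observed.

```shell
# Added example, not code from the issue or the puppet-ufw module: reproduce
# the `unless` check from allow.pp against constructed `ufw status` output
# and compare the original regex with a variant that accepts an optional
# "/<proto>" suffix in the From column.

# Constructed sample of `ufw status` output. The first rule carries the
# protocol suffix that made the original check fail; the second does not.
UFW_STATUS_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       10.0.0.10/tcp
Anywhere                   ALLOW       10.0.0.20
22/tcp                     ALLOW       Anywhere'

# Escape the dots in an address so "10.0.0.10" matches only itself in the
# extended regex, not "10a0b0c10". The module interpolates the address raw;
# this escaping is an added precaution, not part of the original check.
escape_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Original check from allow.pp: the From address must end the line, so a rule
# whose From column reads "10.0.0.10/tcp" is never found and the resource is
# re-applied on every Puppet run. Exit 0 means "rule found", 1 "not found".
original_check() {
  from_match=$(escape_re "$1")
  printf '%s\n' "$UFW_STATUS_SAMPLE" | grep -qE " +ALLOW +${from_match}\$"
}

# Proposed check: accept an optional "/<proto>" after the address, so both
# "10.0.0.10/tcp" and "10.0.0.20" are recognised for the requested protocol,
# while a rule for a different protocol is still reported as missing.
proposed_check() {
  from_match=$(escape_re "$1")
  proto=$2
  printf '%s\n' "$UFW_STATUS_SAMPLE" | grep -qE " +ALLOW +${from_match}(/${proto})?\$"
}

# Print one check's verdict as "found" or "missing" so the comparison is visible.
show() {
  label=$1; shift
  if "$@"; then printf '%-36s found\n' "$label"; else printf '%-36s missing\n' "$label"; fi
}

show 'original, 10.0.0.10 (has /tcp)' original_check 10.0.0.10
show 'original, 10.0.0.20 (no proto)' original_check 10.0.0.20
show 'proposed, 10.0.0.10 tcp'        proposed_check 10.0.0.10 tcp
show 'proposed, 10.0.0.20 tcp'        proposed_check 10.0.0.20 tcp
show 'proposed, 10.0.0.10 udp'        proposed_check 10.0.0.10 udp
```

The first line of output is the bug from the report: the suffixed rule is "missing" under the original regex even though ufw has it. The last line shows why the protocol stays in the pattern rather than being matched with a wildcard: a tcp rule must not satisfy the `unless` for a udp resource, or the udp rule would silently never be added.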

igalic (Collaborator) commented Jun 15, 2016

wow, how did this ever work??
