From 73900b8dbad28c7362f2773f7a350c01960e8082 Mon Sep 17 00:00:00 2001
From: Ruel Tmeizeh - RuhNet
Date: Thu, 20 Feb 2025 18:47:04 -0500
Subject: [PATCH] Fix stale cache when state is inconsistent
If a firewall rule is added to allow an IP address, it is cached. When a user manually runs `firewall-cmd --reload` with this daemon running, any cached record would remain, even though reloading FirewallD would cause it to actually be removed from the rules. When Kazoo sends an AMQP message to the daemon to remove the rule, the command would be run and would fail, since the rule no longer exists on the firewall. Before, the cached record remained, so subsequent commands from Kazoo to add it would be ignored, since the daemon "thinks" it still has the rule in the firewall. Removing the cached record BEFORE trying to run the command to remove it (which correctly fails) fixes the issue and makes sure that the state of the cache tracks the actual firewall state better.
---
 firewall.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/firewall.go b/firewall.go
index 9cba929..1af8ed9 100644
--- a/firewall.go
+++ b/firewall.go
@@ -122,13 +122,14 @@ func firewallDelete(ipaddr, portstring string) error {
 logit(5, "Firewall removing from zone '"+zone+"': "+ipaddr)
+ ipcache.Remove(ipaddr)
+ //ipcache.Remove(ipaddr+":"+pp.Port+"/"+pp.Proto)
+
 fwOutput, err := exec.Command("firewall-cmd", "--zone="+zone, "--remove-source="+ipaddr).CombinedOutput()
 if err != nil {
 logit(3, "Error executing firewall-cmd: "+err.Error()+" OUTPUT: "+string(fwOutput))
 return errors.New("Error executing firewall-cmd: " + err.Error())
 }
- ipcache.Remove(ipaddr)
- //ipcache.Remove(ipaddr+":"+pp.Port+"/"+pp.Proto)
 return nil
 }
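Review bot: Calling `ipcache.Remove(ipaddr)` before `firewall-cmd` runs means the cache entry is dropped on every failure, not only the "rule already gone after a reload" case the commit message describes. If the command fails for another reason (firewalld stopped, D-Bus timeout, binary missing), the source stays allowed in the zone while the daemon no longer tracks it, so an access grant that should have been revoked persists with nothing marking it for retry. Consider telling the two cases apart on the error path, for example by confirming with `firewall-cmd --zone=<zone> --query-source=<ip>` or by checking `fwOutput` for the not-enabled result, and emitting a distinct log line such as `logit(3, "Source may still be allowed in zone '"+zone+"': "+ipaddr)` when the rule's absence cannot be confirmed. The body of firewallDelete, including where `zone` is set, starts outside this hunk, so how the error return is handled by the caller is not visible here.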