MODULES-10591: firewall: execute rule deletions after rule additions



    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
    • Environment: Debian Stretch/Buster
    • Template: MODULES Bug Template
    • Method Found: Needs Assessment
    • QA Risk Assessment: Needs Assessment


      Module Version: 2.2.0
      Puppet Version: 6.12
      OS Name/Version: Debian Stretch/Buster

      Desired Behavior:

      Purge rules with ensure: absent after the addition of rules with ensure: present.

      Actual Behavior:

      Hi there,

      I started to test the firewall module from puppetlabs. I have noticed that rules which should be purged (ensure: absent) are deleted before the addition of "valid" (ensure: present) rules. It can lead to unpleasant errors in case there is a change in rule names (or numbers), e.g. the changed rules will be marked as absent, deleted from the firewall, and then added later in the Puppet run. This can result in the firewall blocking valid connections.

      Precondition: purge rules in chains.

      When I set purge for a FW chain, e.g.:

      firewallchain { 'INPUT:filter:IPv4':
        ensure => present,
        policy => drop,
        purge  => true,
        before => undef,
      }


      I see that a relation is added that the FW chain should run before the FW rule:
      Debug: /Stage[main]/my_firewall::Post/Firewallchain[INPUT:filter:IPv4]/before: before to Firewall[0001 accept all to lo interface using provider iptables]


      When the FW chain is applied before the FW rule, it purges obsolete rules before the new rules are applied. If I add a relation that FW chains should run after FW rules, it ends up in a dependency cycle.


      Furthermore, when I don't use purge => true in the FW chain, the above relation (i.e. FW chain before FW rules) isn't created / added into the catalogue. Unfortunately I cannot find what code does it; it seems to be some Puppet auto-magic ...


      Is there any workaround for this issue?


      EDIT: I was able to hot-fix it with the following collectors. I guess it works only for built-in chains, as non-built-in ones need to be created before the FW rules which require them.

      Firewall <| ensure == 'present' and chain == 'INPUT' |> -> Firewallchain <| ensure == 'present' |>
      Firewall <| ensure == 'present' and chain == 'OUTPUT' |> -> Firewallchain <| ensure == 'present' |>
      Firewall <| ensure == 'present' and chain == 'FORWARD' |> -> Firewallchain <| ensure == 'present' |>
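A complete manifest showing how the pieces in this report fit together (a purged built-in chain, managed rules, and the reporter's collector workaround), added here as an example; it is not code from the ticket or from the puppetlabs-firewall module, and the class name `my_firewall` and the rule titles are assumptions:

```puppet
# Added example, not the reporter's manifest or the module's own code.
# The class name and the rule titles below are assumptions.
class my_firewall {
  # Built-in chain managed with purge => true: any rule in INPUT that is
  # not declared in the catalogue is removed on each run.
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => drop,
    purge  => true,
  }

  # Managed rules. If a title is renamed (e.g. '0010 ...' -> '0011 ...'),
  # the rule under the old title becomes unmanaged and is purged. Without
  # the ordering below, that purge runs before the renamed rule is added,
  # leaving a window in which the traffic it allows is dropped.
  # ensure is set explicitly so the collector below matches each rule.
  firewall { '0001 accept all to lo interface':
    ensure  => present,
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '0002 accept related/established':
    ensure => present,
    chain  => 'INPUT',
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '0010 accept ssh':
    ensure => present,
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => 22,
    action => 'accept',
  }

  # Workaround from the report: for the built-in INPUT chain, apply the
  # present rules before the chain resource, so the purge of stale rules
  # happens after the additions. This is restricted to built-in chains on
  # purpose: a custom chain has to exist before the rules that reference
  # it (firewall rules require their chain), so the same collector applied
  # to a custom chain would produce a dependency cycle.
  Firewall <| ensure == 'present' and chain == 'INPUT' |>
    -> Firewallchain <| ensure == 'present' and title == 'INPUT:filter:IPv4' |>
}
```

Apply with `puppet apply` on a test host and run it twice after renaming one rule title: on the second run the renamed rule is added first and the stale copy is purged afterwards, so the allowed traffic is never blocked between the two steps.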






    • Assignee: Unassigned
    • Reporter: E Adrian