
firewall : Not detecting when iptables -D fails


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 2.7.0
      Puppet Version: 5.5.21
      OS Name/Version: RedHat Enterprise 7

      When I removed a firewall rule from the class being applied to a host, it was not removed on the puppet client.  Puppet agent output even says it's deleting the rule, but the rule remains.  Purge is set to true globally and on the specific chain.  Further testing indicates 'iptables -D' is returning a failure code, but puppet does not detect the failure.

      Desired Behavior:

      Puppet indicates failure when iptables returns non-zero.

      Actual Behavior:

      Removed rule remains after puppet agent is run, despite output claiming the rule was removed.

      After running puppet agent in debug mode, I attempted to run the iptables command listed in the debug output from the command line, but got the error:


      (DEV):[root@wi06vmd-rdns1 state]# iptables -D DNS_server -p udp -m multiport --dports 53 -m recent --set --name DNSFOREIGN --mask 255.255.255.255 --rsource -m set --match-set foreign_IPs_4 src -m comment --comment "490 throttle foreign udp clients"
      iptables: Bad rule (does a matching rule exist in that chain?).
      (DEV):[root@wi06vmd-rdns1 state]# echo $?
      1
      (DEV):[root@wi06vmd-rdns1 state]#


      iptables -D arguments match those used to load this rule in /etc/sysconfig/iptables.

      Puppet output indicated that the removal was successful, despite the non-zero exit code.
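The check the desired behaviour above asks for, as an added example (not code from the reporter or from the puppetlabs-firewall module): run the iptables command, raise on a non-zero exit status instead of continuing, and then confirm with `iptables -C` that the rule really is gone. The iptables invocation is passed in as an argv prefix, and a constructed stand-in script for iptables (which reproduces the "Bad rule" message and exit status 1 from the ticket) is used so the example runs without root or a real netfilter stack; the names `run_checked`, `delete_rule` and `RuleDeleteError` are this example's own.

```ruby
require 'open3'
require 'tmpdir'

# Added example, not puppetlabs-firewall code: fail loudly when iptables
# exits non-zero, then verify the deletion with iptables -C.
class RuleDeleteError < StandardError; end

# Run argv; return stdout on success, raise with the exit status and stderr otherwise.
def run_checked(argv)
  stdout, stderr, status = Open3.capture3(*argv)
  return stdout if status.success?
  raise RuleDeleteError,
        "#{argv.join(' ')} exited #{status.exitstatus}: #{stderr.strip}"
end

# iptables_argv: argv prefix for the iptables binary (e.g. ['iptables']).
# Delete the rule from chain, then check that no matching rule remains.
def delete_rule(iptables_argv, chain, rule_args)
  run_checked([*iptables_argv, '-D', chain, *rule_args])
  # iptables -C exits 0 when a matching rule exists and 1 when it does not.
  _out, _err, still_there = Open3.capture3(*iptables_argv, '-C', chain, *rule_args)
  raise RuleDeleteError, "rule still present in #{chain} after -D" if still_there.success?
  true
end

# Constructed stand-in for iptables so the example runs offline: rules are kept
# one per line (chain followed by its match arguments) in RULES_FILE, and -D on a
# missing rule prints the same "Bad rule" message and exit status 1 as the ticket.
FAKE_IPTABLES_BODY = <<~'SH'
  op="$1"; shift
  rule="$*"
  case "$op" in
    -A) echo "$rule" >> "$RULES_FILE" ;;
    -C) grep -Fxq -- "$rule" "$RULES_FILE" ;;
    -D) if grep -Fxq -- "$rule" "$RULES_FILE"; then
          grep -Fxv -- "$rule" "$RULES_FILE" > "$RULES_FILE.tmp"
          mv "$RULES_FILE.tmp" "$RULES_FILE"
        else
          echo "iptables: Bad rule (does a matching rule exist in that chain?)." >&2
          exit 1
        fi ;;
    *)  echo "fake iptables: unsupported op $op" >&2; exit 2 ;;
  esac
SH

# Yield an argv prefix that runs the fake iptables against a fresh rules file.
def with_fake_iptables
  Dir.mktmpdir do |dir|
    rules = File.join(dir, 'rules')
    File.write(rules, '')
    script = File.join(dir, 'iptables.sh')
    File.write(script, "#!/bin/sh\nRULES_FILE='#{rules}'\n#{FAKE_IPTABLES_BODY}")
    yield ['sh', script]
  end
end

# Demo: add a rule, delete it (succeeds), delete it again (must raise, not pass
# silently). Returns [first_result, second_error_message].
def demo
  with_fake_iptables do |ipt|
    rule = ['-p', 'udp', '-m', 'multiport', '--dports', '53',
            '-m', 'comment', '--comment', '490 throttle foreign udp clients']
    run_checked([*ipt, '-A', 'DNS_server', *rule])
    first = delete_rule(ipt, 'DNS_server', rule)
    second = begin
      delete_rule(ipt, 'DNS_server', rule)
    rescue RuleDeleteError => e
      e.message
    end
    [first, second]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The second `-D` is the situation in the ticket: the rule is already absent, iptables exits 1, and a wrapper that looks only at whether the command ran, not at its exit status, would report the removal as done. Checking the status and re-probing with `-C` catches both a failed delete and a delete that "succeeded" against a different rule than intended.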


            People

Assignee:
Unassigned
Reporter:
Mark Nejedlo (mnejedlotds)
