Module Version: 2.7.0
Puppet Version: 5.5.21
OS Name/Version: RedHat Enterprise 7
When I removed a firewall rule from the class being applied to a host, it was not removed on the puppet client. Puppet agent output even says it's deleting the rule, but the rule remains. Purge is set to true globally and on the specific chain. Further testing indicates 'iptables -D' is returning a failure code, but puppet does not detect the failure.
Expected behavior: Puppet indicates failure when iptables returns non-zero.
Actual behavior: Removed rule remains after puppet agent is run, despite output claiming the rule was removed.
After running puppet agent in debug mode, I attempted to run the iptables command listed in the debug output from the command line, but got the error:
(DEV):[root@wi06vmd-rdns1 state]# iptables -D DNS_server -p udp -m multiport --dports 53 -m recent --set --name DNSFOREIGN --mask 255.255.255.255 --rsource -m set --match-set foreign_IPs_4 src -m comment --comment "490 throttle foreign udp clients"
iptables: Bad rule (does a matching rule exist in that chain?).
(DEV):[root@wi06vmd-rdns1 state]# echo $?
The iptables -D arguments match those used to load this rule in /etc/sysconfig/iptables.
Puppet output indicated that the removal was successful, despite the non-zero exit code.