MODULES-1223 (project: Modules)

firewallchain tries to be removed before its firewall rules

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Story Points: 2
    • Sprint: MODS 2014-12-17, MODS 2015-01-07

      Description

      I was playing around with your examples:

      test.pp

      # test.pp
      # Set to 'present' to create the chain and rules, 'absent' to remove them.
      $ensure = 'present'

      firewall { '100 forward to MY_CHAIN':
        ensure  => $ensure,
        chain   => 'INPUT',
        jump    => 'MY_CHAIN',
      }
      # The namevar here is in the format chain_name:table:protocol
      firewallchain { 'MY_CHAIN:filter:IPv4':
        ensure  => $ensure,
      }
      firewall { '100 my rule':
        ensure  => $ensure,
        chain   => 'MY_CHAIN',
        action  => 'accept',
        proto   => 'tcp',
        dport   => 5000,
      }

      (I've just added the ensure parameter).

      When ensure is set to present, the firewall rules and chain are created as expected:

      with_ensure_present

      # puppet apply test.pp
      Notice: /Stage[main]/Main/Firewallchain[MY_CHAIN:filter:IPv4]/ensure: created
      Notice: /Stage[main]/Main/Firewall[100 forward to MY_CHAIN]/ensure: created
      Notice: /Stage[main]/Main/Firewall[100 my rule]/ensure: created
      Notice: Finished catalog run in 1.51 seconds
       
      # iptables -L -n
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      MY_CHAIN   tcp  --  0.0.0.0/0            0.0.0.0/0           /* 100 forward to MY_CHAIN */ 
       
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination         
       
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination         
       
      Chain MY_CHAIN (1 references)
      target     prot opt source               destination         
      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 5000 /* 100 my rule */ 
      

      I then just tried to remove those rules/chains and reset my system to its initial state by setting ensure to absent.

      with_ensure_absent

      # puppet apply test.pp
      Error: Execution of '/sbin/iptables -t filter -X MY_CHAIN' returned 1: iptables: Too many links.
      Error: /Stage[main]/Main/Firewallchain[MY_CHAIN:filter:IPv4]/ensure: change from present to absent failed: Execution of '/sbin/iptables -t filter -X MY_CHAIN' returned 1: iptables: Too many links.
      Notice: /Firewall[100 forward to MY_CHAIN]: Dependency Firewallchain[MY_CHAIN:filter:IPv4] has failures: true
      Warning: /Firewall[100 forward to MY_CHAIN]: Skipping because of failed dependencies
      Notice: /Firewall[100 my rule]: Dependency Firewallchain[MY_CHAIN:filter:IPv4] has failures: true
      Warning: /Firewall[100 my rule]: Skipping because of failed dependencies
      Notice: Finished catalog run in 0.82 seconds
      
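One way to work around the ordering problem, as an added example that is not part of the issue or of the puppetlabs-firewall module's own code: the manifest below keeps the same three resources and adds explicit relationships so that, when ensure is absent, both rules referencing MY_CHAIN are removed before `iptables -X` runs on the chain. It assumes that an explicit relationship overrides the autorequire the firewall type places on its chain, which is what orders the chain first in the failing run above.

```puppet
# Added example (not from the issue or the module). Same resources as test.pp,
# plus explicit ordering that depends on the value of $ensure.
$ensure = 'absent'   # 'present' to build, 'absent' to tear down

firewallchain { 'MY_CHAIN:filter:IPv4':
  ensure => $ensure,
}

firewall { '100 forward to MY_CHAIN':
  ensure => $ensure,
  chain  => 'INPUT',
  jump   => 'MY_CHAIN',
}

firewall { '100 my rule':
  ensure => $ensure,
  chain  => 'MY_CHAIN',
  action => 'accept',
  proto  => 'tcp',
  dport  => 5000,
}

if $ensure == 'absent' {
  # Teardown: remove the jump from INPUT and the rule inside MY_CHAIN first,
  # so that deleting the chain no longer fails with "Too many links".
  Firewall['100 forward to MY_CHAIN'] -> Firewallchain['MY_CHAIN:filter:IPv4']
  Firewall['100 my rule']             -> Firewallchain['MY_CHAIN:filter:IPv4']
} else {
  # Creation: the chain must exist before any rule jumps to it or lives in it.
  Firewallchain['MY_CHAIN:filter:IPv4'] -> Firewall['100 forward to MY_CHAIN']
  Firewallchain['MY_CHAIN:filter:IPv4'] -> Firewall['100 my rule']
}
```

Running `puppet apply` with `$ensure = 'absent'` should then remove the two rules, then the chain, leaving INPUT with no reference to MY_CHAIN.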

      People

      • Assignee: Travis Fields (travis)
      • Reporter: Remi Ferrand (remi.ferrand)