MODULES-1341

firewall with purge=>true fails when first run with firewalld installed and iptables-service not installed



    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall, supported
    • Environment:

      Fedora 20 (probably any systemd-based system with firewalld as the default)
      puppetlabs/puppetlabs-firewall e8dca83

      Also Centos 7.0 and RHEL 7.0

    • Template:
    • Story Points:
    • Sprint:
      MODS 2015-07-08


      The out-of-the-box default minimal Fedora 20 system has firewalld installed and enabled, and no iptables-services package. Against this I run a puppet catalog that includes just:

      resources { "firewall": purge => true; }
      class { "firewall": }

      When the firewall class is included on this puppet catalog, it includes resources to remove firewalld and install iptables-services. However, before those are run, the iptables are enumerated and purged, so the catalog fails on three counts:
      1) the enumeration includes and caches all the firewalld chains and rules prior to removing the firewalld package, though purging them is unnecessary because they disappear when firewalld is removed.
      2) this purging uses /usr/libexec/iptables/iptables.init before it is installed via the iptables-services package.
      3) The chains and rules enumerated in (1) correspond to iptables chains and rules that are deleted when firewalld is removed (package removal has a postuninstall script), but they remain in the module's cache. Later, an attempt is made again to purge them, but the purge fails, because they are already gone.

      Actual Results:
      The complete (failed) debug output for the above is attached. The first failure is at line 237:

       237 ==> default: Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
       238 ==> default: Debug: Executing '/sbin/iptables-save'
       239 ==> default: Debug: /Firewall[9001 62d1ab13e33ca508e42463ca58d129a0]: [validate]

      and the second failure is at line 610:

       610 ==> default: Debug: Prefetching iptables resources for firewall
       611 ==> default: Debug: Puppet::Type::Firewall::ProviderIptables: [prefetch(resources)]
       612 ==> default: Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
       613 ==> default: Debug: Executing '/sbin/iptables-save'
       614 ==> default: Debug: Firewall[9061 82a606d35548e723cae92f65d14582d8](provider=iptables): Deleting rule 9061 82a606d35548e723cae92f65d14582d8
       615 ==> default: Debug: Executing '/sbin/iptables -t filter -D FWDI_public -j FWDI_public_log'
       616 ==> default: Notice: /Stage[main]/Main/Firewall[9061 82a606d35548e723cae92f65d14582d8]/ensure: removed
       617 ==> default: Debug: Firewall[9061 82a606d35548e723cae92f65d14582d8](provider=iptables): [flush]
       618 ==> default: Debug: Firewall[9061 82a606d35548e723cae92f65d14582d8](provider=iptables): [persist_iptables]
       619 ==> default: Debug: Executing '/usr/libexec/iptables/iptables.init save'
       620 ==> default: Warning: Firewall[9061 82a606d35548e723cae92f65d14582d8](provider=iptables): Unable to persist firewall rules: Execution of '/usr/libexec/iptables/iptables.init save' returned 1:

      The third failure is at line 1033:

      1033 ==> default: Debug: Firewall[9014 1f845d0cfc7df66eb0266a1a280b1436](provider=iptables): Deleting rule 9014 1f845d0cfc7df66eb0266a1a280b1436
      1034 ==> default: Debug: Executing '/sbin/iptables -t nat -D PREROUTING_ZONES -i p7p1 -g PRE_public'
      1035 ==> default: Error: Execution of '/sbin/iptables -t nat -D PREROUTING_ZONES -i p7p1 -g PRE_public' returned 1: iptables: No chain/target/match by that name.
      1036 ==> default: Error: /Stage[main]/Main/Firewall[9014 1f845d0cfc7df66eb0266a1a280b1436]/ensure: change from present to absent failed: Execution of '/sbin/iptables -t nat -D PREROUTING_ZONES -i p7p1 -g PRE_public' returned 1: iptables: No chain/target/match by that name.

      Expected Results:
      1) firewalld is removed (removing its default chains/rules)
      2) iptables-services is installed
      3) prefetch finds no rules, so purge does nothing


              jonathan.tripathy Jonny (JT) Tripathy
              bradr Brad R