Affects Version/s: None
Fix Version/s: None
Fedora 20 (probably any systemd-based system with firewalld as the default)
Also Centos 7.0 and RHEL 7.0
The out-of-the-box default minimal Fedora 20 system has firewalld installed and enabled, and no iptables-services package. Against this I run a puppet catalog that includes just:
When the firewall class is included in this puppet catalog, it includes resources to remove firewalld and install iptables-services. However, before those are run, the iptables rules are enumerated and purged, so the catalog fails on three counts:
1) The enumeration includes and caches all the firewalld chains and rules prior to removing the firewalld package, though purging them is unnecessary because they disappear when firewalld is removed.
2) This purging uses /usr/libexec/iptables/iptables.init before it is installed via the iptables-services package.
3) The chains and rules enumerated in (1) correspond to iptables chains and rules that are deleted when firewalld is removed (package removal has a postuninstall script), but they remain in the module's cache. Later, an attempt is made again to purge them, but the purge fails because they are already gone.
The complete (failed) debug output for the above is attached. The first failure is at line 237:
and the second failure is at line 610:
The third failure is at line 1033:
1) firewalld is removed (removing its default chains/rules)
2) iptables-services is installed
3) prefetch finds no rules, so purge does nothing
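As an added illustration (not code from this ticket or from the puppetlabs-firewall module), a small Ruby model of the sequence described above: the enumeration snapshot is taken before the package resources run, firewalld's removal deletes its chains, and a purge that trusts the stale snapshot fails while one that re-checks live state treats the vanished chains as already absent. The FakeHost and PurgeProvider classes, their methods and the chain names are constructed for the example.

```ruby
# Constructed stand-in for the host's iptables state after firewalld set it up.
class FakeHost
  attr_reader :rules
  def initialize(rules)
    @rules = rules.dup
  end

  # Package removal runs firewalld's postuninstall, which deletes its chains.
  def remove_firewalld
    @rules.clear
  end

  # Behaves like the real tool: deleting a missing chain is an error.
  def delete_rule(name)
    raise "iptables: No chain/target/match by that name (#{name})" unless @rules.delete(name)
    true
  end
end

# Provider in the shape Puppet uses: the enumeration snapshot is taken once,
# before any package resource in the catalog has run.
class PurgeProvider
  def initialize(host)
    @host = host
    @cache = host.rules.dup   # snapshot at enumeration/prefetch time
  end

  # Naive purge: trusts the snapshot and fails once firewalld's postuninstall
  # has already removed the chains (failure 3 in the report).
  def purge_naive
    @cache.each { |r| @host.delete_rule(r) }
    @cache.size
  end

  # Defensive purge: re-reads live state so chains that vanished between
  # enumeration and purge count as already absent instead of raising.
  def purge_idempotent
    stale, present = @cache.partition { |r| !@host.rules.include?(r) }
    present.each { |r| @host.delete_rule(r) }
    { deleted: present.size, already_gone: stale.size }
  end
end

# The ordering from the report: enumerate, remove firewalld, then purge.
def run_sequence(idempotent)
  host = FakeHost.new(%w[INPUT_ZONES FORWARD_IN_ZONES OUTPUT_direct])  # constructed names
  provider = PurgeProvider.new(host)  # enumeration happens here, too early
  host.remove_firewalld               # chains disappear with the package
  idempotent ? provider.purge_idempotent : provider.purge_naive
end
```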