Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-2119

puppetlabs-firewall ip6tables provider unable to remove rules that use proto => 'all' (-p all)

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • None
    • None
    • firewall, supported

    • Scientific Linux 6.6

    Description

      If you add a firewall rule like

        firewall { '000 accept all lo':
      		 
          proto    => 'all',
      		 
          iniface  => 'lo',
      		 
          action   => 'accept',
      		 
          provider => 'ip6tables',
      		 
        }

      and try to remove it again afterwards, puppet fails to remove it with the following error message:

      Error: Execution of '/sbin/ip6tables -t filter -D INPUT -i lo -m comment --comment 000 accept all lo -j ACCEPT' returned 1: ip6tables: Bad rule (does a matching rule exist in that chain?).
      		 
      Error: /Stage[main]/Pl_firewall_w/Firewall[000 accept all lo]/ensure: change from present to absent failed: Execution of '/sbin/ip6tables -t filter -D INPUT -i lo -m comment --comment 000 accept all lo -j ACCEPT' returned 1: ip6tables: Bad rule (does a matching rule exist in that chain?).

      Running the same command outside of puppet produces the same "Bad rule" error message.

      Looking at the debug output I noticed that puppet uses the following command to create the rule:

      Debug: Executing '/sbin/ip6tables -I INPUT 1 -t filter -i lo -p all -m comment --comment 000 accept all lo -j ACCEPT'

      but deletes the rule with:

      Debug: Executing '/sbin/ip6tables -t filter -D INPUT -i lo -m comment --comment 000 accept all lo -j ACCEPT'

      which doesn't contain the "-p all". Adding "-p all" to the delete command and running it in a shell deletes the rules without an error.

      This ip6tables behaviour (which appears to be different to iptables, as the same works there) can be reproduced outside of puppet on a variety of OS (I've tried it on SL6.6, CentOS7.1 and Debian 7), eg

      /sbin/ip6tables -t filter -A INPUT -i eth0 -p all -m comment --comment "accept all to eth0 interface" -j ACCEPT
      		 
       
      		 
      /sbin/ip6tables -t filter -D INPUT -i eth0 -m comment --comment "accept all to eth0 interface" -j ACCEPT
      		 
      ip6tables: Bad rule (does a matching rule exist in that chain?).
      		 
      => fails
      		 
       
      		 
      /sbin/ip6tables -t filter -D INPUT -i eth0 -p all -m comment --comment "accept all to eth0 interface" -j ACCEPT
      		 
      => works

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MODULES-8360 puppetlabs-firewall: cannot remove ip6tables rules

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. MODULES-2154 Documentation for ip6tables-save bug

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Accepted

          Activity

            People

              Unassigned Unassigned
              rwf14f Robert Frank
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support