Modules / MODULES-2119

puppetlabs-firewall ip6tables provider unable to remove rules that use proto => 'all' (-p all)


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Labels: firewall, supported
    • Environment: Scientific Linux 6.6

    Description

      If you add a firewall rule like

        firewall { '000 accept all lo':
          proto    => 'all',
          iniface  => 'lo',
          action   => 'accept',
          provider => 'ip6tables',
        }

      and try to remove it again afterwards, puppet fails to remove it with the following error message:

      Error: Execution of '/sbin/ip6tables -t filter -D INPUT -i lo -m comment --comment 000 accept all lo -j ACCEPT' returned 1: ip6tables: Bad rule (does a matching rule exist in that chain?).
      Error: /Stage[main]/Pl_firewall_w/Firewall[000 accept all lo]/ensure: change from present to absent failed: Execution of '/sbin/ip6tables -t filter -D INPUT -i lo -m comment --comment 000 accept all lo -j ACCEPT' returned 1: ip6tables: Bad rule (does a matching rule exist in that chain?).

      Running the same command outside of puppet produces the same "Bad rule" error message.

      Looking at the debug output I noticed that puppet uses the following command to create the rule:

      Debug: Executing '/sbin/ip6tables -I INPUT 1 -t filter -i lo -p all -m comment --comment 000 accept all lo -j ACCEPT'

      but deletes the rule with:

      Debug: Executing '/sbin/ip6tables -t filter -D INPUT -i lo -m comment --comment 000 accept all lo -j ACCEPT'

      which doesn't contain the "-p all". Adding "-p all" to the delete command and running it in a shell deletes the rules without an error.

      This ip6tables behaviour (which appears to be different from iptables, as the same works there) can be reproduced outside of puppet on a variety of OS (I've tried it on SL6.6, CentOS7.1 and Debian 7), e.g.

      /sbin/ip6tables -t filter -A INPUT -i eth0 -p all -m comment --comment "accept all to eth0 interface" -j ACCEPT

      /sbin/ip6tables -t filter -D INPUT -i eth0 -m comment --comment "accept all to eth0 interface" -j ACCEPT
      ip6tables: Bad rule (does a matching rule exist in that chain?).
      => fails

      /sbin/ip6tables -t filter -D INPUT -i eth0 -p all -m comment --comment "accept all to eth0 interface" -j ACCEPT
      => works
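      The following is an added illustration, not code from puppetlabs-firewall: it models how a provider turns a firewall resource into the argv for the insert and delete calls, reproduces the delete path that drops "-p all", and adds a check that the match part of the delete command equals the match part of the insert command. The resource hash is constructed from the rule in this ticket; the helper names (match_args, insert_argv, delete_argv, delete_matches_insert?) are hypothetical. Emitting "-p all" on the delete path is the behaviour the ticket shows to work on ip6tables, and the insert path already emits it for both providers.

```ruby
# Added example (not puppetlabs-firewall code). Models insert/delete argv
# generation for iptables/ip6tables and checks both describe the same rule.
require 'shellwords'

# Assumed binary locations, taken from the command lines in the ticket.
BINARY = { 'iptables' => '/sbin/iptables', 'ip6tables' => '/sbin/ip6tables' }.freeze

# Constructed from the firewall resource in the ticket description.
RESOURCE = {
  name:     '000 accept all lo',
  chain:    'INPUT',
  table:    'filter',
  proto:    'all',
  iniface:  'lo',
  action:   'accept',
  provider: 'ip6tables',
}.freeze

# Match arguments shared by insert and delete. With omit_proto_all: true this
# reproduces the buggy delete path, which left out "-p all".
def match_args(resource, omit_proto_all: false)
  args = []
  args += ['-i', resource[:iniface]] if resource[:iniface]
  if resource[:proto] && !(omit_proto_all && resource[:proto] == 'all')
    args += ['-p', resource[:proto]]
  end
  args += ['-m', 'comment', '--comment', resource[:name]]
  args += ['-j', resource[:action].to_s.upcase]
  args
end

# Insert at position 1, in the argument order seen in the ticket's debug output.
def insert_argv(resource)
  [BINARY.fetch(resource[:provider]), '-I', resource[:chain], '1',
   '-t', resource[:table]] + match_args(resource)
end

# Delete by rule specification; buggy: true drops "-p all" as the ticket shows.
def delete_argv(resource, buggy: false)
  [BINARY.fetch(resource[:provider]), '-t', resource[:table],
   '-D', resource[:chain]] + match_args(resource, omit_proto_all: buggy)
end

# Strip the binary and the placement flags (-I CHAIN POS, -D CHAIN, -t TABLE)
# so only the rule-matching arguments remain for comparison.
def match_part(argv)
  out = []
  i = 1
  while i < argv.length
    if argv[i] == '-I'
      i += 3
    elsif argv[i] == '-D' || argv[i] == '-t'
      i += 2
    else
      out << argv[i]
      i += 1
    end
  end
  out
end

# The consistency check a provider can run before executing a delete.
def delete_matches_insert?(resource, buggy: false)
  match_part(insert_argv(resource)) == match_part(delete_argv(resource, buggy: buggy))
end

if __FILE__ == $PROGRAM_NAME
  puts "insert:       #{Shellwords.join(insert_argv(RESOURCE))}"
  puts "delete (bug): #{Shellwords.join(delete_argv(RESOURCE, buggy: true))}"
  puts "delete (fix): #{Shellwords.join(delete_argv(RESOURCE))}"
  puts "buggy delete matches insert? #{delete_matches_insert?(RESOURCE, buggy: true)}"
  puts "fixed delete matches insert? #{delete_matches_insert?(RESOURCE)}"
end
```

      The check compares only the rule-matching arguments, so it flags the missing "-p all" regardless of where -t/-D/-I appear on the command line; running it before the delete call turns the "Bad rule" failure into a detectable provider defect.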

      Assignee: Unassigned
      Reporter: Robert Frank (rwf14f)