MODULES-3125

Firewall rules not ordered when using Puppet 4.x


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Cannot Reproduce
    • firewall
    • PE 2015.3.2

    • Modules
    • Modules Triage

    Description

      I'm having an issue with the puppetlabs-firewall module. I have some code that has been used before with the module to apply some IPTables rules; it was originally used with Puppet 3.8.

      The same code doesn't seem to work with PE 2015.3.2. The IPTables rules are applied in reverse order. The resources are executed in the correct order, but the firewall provider in the module does not correctly use the iptables -I <chain> <order number> syntax.

      Using the --debug flag I can see that the insert command will always use 1 as the order number (presumably default) when executing under PE 2015.3.

      Example executed command from Puppet 3.8:

      Debug: Firewall[003 accept related established rules](provider=iptables): Current resource: Puppet::Type::Firewall
      Debug: Executing '/sbin/iptables -I INPUT 4 -t filter -p all -m comment --comment 003 accept related established rules -m state --state ESTABLISHED,RELATED -j ACCEPT'
      Notice: /Stage[main]/Pp_cengn_security::Fw_pre/Firewall[003 accept related established rules]/ensure: created
      

      Example of the same resource being evaluated in PE 2015.3.2:

      Debug: Firewall[003 accept related established rules](provider=iptables): Current resource: Puppet::Type::Firewall
      Debug: Executing: '/sbin/iptables -I INPUT 1 -t filter -p all -m comment --comment 003 accept related established rules -m state --state ESTABLISHED,RELATED -j ACCEPT'
      Notice: /Stage[main]/Pp_cengn_security::Fw_pre/Firewall[003 accept related established rules]/ensure: created
      

      As you can see, the order number after the 'INPUT' is evaluated as 1 in the PE example instead of 4, as it is supposed to be.

      The module states that it is compatible with the Puppet version included in PE 2015.3, so I would expect the same resource syntax to evaluate the same in both versions. Is this a bug or something I need to fix in my own code?

      Snippet with two resource definitions from my fw_pre class:

        firewall { '003 accept related established rules':
          proto  => 'all',
          state  => ['RELATED', 'ESTABLISHED'],
          action => 'accept',
        } ->
        firewall { '100  allow ssh':
          dport  => 22,
          proto  => 'tcp',
          action => 'accept',
        }
      

      And the class instantiation from site.pp:

        class { 'firewall': }

        resources { 'firewall':
          purge => true,
        }

        Firewall {
          before  => Class['pp_cengn_security::fw_post'],
          require => Class['pp_cengn_security::fw_pre'],
        }

        include pp_cengn_security::fw_pre
        include pp_cengn_security::fw_post
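As an added check (not part of the original report or of the puppetlabs-firewall module), the Ruby script below scans Puppet --debug output for iptables insert commands and flags a chain where every insert landed at position 1, the symptom described above. The two log samples it runs on are constructed from the two resources in the report, in both the Puppet 3.8 and the PE 2015.3.2 log style.

```ruby
# Added example, not the module's own code: detect the "every rule inserted at
# position 1" symptom in Puppet --debug output from the firewall provider.

# Constructed sample logs modelled on the two debug lines in the report.
PUPPET_38_LOG = <<~LOG
  Debug: Executing '/sbin/iptables -I INPUT 4 -t filter -p all -m comment --comment 003 accept related established rules -m state --state ESTABLISHED,RELATED -j ACCEPT'
  Debug: Executing '/sbin/iptables -I INPUT 5 -t filter -p tcp -m multiport --dports 22 -m comment --comment 100  allow ssh -j ACCEPT'
LOG

PE_2015_LOG = <<~LOG
  Debug: Executing: '/sbin/iptables -I INPUT 1 -t filter -p all -m comment --comment 003 accept related established rules -m state --state ESTABLISHED,RELATED -j ACCEPT'
  Debug: Executing: '/sbin/iptables -I INPUT 1 -t filter -p tcp -m multiport --dports 22 -m comment --comment 100  allow ssh -j ACCEPT'
LOG

# Pull chain, insert position and the unquoted --comment (the resource title)
# out of each "Executing" line; both "Executing '" and "Executing: '" forms
# are accepted. Lines that are not iptables -I commands are skipped.
def parse_inserts(log)
  log.each_line.map do |line|
    m = line.match(/Executing:? '\S*iptables -I (\S+) (\d+) /)
    next unless m
    { chain: m[1], position: m[2].to_i,
      comment: line[/--comment (.+?) -[A-Za-z]/, 1] }
  end.compact
end

# Per chain, in execution order: a run that creates its rules in resource
# order inserts each one below the previous (4, 5, ...), so positions should
# strictly increase. Inserting every rule at 1 pushes each new rule above the
# previous one, which is exactly the reversed chain the report describes.
def check_order(inserts)
  inserts.group_by { |i| i[:chain] }.transform_values do |rules|
    positions = rules.map { |r| r[:position] }
    { rules: rules.map { |r| [r[:comment] || '(no comment)', r[:position]] },
      ordered: positions.each_cons(2).all? { |a, b| b > a },
      all_first: positions.size > 1 && positions.uniq == [1] }
  end
end

if __FILE__ == $0
  { 'Puppet 3.8' => PUPPET_38_LOG, 'PE 2015.3.2' => PE_2015_LOG }.each do |name, log|
    check_order(parse_inserts(log)).each do |chain, r|
      verdict = r[:all_first] ? 'REVERSED (all inserts at 1)' : (r[:ordered] ? 'ok' : 'out of order')
      puts "#{name} #{chain}: #{r[:rules].inspect} -> #{verdict}"
    end
  end
end
```

Run it against a saved `puppet agent -t --debug` transcript instead of the embedded samples to confirm which behaviour a given agent/module combination shows.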

      People

        Assignee: Unassigned
        Reporter: rmaika Raymond Maika