Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-3184

firewall: rules aren't purged if iptables is not running when catalog is compiled



    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:


      This came out of my investigation into the cause of MODULES-3006.

      How to reproduce

      On CentOS 7 Puppet Labs vagrant box:

      [root@centos-72-x64 ~]# yum erase -y iptables-services && \
        yum install -y iptables-services

      Note this leaves the iptables service stopped.

      Now apply this manifest, which includes the recommended firewall set up with respect to ordering and purging. It also adds a single rule for inbound ssh.

      class my_fw::pre {
        Firewall {
          require => undef,
        firewall { '00000 accept all icmp':
          proto   => 'icmp',
          action  => 'accept',
        firewall { '00001 accept all to lo interface':
          proto   => 'all',
          iniface => 'lo',
          action  => 'accept',
        firewall { '00002 accept related established rules':
          proto   => 'all',
          state   => ['RELATED', 'ESTABLISHED'],
          action  => 'accept',
      class my_fw::post {
        firewall { '99998 log packet drops':
          jump       => 'LOG',
          proto      => 'all',
          log_prefix => 'iptables InDrop: ',
          log_level  => 'warn',
        firewall { '99999 drop all':
          proto   => 'all',
          action  => 'drop',
          before  =>  undef
      resources { 'firewall':
        purge => true,
      Firewall {
        require => Class['my_fw::pre'],
        before  => Class['my_fw::post'],
      class { ['my_fw::pre', 'my_fw::post']: }
      include firewall
      firewall { '00100 accept on port 22':
        action => 'accept',
        dport => '22',
        proto => 'tcp',

      Expected behaviour

      We expect that this code is idempotent.

      Actual behaviour

      Apply it the first time:

      [root@centos-72-x64 ~]# puppet apply /tmp/test.pp 
      Notice: Compiled catalog for centos-72-x64.home in environment production in 2.96 seconds
      Notice: /Stage[main]/Firewall::Linux::Redhat/Exec[/usr/bin/systemctl daemon-reload]/returns: executed successfully
      Notice: /Stage[main]/Firewall::Linux::Redhat/Service[iptables]/ensure: ensure changed 'stopped' to 'running'
      Notice: /Stage[main]/My_fw::Pre/Firewall[00000 accept all icmp]/ensure: created
      Notice: /Stage[main]/My_fw::Pre/Firewall[00001 accept all to lo interface]/ensure: created
      Notice: /Stage[main]/My_fw::Pre/Firewall[00002 accept related established rules]/ensure: created
      Notice: /Stage[main]/Main/Firewall[00100 accept on port 22]/ensure: created
      Notice: /Stage[main]/My_fw::Post/Firewall[99998 log packet drops]/ensure: created
      Notice: /Stage[main]/My_fw::Post/Firewall[99999 drop all]/ensure: created
      Notice: Applied catalog in 3.98 seconds

      Second time:

      [root@centos-72-x64 ~]# puppet apply /tmp/test.pp 
      Notice: Compiled catalog for centos-72-x64.home in environment production in 0.46 seconds
      Notice: /Stage[main]/Main/Firewall[9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9006 69d6208bb1e040713b9b291359c7012f]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9007 7686fdf971b558f5ebfca49abfeafa8e]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9008 3930cac645f209e9a0c8be3a3255783f]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9009 f86438b2f3f42ca6cd86b79196f1df17]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9012 8c845f77a140a41488a9d29d95a23e0d]/ensure: removed
      Notice: Applied catalog in 2.75 seconds

      Root cause

      The iptables provider instance method assumes that existing firewall resources are defined in the output of the iptables-save command.

      However, if the firewall is not running, they will in fact be found in the /etc/sysconfig/iptables file ref.

      In the initial state on the Puppet Labs CentOS 7 vagrant box we can see the difference as follows:


      [root@centos-72-x64 ~]# iptables-save
      # Generated by iptables-save v1.4.21 on Sun Mar 20 04:13:33 2016
      :INPUT ACCEPT [7:388]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [4:400]
      # Completed on Sun Mar 20 04:13:33 2016


      [root@centos-72-x64 ~]# cat /etc/sysconfig/iptables
      # sample configuration for iptables service
      # you can edit this manually or use system-config-firewall
      # please do not ask us to add additional ports/services to this default configuration
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited

      All of these existing rules become 90xx numbered rules in the firewall provider. (See the explanation in the code here as to what the 90xx rules are.)


          Issue Links



              alexharv074 Alex Harvey
              alexharv074 Alex Harvey
              0 Vote for this issue
              4 Start watching this issue



                  Zendesk Support