Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-3184

firewall: rules aren't purged if iptables is not running when catalog is compiled


    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:


      This came out of my investigation into the cause of MODULES-3006.

      How to reproduce

      On CentOS 7 Puppet Labs vagrant box:

      [root@centos-72-x64 ~]# yum erase -y iptables-services && \
        yum install -y iptables-services

      Note this leaves the iptables service stopped.

      Now apply this manifest, which includes the recommended firewall set up with respect to ordering and purging. It also adds a single rule for inbound ssh.

      class my_fw::pre {
        Firewall {
          require => undef,
        firewall { '00000 accept all icmp':
          proto   => 'icmp',
          action  => 'accept',
        firewall { '00001 accept all to lo interface':
          proto   => 'all',
          iniface => 'lo',
          action  => 'accept',
        firewall { '00002 accept related established rules':
          proto   => 'all',
          state   => ['RELATED', 'ESTABLISHED'],
          action  => 'accept',
      class my_fw::post {
        firewall { '99998 log packet drops':
          jump       => 'LOG',
          proto      => 'all',
          log_prefix => 'iptables InDrop: ',
          log_level  => 'warn',
        firewall { '99999 drop all':
          proto   => 'all',
          action  => 'drop',
          before  =>  undef
      resources { 'firewall':
        purge => true,
      Firewall {
        require => Class['my_fw::pre'],
        before  => Class['my_fw::post'],
      class { ['my_fw::pre', 'my_fw::post']: }
      include firewall
      firewall { '00100 accept on port 22':
        action => 'accept',
        dport => '22',
        proto => 'tcp',

      Expected behaviour

      We expect that this code is idempotent.

      Actual behaviour

      Apply it the first time:

      [root@centos-72-x64 ~]# puppet apply /tmp/test.pp 
      Notice: Compiled catalog for centos-72-x64.home in environment production in 2.96 seconds
      Notice: /Stage[main]/Firewall::Linux::Redhat/Exec[/usr/bin/systemctl daemon-reload]/returns: executed successfully
      Notice: /Stage[main]/Firewall::Linux::Redhat/Service[iptables]/ensure: ensure changed 'stopped' to 'running'
      Notice: /Stage[main]/My_fw::Pre/Firewall[00000 accept all icmp]/ensure: created
      Notice: /Stage[main]/My_fw::Pre/Firewall[00001 accept all to lo interface]/ensure: created
      Notice: /Stage[main]/My_fw::Pre/Firewall[00002 accept related established rules]/ensure: created
      Notice: /Stage[main]/Main/Firewall[00100 accept on port 22]/ensure: created
      Notice: /Stage[main]/My_fw::Post/Firewall[99998 log packet drops]/ensure: created
      Notice: /Stage[main]/My_fw::Post/Firewall[99999 drop all]/ensure: created
      Notice: Applied catalog in 3.98 seconds

      Second time:

      [root@centos-72-x64 ~]# puppet apply /tmp/test.pp 
      Notice: Compiled catalog for centos-72-x64.home in environment production in 0.46 seconds
      Notice: /Stage[main]/Main/Firewall[9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9006 69d6208bb1e040713b9b291359c7012f]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9007 7686fdf971b558f5ebfca49abfeafa8e]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9008 3930cac645f209e9a0c8be3a3255783f]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9009 f86438b2f3f42ca6cd86b79196f1df17]/ensure: removed
      Notice: /Stage[main]/Main/Firewall[9012 8c845f77a140a41488a9d29d95a23e0d]/ensure: removed
      Notice: Applied catalog in 2.75 seconds

      Root cause

      The iptables provider instance method assumes that existing firewall resources are defined in the output of the iptables-save command.

      However, if the firewall is not running, they will in fact be found in the /etc/sysconfig/iptables file ref.

      In the initial state on the Puppet Labs CentOS 7 vagrant box we can see the difference as follows:


      [root@centos-72-x64 ~]# iptables-save
      # Generated by iptables-save v1.4.21 on Sun Mar 20 04:13:33 2016
      :INPUT ACCEPT [7:388]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [4:400]
      # Completed on Sun Mar 20 04:13:33 2016


      [root@centos-72-x64 ~]# cat /etc/sysconfig/iptables
      # sample configuration for iptables service
      # you can edit this manually or use system-config-firewall
      # please do not ask us to add additional ports/services to this default configuration
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p icmp -j ACCEPT
      -A INPUT -i lo -j ACCEPT
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
      -A INPUT -j REJECT --reject-with icmp-host-prohibited
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited

      All of these existing rules become 90xx numbered rules in the firewall provider. (See the explanation in the code here as to what the 90xx rules are.)


          Issue Links




                • Assignee:
                  alexharv074 Alex Harvey
                  alexharv074 Alex Harvey
                • Votes:
                  0 Vote for this issue
                  3 Start watching this issue


                  • Created: