Details
Type: Bug
Status: Reopened
Priority: Major
Resolution: Unresolved
Environment:
CentOS Linux release 7.5.1804
Linux kernel 3.10.0-862.3.3.el7.x86_64
iptables v1.4.21
puppet agent 4.10.12
puppetlabs/firewall 1.12.0
Description
When we use the firewall module, on some servers it tries to remove chains that match INTERNAL_CHAINS (INPUT, OUTPUT, etc.).
Example output:
Warning: Firewallchain[PREROUTING:nat:IPv4](provider=iptables_chain): Attempting to destroy internal chain PREROUTING:nat:IPv4
Error: Execution of '/sbin/iptables -t nat -X PREROUTING' returned 1: iptables: Invalid argument. Run `dmesg' for more information.
Error: /Stage[main]/Firewallnetmatch/Firewallchain[PREROUTING:nat:IPv4]/ensure: change from present to absent failed: Execution of '/sbin/iptables -t nat -X PREROUTING' returned 1: iptables: Invalid argument. Run `dmesg' for more information.
Relevant Ruby code:
    def destroy
      allvalidchains do |t, chain, table|
        if chain =~ INTERNAL_CHAINS
          # can't delete internal chains
          warning "Attempting to destroy internal chain #{@resource[:name]}"
        end
        debug "Deleting chain #{chain} on table #{table}"
        t.call ['-t', table, '-X', chain]
      end
    end
Here it will warn if it encounters one of those chains, but will happily continue trying to delete the chain. Since we should never try deleting an internal chain, IMHO it would be better to just return. (And not warn? But that's up for debate.)
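Added example (not the puppetlabs/firewall module's own code) of the suggested behaviour: a destroy routine that skips the iptables -X call for internal chains instead of only warning and continuing. The INTERNAL_CHAINS pattern, the ChainDestroyer class, the injected runner and the chain list are all assumptions constructed for this demo; the runner raises for built-in chains to mimic the "Invalid argument" failure seen above.

```ruby
# Assumed pattern for iptables built-in chains (constructed for this example)
INTERNAL_CHAINS = /^(PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT)$/

# Hypothetical stand-in for the provider: chains is an array of [chain, table]
# pairs, runner is a callable that receives the iptables argv.
class ChainDestroyer
  attr_reader :warnings

  def initialize(chains, runner)
    @chains = chains
    @runner = runner
    @warnings = []
  end

  # Returns the [chain, table] pairs that were actually handed to iptables -X.
  def destroy
    deleted = []
    @chains.each do |chain, table|
      if chain =~ INTERNAL_CHAINS
        # Built-in chains cannot be deleted, so never issue -X for them.
        @warnings << "Refusing to destroy internal chain #{chain}:#{table}"
        next
      end
      @runner.call(['-t', table, '-X', chain])
      deleted << [chain, table]
    end
    deleted
  end
end

# Constructed scenario: one built-in chain and one user-defined chain.
def demo
  issued = []
  runner = lambda do |argv|
    # Simulate iptables rejecting -X on a built-in chain (exit 1 in the report).
    raise "iptables: Invalid argument" if argv.last =~ INTERNAL_CHAINS
    issued << argv
  end
  d = ChainDestroyer.new([['PREROUTING', 'nat'], ['MY_CHAIN', 'filter']], runner)
  deleted = d.destroy
  [deleted, issued, d.warnings]
end
```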
Issue Links
relates to: MODULES-10864 puppetlabs/firewall : error if Firewallchain[POSTROUTING:filter:ethernet] does exist. (Needs Information)