Issue MODULES-8350 (project: Modules)

firewall: Deletion of some ip6tables rules fails silently

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Environment:
    • Template:
      MODULES Bug Template
    • Acceptance Criteria:
      Puppet deletes/purges all unmanaged rules, or at least shows an error when the ip6tables provider returns a non-zero exit code.
    • Epic Link:
    • Team:
      Modules
    • Method Found:
      Manual Test
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 1.14.0
      Puppet Version: 4.10.12
      OS Name/Version: CentOS Linux release 7.6.1810 (Core)

      Desired Behavior: Default CentOS 7 ip6tables firewall rules not managed by Puppet should be removed.

      Actual Behavior: Puppet tries to remove unmanaged rules on every run and fails to show the underlying error; instead it just reports the change.

      Example default rule in CentOS 7:

      ACCEPT     all      ::/0                 ::/0                 state RELATED,ESTABLISHED
      

      Puppet tries to delete this rule:

      Debug: Puppet::Type::Firewallchain::ProviderIptables_chain: [instance] 'INPUT:filter:IPv6' accept
      Debug: Puppet::Type::Firewallchain::ProviderIptables_chain: [instance] 'FORWARD:filter:IPv6' accept
      Debug: Puppet::Type::Firewallchain::ProviderIptables_chain: [instance] 'OUTPUT:filter:IPv6' accept
      Debug: Executing: '/usr/bin/systemctl is-active iptables'
      Debug: Executing: '/usr/bin/systemctl is-enabled iptables'
      Debug: Executing: '/usr/bin/systemctl is-active ip6tables'
      Debug: Executing: '/usr/bin/systemctl is-enabled ip6tables'
      Debug: Prefetching ip6tables resources for firewall
      Debug: Puppet::Type::Firewall::ProviderIp6tables: [prefetch(resources)]
      Debug: Puppet::Type::Firewall::ProviderIp6tables: [instances]
      Debug: Executing: '/usr/sbin/ip6tables-save'
      Debug: Firewall[9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb](provider=ip6tables): Deleting rule 9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb
      Debug: Executing: '/usr/sbin/ip6tables -t filter -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -p all'
      Notice: /Stage[main]/Iptables/Firewall[9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb]/ensure: ensured absent
      Debug: Firewall[9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb](provider=ip6tables): [flush]
      Debug: Firewall[9005 2c3b855ee5ef4043e1a04ce9c8f1c7eb](provider=ip6tables): [persist_iptables]
      Debug: Executing: '/usr/libexec/iptables/ip6tables.init save'
      

      The underlying call to ip6tables fails with the following error:

      /usr/sbin/ip6tables -t filter -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -p all
      ip6tables: Bad rule (does a matching rule exist in that chain?).
      

      Puppet does not show this error message and does not seem to notice that an error happened.

      Possible source of error:
      In our firewall rules we have a default rule for related and established rules that is added by Puppet:

      ACCEPT     all      ::/0                 ::/0                 state RELATED,ESTABLISHED /* 003 accept related established rules (IPv6) */
      

      The original rule from CentOS (shown earlier) and the identical rule from Puppet (identical apart from the comment) may interfere with the deletion.
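      As an added example (this is not code from the puppetlabs-firewall module), the following Ruby script shows the two checks a provider could make in this situation: it parses `ip6tables-save` output (a constructed sample modelled on the two rules quoted above), reports rules in a chain that are identical apart from their `-m comment` match, and wraps the delete command so that a non-zero exit status such as the "Bad rule" error shown earlier is raised rather than dropped. The `/usr/sbin/ip6tables` path and the `filter` table come from the ticket's debug output; the helper names (`parse_rules`, `duplicate_rules`, `delete_argv`, `run_checked`, `default_runner`) and the sample rules are assumptions made for this example.

```ruby
# Added example; NOT code from the puppetlabs-firewall module.
# Parses ip6tables-save output, groups rules that are identical apart from
# their "-m comment" match, and wraps the delete call so that a non-zero exit
# status (for example "Bad rule") is raised instead of being ignored.
require 'open3'
require 'shellwords'

# Constructed sample of `ip6tables-save` output modelled on the ticket: the
# CentOS 7 default rule and the Puppet-managed rule differ only by comment.
SAMPLE_SAVE = <<~SAVE
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "003 accept related established rules (IPv6)" -j ACCEPT
  -A INPUT -p ipv6-icmp -j ACCEPT
  COMMIT
SAVE

# A rule is its chain, its match/target tokens without the comment, and the comment.
Rule = Struct.new(:chain, :args, :comment)

# Split the "-m comment --comment <text>" match out of an argument list.
def split_comment(args)
  kept = []
  comment = nil
  i = 0
  while i < args.length
    if args[i] == '-m' && args[i + 1] == 'comment' && args[i + 2] == '--comment'
      comment = args[i + 3]
      i += 4
    else
      kept << args[i]
      i += 1
    end
  end
  [kept, comment]
end

# Parse the "-A <chain> ..." lines of ip6tables-save output into Rule objects.
def parse_rules(save_output)
  save_output.each_line.map do |line|
    next unless line.start_with?('-A ')
    tokens = Shellwords.split(line.strip)
    args, comment = split_comment(tokens[2..-1])
    Rule.new(tokens[1], args, comment)
  end.compact
end

# Rules that match the same traffic in the same chain, ignoring comments.
# "ip6tables -D <chain> <spec>" deletes only the first rule matching the spec,
# so an operator needs to know that more than one such rule exists.
def duplicate_rules(rules)
  rules.group_by { |r| [r.chain, r.args] }.values.select { |group| group.size > 1 }
end

# argv for deleting a rule by specification (the form shown in the ticket).
def delete_argv(rule, table = 'filter')
  ['/usr/sbin/ip6tables', '-t', table, '-D', rule.chain] + rule.args
end

# Run the real command (assumes ip6tables is installed and we run as root).
def default_runner(argv)
  out, err, status = Open3.capture3(*argv)
  [out, err, status.exitstatus]
end

# Execute argv and raise with the command's stderr when the exit status is not 0,
# which is the check the provider in the ticket does not make. The runner is
# injectable so the behaviour can be exercised without touching a live firewall.
def run_checked(argv, runner = method(:default_runner))
  out, err, status = runner.call(argv)
  raise "#{argv.shelljoin} exited #{status}: #{err.strip}" unless status.zero?
  out
end

if $PROGRAM_NAME == __FILE__
  rules = parse_rules(SAMPLE_SAVE)
  duplicate_rules(rules).each do |group|
    puts "duplicate match spec in #{group.first.chain}: " \
         "#{group.map { |r| r.comment || '(no comment)' }.join(' / ')}"
  end
  # Simulated failure instead of the real command, so the example runs offline.
  failing = lambda { |_argv| ['', "ip6tables: Bad rule (does a matching rule exist in that chain?).\n", 1] }
  begin
    run_checked(delete_argv(rules.first), failing)
  rescue RuntimeError => e
    puts "deletion reported: #{e.message}"
  end
end
```

      Run as root with the real runner and the `run_checked` wrapper turns the silent "ensured absent" into a failed resource with the ip6tables message attached; the duplicate report makes the two RELATED,ESTABLISHED rules visible before any delete is attempted.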

      Reporter: martin.moerner Martin Mörner