MODULES-8360

puppetlabs-firewall: cannot remove ip6tables rules

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Environment: Fresh install of CentOS 7 (1810)
    • QA Risk Assessment: Needs Assessment

      Description

      With the changes from MODULES-2119, puppet cannot remove some IPv6 rules when purging.

      From what I've observed, it's the same problem as in MODULES-2119: ip6tables-save does not report when "-p all" is used, but in contrast to IPv4, in IPv6 you can only delete a rule with "all" if it was provided upon creation, and without it when it was not.

      Example where the second rule was created without "-p all":

      Debug: Executing: '/usr/sbin/ip6tables -t filter -D FORWARD -s fbde::/128 -j ACCEPT -p all'
      Notice: /Stage[main]/Firewall[9008 28772f5ee4dba662c90bbbe0ebc3d65f]/ensure: removed
      Debug: Executing: '/usr/sbin/ip6tables -t filter -D FORWARD -s fbde::/128 -j ACCEPT -p all'
      Notice: /Stage[main]/Firewall[9009 28772f5ee4dba662c90bbbe0ebc3d65f]/ensure: ensured absent

      The main problem I've found is that upon system restart, ip6tables-save and ip6tables-restore will be run, so any rules managed by puppet with "-p all" will be converted to ones without it. Puppet then cannot remove these rules, since "ip6tables -D ... -p all" will not work and results in "ensured absent".


      Possible solution:

      Revert the changes from MODULES-2119 and change general_args in provider/firewall/iptables.rb so that it does not include "-p all" in update and insert commands.

      Yet to be tested on a real machine, but it seems to work (I'll create a PR when I've tested it more).
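      Added illustration of the normalisation the proposed fix relies on: treat a rule that ip6tables-save prints without "-p" as protocol "all", and never emit "-p all" when building insert, update or delete arguments, so the delete command matches the rule whether it was created with or without the flag. This is example code written for this page, not code from puppetlabs-firewall or from the reporter; the function names (parse_save_line, general_args, delete_command, same_rule?), the ip6tables-save lines and the limited set of flags it interprets are all constructed for the illustration.

```ruby
require 'shellwords'

# Parse one ip6tables-save rule line, e.g. "-A FORWARD -s fbde::/128 -j ACCEPT".
# ip6tables-save omits "-p" for protocol "all", so a missing -p is recorded as
# 'all'; that makes the parsed rule comparable with one puppet wrote using "-p all".
# Only -A/-p/-s/-d/-j are interpreted; any other tokens are kept verbatim in :extra.
def parse_save_line(line)
  tokens = Shellwords.split(line)
  rule = { chain: nil, proto: 'all', source: nil, destination: nil, jump: nil, extra: [] }
  until tokens.empty?
    flag = tokens.shift
    case flag
    when '-A' then rule[:chain] = tokens.shift
    when '-p' then rule[:proto] = tokens.shift
    when '-s' then rule[:source] = tokens.shift
    when '-d' then rule[:destination] = tokens.shift
    when '-j' then rule[:jump] = tokens.shift
    else rule[:extra] << flag
    end
  end
  rule
end

# Match arguments shared by insert, update and delete commands.
# "-p all" is deliberately left out: the saved/restored rule never carries it,
# and (as the ticket describes) "ip6tables -D ... -p all" does not match such a rule.
def general_args(rule)
  args = []
  args += ['-p', rule[:proto]] unless rule[:proto].nil? || rule[:proto] == 'all'
  args += ['-s', rule[:source]] if rule[:source]
  args += ['-d', rule[:destination]] if rule[:destination]
  args += rule[:extra]
  args += ['-j', rule[:jump]] if rule[:jump]
  args
end

# Full delete command as an argv array (built, not executed).
def delete_command(rule, table: 'filter')
  ['/usr/sbin/ip6tables', '-t', table, '-D', rule[:chain], *general_args(rule)]
end

# Two rules are the same match whether or not "-p all" was spelled out.
def same_rule?(a, b)
  a[:chain] == b[:chain] && general_args(a) == general_args(b)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample lines: the rule as ip6tables-restore leaves it, and as puppet wrote it.
  saved  = parse_save_line('-A FORWARD -s fbde::/128 -j ACCEPT')
  puppet = parse_save_line('-A FORWARD -s fbde::/128 -p all -j ACCEPT')
  puts same_rule?(saved, puppet)                     # true
  puts Shellwords.join(delete_command(saved))        # no "-p all" in the argv
end
```

      Because both the parsed saved line and the puppet-side rule reduce to the same argument list, the delete command is identical in either case and the "ensured absent" symptom described above cannot arise from the protocol flag alone.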

      People

      • Assignee: Alex Harvey (alexharv074)
      • Reporter: Arkadiusz Dzięgiel (Glorpen)
      • Votes: 0
      • Watchers: 3
