Comments (12)
Using quotes instead of ' had no effect on our systems. The problem persisted as long as log_level is used.
from puppetlabs-firewall.
@KlavsKlavsen I believe you have a rule that the firewall provider is unable to purge. The failed iptables -D command indicates this. What does your existing iptables-save look like today? If you purge the rule in question manually, does the bug go away?
The rule it's trying to purge was added, because the above manifest succeeds in adding the rule to iptables saved config - but fails to add it using iptables.
I then reloaded iptables service to see if the saved worked, and it did.
After removing the rule manually from iptables running config - it still fails, if I enable the manifest - exactly the same way.
It's trying to run:
/sbin/iptables -t filter -A INPUT -m comment --comment 998 Log all -j LOG --log-prefix default drop
If I enclose it like this:
/sbin/iptables -t filter -A INPUT -m comment --comment "998 Log all" -j LOG --log-prefix "default drop"
It works, when I run it manually.
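The two commands above differ only in how the values with spaces are delimited. As an added example (not code from the module or from anyone in this thread), this Ruby snippet shows why: a rule passed as an argv array keeps "998 Log all" as one argument, while flattening the command into a string and re-splitting it on whitespace turns it into three. The rule hash, function names and injectable runner are constructed for the example.

```ruby
require 'shellwords'

# Constructed example rule: the fields of a firewall resource that end up
# as iptables arguments. Two of the values contain spaces on purpose.
RULE = {
  table:      'filter',
  chain:      'INPUT',
  comment:    '998 Log all',
  jump:       'LOG',
  log_prefix: 'default drop',
}.freeze

# Build the iptables invocation as an argv array. Each value is its own
# element, so a value containing spaces stays a single argument regardless
# of its content; `action` is '-A' to add or '-D' to delete (purge).
def iptables_argv(rule, action)
  ['/sbin/iptables', '-t', rule[:table], action, rule[:chain],
   '-m', 'comment', '--comment', rule[:comment],
   '-j', rule[:jump], '--log-prefix', rule[:log_prefix]]
end

# The failing pattern: the command is flattened into one string and later
# split on whitespace, so '998 Log all' becomes three arguments and the
# -D lookup no longer matches the rule that was saved.
def naive_split(argv)
  argv.join(' ').split(' ')
end

# Shell-safe string form for logging or manual reproduction: Shellwords
# escapes exactly the arguments that need it, and Shellwords.split reverses
# it without loss, unlike the plain join/split above.
def shell_string(argv)
  Shellwords.join(argv)
end

# Execute via argv so no shell re-parses the arguments. `runner` is
# injectable so the example can be exercised without touching a firewall.
def apply_rule(rule, action, runner: Kernel.method(:system))
  runner.call(*iptables_argv(rule, action))
end

if $PROGRAM_NAME == __FILE__
  argv = iptables_argv(RULE, '-A')
  puts "argv form (#{argv.length} args): #{shell_string(argv)}"
  puts "naive re-split yields #{naive_split(argv).length} args"
end
```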
The rule it's trying to purge was added, because the above manifest succeeds in adding the rule to iptables saved config - but fails to add it using iptables.
That doesn't make sense. We add the rule first using iptables, then we just run iptables-save, usually to persist it. If we can't add the rule to the running configuration, we therefore can't persist it.
Anyway, I'm getting somewhat confused by your explanation and otherwise can't replicate it ... here is a gist of how I tried to replicate it ... can you do something similar for me ... showing steps so I can reproduce it here? https://gist.github.com/kbarber/5636235
Here's the situation that's occurring for us.
If we start out with
firewall {'003 Log all INVALID packets':
  chain      => 'INPUT',
  proto      => 'all',
  state      => 'INVALID',
  jump       => 'LOG',
  log_level  => '3',
  log_prefix => 'IPTABLES Dropped Invalid: ',
}
and do a Puppet run, everything will work fine and iptables will be constructed as desired (although the bug in 184 will start occurring on subsequent runs).
If we then change the rule to be something like:
firewall {'003 Log all INVALID packets because racecar':
  chain      => 'INPUT',
  proto      => 'all',
  state      => 'INVALID',
  jump       => 'LOG',
  log_level  => '3',
  log_prefix => 'IPTABLES Dropped Invalid: ',
}
When we do a puppet run, puppet will not be able to remove the old rule, will return the error stated by the OP and as a result, iptables will now have duplicate rules with the comment from the rule in puppet being the only difference.
@ITBlogger like this? https://gist.github.com/kbarber/5636445
Yep, that's exactly what happens.
I apparently got confused as to what was the cause - my issue is the exact same as you demonstrated, and as ITBlogger also has.
Pull request #189 addresses this
Should be fixed by #189, recently merged. @ITBlogger @KlavsKlavsen can you confirm?
Yep, it looks like this bug is now fixed. Thought it might fix the other bug where puppet keeps regenerating iptables with every puppet run, but that bug is still there.
@ITBlogger thanks for confirming. The other bug is still open.