Closed poblahblahblah closed 7 years ago
Fixed in here, please merge my PR https://github.com/chef-cookbooks/iptables/pull/71
It looks like this didn't end up flushing the rules on a chef-client run:
```text
Recipe: iptables::_package
  * yum_package[iptables-services] action install
    - install version 1.4.21-17.el7 of package iptables-services
Recipe: iptables::disabled
  * service[iptables] action disable (up to date)
  * service[iptables] action stop (up to date)
  * directory[/etc/iptables.d] action delete (up to date)
  * execute[iptablesFlush] action nothing (skipped due to action :nothing)
```

`/etc/iptables.d` doesn't exist on RHEL/CentOS 7, so the flush is never triggered. Looking at a CentOS 7 system I see that `/usr/lib/systemd/system/iptables.service` calls `/usr/libexec/iptables/iptables.init`. This appears to be a SysVinit-style script, and it looks like the script's default is to read rules from `/etc/sysconfig/iptables`:

```sh
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
```
Would you like me to submit a PR for CentOS/RHEL7 that addresses this? Would we just want to zero this file out and have that trigger the flush?
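The flush that the comment above says never fires on RHEL/CentOS 7, written out as an added example (this is not code from the iptables cookbook or from anyone in this thread). It sets every built-in chain's policy to ACCEPT before flushing, because flushing a filter table whose INPUT policy is DROP cuts off the very SSH session chef-client is running in, and it then truncates the saved ruleset that `iptables.init` restores, which is the "zero this file out" idea floated above. The table list, the `security` table, the `DRY_RUN`/`IPTABLES_FLUSH_APPLY` switches and the `IPTABLES_*` variable names other than `IPTABLES_DATA` are assumptions made for this example, not something the cookbook defines.

```shell
#!/bin/sh
# Added example, not code from the iptables cookbook or from this thread.
# Flushes all iptables tables on a RHEL/CentOS 7 iptables-services host and
# empties the saved ruleset so nothing is restored on the next service start.
# Assumptions: the table list matches the host's kernel ('security' exists on
# RHEL 7; drop it elsewhere), and truncating IPTABLES_DATA is acceptable.

IPTABLES_BIN="${IPTABLES_BIN:-iptables}"
# Same default as IPTABLES_DATA in /usr/libexec/iptables/iptables.init.
IPTABLES_DATA="${IPTABLES_DATA:-/etc/sysconfig/iptables}"
# Tables on a stock RHEL/CentOS 7 kernel (assumption, see above).
IPTABLES_TABLES="${IPTABLES_TABLES:-filter nat mangle raw security}"

# Echo the command instead of running it when DRY_RUN=1, so the exact
# sequence can be reviewed before it is applied to a live host.
run_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Built-in chains of each table; only these carry a default policy.
builtin_chains() {
  case "$1" in
    filter)   echo "INPUT FORWARD OUTPUT" ;;
    nat)      echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
    mangle)   echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    raw)      echo "PREROUTING OUTPUT" ;;
    security) echo "INPUT FORWARD OUTPUT" ;;
    *)        echo "unknown table: $1" >&2; return 1 ;;
  esac
}

# Empty one table. Order matters: policies go to ACCEPT *before* the flush,
# otherwise a DROP policy on INPUT drops every packet (including the SSH
# session running chef-client) the moment the accept rules disappear.
flush_table() {
  ft_chains=$(builtin_chains "$1") || return 1
  for ft_chain in $ft_chains; do
    run_cmd "$IPTABLES_BIN" -t "$1" -P "$ft_chain" ACCEPT || return 1
  done
  run_cmd "$IPTABLES_BIN" -t "$1" -F || return 1   # delete all rules in every chain
  run_cmd "$IPTABLES_BIN" -t "$1" -X || return 1   # delete now-empty user-defined chains
  run_cmd "$IPTABLES_BIN" -t "$1" -Z                # zero packet and byte counters
}

# Flush the given tables (default: all of IPTABLES_TABLES), then truncate the
# saved ruleset so a later 'systemctl start iptables' has nothing to restore.
iptables_flush_all() {
  for fa_table in ${*:-$IPTABLES_TABLES}; do
    flush_table "$fa_table" || return 1
  done
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo ": > $IPTABLES_DATA"
  else
    : > "$IPTABLES_DATA"
  fi
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${IPTABLES_FLUSH_APPLY:-0}" = 1 ]; then
  iptables_flush_all
fi
```

`DRY_RUN=1 IPTABLES_FLUSH_APPLY=1 sh iptables_flush.sh` prints the full sequence; without `DRY_RUN` it must run as root. Because `iptables::disabled` already stops and disables the service, truncating `/etc/sysconfig/iptables` is belt and braces, but it is what keeps a later manual `systemctl start iptables` from reloading the old rules. Note that none of this touches ip6tables, which has its own `ip6tables.init` and `/etc/sysconfig/ip6tables`.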
It needs to be triggered somehow; where is the iptables rules dir on RHEL?
Closing this out since it's been merged to master
Cookbook version
3.0.1
Chef-client version
12.14.89
Platform Details
RHEL 6.8
Scenario:
We had shifted some IPTables rules from our hosts into our firewalls and thought an easy way to roll back all of the rulesets in iptables would be to just include iptables::disabled; however, we found that while this removes the files from `/etc/iptables.d`, this doesn't flush the existing rule set.
Steps to Reproduce:
1) Set up a host and add a few arbitrary rules to IPTables
2) Include the `iptables::disabled` recipe
Expected Result:
IPTables would be disabled and the ruleset flushed
Actual Result:
IPTables ruleset is still active