Open oliparcol opened 2 months ago
@2fa Would you mind looking at a comment in #1188 to see if it is related? Thanks in advance, for your time and attention.
@corporate-gadfly your reproduction steps looks very similar to this problem so i would assume that it is related, yes. They've merged it an hour ago so it should be fixed in the next version.
No luck with 8.0.2.
Running:
puppet apply -e 'firewallchain {"PREROUTING:mangle:IPv4": ensure=>"present"}'
continues to give the output:
Notice: /Stage[main]/Main/Firewallchain[PREROUTING:mangle:IPv4]/ensure: defined 'ensure' as 'present'
Notice: firewallchain[PREROUTING:mangle:IPv4]: Creating: Creating Chain 'PREROUTING:mangle:IPv4' with {:name=>"PREROUTING:mangle:IPv4", :ensure=>"present", :purge=>false, :ignore_foreign=>false, :chain=>"PREROUTING", :table=>"mangle", :protocol=>"IPv4", :policy=>"accept"}
Notice: firewallchain[PREROUTING:mangle:IPv4]: Creating: Ensuring changes to 'PREROUTING:mangle:IPv4' persist
Notice: firewallchain[PREROUTING:mangle:IPv4]: Creating: Finished in 0.131559 seconds
Kindly let me know, if I can provide more details.
@corporate-gadfly do you have rules in table before that that contains *
symbol anywhere?
You can check iptables-save
output to be sure. And also you can check if that chains is already there.
@corporate-gadfly do you have rules in table before that that contains
*
symbol anywhere?
No.
# iptables-save | grep '*'
*filter
You can check
iptables-save
output to be sure. And also you can check if that chains is already there.
# iptables-save -t mangle
# Generated by iptables-save v1.8.7 on Fri May 24 13:56:37 2024
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Fri May 24 13:56:37 2024
@corporate-gadfly Looks like my fix works in a non nf_tables version of iptables. iptables-save
doesn't output empty tables at all in a new version. Great stuff 😃
I will reopen original issue #1206
TY:
Operating System: Ubuntu 22.04.4 LTS
Kernel: Linux 5.15.0-100-generic
Architecture: x86-64
Hardware Vendor: VMware, Inc.
Hardware Model: VMware7,1
and:
# iptables -V
iptables v1.8.7 (nf_tables)
Describe the Bug
When applying on a server without any iptables rule the following puppet code with the resource firewallchain declared without any rule:
The following output is always emitted:
Expected Behavior
I would expect no output to be emitted.
Environment
Additional Context
I believe that the issue comes from the fact that
iptables-save
doesn't show empty tables. The code is therefore not able to distinguish an existing empty table from a non-existing one. Specifying the table with the-t
option (e.g.iptables-save -t <table>
does display the empty table).