Non idempotent logs for empty firewall chains #1217
Comments
#1206 should fix that
@2fa Would you mind looking at a comment in #1188 to see if it is related? Thanks in advance for your time and attention.
@corporate-gadfly your reproduction steps look very similar to this problem, so I would assume that it is related, yes. They merged it an hour ago, so it should be fixed in the next version.
No luck with 8.0.2. Running:
continues to give the output:
Kindly let me know if I can provide more details.
@corporate-gadfly do you have rules in table before that that contains You can check
No.
@corporate-gadfly Looks like my fix works in a non-nf_tables version of iptables. I will reopen original issue #1206
TY:
and:
Good day, @2fa. Coming back to this issue, which still exists in the 8.x versions on Ubuntu 22, I asked, horror of all horrors, ChatGPT if there was a way to have the rules in the default tables show up. The helpful hint was to add placeholder rules and then remove them. E.g.:
followed by:
After this, Now, I know zilch about the Also, for reference, there is a netfilter bugzilla which mentions the sparseness of
I was thinking of doing the following (one-time) to flush and recreate the default
I also experienced this after updating the firewall module from 6.0.0 to 8.1.2. It seems that setting an explicit policy for one of the chains in a table is sufficient to make
Maybe the
Just wondering if any progress on this bug or anyone working on it before I dig deeper. We just upgraded and were hit with this too.
`iptables-save` does not show any built-in chains when they have not been interacted with. This leads to the chain being (re)-created. PR#1206 attempted to fix this by listing the chain instead of creating it, but this method only seems to work on non-nft iptables[1]. Fix this for the nft version of iptables by setting the policy of the chain instead of listing it. This seems to work for both nft and non-nft versions of iptables (tested on Ubuntu 20.04 and 24.04). Fixes puppetlabs#1217
[1] puppetlabs#1217 (comment)
Describe the Bug
When applying the following Puppet code, with the firewallchain resource declared without any rule, on a server without any iptables rules:
The following output is always emitted:
Expected Behavior
I would expect no output to be emitted.
Environment
Additional Context
I believe that the issue comes from the fact that `iptables-save` doesn't show empty tables. The code is therefore not able to distinguish an existing empty table from a non-existing one. Specifying the table with the `-t` option (e.g. `iptables-save -t <table>`) does display the empty table.
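The root cause above (an untouched built-in chain is absent from `iptables-save` output, so a provider cannot tell "exists but empty" from "missing") and the approach in the fix commit (re-assert the chain's current policy rather than list or create it) as an added shell example; this is not code from the puppetlabs-firewall module, and the `iptables-save` / `iptables -S` outputs are constructed samples that stand in for a real host so the text-handling parts run without root.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t filter` on a host where only INPUT
# has been touched (a policy was set). FORWARD and OUTPUT do not appear at all,
# even though they are built-in chains that always exist.
SAMPLE_SAVE='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
COMMIT
# Completed'

# Constructed sample of `iptables -t filter -S FORWARD`: listing a built-in
# chain works even when it is missing from iptables-save, and shows its policy.
SAMPLE_S_FORWARD='-P FORWARD ACCEPT'

# chain_in_save TABLE CHAIN  (reads iptables-save text on stdin)
# Exit 0 if a ":CHAIN ..." line exists inside the "*TABLE" block, else 1.
chain_in_save() {
  awk -v t="*$1" -v c=":$2" '
    $0 == t          { intab = 1; next }
    /^COMMIT/        { intab = 0 }
    intab && $1 == c { found = 1 }
    END              { exit found ? 0 : 1 }'
}

# current_policy TABLE CHAIN  (reads `iptables -t TABLE -S CHAIN` text on stdin)
# Prints the policy named on the "-P CHAIN POLICY" line.
current_policy() {
  awk -v c="$2" '$1 == "-P" && $2 == c { print $3; exit }'
}

# policy_reassert_cmd TABLE CHAIN POLICY
# The command that makes the chain show up in iptables-save on nft-backed
# iptables without changing its behaviour: set the policy it already has.
policy_reassert_cmd() {
  printf 'iptables -t %s -P %s %s\n' "$1" "$2" "$3"
}

# ensure_visible TABLE CHAIN: the same logic against a live system (needs root;
# hypothetical helper, not run by the sample checks below).
ensure_visible() {
  iptables-save -t "$1" | chain_in_save "$1" "$2" && return 0
  pol=$(iptables -t "$1" -S "$2" | current_policy "$1" "$2")
  iptables -t "$1" -P "$2" "$pol"
}
```

Run the two detection helpers against the samples to see INPUT reported as present and FORWARD as absent, which is exactly the state that made the module log a chain creation on every run.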