Issue #9439 has been updated by Ken Barber.

Subject changed from puppetlabs-firewall: Doesn't work with the stock RHEL6 AMI on EC2 to puppetlabs-firewall: Doesn't work with the existing iptables rulesets that weren't previously managed by the firewall resource
Description updated
Keywords set to iptables, rhel6, existing rules


----------------------------------------
Bug #9439: puppetlabs-firewall: Doesn't work with the existing iptables rulesets that weren't previously managed by the firewall resource
https://projects.puppetlabs.com/issues/9439

Author: Ashley Penney
Status: Accepted
Priority: Normal
Assignee: 
Category: firewall
Target version: 
Keywords: iptables, rhel6, existing rules
Branch: 


Puppetlabs-firewall breaks when there are existing rules ... this is obvious 
for example in the RHEL6 AMI for EC2.

Something in iptables-save I believe causes this problem based on what I've 
seen in other bug reports. It's still a problem with the latest copy in git.

    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
    [root@ashp ~]# puppetd -tv
    info: Retrieving plugin
    info: Loading facts in mysql_version
    info: Loading facts in concat_basedir
    info: Loading facts in augeasversion
    info: Loading facts in iptables
    info: Loading facts in rhelversion
    info: Loading facts in mysql_exists
    info: Loading facts in mysql_version
    info: Loading facts in concat_basedir
    info: Loading facts in augeasversion
    info: Loading facts in iptables
    info: Loading facts in rhelversion
    info: Loading facts in mysql_exists
    info: Caching catalog for ashp.perimeterusa.com
    err: Could not prefetch firewall provider 'iptables': No resource and no name in property hash in iptables instance
    info: Applying configuration version '1315857090'
    err: /Firewall[000 - ssh]: Could not evaluate: No resource and no name in property hash in iptables instance
    notice: /Stage[main]/Firewall::Standard/Exec[persist-firewall]: Dependency Firewall[000 - ssh] has failures: true
    warning: /Stage[main]/Firewall::Standard/Exec[persist-firewall]: Skipping because of failed dependencies
    notice: Finished catalog run in 11.12 seconds
    [root@ashp ~]# vim /var/log/messages 
    [root@ashp ~]# iptables-save
    # Generated by iptables-save v1.4.7 on Mon Sep 12 15:57:24 2011
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [7043:1179511]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p icmp -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j REJECT --reject-with icmp-host-prohibited 
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
    COMMIT
    # Completed on Mon Sep 12 15:57:24 2011
    [root@ashp ~]# /etc/init.d/iptables stop
    iptables: Flushing firewall rules:                         [  OK  ]
    iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
    iptables: Unloading modules:                               [  OK  ]
    [root@ashp ~]# puppetd -tv
    info: Retrieving plugin
    info: Loading facts in mysql_version
    info: Loading facts in concat_basedir
    info: Loading facts in augeasversion
    info: Loading facts in iptables
    info: Loading facts in rhelversion
    info: Loading facts in mysql_exists
    info: Loading facts in mysql_version
    info: Loading facts in concat_basedir
    info: Loading facts in augeasversion
    info: Loading facts in iptables
    info: Loading facts in rhelversion
    info: Loading facts in mysql_exists
    info: Caching catalog for ashp.perimeterusa.com
    info: Applying configuration version '1315857090'
    notice: /Firewall[000 - ssh]/ensure: created
    info: /Firewall[000 - ssh]: Scheduling refresh of Exec[persist-firewall]
    notice: /Stage[main]/Firewall::Standard/Exec[persist-firewall]: Triggered 'refresh' from 1 events
    notice: Finished catalog run in 12.43 seconds

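The failure above comes from the provider's prefetch step: it parses `iptables-save` output and expects every rule to carry a `-m comment --comment "NNN name"` tag, so a pre-existing ruleset (the stock RHEL6 rules shown, none of which are tagged) leaves it with "no name in property hash". The following is an added illustration, not puppetlabs-firewall's code, of a parser that tolerates untagged rules by giving them a synthetic name and marking them as unmanaged. The sample `iptables-save` text is constructed from the rules in the report plus one Puppet-tagged rule; the 9000-series naming scheme and the `parse_iptables_save` / `unmanaged_rules` helpers are hypothetical.

```ruby
require 'digest'

# Constructed sample mirroring the ruleset in the bug report, with one extra
# rule tagged the way puppetlabs-firewall tags the rules it creates.
SAMPLE_SAVE = <<~SAVE
  # Generated by iptables-save v1.4.7 on Mon Sep 12 15:57:24 2011
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [7043:1179511]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -p tcp -m comment --comment "000 - ssh" -m tcp --dport 22 -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
  -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  COMMIT
  # Completed on Mon Sep 12 15:57:24 2011
SAVE

# Parse one "-A CHAIN ..." line into a hash. A rule whose comment starts with a
# three-digit ordering prefix keeps that comment as its name and is treated as
# managed; any other rule gets a synthetic name instead of raising, so prefetch
# can complete even on a host whose rules were never written by Puppet.
def parse_rule(line, table, index)
  m = line.match(/\A-A (\S+) (.*)\z/)
  return nil unless m

  rule = { table: table, chain: m[1], line: line, managed: false }
  comment = m[2].match(/-m comment --comment "([^"]*)"/)
  if comment && comment[1] =~ /\A\d{3} /
    rule[:name] = comment[1]
    rule[:managed] = true
  else
    # Hypothetical naming scheme: 9000-series names identify rules Puppet did
    # not create; the digest keeps the name stable across runs.
    rule[:name] = format('%d %s', 9000 + index, Digest::SHA256.hexdigest(line)[0, 8])
  end
  rule
end

# Walk iptables-save output, tracking the current *table and skipping the
# comment, chain-policy and COMMIT lines that carry no rules.
def parse_iptables_save(text)
  table = nil
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ':', 'COMMIT')
    if line.start_with?('*')
      table = line[1..-1]
      next
    end
    rule = parse_rule(line, table, rules.size)
    rules << rule if rule
  end
  rules
end

# Rules that exist on the host but are not described by any Firewall resource;
# an operator can decide to absorb these into the manifest or purge them.
def unmanaged_rules(rules)
  rules.reject { |r| r[:managed] }
end

if __FILE__ == $PROGRAM_NAME
  parse_iptables_save(SAMPLE_SAVE).each do |r|
    puts format('%-9s %s/%s %s', r[:managed] ? 'managed' : 'unmanaged', r[:table], r[:chain], r[:name])
  end
end
```

With this approach the first `puppetd -tv` run in the report would have listed six unmanaged rules alongside `Firewall[000 - ssh]` rather than aborting prefetch; flushing the ruleset by hand, as the reporter had to do, then becomes an explicit choice rather than a prerequisite.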
