(MODULES-11476) Fix non-idempotency of firewall table creation #1263
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shubhamshinde360
force-pushed
the
MODULES-11476
branch
5 times, most recently
from
2dd97da to
f848ce3
Compare
shubhamshinde360
force-pushed
the
MODULES-11476
branch
from
f848ce3 to
4d6b4b3
Compare
Contributor
Author
|
Check failures are due to GPG key expiry issues unrelated to the changes in this PR |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
david22swan
reviewed
Jun 9, 2025
The 'iptables-save' command behaves differently on rpm and deb based platforms.
rpm based: If an iptable has been interacted with, it will show up in the command even if it is empty.
deb based: If an iptable has been interacted with, it may not show up in the command if it is empty. If we add and then delete a rule, it shows up. But if we create the table using "iptables -N" it doesn't.
Specific tables always show up with "iptables -t #{table_name}".
Since, the tables are always already created and the module supports a specific set of them. This commit tries to check if they exist one by one using the "iptables -t" command.
Also, since the tables are being checked like this, all tables show up in the output, so adjusted the rpsec according to that.
shubhamshinde360
force-pushed
the
MODULES-11476
branch
from
4d6b4b3 to
2a7bee5
Compare
skyamgarp
approved these changes
Jun 9, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fix non-idempotency of firewall table creation
Additional Context
The 'iptables-save' command behaves differently on rpm and deb based platforms.
rpm based: If an iptable has been interacted with, it will show up in the command even if it is empty.
deb based: If an iptable has been interacted with, it may not show up in the command if it is empty. If we add and then delete a rule, it shows up. But if we create the table using "iptables -N" it doesn't.
Specific tables always show up with "iptables -t #{table_name}".
Since, the tables are always already created and the module supports a specific set of them. This commit tries to check if they exist one by one using the "iptables -t" command.
Also, since the tables are being checked like this, all tables show up in the output, so adjusted the rpsec according to that.
Root cause: This occurs because iptables do not show up in the 'iptables' command when they are empty in deb based distributions.
Related Issues (if any)
Mention any related issues or pull requests.
Checklist
puppet apply)