Incorrect processing of built in chains #214

Closed
CtrlC-Root opened this issue Jun 25, 2013 · 7 comments
Comments

@CtrlC-Root

So here's my puppet manifest http://tny.cz/63ae0209 which I apply like this in my node definitions:

node default
{
    stage {'config':
        before => Stage['main']
    }

    class {'linux::firewall':
        stage => 'config'
    }
}

About 10-20% of the time I get this error in my puppet agent's logs:

Execution of '/sbin/ip6tables -t filter -N INPUT' returned 1: ip6tables: Chain already exists.

This doesn't make sense. Why is the firewall module attempting to create a built-in chain? I'm running the latest version of puppet (3.2.2) and the firewall module (0.3.1). I've tried to correlate this problem to a pre-existing condition on the machine with no success. I also don't know why this only happens some of the time; it would seem indicative of a missing relationship somewhere in my manifests, but I haven't been able to find one.

@CtrlC-Root
Author

So am I the only one who has experienced this issue?

@ruckc

ruckc commented Jul 17, 2013

I've run into something potentially similar, where an initial puppet run is executing via an ssh connection, and since my chains default to DROP and they are autorequired by rules, the rest of the rules don't get added (since the puppet session died) and the box is essentially locked, requiring console access.


@CtrlC-Root
Author

Yes, this is the motivating problem behind my wish to resolve this issue. Until this is fixed, I have to personally visit every machine I bring under puppet control, just in case the agent fails halfway through the firewall rules, after changing the policy to DROP but before adding the SSH rules. I'd try to fix it myself, but I don't know Ruby very well.

@ruckc
ruckc commented Jul 17, 2013

I ended up modifying firewall/lib/puppet/type/firewall.rb and removing the autorequire(:firewallchain) do ... end block with an explicit exec{'create chain in accept':} and firewallchain{'INPUT': action=>drop} with Firewall{require=>Exec['create chain in accept'], before=>Firewallchain['INPUT']}


@CtrlC-Root
Author

If you wouldn't mind, could you maybe explain to me why that solves the problem for you? I'm trying to understand what that part of the code does.
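The lockout described in this thread comes from the built-in chain's policy flipping to DROP before the SSH and RELATED/ESTABLISHED rules exist. The manifest below is an added example (not from this thread or from the puppetlabs-firewall module itself) of the pre/post ordering pattern: every `firewall` resource in the catalog is forced between a `pre` class that admits SSH and a `post` class that ends with an explicit drop rule, so the built-in INPUT chain is never created or re-policied by the module. The class names `my_fw`, `my_fw::pre` and `my_fw::post` are assumed.

```puppet
# Added example: order firewall rules so SSH and established traffic are
# accepted before the catch-all drop. Not part of the issue or the module.
# Assumes puppetlabs-firewall's `firewall` type (proto, dport, state,
# iniface, action); the my_fw class names are hypothetical.

class my_fw::pre {
  # Resource defaults from my_fw are dynamically scoped into this class and
  # would make these rules require my_fw::pre itself; clear them here.
  Firewall { require => undef, }

  firewall { '000 accept loopback':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '001 accept related established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '002 accept ssh':
    proto  => 'tcp',
    dport  => 22,
    action => 'accept',
  }
}

class my_fw::post {
  # A terminal drop rule instead of `firewallchain { ...: policy => drop }`:
  # the built-in INPUT chain keeps its default ACCEPT policy, the module never
  # runs `-N INPUT`, and nothing is dropped until this rule lands last.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,   # clear the default so post does not depend on itself
  }
}

class my_fw {
  # Every other firewall resource in the catalog is sandwiched between
  # pre and post, regardless of which class declares it.
  Firewall {
    require => Class['my_fw::pre'],
    before  => Class['my_fw::post'],
  }
  class { 'my_fw::pre': }
  class { 'my_fw::post': }
}
```

Declare `class { 'my_fw': }` before any other class that manages `firewall` resources; an agent run that dies mid-way then leaves the host with SSH still reachable, because the drop rule is the last thing applied.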

@phemmer
Contributor

phemmer commented Dec 19, 2013

This would be fixed by PR #271

@chelnak
Contributor

chelnak commented Mar 8, 2022

Hello! We are doing some housekeeping and noticed that this issue has been open for a long time.

We're going to close it but please do raise another issue if the issue still persists. 😄

@chelnak chelnak closed this as completed Mar 8, 2022