Description
Describe the Bug
If you define a firewall chain whose name starts with INPUT (and I'd guess other builtin chain names), it is somehow not being seen on the agent, causing puppet to attempt to create the chain and failing because it already exists. This is not the same as issue #1217.
Expected Behavior
The defined firewall chain should be detected and there should be no attempt to create the chain.
Steps to Reproduce
- Define a chain whose name starts with INPUT. For instance:

```puppet
# User-defined chain in the filter table; the name begins with the builtin chain name INPUT
firewallchain { 'INPUT_END_ACL:filter:IPv4':
  ensure => present,
}
```
- Run puppet agent twice (the first time to create the non-existent chain, the second time to see the error), where the following notices and errors will show up:

```text
Notice: /Stage[main]/Utcs_firewall::Pre/Firewallchain[INPUT_END_ACL:filter:IPv4]/ensure: defined 'ensure' as 'present'
Notice: firewallchain[INPUT_END_ACL:filter:IPv4]: Creating: Creating Chain 'INPUT_END_ACL:filter:IPv4' with {:name=>"INPUT_END_ACL:filter:IPv4", :ensure=>"present", :purge=>false, :ignore_foreign=>false, :chain=>"INPUT_END_ACL", :table=>"filter", :protocol=>"IPv4"}
Error: firewallchain[INPUT_END_ACL:filter:IPv4]: Creating: Failed after 0.005958 seconds: Execution of 'iptables -t filter -N INPUT_END_ACL' returned 1: iptables: Chain already exists.
Error: /Stage[main]/Utcs_firewall::Pre/Firewallchain[INPUT_END_ACL:filter:IPv4]: Could not evaluate: Execution encountered an error
```
- Change the chain name to "END_INPUT_ACL" and the issue goes away.
Environment
- openvox 8.23.1
- puppetlabs-firewall 8.2.0
- Ubuntu 24.04
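The symptom above (a user chain named `INPUT_END_ACL` is not seen, while `END_INPUT_ACL` is) is what you get when chain existence is decided by a prefix match against the builtin chain names instead of an exact match on the chain list. The Ruby below is an added illustration written for this page, not puppetlabs-firewall's own provider code, and it does not claim that this is the module's actual bug: it parses a constructed sample of `iptables -t filter -S` output, shows an exact-match check that finds both chains, and a hypothetical prefix-based check (`naive_chain_exists?`) that reproduces the reported behaviour. The sample output, `BUILTIN_CHAINS` and all function names are assumptions made for the example.

```ruby
# Added example, not code from puppetlabs-firewall. Demonstrates why a chain
# name that merely starts with a builtin chain name (INPUT_END_ACL) can be
# missed by a prefix-based check while an exact match on `iptables -S` output
# finds it.

# Constructed sample of `iptables -t filter -S` output on a host where the
# first puppet run has already created INPUT_END_ACL and END_INPUT_ACL.
SAMPLE_IPTABLES_S = <<~OUT
  -P INPUT ACCEPT
  -P FORWARD DROP
  -P OUTPUT ACCEPT
  -N INPUT_END_ACL
  -N END_INPUT_ACL
  -A INPUT -i lo -j ACCEPT
  -A INPUT -j INPUT_END_ACL
  -A INPUT_END_ACL -j LOG --log-prefix "end-acl "
OUT

# Builtin chains of the filter/nat/mangle tables (assumed list for the example).
BUILTIN_CHAINS = %w[INPUT FORWARD OUTPUT PREROUTING POSTROUTING].freeze

# Parse chain declarations: "-P <chain> <policy>" for builtin chains and
# "-N <chain>" for user-defined chains. Rule lines ("-A ...") are ignored.
def parse_chains(output)
  output.each_line.with_object({}) do |line, chains|
    case line.strip
    when /\A-P\s+(\S+)\s+(\S+)\z/ then chains[$1] = { builtin: true,  policy: $2 }
    when /\A-N\s+(\S+)\z/          then chains[$1] = { builtin: false, policy: nil }
    end
  end
end

# Correct check: the chain exists iff a declaration line carried exactly that name.
def chain_exists?(output, name)
  parse_chains(output).key?(name)
end

# Exact builtin test: only the full name counts.
def builtin_chain?(name)
  BUILTIN_CHAINS.include?(name)
end

# Hypothetical faulty classification: a chain is "builtin" if its name starts
# with a builtin name. INPUT_END_ACL is then misfiled as builtin.
def builtin_prefix_match?(name)
  BUILTIN_CHAINS.any? { |b| name.start_with?(b) }
end

# Hypothetical faulty existence check built on the prefix classification. For a
# name judged builtin it only looks at "-P" lines, so the user chain
# INPUT_END_ACL (declared with "-N") is never found, and a provider relying on
# this would try "iptables -N INPUT_END_ACL" again and hit "Chain already exists".
def naive_chain_exists?(output, name)
  chains = parse_chains(output)
  if builtin_prefix_match?(name)
    chains.any? { |n, attrs| attrs[:builtin] && n == name }
  else
    chains.key?(name)
  end
end

# What an idempotent ensure=>present should decide: create only when absent.
def action_for(output, name)
  chain_exists?(output, name) ? :noop : "iptables -t filter -N #{name}"
end

if __FILE__ == $PROGRAM_NAME
  %w[INPUT_END_ACL END_INPUT_ACL].each do |chain|
    puts format('%-14s exact=%-5s prefix-based=%-5s action=%s', chain,
                chain_exists?(SAMPLE_IPTABLES_S, chain),
                naive_chain_exists?(SAMPLE_IPTABLES_S, chain),
                action_for(SAMPLE_IPTABLES_S, chain))
  end
end
```

Running the script prints one line per chain; with the exact check both chains are found and the action is `noop`, whereas the prefix-based check reports `INPUT_END_ACL` as missing and `END_INPUT_ACL` as present, matching the report. The practical check on an affected agent is the same comparison: run `iptables -t filter -S | grep '^-N INPUT_END_ACL$'` and confirm the chain is declared before looking at how the provider decides whether to create it.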