Non idempotent logs for empty firewall chains #1217
Comments
#1206 should fix that.
@2fa Would you mind looking at a comment in #1188 to see if it is related? Thanks in advance for your time and attention.
@corporate-gadfly your reproduction steps look very similar to this problem, so I would assume that it is related, yes. They merged it an hour ago, so it should be fixed in the next version.
No luck with 8.0.2. Running:
continues to give the output:
Kindly let me know if I can provide more details.
@corporate-gadfly do you have rules in the table before that which contain You can check
No.
@corporate-gadfly Looks like my fix works in a non-nf_tables version of iptables. I will reopen the original issue #1206.
TY:
and:
Good day, @2fa. Coming back to this issue, which still exists in the 8.x versions on Ubuntu 22, I asked, horror of all horrors, ChatGPT if there was a way to have the rules in the default tables show up. The helpful hint was to add placeholder rules and then remove them. E.g.:
followed by:
After this, Now, I know zilch about the Also, for reference, there is a netfilter bugzilla which mentions the sparseness of
I was thinking of doing the following (one-time) to flush and recreate the default
I also experienced this after updating the firewall module from 6.0.0 to 8.1.2. It seems that setting an explicit policy for one of the chains in a table is sufficient to make
Maybe the
Describe the Bug
When applying the following Puppet code, with the firewallchain resource declared without any rule, on a server without any iptables rules:
The following output is always emitted:
Expected Behavior
I would expect no output to be emitted.
Environment
Additional Context
I believe that the issue comes from the fact that `iptables-save` doesn't show empty tables. The code is therefore not able to distinguish an existing empty table from a non-existing one. Specifying the table with the `-t` option (e.g. `iptables-save -t <table>`) does display the empty table.