}
```
-> **Note:** If there are unmanaged rules in unmanaged chains, it will take a second Puppet run for the firewall chain to be purged.
-
> **Note:** If you need more fine-grained control about which unmananged rules get removed, investigate the `purge` and `ignore_foreign` parameters available in `firewallchain`.
+> **Note:** `ignore_foreign` of `firewallchain` does not work as expected with a resources purge of `firewall`.
+
### Upgrading
Use these steps if you already have a version of the firewall module installed.
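Review bot: the added note on `ignore_foreign` says only that it "does not work as expected" with a resources purge of `firewall`, without saying what happens instead or what the reader should do. State the observed behaviour (for instance, whether foreign rules in the chain are purged anyway) and point to the configuration that is supported. The removed note about needing a second Puppet run is dropped with no replacement; if that is a consequence of the flush added in `destroy`, say so in the README or the commit message. The unchanged context line above the new note still reads "unmananged" and could be corrected in the same change.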
end
def destroy
- allvalidchains do |t, chain, table|
+ allvalidchains do |t, chain, table, protocol|
if INTERNAL_CHAINS.match?(chain)
# can't delete internal chains
warning "Attempting to destroy internal chain #{@resource[:name]}"
else
- debug "Deleting chain #{chain} on table #{table}"
+ debug "Flush chain #{chain} on table #{table} (#{protocol})"
+ t.call ['-t', table, '-F', chain]
+ debug "Deleting chain #{chain} on table #{table} (#{protocol})"
t.call ['-t', table, '-X', chain]
end
end
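Review bot: in `destroy`, the new `t.call ['-t', table, '-F', chain]` runs before `-X` for every non-internal chain, and nothing here handles a failure of either call. The flush removes every rule in the chain, including rules Puppet does not manage. If the following `-X` then fails, for example because a rule elsewhere still jumps to this chain, the chain stays in place but empty, which changes what traffic is filtered. Document that removing a `firewallchain` now flushes it first, and report the case where the flush succeeds but the delete does not, so the half-applied state is visible in the run output. Minor: the internal-chain `warning` still prints only `@resource[:name]`, while the new debug lines include table and protocol; making them consistent would help when reading logs.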