begin
iptables delete_args
rescue Puppet::ExecutionFailure => e
+ # There is currently a bug in ip6tables where delete rules do not match rules using any protocol
+ # if '-p' all is missing.
+ #
+ # https://bugzilla.netfilter.org/show_bug.cgi?id=1015
+ #
+ # This tries deleting again with -p all to see if that helps.
+ if self.class.instance_variable_get(:@protocol) == 'IPv6' && properties[:proto] == 'all'
+ iptables delete_args.concat('-p', 'all')
+ end
+
# Check to see if the iptables rule is already gone. This can sometimes
# happen as a side effect of other resource changes. If it's not gone,
# raise the error as per usual.
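Review bot: The retry line `iptables delete_args.concat('-p', 'all')` passes two Strings to Array#concat, which accepts only Arrays, so on the IPv6 path this rescue raises TypeError instead of re-running the delete; it should read `iptables delete_args.concat(['-p', 'all'])` (or `delete_args + ['-p', 'all']`). The retry is also unguarded: when the second delete fails as well, the new Puppet::ExecutionFailure propagates out of the rescue, the original `e` is lost, and the "is the rule already gone" check described in the trailing comment is never reached; wrapping the retry so its failure falls through to that check would keep the documented behaviour. The spec that exercised the IPv6 `-p all` case is deleted at the bottom of the page and does not appear to be replaced by one covering this retry, so the branch looks untested. The enclosing method begins before and continues after this hunk.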
def delete_args
# Split into arguments
line = properties[:line].gsub(%r{^\-A }, '-D ').split(%r{\s+(?=(?:[^"]|"[^"]*")*$)}).map { |v| v.gsub(%r{^"}, '').gsub(%r{"$}, '') }
- if self.class.instance_variable_get(:@protocol) == 'IPv6' && properties[:proto] == 'all'
- #
- # There is currently a bug in ip6tables where delete rules do not match rules using any protocol
- # if '-p' all is missing.
- #
- # https://bugzilla.netfilter.org/show_bug.cgi?id=1015
- #
- # This check looks for this case, and adds '-p all' to the rule for ipv6.
- #
- line = line.concat ['-p', 'all']
- end
line.unshift('-t', properties[:table])
end
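Review bot: `delete_args` loses its only comment explaining the ip6tables `-p all` workaround, and after this change nothing in the method says where that behaviour went; a short note would save the next reader a search, e.g. `# Builds the '-t <table> -D ...' argument list from properties[:line]. The ip6tables '-p all' workaround (netfilter bug 1015) is no longer applied here; see the retry in the delete path.` The hedge is deliberate: from this hunk alone it is only implied that the append moved rather than being dropped.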
it 'delete_args is an array' do
expect(instance.delete_args.class).to eq(Array)
end
-
- it 'attempts to match ipv6 rule' do
- expect(instance.delete_args).to eq(['-t', 'filter', '-D', 'INPUT', '-i', 'lo', '-m', 'comment', '--comment', '001 accept all to lo interface v6', '-j', 'ACCEPT', '-p', 'all'])
- end
-
- it 'delete_args is the same as the rule string when joined' do
- expect(instance.delete_args.join(' ')).to eq(bare_sample_rule.gsub(%r{\-A},
- '-t filter -D') + ' -p all')
- end
end
end