example42/puppet-network

Updating nftables flushes ip(6)tables rules on RHEL 8

olifre opened this issue · 2 comments

Expected Behavior

Rules managed by the module stay active even if the system is updated.

Actual Behavior

When running:

yum reinstall nftables

all ip(6)tables rules are flushed (of course, that also happens during system updates).
Alternatively:

systemctl restart nftables

also does that. A fix is to restart the ip(6)tables services afterwards or wait for another Puppet run.

Fix

Disabling the nftables service prevents this issue, also during reinstalls of the package (since that ensures the service is not restarted).

Specifications

Please add this info:

  1. Output of facter -p on the failing node (at least the OS related facts)
os => {
  architecture => "x86_64",
  distro => {
    codename => "Core",
    description => "CentOS Linux release 8.1.1911 (Core)",
    id => "CentOS",
    release => {
      full => "8.1.1911",
      major => "8",
      minor => "1"
    },
    specification => ":core-4.1-amd64:core-4.1-noarch"
  },
  2. Version of Puppet and of the module
    5.5.19 and 797b300
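The conflict described above comes from the nftables unit flushing the whole ruleset when it stops, which on RHEL/CentOS 8 also removes the rules the iptables-nft based ip(6)tables services loaded. An added example of the mitigation the report describes, written as a Puppet manifest; it is not code from puppet-network or puppetlabs-firewall, and it assumes the legacy iptables/ip6tables units come from the iptables-services package:

```puppet
# Added example, not part of example42/puppet-network or puppetlabs-firewall.
# Assumption: on this RHEL/CentOS 8 node the ip(6)tables units are provided by
# the iptables-services package and the rules themselves are managed elsewhere.

# Conflicting state, shown only for contrast (do not apply): nftables enabled
# beside iptables, so a package reinstall or 'systemctl restart nftables'
# flushes the whole ruleset, rules loaded by ip(6)tables included.
#
#   service { 'nftables': ensure => running, enable => true }

# Mitigated state: nftables stopped and disabled, so package scriptlets during
# updates or reinstalls no longer restart it.
service { 'nftables':
  ensure => stopped,
  enable => false,
}

package { 'iptables-services':
  ensure => installed,
}

# Keep the ip(6)tables units alive and order them after nftables, so that a
# run which stops nftables re-applies the saved rules in the same catalog.
service { ['iptables', 'ip6tables']:
  ensure  => running,
  enable  => true,
  require => [Package['iptables-services'], Service['nftables']],
}
```

Where a node must never start nftables at all, `enable => mask` on the systemd provider masks the unit instead of merely disabling it; the form above matches the report, which only disables the service.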

Not sure what the module is supposed to do here, if the changes are caused by changes outside the Puppet run and are "fixed" at the first Puppet run.
Also, this module is supposed to manage networking only, managing nftables here would be out of scope and may conflict with dedicated firewall modules.

@alvagante I'm deeply sorry, this issue was supposed to have been reported against puppetlabs-firewall, which manages ip(6)tables but does not manage nftables.
Sorry for the noise.