Updating nftables flushes ip(6)tables rules on RHEL 8
olifre opened this issue · 2 comments
Expected Behavior
Rules managed by the module stay active even if system is updated.
Actual Behavior
When running:
yum reinstall nftables
all ip(6)tables rules are flushed (of course, that also happens during system updates).
Alternatively:
systemctl restart nftables
also does that. A fix is to restart the ip(6)tables services afterwards or wait for another Puppet run.
Fix
Disabling the nftables service prevents this issue, also during reinstalls of the package (since that ensures the service is not restarted).
Specifications
Please add this info:
- Output of facter -p on the failing node (at least the OS related facts)
os => {
architecture => "x86_64",
distro => {
codename => "Core",
description => "CentOS Linux release 8.1.1911 (Core)",
id => "CentOS",
release => {
full => "8.1.1911",
major => "8",
minor => "1"
},
specification => ":core-4.1-amd64:core-4.1-noarch"
},
- Version of Puppet and of the module
5.5.19 and 797b300
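A drift check for the symptom described above, added here as an example and not part of the issue or of either module: it compares the saved ip(6)tables ruleset with the live one and reports when the live ruleset has lost rules, which is what an nftables service restart causes on RHEL 8. It assumes the save-file paths used by the iptables-services package (/etc/sysconfig/iptables and /etc/sysconfig/ip6tables); the live checks need root.

```shell
#!/bin/sh
# Added example: detect ip(6)tables rules that were flushed out from under
# the iptables-nft backend (e.g. by "systemctl restart nftables").

# count_rules: number of "-A" rule lines in iptables-save formatted text on stdin.
count_rules() {
    grep -c '^-A ' || true
}

# compare_rulesets SAVED_TEXT RUNNING_TEXT: prints "flushed", "partial" or "ok".
# "flushed" means the saved ruleset had rules but the running one has none,
# which is the state left behind after an nftables restart.
compare_rulesets() {
    saved=$(printf '%s\n' "$1" | count_rules)
    running=$(printf '%s\n' "$2" | count_rules)
    if [ "$saved" -gt 0 ] && [ "$running" -eq 0 ]; then
        echo flushed
    elif [ "$running" -lt "$saved" ]; then
        echo partial
    else
        echo ok
    fi
}

# check_family CMD SAVED_FILE: compare one family (iptables or ip6tables)
# against its save file. Assumed paths are those of iptables-services.
check_family() {
    cmd=$1; saved_file=$2
    if [ ! -r "$saved_file" ]; then
        echo "$cmd: no readable saved ruleset at $saved_file" >&2
        return 2
    fi
    state=$(compare_rulesets "$(cat "$saved_file")" "$("${cmd}-save")")
    echo "$cmd: $state"
    [ "$state" = ok ]
}

# Live mode: only when invoked as "sh drift_check.sh --live" on the host.
# The remedy the issue mentions is restarting the iptables/ip6tables
# services; the root cause is an enabled nftables.service, so flag that too.
if [ "${1-}" = --live ]; then
    check_family iptables /etc/sysconfig/iptables
    check_family ip6tables /etc/sysconfig/ip6tables
    if systemctl is-enabled nftables >/dev/null 2>&1; then
        echo "warning: nftables.service is enabled; its restart flushes the ruleset" >&2
    fi
fi
```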
Not sure what is supposed to be done by the module here, if the changes happen outside the Puppet run and are "fixed" at the first Puppet run.
Also, this module is supposed to manage networking only, managing nftables here would be out of scope and may conflict with dedicated firewall modules.
@alvagante I'm deeply sorry, this issue was supposed to have been reported against puppetlabs-firewall, which manages ip(6)tables but does not manage nftables.
Sorry for the noise.