Fix managing built-in chain on iptables nft #1261
Open
iptables-save does not show any built-in chains when they have not been interacted with. This leads to the chain being (re-)created. #1206 attempted to fix this by listing the chain instead of creating it, but this method only seems to work on non-nft iptables (#1217 (comment)).
Fix this for the nft version of iptables by setting the policy of the chain instead of listing it. This seems to work for both the nft and non-nft versions of iptables (tested on Ubuntu 20.04 and 24.04).
Fixes #1217
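As an added example (not code from this PR or from the module itself), the decision logic the description implies, written in Ruby: a built-in chain is recognised by its table, not by whether it appears in the iptables-save dump, and is brought into line with -P rather than (re-)created with -N. The per-table list of built-in chains and the sample dump are my own constructions.

```ruby
# Added example: choose the iptables commands that make a chain exist,
# given the text of `iptables-save`. Not the module's own implementation.

# Chains the kernel creates itself; iptables-nft omits them from
# iptables-save until something has touched them.
BUILTIN_CHAINS = {
  'filter'   => %w[INPUT FORWARD OUTPUT],
  'nat'      => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle'   => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING],
  'raw'      => %w[PREROUTING OUTPUT],
  'security' => %w[INPUT FORWARD OUTPUT]
}.freeze

# Parse iptables-save output into { table => { chain => policy } }.
# Chain lines look like ":INPUT ACCEPT [0:0]" or ":myapp - [0:0]".
def parse_save(text)
  tables = Hash.new { |h, k| h[k] = {} }
  table = nil
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('*')
      table = line[1..]
    elsif line.start_with?(':') && table
      name, policy = line[1..].split
      tables[table][name] = policy
    end
  end
  tables
end

# Commands (as argv arrays) needed so that `chain` exists in `table`.
# Built-in chains are never created: their absence from the dump is not
# evidence that they are missing, so only the policy is (re)set, which
# works on both the legacy and the nft backend. User chains are created
# only when the dump does not list them.
def ensure_chain_cmds(save_text, table, chain, policy = 'ACCEPT')
  present = parse_save(save_text)
  if BUILTIN_CHAINS.fetch(table, []).include?(chain)
    return [] if present[table][chain] == policy
    [['iptables', '-t', table, '-P', chain, policy]]
  elsif present[table].key?(chain)
    []
  else
    [['iptables', '-t', table, '-N', chain]]
  end
end

# Constructed dump resembling iptables-nft on a fresh host: the nat table
# is entirely absent because none of its built-in chains has been used.
SAMPLE_NFT_DUMP = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n" \
                  ":OUTPUT ACCEPT [0:0]\n:myapp - [0:0]\nCOMMIT\n"
```

With the sample dump, nat/POSTROUTING yields a single -P command rather than the -N that a presence check would wrongly produce, while filter/INPUT with its current policy yields nothing.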