chef-cookbooks / iptables

Development repository for Chef Cookbook iptables

Home Page: https://supermarket.chef.io/cookbooks/iptables

using iptables::disabled doesn't flush the current ruleset

poblahblahblah opened this issue · comments

Cookbook version

3.0.1

Chef-client version

12.14.89

Platform Details

RHEL 6.8

Scenario:

We had shifted some IPTables rules from our hosts into our firewalls and thought an easy way to roll back all of the rulesets in iptables would be to just include iptables::disabled. However, we found that while this removes the files from /etc/iptables.d, it doesn't flush the existing rule set.

Steps to Reproduce:

  1. Set up a host and add a few arbitrary rules to IPTables
  2. Include the iptables::disabled recipe

Expected Result:

IPTables would be disabled and the ruleset flushed

Actual Result:

IPTables ruleset is still active

Fixed in here, please merge my PR #71

It looks like this didn't end up flushing the rules on a chef-client run:

Recipe: iptables::_package
  * yum_package[iptables-services] action install
    - install version 1.4.21-17.el7 of package iptables-services
Recipe: iptables::disabled
  * service[iptables] action disable (up to date)
  * service[iptables] action stop (up to date)
  * directory[/etc/iptables.d] action delete (up to date)
  * execute[iptablesFlush] action nothing (skipped due to action :nothing)

/etc/iptables.d doesn't exist on RHEL/CentOS 7, so the flush is never triggered. Looking at a CentOS 7 system, I see that /usr/lib/systemd/system/iptables.service calls /usr/libexec/iptables/iptables.init. This appears to be a SysVinit-style script, and it looks like by default the script reads rules from /etc/sysconfig/iptables:

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config

Would you like me to submit a PR for CentOS/RHEL7 that addresses this? Would we just want to zero this file out and have that trigger the flush?
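As an added example (not code from the cookbook or from this thread), here is what execute[iptablesFlush] could run unconditionally on RHEL 6 and 7 instead of waiting for a notification from the directory delete. It assumes the /etc/sysconfig/iptables path that the init script quoted above reads, and a DRY_RUN variable of my own that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not cookbook code: an unconditional iptables flush for the
# iptables::disabled recipe. IPTABLES_DATA is the file iptables.init loads on
# RHEL/CentOS 7 (assumed from the init script above); DRY_RUN=1 is an assumed
# convention that prints each command rather than running it.

IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
DRY_RUN=${DRY_RUN:-0}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reset one table: set accept-all policies first so the flush cannot cut off
# the session doing the rollback, then delete all rules and user-defined chains.
flush_table() {
  table=$1; shift
  for chain in "$@"; do
    run iptables -t "$table" -P "$chain" ACCEPT
  done
  run iptables -t "$table" -F
  run iptables -t "$table" -X
}

# Empty the saved ruleset too; otherwise iptables.init reloads it on the next
# 'service iptables start' and the rules come straight back.
clear_saved_rules() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'truncate %s\n' "$IPTABLES_DATA"
  else
    : > "$IPTABLES_DATA"
  fi
}

# Only built-in chains take a policy, so each table lists exactly its own.
iptables_flush() {
  flush_table filter INPUT FORWARD OUTPUT
  flush_table nat PREROUTING INPUT OUTPUT POSTROUTING
  flush_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
  flush_table raw PREROUTING OUTPUT
  clear_saved_rules
}

case "${1:-}" in --run) iptables_flush ;; esac
```

Run `DRY_RUN=1 sh flush.sh --run` to review the 23 commands before letting the recipe execute it for real.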

It needs to be triggered somehow. Where is the iptables rules dir on RHEL?

Closing this out since it's been merged to master