Request: better /usr/sbin/rebuild-iptables error messages on failure
bchurchill opened this issue · comments
Cookbook version
4.3.4
Chef-client version
13.8.5-1
Platform Details
debian-8, debian-9
Scenario:
If the iptables rules specified in the cookbook/recipe are invalid, the error message from a chef-client run should identify the text of the rule that failed to apply.
Steps to Reproduce:
chef generate cookbook iptables-demo
cd iptables-demo
echo "depends 'iptables', '~> 4.3.4'" >> metadata.rb
echo "include_recipe 'iptables::default'" >> recipes/default.rb
echo "iptables_rule 'sample' do" >> recipes/default.rb
echo " lines '-A DROP'" >> recipes/default.rb
echo "end" >> recipes/default.rb
## configure test kitchen for debian-8
kitchen converge
Expected Result:
chef-client should report the standard output of /usr/sbin/rebuild-iptables, and this output should include the specific iptables rule that failed to apply (in this case -A DROP, because it has no chain name).
Actual Result:
iptables-apply indeed generates the message,
Applying new iptables rules from '/etc/iptables/general'... iptables-restore: line 5 failed
where line 5 of this file is,
-A DROP
But rebuild-iptables doesn't output this last piece of information:
Expected process to exit with [0], but received '1'
---- Begin output of /usr/sbin/rebuild-iptables ----
STDOUT:
STDERR: iptables-restore: line 5 failed
/usr/sbin/rebuild-iptables:137:in `
---- End output of /usr/sbin/rebuild-iptables ----
Ran /usr/sbin/rebuild-iptables returned 1
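One way a wrapper could surface the failing rule, as an added example that is not part of the original issue or the cookbook's own code: it maps the "line N failed" message from iptables-restore back to the text of that line in the rules file. The rules-file contents below and the helper names failed_rule and describe_failure are assumptions constructed for illustration; only the stderr line and the path /etc/iptables/general come from the report above.

```ruby
# Constructed sample standing in for the generated rules file; line 5 is the
# invalid rule from the report (-A with no chain name).
SAMPLE_RULES = <<~RULES
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A DROP
  COMMIT
RULES

# stderr exactly as quoted in the report.
SAMPLE_STDERR = "iptables-restore: line 5 failed\n"

FAILED_LINE = /iptables-restore: line (\d+) failed/

# Hypothetical helper: returns [line_number, rule_text], [line_number, nil]
# when the number is outside the file, or nil when stderr has no such message.
def failed_rule(stderr, rules_text)
  m = FAILED_LINE.match(stderr)
  return nil unless m

  lineno = m[1].to_i
  lines = rules_text.lines
  return [lineno, nil] unless lineno.between?(1, lines.length)

  [lineno, lines[lineno - 1].chomp]
end

# Hypothetical helper: builds the message an operator would want to see,
# keeping the original stderr and appending "path:line: rule text".
def describe_failure(stderr, rules_text, path)
  lineno, rule = failed_rule(stderr, rules_text)
  base = stderr.strip
  return base if lineno.nil?
  return "#{base} (line #{lineno} is not present in #{path})" if rule.nil?

  "#{base}\n#{path}:#{lineno}: #{rule}"
end

puts describe_failure(SAMPLE_STDERR, SAMPLE_RULES, '/etc/iptables/general')
```

The out-of-range case matters when the rules file is rewritten between the failed apply and the lookup, so the message says so instead of quoting the wrong rule.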
Doing #67 and removing the extra shell_out layer would probably help this a lot.
Hi,
I am closing this as it relates to an old version of the cookbook which has since been fundamentally changed. If you still have the issue with the latest version please could you open a new issue,
Thanks