This repository has been archived by the owner on Jun 11, 2019. It is now read-only.

Pinned to a specific version of iptables? #16

Open
ChrisRitson opened this issue Apr 19, 2017 · 1 comment

@ChrisRitson

Expected Behavior

Runs without errors in Centos 6.9 (and later)

Actual Behavior

Repeatedly tries to downgrade iptables-1.4.7-16.el6.x86_64 to iptables-1.4.7.el6.x86_64 which generates an error in puppet 3.8 and so fails to restart iptables service because of a dependency failure

Steps to Reproduce the Problem

  1. Running puppet to install a very simple ip tables rule set under centos 6.9 and example42-firewall (2.1.3)

Specifications

Please add this info:

  1. Output of facter -p on the failing node (at least the OS related facts)

rpm-qa.txt
facter-p.txt

  1. Version of Puppet and of the module

Puppet modules (from master):
/etc/puppet/modules
├── androidstudio (???)
├─┬ domcleal-augeasproviders (v1.2.0)
│ └── puppetlabs-stdlib (v4.2.2)
├── x2go (???)
├─┬ herculesteam-augeasproviders_shellvar (v2.2.1)
│ └── herculesteam-augeasproviders_core (v2.1.3)
├── maestrodev-wget (v1.7.0)
├── criticalupdate (???)
├─┬ csncl-cs42_firewall (v0.1.0)
│ └─┬ cs-example42_firewall (v2.1.3)
│ ├── example42-puppi (v2.1.10)
│ └─┬ example42-iptables (v2.1.15)
│ └── puppetlabs-concat (v2.1.0)
├── cs_auth3 (v1.9.0)
├─┬ csncl-cs_firewall (v0.1.0)
│ └── puppetlabs-firewall (v1.7.1)
├── cs_licenses (???)
├── csncl-cs_local_users (v0.1.0)
├── cs_motd (v0.1.0)
├── cs_sysctl (v0.5.0)
├── csncl-cssupportedit (v0.1.0)
├── stahnma-epel (v1.0.0)
├── weeklyupdate (???)
├── csncl-templatemodule (v0.1.0)
├── rohlfs-gconf (v0.0.6)
├── csncl-groups (v0.1.0)
├── hourlycron (???)
├── interfaces (???)
├── saz-resolv_conf (v3.0.5)
├── sessionm-puppet_r (v0.0.2)
├── helen-lightdm (v0.1.0)
├── puppetlabs-lvm (v0.9.0)
├── ncl-matlab (v0.1.0)
├── reboot (???)
├─┬ example42-network (v3.1.5)
│ └── example42-stdmod (v0.0.4)
├─┬ example42-nrpe (v2.0.12)
│ ├── UNMET DEPENDENCY example42-firewall (>= 2.0.0)
│ └── example42-monitor (v2.0.1)
├── puppetlabs-ntp (v1.0.0-rc1)
├── openstack (???)
├── thias-postfix (v0.3.3)
├── rcoleman-puppet_module (v0.0.3)
├── razorsedge-network (v3.4.0)
└── kdm (???)

  1. The relevant Puppet code and eventually Hiera data

I wonder if the following patch might address this issue - but only until the version of Centos is changed. I think something better is needed... Can someone (at least) explain why this version of the firewall needs to be pinned to a specific version of the iptables package?

--- modules/firewall/spec/unit/facter/iptables_spec.rb (revision 5641)
+++ modules/firewall/spec/unit/facter/iptables_spec.rb (working copy)
@@ -11,7 +11,7 @@
it {
allow(Facter::Util::Resolution).to receive(:exec).with('iptables --version').
and_return('iptables v1.4.7')

  •  Facter.fact(:iptables_version).value.should == '1.4.7'
    
  •  Facter.fact(:iptables_version).value.should =~ /^1\.4\.7\W/
    
    }
    end
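
Review bot: the new matcher `/^1\.4\.7\W/` in the iptables_version example requires one more non-word character after 1.4.7, but the stub returns 'iptables v1.4.7' and the replaced assertion expected the fact to be exactly '1.4.7', so with that stubbed value there is nothing left for `\W` to match and the example would fail. If the aim is to tolerate a trailing release suffix, make the trailing part optional, e.g. `/\A1\.4\.7(\W|\z)/`, and add a second stubbed output that actually carries a suffix so the looser match is exercised. This file is also only a spec, so the change by itself does not alter what the module does on a node.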

@@ -18,6 +18,6 @@
describe 'ip6tables_version' do
before { allow(Facter::Util::Resolution).to receive(:exec).
with('ip6tables --version').and_return('ip6tables v1.4.7') }

  • it { Facter.fact(:ip6tables_version).value.should == '1.4.7' }
  • it { Facter.fact(:ip6tables_version).value.should =~ /^1.4.7\W/ }
    end
    end
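
Review bot: in the ip6tables_version example the dots in `/^1.4.7\W/` are unescaped, so each `.` matches any character and a value such as 1x4y7 followed by punctuation would pass; write `1\.4\.7`. The mandatory `\W` also cannot match when the fact value is just 1.4.7, which is what the stubbed 'ip6tables v1.4.7' and the old `== '1.4.7'` assertion imply, so the new expectation would fail against the existing stub. Something like `/\A1\.4\.7(\W|\z)/` covers both the bare version and a suffixed one.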

Thanks.. Chris Ritson.

@alvagante
Member

Sorry for the late reply, this module is not maintained, nor recommended any more.
We accept PR to fix issues, and frankly it doesn't matter if they are state of the art solutions, as long as they reasonably don't break things. So feel free to submit your fix.

I see this module is a dependency of a custom one, if it works well for you, use as you like and submit fixes, if needed, otherwise I'd rather suggest to use the puppetlabs firewall module alternative and convert relevant data.
