Defining a state as an array can cause an unnecessary updating action #1224

Open
sbrowne-godaddy opened this issue Jun 12, 2024 · 0 comments

sbrowne-godaddy commented Jun 12, 2024

Describe the Bug

When using the state parameter as an array with a single value, the matching routine expects the loaded value to also be an array, even if there is only a single value within the array.

Expected Behavior

Whilst the policy applies cleanly, re-applying the policy will attempt to update the rule every time the policy is applied.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Define firewall policy similar to:

  firewall { '997 drop invalid forward (v4)':
    chain  => 'FORWARD',
    proto  => 'all',
    state  => ['INVALID'],
    jump   => 'DROP',
    before => undef,
  }

  2. Apply.
  3. Output expected:

...
Notice: /Stage[main]/Profile::Base::Firewall::Post/Firewall[997 drop invalid forward (v4)]/state: current_value 'INVALID', should be ['INVALID'] (noop) (corrective)
...

Environment

  • Version: module tag v8.0.2, puppet 8.6.0
  • Platform: RHEL7, RHEL9

Additional Context

Reducing the value to a string does clean up the issue:

  firewall { '997 drop invalid forward (v4)':
    chain  => 'FORWARD',
    proto  => 'all',
    state  => 'INVALID',
    jump   => 'DROP',
    before => undef,
  }

However, I feel that a single-entry array for this parameter should not cause an error. When comparing the rules, the single-entry array should be flattened to a string to match how it is loaded from the destination system (or vice versa).

This is a changed behaviour in the module, admittedly from a much older release.
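
The comparison problem described in this issue, as an added Ruby example that is not part of the original report and is not code from the firewall module. All helper names and the sample rule hashes are hypothetical; the example separates a shape-only mismatch (String vs one-element Array) from a real change to the rule, so that spurious corrective changes do not hide genuine drift.

```ruby
# Added example: hypothetical helper names, not code from the firewall module.

# Canonical form for a list-valued property: always an Array of Strings,
# so 'INVALID' and ['INVALID'] compare equal. nil (property unset) becomes [].
def canonical_list(value)
  Array(value).flatten.compact.map(&:to_s)
end

# Naive check that reproduces the reported behaviour: a String read back
# from the system never equals a one-element Array from the manifest.
def naive_in_sync?(current, desired)
  current == desired
end

# Check that compares canonical forms, so only a real difference in the
# listed values counts as drift.
def normalized_in_sync?(current, desired)
  canonical_list(current) == canonical_list(desired)
end

# Classify each property of a rule as :in_sync, :representation_only
# (same values, different shape) or :drift (values really differ).
def classify(current_rule, desired_rule)
  desired_rule.each_with_object({}) do |(prop, desired), report|
    current = current_rule[prop]
    report[prop] =
      if naive_in_sync?(current, desired) then :in_sync
      elsif normalized_in_sync?(current, desired) then :representation_only
      else :drift
      end
  end
end

# Constructed sample data modelled on the rule in the issue.
CURRENT  = { state: 'INVALID',   jump: 'DROP',   proto: 'all' }.freeze
DESIRED  = { state: ['INVALID'], jump: 'DROP',   proto: 'all' }.freeze
TAMPERED = { state: 'INVALID',   jump: 'ACCEPT', proto: 'all' }.freeze

if __FILE__ == $PROGRAM_NAME
  p classify(CURRENT, DESIRED)   # state differs in shape only
  p classify(TAMPERED, DESIRED)  # jump differs in value
end
```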
