Description
Describe the Bug
Sometimes, new rules cannot be applied and runs fail with
Could not evaluate: undefined method `[]' for nil:NilClass
Expected Behavior
New firewall rules should be added without problems
Steps to Reproduce
Steps to reproduce the behavior:
- Deploy a machine with the module
- Install k3s which manages its own iptables-rules
- Add an additional firewall rule using the module
- Now, sometimes (cannot reproduce deterministically) the Puppet run puppet agent -t fails with the error mentioned above
Environment
- Puppet 7.32.1
- puppetlabs-firewall v8.1.7
- Platform RHEL 9.4
Additional Context
In our setup, we're managing k3s clusters and sometimes, Puppet runs fail when new firewall rules appear. Sometimes, the next run just works fine but from time to time all subsequent runs fail.
After debugging, my assumption is that stderr and stdout are put into the same variable here: https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/provider/firewall/firewall.rb#L475
It seems that for long iptables-save outputs, the stderr appears randomly within a line of the stdout output. This results in lines like
KUBE-SVC-ASDF ! -s 10.42.0.0/16 -d 10.43.161.110/32 -p tcp -m comment --comment "longhorn-system/longhorn# Warning: iptables-legacy tables present, use iptables-legacy save to see them
which cannot be parsed by https://github.com/puppetlabs/puppetlabs-firewall/blob/main/lib/puppet/provider/firewall/firewall.rb#L545 because the " for --comment is not closed. Consequently, key_value[1] = [key_value[0], key_value[1], key_value[2]].join in line 547 tries to join only nil values.
I changed the iptables-save command to iptables-save 2>/dev/null in lines 12-15 which seems to fix the issue but does not seem like a good idea.
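An added example in Ruby, not code from the module or from the issue author, showing the two defensive measures this report points toward: capturing stderr separately from stdout (Open3.capture3, with a ruby one-liner standing in for iptables-save), and a quote-aware rule tokenizer that fails with a clear error on an unterminated --comment instead of a nil dereference. The sample lines are constructed from the one quoted above; CORRUPTED_LINE, tokenize_rule, parse_rule and capture_separately are names chosen here, not the provider's.

```ruby
require "open3"
require "rbconfig"

# Constructed sample: an iptables-save rule line into which a stderr warning
# was interleaved because both streams were captured into one buffer
# (the same shape as the line quoted in the issue).
CORRUPTED_LINE = 'KUBE-SVC-ASDF ! -s 10.42.0.0/16 -d 10.43.161.110/32 -p tcp ' \
                 '-m comment --comment "longhorn-system/longhorn# Warning: ' \
                 'iptables-legacy tables present, use iptables-legacy save to see them'
# Constructed sample: the same rule as iptables-save would print it undisturbed.
CLEAN_LINE = 'KUBE-SVC-ASDF ! -s 10.42.0.0/16 -d 10.43.161.110/32 -p tcp ' \
             '-m comment --comment "longhorn-system/longhorn"'

# Quote-aware tokenizer: splits on spaces outside double quotes and raises if a
# quoted argument is never closed, so a corrupted line is reported as such
# rather than surfacing later as "undefined method `[]' for nil:NilClass".
def tokenize_rule(line)
  tokens = []
  buf = +""
  in_quote = false
  line.each_char do |ch|
    if ch == '"'
      in_quote = !in_quote
    elsif ch == " " && !in_quote
      tokens << buf unless buf.empty?
      buf = +""
    else
      buf << ch
    end
  end
  raise ArgumentError, "unterminated quote in rule: #{line}" if in_quote
  tokens << buf unless buf.empty?
  tokens
end

# Map each "-flag value" / "--flag value" pair to a hash entry; the comment
# keeps its inner spaces because the tokenizer treated it as one token.
def parse_rule(line)
  tokens = tokenize_rule(line)
  opts = {}
  tokens.each_with_index do |tok, i|
    opts[tok] = tokens[i + 1] if tok.start_with?("-") && i + 1 < tokens.size
  end
  opts
end

# Capture stdout and stderr as separate strings instead of one merged buffer,
# so a warning on stderr can never land in the middle of a rule line.
def capture_separately
  out, err, _status = Open3.capture3(RbConfig.ruby, "-e", "puts 'rule'; warn 'warning'")
  [out, err]
end
```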