verbose: ---------------------------------------------------------------- verbose: Begin policy/promise evaluation verbose: ---------------------------------------------------------------- info: Using command line specified bundlesequence verbose: Using bundlesequence => {"role_firewall"} verbose: B: ***************************************************************** verbose: B: BEGIN bundle role_firewall verbose: B: ***************************************************************** verbose: V: Computing value of 'purpose' verbose: A: Promise was KEPT verbose: P: END meta promise (purpose) verbose: V: Computing value of 'tags' verbose: A: Promise was KEPT verbose: P: END meta promise (tags) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 1) verbose: V: Computing value of 'firewall_config' verbose: V: Computing value of 'ipset_config' verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_main_cf_19' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'Apply firewalls' verbose: P: Part of bundle: role_firewall verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'[1] verbose: P: verbose: P: Comment: Apply firewall configs for global and rh8_proto_linux verbose: B: ***************************************************************** verbose: B: BEGIN bundle firewall( {"rh8_proto_linux"}) verbose: B: ***************************************************************** verbose: V: + Private parameter: 'config' in scope 'firewall' (type: s) in pass 1 verbose: V: Computing value of 'purpose' verbose: A: Promise was KEPT verbose: P: END meta promise (purpose) verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 1) verbose: C: + Global class: bundle__firewall_rh8_proto_linux verbose: C: + Global class: bundle__firewall verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_19' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'Apply nftables config rh8_proto_linux' verbose: P: From parameterized bundle: firewall( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'[1] verbose: P: verbose: P: Comment: Apply nftables firewall config rh8_proto_linux verbose: B: ***************************************************************** verbose: B: BEGIN bundle nftables_main( {"rh8_proto_linux"}) verbose: B: ***************************************************************** verbose: V: + Private parameter: 'config' in scope 'nftables_main' (type: s) in pass 1 verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_200' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'nftables_common' verbose: P: From parameterized bundle: nftables_main( {"rh8_proto_linux"}) verbose: P: Base context class: any verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_common'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle nftables_common verbose: B: ***************************************************************** verbose: V: ......................................................... verbose: V: BEGIN variables (pass 1) verbose: V: Computing value of 'f' verbose: V: Computing value of 'nftables_count' verbose: V: Computing value of 'nft_addin_path' verbose: V: Computing value of 'nft_addin_rules' verbose: V: Computing value of 'nft_base_rules' verbose: V: Computing value of 'nft_config' verbose: V: Computing value of 'nft_filepath' verbose: V: Computing value of 'nft_file_require' verbose: V: Computing value of 'sysconfig_path' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 1) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 2) verbose: V: Computing value of 'f' verbose: V: Computing value of 'nftables_count' verbose: V: Computing value of 'nft_addin_path' verbose: V: Computing value of 'nft_addin_rules' verbose: V: Computing value of 'nft_base_rules' verbose: V: Computing value of 'nft_config' verbose: V: Computing value of 'nft_filepath' verbose: V: Computing value of 'nft_file_require' verbose: V: Computing value of 'sysconfig_path' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 2) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 3) verbose: V: Computing value of 'f' verbose: V: Computing value of 'nftables_count' verbose: V: Computing value of 'nft_addin_path' verbose: V: Computing value of 'nft_addin_rules' verbose: V: Computing value of 'nft_base_rules' verbose: V: Computing value of 'nft_config' verbose: V: Computing value of 'nft_filepath' verbose: V: Computing value of 'nft_file_require' verbose: V: Computing value of 'sysconfig_path' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 3) verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'nftables_common' in namespace default verbose: A: Zero promises executed for bundle 'nftables_common' verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 200 verbose: Method 'nftables_common' verified verbose: B: ***************************************************************** verbose: B: END bundle nftables_common verbose: B: ***************************************************************** verbose: A: Promise was KEPT verbose: P: END methods promise (nftables_common) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_201' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'nftables_config' verbose: P: Part of bundle: nftables_main verbose: P: Base context class: any verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle nftables_config( {"rh8_proto_linux"}) verbose: B: ***************************************************************** verbose: V: + Private parameter: 'config' in scope 'nftables_config' (type: s) in pass 1 verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_247' of type "files" (pass 1) verbose: P: Promiser/affected object: '/etc/nftables.d/.' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables.d/.'[1] verbose: P: verbose: P: Comment: Create and ensure permissions on /etc/nftables.d/. verbose: Using literal pathtype for '/etc/nftables.d/.' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 247 comment 'Create and ensure permissions on /etc/nftables.d/.' verbose: File '/etc/nftables.d/.' exists as promised verbose: Handling file existence constraints on '/etc/nftables.d' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 247 comment 'Create and ensure permissions on /etc/nftables.d/.' verbose: Owner of '/etc/nftables.d' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 247 comment 'Create and ensure permissions on /etc/nftables.d/.' verbose: Group of '/etc/nftables.d' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 247 comment 'Create and ensure permissions on /etc/nftables.d/.' verbose: File permissions on '/etc/nftables.d' as promised verbose: Basedir '/etc/nftables.d' not promising anything verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 247 comment 'Create and ensure permissions on /etc/nftables.d/.' verbose: No changes done for the files promise '/etc/nftables.d' verbose: A: Promise was KEPT verbose: P: END files promise (/etc/nftables.d) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_254' of type "files" (pass 1) verbose: P: Promiser/affected object: '/etc/sysconfig/nftables.conf' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/sysconfig/nftables.conf'[1] verbose: P: verbose: P: Comment: Service config for nftables verbose: Handling file existence constraints on '/etc/sysconfig/nftables.conf' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: Owner of '/etc/sysconfig/nftables.conf' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: Group of '/etc/sysconfig/nftables.conf' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: File permissions on '/etc/sysconfig/nftables.conf' as promised verbose: Basedir '/etc/sysconfig/nftables.conf' not promising anything verbose: File '/etc/sysconfig/nftables.conf' copy_from '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/default/nftables.conf' verbose: Destination file '/etc/sysconfig/nftables.conf' already exists verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: Owner of '/etc/sysconfig/nftables.conf' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: Group of '/etc/sysconfig/nftables.conf' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: File permissions on '/etc/sysconfig/nftables.conf' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: File '/etc/sysconfig/nftables.conf' is an up to date copy of source verbose: Handling file existence constraints on '/etc/sysconfig/nftables.conf' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: Owner of '/etc/sysconfig/nftables.conf' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: Group of '/etc/sysconfig/nftables.conf' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: File permissions on '/etc/sysconfig/nftables.conf' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 254 comment 'Service config for nftables' verbose: No changes done for the files promise '/etc/sysconfig/nftables.conf' verbose: A: Promise was KEPT verbose: P: END files promise (/etc/sysconfig/nftables.conf) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 1) verbose: P: Promiser/affected object: '/etc/nftables/ipsets.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/ipsets.nft'[1] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: Handling file existence constraints on '/etc/nftables/ipsets.nft' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/ipsets.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/ipsets.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/ipsets.nft' as promised verbose: Basedir '/etc/nftables/ipsets.nft' not promising anything verbose: File '/etc/nftables/ipsets.nft' copy_from '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/default/ipsets.nft' verbose: Destination file '/etc/nftables/ipsets.nft' already exists verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/ipsets.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/ipsets.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/ipsets.nft' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File '/etc/nftables/ipsets.nft' is an up to date copy of source verbose: Handling file existence constraints on '/etc/nftables/ipsets.nft' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/ipsets.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/ipsets.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/ipsets.nft' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: No changes done for the files promise '/etc/nftables/ipsets.nft' verbose: A: Promise was KEPT verbose: P: END files promise (/etc/nftables/ipsets.nft) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 1) verbose: P: Promiser/affected object: '/etc/nftables/standard.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/standard.nft'[2] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: Handling file existence constraints on '/etc/nftables/standard.nft' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/standard.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/standard.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/standard.nft' as promised verbose: Basedir '/etc/nftables/standard.nft' not promising anything verbose: File '/etc/nftables/standard.nft' copy_from '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/default/standard.nft' verbose: Destination file '/etc/nftables/standard.nft' already exists verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/standard.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/standard.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/standard.nft' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File '/etc/nftables/standard.nft' is an up to date copy of source verbose: Handling file existence constraints on '/etc/nftables/standard.nft' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/standard.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/standard.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/standard.nft' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: No changes done for the files promise '/etc/nftables/standard.nft' verbose: A: Promise was KEPT verbose: P: END files promise (/etc/nftables/standard.nft) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 1) verbose: P: Promiser/affected object: '/etc/nftables/zz_deny.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/zz_deny.nft'[3] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: Handling file existence constraints on '/etc/nftables/zz_deny.nft' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/zz_deny.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/zz_deny.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/zz_deny.nft' as promised verbose: Basedir '/etc/nftables/zz_deny.nft' not promising anything verbose: File '/etc/nftables/zz_deny.nft' copy_from '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/default/zz_deny.nft' verbose: Destination file '/etc/nftables/zz_deny.nft' already exists verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/zz_deny.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/zz_deny.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/zz_deny.nft' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File '/etc/nftables/zz_deny.nft' is an up to date copy of source verbose: Handling file existence constraints on '/etc/nftables/zz_deny.nft' verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Owner of '/etc/nftables/zz_deny.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: Group of '/etc/nftables/zz_deny.nft' as promised (0) verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: File permissions on '/etc/nftables/zz_deny.nft' as promised verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 261 comment 'Base firewall for nftables' verbose: No changes done for the files promise '/etc/nftables/zz_deny.nft' verbose: A: Promise was KEPT verbose: P: END files promise (/etc/nftables/zz_deny.nft) verbose: P: ......................................................... verbose: P: BEGIN promise 'addin_file_copy' of type "files" (pass 1) verbose: P: Promiser/affected object: '/etc/nftables.d/addin.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables.d/addin.nft'[1] verbose: P: verbose: P: Comment: Addin firewall rules for nftables verbose: Handling file existence constraints on '/etc/nftables.d/addin.nft' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: Owner of '/etc/nftables.d/addin.nft' as promised (0) verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: Group of '/etc/nftables.d/addin.nft' as promised (0) verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: File permissions on '/etc/nftables.d/addin.nft' as promised verbose: Basedir '/etc/nftables.d/addin.nft' not promising anything verbose: File '/etc/nftables.d/addin.nft' copy_from '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/rh8_proto_linux/addin.nft' verbose: Destination file '/etc/nftables.d/addin.nft' already exists verbose: Image file '/etc/nftables.d/addin.nft' has a wrong digest/checksum, should be copy of '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/rh8_proto_linux/addin.nft' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' info: Copied file '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/rh8_proto_linux/addin.nft' from x.x.x.x to '/etc/nftables.d/addin.nft.cfnew' verbose: C: + promise outcome class 'nft_reload_needed' verbose: Copy of regular file succeeded '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/rh8_proto_linux/addin.nft' to '/etc/nftables.d/addin.nft.cfnew' verbose: Backup for '/etc/nftables.d/addin.nft' is '/etc/nftables.d/addin.nft.cfsaved' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' info: Backed up '/etc/nftables.d/addin.nft' as '/etc/nftables.d/addin.nft.cfsaved' verbose: C: + promise outcome class 'nft_reload_needed' verbose: Final verification of transmission ... verbose: New file '/etc/nftables.d/addin.nft.cfnew' transmitted correctly - verified verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' info: Moved '/etc/nftables.d/addin.nft.cfnew' to '/etc/nftables.d/addin.nft' verbose: C: + promise outcome class 'nft_reload_needed' info: Moved '/etc/nftables.d/addin.nft.cfsaved' to repository location '/var/cfengine/replaced_files/_etc_nftables_d_addin_nft_cfsaved' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' info: Archived backup '/etc/nftables.d/addin.nft.cfsaved' verbose: C: + promise outcome class 'nft_reload_needed' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' info: Updated '/etc/nftables.d/addin.nft' from source '/var/cfengine/masterfiles/deploy/aitcfe/rh9-nftable-testing/files/firewall/rh8_proto_linux/addin.nft' on 'fqdn.masked' verbose: C: + promise outcome class 'nft_reload_needed' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: Owner of '/etc/nftables.d/addin.nft' as promised (0) verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: Group of '/etc/nftables.d/addin.nft' as promised (0) verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: File permissions on '/etc/nftables.d/addin.nft' as promised verbose: Handling file existence constraints on '/etc/nftables.d/addin.nft' verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: Owner of '/etc/nftables.d/addin.nft' as promised (0) verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: Group of '/etc/nftables.d/addin.nft' as promised (0) verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: File permissions on '/etc/nftables.d/addin.nft' as promised verbose: Additional promise info: handle 'addin_file_copy' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 268 comment 'Addin firewall rules for nftables' verbose: files promise '/etc/nftables.d/addin.nft' repaired verbose: C: + promise outcome class 'nft_reload_needed' verbose: A: Promise REPAIRED verbose: P: END files promise (/etc/nftables.d/addin.nft) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_247' of type "files" (pass 2) verbose: P: Promiser/affected object: '/etc/nftables.d/.' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables.d/.'[1] verbose: P: verbose: P: Comment: Create and ensure permissions on /etc/nftables.d/. verbose: Using literal pathtype for '/etc/nftables.d/.' verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_254' of type "files" (pass 2) verbose: P: Promiser/affected object: '/etc/sysconfig/nftables.conf' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/sysconfig/nftables.conf'[1] verbose: P: verbose: P: Comment: Service config for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 2) verbose: P: Promiser/affected object: '/etc/nftables/ipsets.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/ipsets.nft'[1] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 2) verbose: P: Promiser/affected object: '/etc/nftables/standard.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/standard.nft'[2] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 2) verbose: P: Promiser/affected object: '/etc/nftables/zz_deny.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/zz_deny.nft'[3] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'addin_file_copy' of type "files" (pass 2) verbose: P: Promiser/affected object: '/etc/nftables.d/addin.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables.d/addin.nft'[1] verbose: P: verbose: P: Comment: Addin firewall rules for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_247' of type "files" (pass 3) verbose: P: Promiser/affected object: '/etc/nftables.d/.' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables.d/.'[1] verbose: P: verbose: P: Comment: Create and ensure permissions on /etc/nftables.d/. verbose: Using literal pathtype for '/etc/nftables.d/.' verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_254' of type "files" (pass 3) verbose: P: Promiser/affected object: '/etc/sysconfig/nftables.conf' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/sysconfig/nftables.conf'[1] verbose: P: verbose: P: Comment: Service config for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 3) verbose: P: Promiser/affected object: '/etc/nftables/ipsets.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/ipsets.nft'[1] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 3) verbose: P: Promiser/affected object: '/etc/nftables/standard.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/standard.nft'[2] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_261' of type "files" (pass 3) verbose: P: Promiser/affected object: '/etc/nftables/zz_deny.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables/zz_deny.nft'[3] verbose: P: verbose: P: Comment: Base firewall for nftables verbose: P: ......................................................... verbose: P: BEGIN promise 'addin_file_copy' of type "files" (pass 3) verbose: P: Promiser/affected object: '/etc/nftables.d/addin.nft' verbose: P: From parameterized bundle: nftables_config( {"rh8_proto_linux"}) verbose: P: Base context class: el9 verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_config'/default/nftables_config/files/'/etc/nftables.d/addin.nft'[1] verbose: P: verbose: P: Comment: Addin firewall rules for nftables verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'nftables_config' in namespace default verbose: A: Promises kept in 'nftables_config' = 5 verbose: A: Promises not kept in 'nftables_config' = 0 verbose: A: Promises repaired in 'nftables_config' = 1 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'nftables_config' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 201 verbose: Method 'nftables_config' invoked repairs verbose: B: ***************************************************************** verbose: B: END bundle nftables_config verbose: B: ***************************************************************** verbose: A: Promise REPAIRED verbose: P: END methods promise (nftables_config) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_202' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'nftables_check' verbose: P: Part of bundle: nftables_main verbose: P: Base context class: any verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle nftables_check verbose: B: ***************************************************************** verbose: P: ......................................................... verbose: P: BEGIN promise 'check_syntax' of type "commands" (pass 1) verbose: P: Promiser/affected object: '/usr/sbin/nft -c -f /etc/sysconfig/nftab' verbose: P: Part of bundle: nftables_check verbose: P: Base context class: el9.(nft_reload_needed|nft_restart_needed|nftables_reload_failed|nftables_systemd_failed) verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/commands/'/usr/sbin/nft -c -f /etc/sysconfig/nftables.conf'[1] verbose: Promiser string contains a valid executable '/usr/sbin/nft' - ok info: Executing 'no timeout' ... '/usr/sbin/nft -c -f /etc/sysconfig/nftables.conf' verbose: Setting umask to 77 verbose: Additional promise info: handle 'check_syntax' version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 291 verbose: Finished command related to promiser '/usr/sbin/nft -c -f /etc/sysconfig/nftables.conf' -- succeeded verbose: C: + promise outcome class 'nft_syntax_ok_reached' verbose: C: + promise outcome class 'nft_syntax_ok_repaired' info: Completed execution of '/usr/sbin/nft -c -f /etc/sysconfig/nftables.conf' verbose: A: Promise REPAIRED verbose: P: END commands promise (/usr/sbin/nft -c -f /etc/sysco...) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_300' of type "methods" (pass 2) verbose: P: Promiser/affected object: 'nftables_actions' verbose: P: Part of bundle: nftables_check verbose: P: Base context class: el9.nft_syntax_ok_repaired verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle nftables_actions verbose: B: ***************************************************************** verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_320' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'nftables_restart' verbose: P: Part of bundle: nftables_actions verbose: P: Base context class: el9.nft_syntax_ok_repaired.(nft_restart_needed|nftables_systemd_failed) verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/methods/'nftables_restart'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle standard_services( {"nftables","restart"}) verbose: B: ***************************************************************** verbose: V: + Private parameter: 'service' in scope 'standard_services' (type: s) in pass 1 verbose: V: + Private parameter: 'state' in scope 'standard_services' (type: s) in pass 1 verbose: execresult ran '/bin/systemctl --no-ask-password --global --system -pLoadState,CanStop,UnitFileState,ActiveState,LoadState,CanStart,CanReload show nftables' successfully verbose: Caching result for function 'execresult("$(call_systemctl) $(systemd_properties) show $(service)","noshell")' verbose: V: ......................................................... verbose: V: BEGIN variables (pass 1) verbose: V: Computing value of 'call_systemctl' verbose: V: Computing value of 'systemd_properties' verbose: V: Computing value of 'init' verbose: V: Computing value of 'c_service' verbose: V: Computing value of 'systemd_service_info' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 1) verbose: C: + Private class: restart verbose: C: + Private class: non_disabling verbose: C: + Private class: service_enabled verbose: C: + Private class: service_loaded verbose: C: + Private class: can_stop_service verbose: C: + Private class: can_start_service verbose: C: + Private class: can_reload_service verbose: C: + Private class: request_restart verbose: Skipping promise '$(call_systemctl) -q start $(service)' because constraint 'ifvarclass => action_start' is not met verbose: Skipping promise '$(call_systemctl) -q stop $(service)' because constraint 'ifvarclass => action_stop' is not met verbose: Skipping promise '$(call_systemctl) -q reload $(service)' because constraint 'ifvarclass => action_reload' is not met verbose: Skipping promise '$(call_systemctl) -q restart $(service)' because constraint 'ifvarclass => action_restart' is not met verbose: Skipping promise '$(call_systemctl) -q enable $(service)' because constraint 'ifvarclass => action_enable' is not met verbose: Skipping promise '$(call_systemctl) -q disable $(service)' because constraint 'ifvarclass => action_disable' is not met verbose: Skipping promise '$(call_systemctl) $(state) $(service)' because constraint 'ifvarclass => action_custom' is not met verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_services_cf_358' of type "reports" (pass 1) verbose: P: Promiser/affected object: 'standard_services: using systemd layer t' verbose: P: From parameterized bundle: standard_services( {"nftables","restart"}) verbose: P: Base context class: verbose_mode.systemd verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/methods/'nftables_restart'/default/standard_services/reports/'standard_services: using systemd layer to restart nftables'[1] R: standard_services: using systemd layer to restart nftables verbose: A: Promise was KEPT verbose: P: END reports promise (standard_services: using syste...) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 2) verbose: V: Computing value of 'call_systemctl' verbose: V: Computing value of 'systemd_properties' verbose: V: Computing value of 'init' verbose: V: Computing value of 'c_service' verbose: V: Computing value of 'chkconfig_mode' verbose: V: Computing value of 'svcadm_mode' verbose: V: Computing value of 'systemd_service_info' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 2) verbose: Skipping promise '$(call_systemctl) -q start $(service)' because constraint 'ifvarclass => action_start' is not met verbose: Skipping promise '$(call_systemctl) -q stop $(service)' because constraint 'ifvarclass => action_stop' is not met verbose: Skipping promise '$(call_systemctl) -q reload $(service)' because constraint 'ifvarclass => action_reload' is not met verbose: Skipping promise '$(call_systemctl) -q restart $(service)' because constraint 'ifvarclass => action_restart' is not met verbose: Skipping promise '$(call_systemctl) -q enable $(service)' because constraint 'ifvarclass => action_enable' is not met verbose: Skipping promise '$(call_systemctl) -q disable $(service)' because constraint 'ifvarclass => action_disable' is not met verbose: Skipping promise '$(call_systemctl) $(state) $(service)' because constraint 'ifvarclass => action_custom' is not met verbose: V: ......................................................... verbose: V: BEGIN variables (pass 3) verbose: V: Computing value of 'call_systemctl' verbose: V: Computing value of 'systemd_properties' verbose: V: Computing value of 'init' verbose: V: Computing value of 'c_service' verbose: V: Computing value of 'chkconfig_mode' verbose: V: Computing value of 'svcadm_mode' verbose: V: Computing value of 'systemd_service_info' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 3) verbose: Skipping promise '$(call_systemctl) -q start $(service)' because constraint 'ifvarclass => action_start' is not met verbose: Skipping promise '$(call_systemctl) -q stop $(service)' because constraint 'ifvarclass => action_stop' is not met verbose: Skipping promise '$(call_systemctl) -q reload $(service)' because constraint 'ifvarclass => action_reload' is not met verbose: Skipping promise '$(call_systemctl) -q restart $(service)' because constraint 'ifvarclass => action_restart' is not met verbose: Skipping promise '$(call_systemctl) -q enable $(service)' because constraint 'ifvarclass => action_enable' is not met verbose: Skipping promise '$(call_systemctl) -q disable $(service)' because constraint 'ifvarclass => action_disable' is not met verbose: Skipping promise '$(call_systemctl) $(state) $(service)' because constraint 'ifvarclass => action_custom' is not met verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'standard_services' in namespace default verbose: A: Promises kept in 'standard_services' = 1 verbose: A: Promises not kept in 'standard_services' = 0 verbose: A: Promises repaired in 'standard_services' = 0 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'standard_services' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 320 verbose: Method 'standard_services' verified verbose: B: ***************************************************************** verbose: B: END bundle standard_services verbose: B: ***************************************************************** verbose: A: Promise was KEPT verbose: P: END methods promise (nftables_restart) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_323' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'nftables_reload' verbose: P: Part of bundle: nftables_actions verbose: P: Base context class: el9.nft_syntax_ok_repaired.(nft_reload_needed|nftables_reload_failed) verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/methods/'nftables_reload'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle standard_services( {"nftables","reload"}) verbose: B: ***************************************************************** verbose: V: + Private parameter: 'service' in scope 'standard_services' (type: s) in pass 1 verbose: V: + Private parameter: 'state' in scope 'standard_services' (type: s) in pass 1 verbose: V: ......................................................... verbose: V: BEGIN variables (pass 1) verbose: V: Computing value of 'call_systemctl' verbose: V: Computing value of 'systemd_properties' verbose: V: Computing value of 'init' verbose: V: Computing value of 'c_service' verbose: V: Computing value of 'systemd_service_info' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 1) verbose: C: + Private class: reload verbose: C: + Private class: non_disabling verbose: C: + Private class: service_enabled verbose: C: + Private class: service_loaded verbose: C: + Private class: can_stop_service verbose: C: + Private class: can_start_service verbose: C: + Private class: can_reload_service verbose: C: + Private class: request_reload verbose: Skipping promise '$(call_systemctl) -q start $(service)' because constraint 'ifvarclass => action_start' is not met verbose: Skipping promise '$(call_systemctl) -q stop $(service)' because constraint 'ifvarclass => action_stop' is not met verbose: Skipping promise '$(call_systemctl) -q reload $(service)' because constraint 'ifvarclass => action_reload' is not met verbose: Skipping promise '$(call_systemctl) -q restart $(service)' because constraint 'ifvarclass => action_restart' is not met verbose: Skipping promise '$(call_systemctl) -q enable $(service)' because constraint 'ifvarclass => action_enable' is not met verbose: Skipping promise '$(call_systemctl) -q disable $(service)' because constraint 'ifvarclass => action_disable' is not met verbose: Skipping promise '$(call_systemctl) $(state) $(service)' because constraint 'ifvarclass => action_custom' is not met verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_services_cf_358' of type "reports" (pass 1) verbose: P: Promiser/affected object: 'standard_services: using systemd layer t' verbose: P: From parameterized bundle: standard_services( {"nftables","reload"}) verbose: P: Base context class: verbose_mode.systemd verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/methods/'nftables_reload'/default/standard_services/reports/'standard_services: using systemd layer to reload nftables'[1] R: standard_services: using systemd layer to reload nftables verbose: A: Promise was KEPT verbose: P: END reports promise (standard_services: using syste...) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 2) verbose: V: Computing value of 'call_systemctl' verbose: V: Computing value of 'systemd_properties' verbose: V: Computing value of 'init' verbose: V: Computing value of 'c_service' verbose: V: Computing value of 'chkconfig_mode' verbose: V: Computing value of 'svcadm_mode' verbose: V: Computing value of 'systemd_service_info' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 2) verbose: Skipping promise '$(call_systemctl) -q start $(service)' because constraint 'ifvarclass => action_start' is not met verbose: Skipping promise '$(call_systemctl) -q stop $(service)' because constraint 'ifvarclass => action_stop' is not met verbose: Skipping promise '$(call_systemctl) -q reload $(service)' because constraint 'ifvarclass => action_reload' is not met verbose: Skipping promise '$(call_systemctl) -q restart $(service)' because constraint 'ifvarclass => action_restart' is not met verbose: Skipping promise '$(call_systemctl) -q enable $(service)' because constraint 'ifvarclass => action_enable' is not met verbose: Skipping promise '$(call_systemctl) -q disable $(service)' because constraint 'ifvarclass => action_disable' is not met verbose: Skipping promise '$(call_systemctl) $(state) $(service)' because constraint 'ifvarclass => action_custom' is not met verbose: V: ......................................................... verbose: V: BEGIN variables (pass 3) verbose: V: Computing value of 'call_systemctl' verbose: V: Computing value of 'systemd_properties' verbose: V: Computing value of 'init' verbose: V: Computing value of 'c_service' verbose: V: Computing value of 'chkconfig_mode' verbose: V: Computing value of 'svcadm_mode' verbose: V: Computing value of 'systemd_service_info' verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 3) verbose: Skipping promise '$(call_systemctl) -q start $(service)' because constraint 'ifvarclass => action_start' is not met verbose: Skipping promise '$(call_systemctl) -q stop $(service)' because constraint 'ifvarclass => action_stop' is not met verbose: Skipping promise '$(call_systemctl) -q reload $(service)' because constraint 'ifvarclass => action_reload' is not met verbose: Skipping promise '$(call_systemctl) -q restart $(service)' because constraint 'ifvarclass => action_restart' is not met verbose: Skipping promise '$(call_systemctl) -q enable $(service)' because constraint 'ifvarclass => action_enable' is not met verbose: Skipping promise '$(call_systemctl) -q disable $(service)' because constraint 'ifvarclass => action_disable' is not met verbose: Skipping promise '$(call_systemctl) $(state) $(service)' because constraint 'ifvarclass => action_custom' is not met verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'standard_services' in namespace default verbose: A: Promises kept in 'standard_services' = 1 verbose: A: Promises not kept in 'standard_services' = 0 verbose: A: Promises repaired in 'standard_services' = 0 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'standard_services' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 323 verbose: Method 'standard_services' verified verbose: B: ***************************************************************** verbose: B: END bundle standard_services verbose: B: ***************************************************************** verbose: A: Promise was KEPT verbose: P: END methods promise (nftables_reload) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_329' of type "reports" (pass 1) verbose: P: Promiser/affected object: 'nft_syntax_ok_repaired is available and ' verbose: P: Part of bundle: nftables_actions verbose: P: Base context class: el9 verbose: P: "if" class condition: nft_syntax_ok_repaired verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/reports/'nft_syntax_ok_repaired is available and set'[1] R: nft_syntax_ok_repaired is available and set verbose: A: Promise was KEPT verbose: P: END reports promise (nft_syntax_ok_repaired is avai...) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_332' of type "reports" (pass 1) verbose: P: Promiser/affected object: 'nftables files installed; will attempt s' verbose: P: Part of bundle: nftables_actions verbose: P: Base context class: el9 verbose: P: "if" class condition: nft_syntax_ok_repaired.!require_files_present verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/reports/'nftables files installed; will attempt start on next run'[1] R: nftables files installed; will attempt start on next run verbose: A: Promise was KEPT verbose: P: END reports promise (nftables files installed; will...) verbose: Skipping promise 'nftables service failed or syntax invalid' because constraint 'ifvarclass => !nft_syntax_ok_repaired.(nftables_reload_failed|nftables_systemd_failed)' is not met verbose: Skipping promise 'nftables service failed or syntax invalid' because constraint 'ifvarclass => !nft_syntax_ok_repaired.(nftables_reload_failed|nftables_systemd_failed)' is not met verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_335' of type "reports" (pass 3) verbose: P: Promiser/affected object: 'nftables service successfully started or' verbose: P: Part of bundle: nftables_actions verbose: P: Base context class: el9 verbose: P: "if" class condition: nft_syntax_ok_repaired.(nft_reload_needed|nft_restart_needed) verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_check'/default/nftables_check/methods/'nftables_actions'/default/nftables_actions/reports/'nftables service successfully started or restarted with $(config)'[1] R: nftables service successfully started or restarted with $(config) verbose: A: Promise was KEPT verbose: P: END reports promise (nftables service successfully ...) verbose: Skipping promise 'nftables service failed or syntax invalid' because constraint 'ifvarclass => !nft_syntax_ok_repaired.(nftables_reload_failed|nftables_systemd_failed)' is not met verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'nftables_actions' in namespace default verbose: A: Promises kept in 'nftables_actions' = 7 verbose: A: Promises not kept in 'nftables_actions' = 0 verbose: A: Promises repaired in 'nftables_actions' = 0 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'nftables_actions' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 300 verbose: Method 'nftables_actions' verified verbose: B: ***************************************************************** verbose: B: END bundle nftables_actions verbose: B: ***************************************************************** verbose: A: Promise was KEPT verbose: P: END methods promise (nftables_actions) verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'nftables_check' in namespace default verbose: A: Promises kept in 'nftables_check' = 8 verbose: A: Promises not kept in 'nftables_check' = 0 verbose: A: Promises repaired in 'nftables_check' = 1 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'nftables_check' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 202 verbose: Method 'nftables_check' invoked repairs verbose: B: ***************************************************************** verbose: B: END bundle nftables_check verbose: B: ***************************************************************** verbose: A: Promise REPAIRED verbose: P: END methods promise (nftables_check) verbose: P: ......................................................... verbose: P: BEGIN promise 'promise_firewall_cf_203' of type "methods" (pass 1) verbose: P: Promiser/affected object: 'nftables_actions' verbose: P: Part of bundle: nftables_main verbose: P: Base context class: any verbose: P: Stack path: /default/role_firewall/methods/'Apply firewalls'/default/firewall/methods/'Apply nftables config rh8_proto_linux'/default/nftables_main/methods/'nftables_actions'[1] verbose: B: ***************************************************************** verbose: B: BEGIN bundle nftables_actions verbose: B: ***************************************************************** verbose: Skipping promise 'nftables service failed or syntax invalid' because constraint 'ifvarclass => !nft_syntax_ok_repaired.(nftables_reload_failed|nftables_systemd_failed)' is not met verbose: Skipping promise 'nftables service failed or syntax invalid' because constraint 'ifvarclass => !nft_syntax_ok_repaired.(nftables_reload_failed|nftables_systemd_failed)' is not met verbose: Skipping promise 'nftables service failed or syntax invalid' because constraint 'ifvarclass => !nft_syntax_ok_repaired.(nftables_reload_failed|nftables_systemd_failed)' is not met verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'nftables_actions' in namespace default verbose: A: Zero promises executed for bundle 'nftables_actions' verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 203 verbose: Method 'nftables_actions' verified verbose: B: ***************************************************************** verbose: B: END bundle nftables_actions verbose: B: ***************************************************************** verbose: A: Promise was KEPT verbose: P: END methods promise (nftables_actions) verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'nftables_main' in namespace default verbose: A: Promises kept in 'nftables_main' = 15 verbose: A: Promises not kept in 'nftables_main' = 0 verbose: A: Promises repaired in 'nftables_main' = 4 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'nftables_main' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/lib/sysenglib/firewall.cf' at line 19 comment 'Apply nftables firewall config rh8_proto_linux' verbose: Method 'nftables_main' invoked repairs verbose: B: ***************************************************************** verbose: B: END bundle nftables_main verbose: B: ***************************************************************** verbose: A: Promise REPAIRED verbose: P: END methods promise (Apply nftables config rh8_prot...) verbose: V: Computing value of 'purpose' verbose: A: Promise was KEPT verbose: P: END meta promise (purpose) verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 2) verbose: V: Computing value of 'purpose' verbose: A: Promise was KEPT verbose: P: END meta promise (purpose) verbose: C: ......................................................... verbose: C: BEGIN classes / conditions (pass 3) verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'firewall' in namespace default verbose: A: Promises kept in 'firewall' = 21 verbose: A: Promises not kept in 'firewall' = 0 verbose: A: Promises repaired in 'firewall' = 5 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'firewall' = 100.0% verbose: A: ................................................... verbose: Additional promise info: version 'cb57786dc' source path '/var/cfengine/inputs/roles/firewall/main.cf' at line 19 comment 'Apply firewall configs for global and rh8_proto_linux' verbose: Method 'firewall' invoked repairs verbose: B: ***************************************************************** verbose: B: END bundle firewall verbose: B: ***************************************************************** verbose: A: Promise REPAIRED verbose: P: END methods promise (Apply firewalls) verbose: V: Computing value of 'purpose' verbose: A: Promise was KEPT verbose: P: END meta promise (purpose) verbose: V: Computing value of 'tags' verbose: A: Promise was KEPT verbose: P: END meta promise (tags) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 2) verbose: V: Computing value of 'firewall_config' verbose: V: Computing value of 'ipset_config' verbose: V: Computing value of 'purpose' verbose: A: Promise was KEPT verbose: P: END meta promise (purpose) verbose: V: Computing value of 'tags' verbose: A: Promise was KEPT verbose: P: END meta promise (tags) verbose: V: ......................................................... verbose: V: BEGIN variables (pass 3) verbose: V: Computing value of 'firewall_config' verbose: V: Computing value of 'ipset_config' verbose: A: ................................................... verbose: A: Bundle Accounting Summary for 'role_firewall' in namespace default verbose: A: Promises kept in 'role_firewall' = 33 verbose: A: Promises not kept in 'role_firewall' = 0 verbose: A: Promises repaired in 'role_firewall' = 6 verbose: A: Aggregate compliance (promises kept/repaired) for bundle 'role_firewall' = 100.0% verbose: A: ................................................... verbose: B: ***************************************************************** verbose: B: END bundle role_firewall verbose: B: ***************************************************************** verbose: Waiting for background processes verbose: No more background processes to wait for verbose: No lock purging needed (lock DB usage: 0 %) Dump of "--show-evaluated-classes" bundle__firewall source=promise bundle__firewall_rh8_proto_linux source=promise bundle_misc source=promise el9 source=promise group_rh8_proto_linux source=promise nft_reload_needed nft_syntax_ok_reached nft_syntax_ok_repaired nftables_enabled source=promise nftables_systemd_failed source=promise role_firewall source=promise verbose: Logging total compliance, total 'Outcome of version cb57786dc (agent-0): Promises observed to be kept 98.36%, Promises repaired 1.64%, Promises not repaired 0.00%'