gistfile1.txt

# facter | grep operatingsystem
operatingsystem => CentOS
operatingsystemrelease => 6.4
# iptables-save
# Generated by iptables-save v1.4.7 on Thu May 23 14:21:42 2013
*filter
:INPUT ACCEPT [6:384]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:328]
COMMIT
# Completed on Thu May 23 14:21:42 2013
# puppet module list
/etc/puppet/modules
└── puppetlabs-firewall (v0.3.0)
/usr/share/puppet/modules (no modules installed)
# cat test1.pp
resources { 'firewall':
  purge => true,
}

firewall {'003 Log all INVALID packets':
  chain      => 'INPUT',
  proto      => 'all',
  state      => 'INVALID',
  jump       => 'LOG',
  log_level  => '3',
  log_prefix => 'IPTABLES Dropped Invalid: ',
}
# cat test2.pp
resources { 'firewall':
  purge => true,
}

firewall {'003 Log all INVALID packets because racecar':
  chain      => 'INPUT',
  proto      => 'all',
  state      => 'INVALID',
  jump       => 'LOG',
  log_level  => '3',
  log_prefix => 'IPTABLES Dropped Invalid: ',
}
# puppet apply test1.pp
Notice: /Firewall[003 Log all INVALID packets]/ensure: created
Notice: Finished catalog run in 0.41 seconds
# puppet apply test2.pp
Error: Execution of '/sbin/iptables -t filter -D INPUT -m comment --comment 003 Log all INVALID packets -m state --state INVALID -j LOG --log-prefix IPTABLES Dropped Invalid:  --log-level 3' returned 2: iptables v1.4.7: unknown option `--log-level'
Try `iptables -h' or 'iptables --help' for more information.

Error: /Firewall[003 Log all INVALID packets]/ensure: change from present to absent failed: Execution of '/sbin/iptables -t filter -D INPUT -m comment --comment 003 Log all INVALID packets -m state --state INVALID -j LOG --log-prefix IPTABLES Dropped Invalid:  --log-level 3' returned 2: iptables v1.4.7: unknown option `--log-level'
Try `iptables -h' or 'iptables --help' for more information.

Notice: /Firewall[003 Log all INVALID packets because racecar]/ensure: created
Notice: Finished catalog run in 0.39 seconds

Yep, that's exactly what happens.