
Simple mark rules using puppetlabs-firewall

asked 2015-01-29 11:25:14 -0600

asdf5

updated 2015-01-30 02:44:34 -0600

I'm not sure if I'm missing something, but there doesn't seem to be a way to create a simple mark rule using puppetlabs-firewall (1.4). For example:

iptables -A POSTROUTING -m mark --mark 0x1 -m comment --comment "123 SNAT magic packets" -j SNAT --to-source

The existing functionality can only create rules using connection tracking. Negated mark rules cause the parsing to break:

Debug: Puppet::Type::Firewall::ProviderIptables: Line [-A POSTROUTING ! -d -m mark ! --mark 0x1 -m comment --comment "141 Local net" -j SNAT --to-source], table [nat], counter [3]
Debug: Puppet::Type::Firewall::ProviderIptables: Working on [connmark]
Debug: Puppet::Type::Firewall::ProviderIptables: Working on [ctstate]
Debug: Puppet::Type::Firewall::ProviderIptables: Working on [destination]
Error: /Firewall[005 ipsec]: Could not evaluate: Invalid address from 0x1
/var/lib/puppet/lib/puppet/util/ipcidr.rb:12:in `rescue in initialize'
/var/lib/puppet/lib/puppet/util/ipcidr.rb:8:in `initialize'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:370:in `new'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:370:in `block in rule_to_hash'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:341:in `each'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:341:in `rule_to_hash'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:209:in `block in instances'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:204:in `each'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:204:in `instances'
/var/lib/puppet/lib/puppet/provider/firewall.rb:27:in `query'
/var/lib/puppet/lib/puppet/provider/firewall.rb:18:in `properties'
/var/lib/puppet/lib/puppet/provider/firewall/iptables.rb:183:in `exists?'

(Some extra debugging lines added to module above to show where it gets to.) I don't know any ruby, but it looks like the parser expects things to appear in a particular order. Is there an easy way to at least get this not to break?



Edit iptables.rb in the module and adjust the definition of @resource_map, adding a line just after ":ctstate": :mark => "-m mark --mark". Then insert it into the list where @resource_list is defined, after ":pkttype". This stops Puppet breaking when it encounters these rules.

asdf5 ( 2015-01-30 03:59:34 -0600 )
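Why the provider trips over a match extension it has no entry for, and why registering :mark in the map and the parse list fixes it, modelled in added Ruby. This is example code written for this page, not puppetlabs-firewall's own implementation: the property names, flag strings, parse order, the :unparsed bookkeeping, the address check and the sample rule (with documentation addresses standing in for the ones redacted in the question) are simplified assumptions.

```ruby
# Added example: a toy model of "strip the known flags, then pair keys with
# the leftover values by position" parsing. It is NOT puppetlabs-firewall's
# own code; names, flag strings, parse order and the sample rule are assumptions.
require 'ipaddr'

# Flag text for each property the toy knows about. The :mark entry is the one
# the workaround above adds.
RESOURCE_MAP = {
  ctstate:     '-m state --state',
  destination: '-d',
  mark:        '-m mark --mark',
  comment:     '-m comment --comment',
  jump:        '-j',
  tosource:    '--to-source'
}.freeze

# Parse order. It has to follow the order in which iptables-save prints the
# options, because values are paired with keys purely by position.
RESOURCE_LIST_WITHOUT_MARK = %i[ctstate destination comment jump tosource].freeze
RESOURCE_LIST_WITH_MARK    = %i[ctstate destination mark comment jump tosource].freeze

# Constructed sample rule in the shape of the negated rule from the question,
# with documentation addresses where the question redacts them.
SAMPLE_RULE = '-A POSTROUTING ! -d 10.0.0.0/8 -m mark ! --mark 0x1 ' \
              '-m comment --comment "141 Local net" -j SNAT --to-source 203.0.113.1'

def rule_to_hash(line, resource_list)
  # Fold a leading "!" into the value: `! -d 10.0.0.0/8` becomes `-d "! 10.0.0.0/8"`.
  values = line.gsub(/!\s+(-\S+)\s+(\S+)/, '\1 "! \2"')
  keys = [:chain]
  # Strip the flag text of every known property that is present, recording the
  # key. A match extension missing from the map is left behind as stray tokens.
  resource_list.each do |key|
    keys << key if values.slice!(/\s#{Regexp.escape(RESOURCE_MAP[key])}(?=\s)/)
  end
  values.slice!(/\A-A\s/)
  # Whatever is left is the value list in rule order; pair it with the keys.
  tokens = values.scan(/"[^"]*"|\S+/).map { |t| t.delete('"') }
  hash = keys.zip(tokens).to_h
  hash[:unparsed] = tokens.drop(keys.length) if tokens.length > keys.length
  hash
end

# Address-valued properties are validated afterwards; a shifted column shows up
# here as a bogus address, the counterpart of "Invalid address from 0x1".
def address_errors(hash)
  %i[destination tosource].map do |key|
    next unless hash[key]
    begin
      IPAddr.new(hash[key].sub(/\A!\s*/, ''))
      nil
    rescue ArgumentError
      "#{key}: invalid address from #{hash[key]}"
    end
  end.compact
end

if $PROGRAM_NAME == __FILE__
  [RESOURCE_LIST_WITHOUT_MARK, RESOURCE_LIST_WITH_MARK].each do |list|
    parsed = rule_to_hash(SAMPLE_RULE, list)
    puts "parse order #{list.inspect}"
    parsed.each { |k, v| puts "  #{k}: #{v.inspect}" }
    puts "  errors: #{address_errors(parsed).inspect}"
  end
end
```

Without :mark in the list, the tokens "-m mark --mark" are never removed, so every value after them lands one or more columns to the right of its key (comment becomes "-m", tosource becomes "--mark") and the address check rejects it; with :mark registered, each column is claimed by the right key and the negated mark survives as "! 0x1". This is also why the comment says the entry has to go in the right place in @resource_list: the position, not just the presence, of each key is what the pairing relies on.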

Hi cscheib - that's the problem - I can't generate a rule of this type using Puppet. If I put one in manually it then stops the module working. It seems to be an issue with the parser (see my previous comment).

asdf5 ( 2015-01-30 04:00:59 -0600 )

1 Answer


answered 2015-01-30 04:28:32 -0600

asdf5

I've raised this as a ticket in JIRA with details of what I'm using to work around the problem:

