1

firewall: Invalid address from IPAddr.new !

asked 2013-12-12 08:38:29 -0500

deric

I've installed the puppetlabs-firewall (latest version from git) and I've followed the README instructions and added this to site.pp:

resources { "firewall":
  purge => true
}

Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
class { ['my_fw::pre', 'my_fw::post']: }
class { 'firewall': }

Now I'm getting this error:

Error: /Stage[main]//Resources[firewall]: Failed to generate additional resources using 'generate': Invalid address from IPAddr.new: !

Any idea what it means?

Comments

Like smsearcy below, this error went away once we ran `iptables --flush`. This could be a bug that occurs when reading the existing rules on the system, and not with your current manifests.

stefanlasiewski (2015-03-26 12:27:43 -0500)

3 answers

1

answered 2013-12-18 19:47:31 -0500

Stefan

It looks like the puppetlabs-firewall module uses the ipaddr ruby library to normalize different IP notations and puppet seems to feed this method with invalid input.

Because you purge firewall rules the provider has to run the instances method of your provider to get a list of currently present rules. This leads to the conclusion that your system does have a firewall rule that the module is unable to handle correctly. I am not familiar with the puppetlabs-firewall module but you should be able to reproduce the error by running

puppet resource firewall

If this leads to the same error ... (more)
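
One way to locate the kind of rule this answer describes, as an added example that is not part of the original thread or of the puppetlabs-firewall code: it passes each `-s`/`-d` argument of an `iptables-save` dump to Ruby's IPAddr, the library the answer names. The sample dump and the names `unparsable_addresses` and `parsable?` are constructed for illustration, and the script does not reproduce the module's own parser.

```ruby
require 'ipaddr'
require 'shellwords'

# Options whose argument iptables-save prints as an address or CIDR.
ADDRESS_FLAGS = %w[-s --source -d --destination].freeze

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_DUMP = <<~DUMP
  # Constructed sample
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -s ! 192.168.0.0/24 -j DROP
  -A INPUT -s 172.16.0.0/12 -p udp -m comment --comment "dhcp -s any" -j ACCEPT
  COMMIT
DUMP

# True when IPAddr accepts the value as an address or CIDR.
def parsable?(value)
  return false if value.nil? || value.empty?
  IPAddr.new(value)
  true
rescue ArgumentError # IPAddr's own error classes inherit from ArgumentError
  false
end

# Returns [[line_number, flag, value, rule], ...] for every address
# argument in the dump that IPAddr.new rejects.
def unparsable_addresses(dump)
  findings = []
  dump.each_line.with_index(1) do |line, lineno|
    rule = line.strip
    next unless rule.start_with?('-A ') # skip headers, policies, COMMIT
    # Shellwords keeps a quoted --comment as one token, so a "-s" inside
    # a comment is not mistaken for an option.
    tokens = Shellwords.split(rule)
    tokens.each_with_index do |tok, i|
      next unless ADDRESS_FLAGS.include?(tok)
      value = tokens[i + 1]
      findings << [lineno, tok, value, rule] unless parsable?(value)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  dump = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DUMP
  unparsable_addresses(dump).each { |f| puts "line #{f[0]}: #{f[1]} #{f[2].inspect} in: #{f[3]}" }
end
```

To check a real host, save the output of `/sbin/iptables-save` (the command shown in the debug traces on this page) to a file and pass its path as the first argument.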

0

answered 2015-01-12 23:29:57 -0500

TommyTheKid

@Stefan: since the trace output is too long for a comment...

I am having a similar, and probably related issue on CentOS 6.6. If I had to guess, I would say it doesn't like IPv6 addresses?

# puppet resource --verbose --debug --trace firewall
Debug: Runtime environment: run_mode=user, ruby_version=1.8.7, puppet_version=3.7.3
Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
Debug: Executing '/sbin/iptables-save'
Debug: /Firewall[000 INPUT accept all to lo interface]: [validate]
Debug: /Firewall[000 INPUT accept all to lo interface]: Provider iptables does not support features hop_limiting; not managing attribute hop_limit
Debug: /Firewall[000 INPUT accept all to lo interface]: Provider iptables does not support features ishasmorefrags; not managing attribute ishasmorefrags
Debug: /Firewall[000 INPUT accept all to lo interface]: Provider iptables does not support features islastfrag; not managing attribute islastfrag
Debug: /Firewall[000 INPUT accept all to lo interface]: Provider iptables does not support features isfirstfrag; not managing attribute isfirstfrag
Debug: /Firewall[001 INPUT allow icmp type 0 (ping)]: [validate]
Debug: /Firewall[001 INPUT allow icmp type 0 (ping)]: Provider iptables does not support features hop_limiting; not managing attribute hop_limit
Debug: /Firewall[001 INPUT allow icmp type 0 (ping)]: Provider iptables does not support features ishasmorefrags; not managing attribute ishasmorefrags
Debug: /Firewall[001 INPUT allow icmp type 0 (ping)]: Provider iptables does not support features islastfrag; not managing attribute islastfrag
Debug: /Firewall[001 INPUT allow icmp type 0 (ping)]: Provider iptables does not support features isfirstfrag; not managing attribute isfirstfrag
Debug: /Firewall[001 INPUT allow icmp type 8 (ping)]: [validate]
Debug: /Firewall[001 INPUT allow icmp type 8 (ping)]: Provider iptables does not support features hop_limiting; not managing attribute hop_limit
Debug: /Firewall[001 INPUT allow icmp type 8 (ping)]: Provider iptables does not support features ishasmorefrags; not managing attribute ishasmorefrags
Debug: /Firewall[001 INPUT allow icmp type 8 (ping)]: Provider iptables does not support features islastfrag; not managing attribute islastfrag
Debug: /Firewall[001 INPUT allow icmp type 8 (ping)]: Provider iptables does not support features isfirstfrag; not managing attribute isfirstfrag
Debug: /Firewall[003 INPUT allow related and established rules]: [validate]
Debug: /Firewall[003 INPUT allow related and established rules]: Provider iptables does not support features hop_limiting; not managing attribute hop_limit
Debug: /Firewall[003 INPUT allow related and established rules]: Provider iptables does not support features ishasmorefrags; not managing attribute ishasmorefrags
Debug: /Firewall[003 INPUT allow related and established rules]: Provider iptables does not support features islastfrag; not managing attribute islastfrag
Debug: /Firewall[003 INPUT allow related and established rules]: Provider iptables does not support features isfirstfrag; not managing attribute isfirstfrag
Debug: /Firewall[049 INPUT allow dhcp udp from anyone internal]: [validate]
Debug: /Firewall[049 INPUT allow dhcp udp from anyone internal]: Provider iptables does not support features hop_limiting; not managing attribute hop_limit
Debug: /Firewall[049 INPUT allow dhcp udp from anyone internal]: Provider iptables does not support features ishasmorefrags; not managing attribute ishasmorefrags
Debug: /Firewall[049 INPUT allow dhcp udp from anyone internal]: Provider iptables does not support features islastfrag; not managing attribute ...
(more)

Comments

1

I had the same issue and found this ticket: https://tickets.puppetlabs.com/browse/MODULES-1612. It does appear to be an IPv6 issue and they are working on it. I used the same workaround of flushing the ip6tables.

smsearcy (2015-01-15 11:49:14 -0500)
0

answered 2014-01-16 16:59:58 -0500

serverhorror

updated 2014-01-16 17:11:58 -0500

(Commenting since I can otherwise add meaningful information, feel free to moderate if that is not actually helpful)

My workaround is at the end

I have the same problem. The complete output is:

Puppet version:

$ puppet --version
3.4.2

OS Version:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.4 LTS
Release:    12.04
Codename:   precise

Debug output:

$ sudo puppet resource --verbose --debug --trace --modulepath /opt/puppet/shiny-octo-bear/modules/ firewall
Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
Debug: Executing '/sbin/iptables-save'
Error: Could not run: Invalid address from IPAddr.new: !
/opt/puppet/shiny-octo-bear/modules ...
(more)

Stats

Asked: 2013-12-12 08:38:29 -0500

Seen: 1,341 times

Last updated: Jan 12 '15