MODULES-10358

firewall: log_... => false still requires jump values

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Team:
      Modules
    • Method Found:
      Customer Feedback
    • QA Risk Assessment:
      Needs Assessment

      Description

      Module Version: 1.12.0, 2.2.0
      Puppet Version: 2018.1.11
      OS Name/Version: RHEL 7

      Given a module that sets a parameter prefixed with log_ to a value of false, with no jump parameter value set, catalog compilation fails.

      Example that unexpectedly causes catalog compilation to fail:

        firewall { '904 305cfb035fc4adba0e46cad3d15bca23':
          ensure             => 'present',
          ...
          log_uid            => false,
          ...
        }
      

      Compared to this example, which does not:

        firewall { '905 fe610d70c21ce9c0931056b9ea87cf49':
          ensure             => 'present',
          ...
          jump               => 'DOCKER',
          log_uid            => false,
          ...
        }
      

      How does a user wind up with log_ parameters set to false in the first place? By running puppet resource firewall, which generates them from the unmanaged resources in iptables:

        firewall { '9005 fe610d70c21ce9c0931056b9ea87cf49':
          ensure             => 'present',
          action             => 'accept',
          chain              => 'FORWARD',
          checksum_fill      => false,
          clamp_mss_to_pmtu  => false,
          clusterip_new      => false,
          iniface            => 'docker0',
          isfragment         => false,
          kernel_timezone    => false,
          log_uid            => false,
          outiface           => '! docker0',
          physdev_is_bridged => false,
          physdev_is_in      => false,
          physdev_is_out     => false,
          proto              => 'all',
          queue_bypass       => false,
          random             => false,
          rdest              => false,
          reap               => false,
          rsource            => false,
          rttl               => false,
          socket             => false,
          table              => 'filter',
          time_contiguous    => false,
        }
      

      Desired Behavior:

      Puppet recognizes that a log_ parameter set to false does not require a jump value.

      puppet resource firewall outputs valid resources.

      Actual Behavior:

      Catalog compilation fails:

      Debug: /Firewall[904 305cfb035fc4adba0e46cad3d15bca23]: [validate]
      Error: Parameter log_prefix, log_level and log_uid require jump => LOG
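
The desired behavior above, written out as a stand-alone Ruby check. This is an added example, not code from the report or from the firewall module; `enabled?`, `log_jump_error` and the sample hashes are hypothetical names and constructed data. It assumes a disabled parameter may arrive as `false`, `:false`, `'false'`, `nil` or `:absent`.

```ruby
# Added illustration; hypothetical names, not the firewall module's own code.
LOG_PARAMS = %i[log_prefix log_level log_uid].freeze

# Values treated as "not set" (assumption). In Ruby the symbol :false and the
# string 'false' are truthy, so a plain `if value` test would count them as
# set; the comparison has to be explicit.
DISABLED = [nil, false, :false, 'false', :absent, ''].freeze

def enabled?(value)
  !DISABLED.include?(value)
end

# Returns an error string, or nil when the resource passes the check.
def log_jump_error(params)
  active = LOG_PARAMS.select { |name| enabled?(params[name]) }
  return nil if active.empty?                 # no log_ option in use
  return nil if params[:jump].to_s == 'LOG'   # log_ options with a LOG target

  "Parameter #{active.join(', ')} require jump => LOG"
end

# Constructed samples modelled on the resources quoted in the report.
WITHOUT_JUMP     = { ensure: 'present', log_uid: false }.freeze
WITH_DOCKER_JUMP = { ensure: 'present', jump: 'DOCKER', log_uid: false }.freeze
GENERATED        = { ensure: 'present', action: 'accept', chain: 'FORWARD',
                     iniface: 'docker0', log_uid: :false, proto: 'all',
                     table: 'filter' }.freeze
# Constructed samples where a log_ option really is in use.
REAL_LOG_RULE    = { ensure: 'present', jump: 'LOG', log_uid: true,
                     log_prefix: 'fw: ' }.freeze
MISSING_JUMP     = { ensure: 'present', log_prefix: 'fw: ' }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'without jump' => WITHOUT_JUMP, 'jump => DOCKER' => WITH_DOCKER_JUMP,
    'generated' => GENERATED, 'real LOG rule' => REAL_LOG_RULE,
    'log_prefix, no jump' => MISSING_JUMP }.each do |label, params|
    puts "#{label}: #{log_jump_error(params) || 'ok'}"
  end
end
```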
      

              People

              Assignee:
              david.swan David Swan
              Reporter:
              garrett.guillotte Garrett Guillotte