MODULES-10521

puppetlabs-firewall : All masks are forced to CIDR, support wildcard masks



    • Type: Improvement
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
    • Template:
      MODULES Bug Template
    • QA Risk Assessment:
      Needs Assessment


      Basic Info
      Module Version: 2.2.0
      Puppet Version: 6.x
      OS Name/Version: Ubuntu 16.04+ (any really)


      Desired Behavior:

      The basic explanation is that I want to be able to use wildcard masks: https://en.wikipedia.org/wiki/Wildcard_mask. This is pretty much only useful in the IPv4 world, but I guess it could be used in IPv6 too... why, though?

      The confusion comes in that the typical documentation I can find for wildcard masks refers to Cisco ACL documentation, which represents them in a reverse way. However, systems such as iptables, which know how to process a true dotted mask in a binary method, are able to function like this: means that it will match this IP range. 10.[0-3].14.*

      or means 10.[8-11].*.1

      This can be very powerful to allow a single statement to comprise a specific set of IP address space simply based on binary masking.

      I have currently forked the module and minimally disabled the conversion to CIDR to be able to use this ability.

      Actual Behavior:

      As described in this line of the code, all dotted masks get converted to a CIDR mask. This tries to force the value I send to the resource into something that it cannot process, and thus fails.


      The code needs to be adjusted so that it either tries to convert to CIDR and, if that fails, simply uses the original input (provided it is a proper 0-255 dotted-quad IP), or possibly offers a flag that just disables the attempt to convert to CIDR values.


      My use case:

      As you can see in the following code, I can set $services_vlan to a single value that will work for two use cases. If I could not do this, I would have to create some sort of array and then loop through it to accomplish my needs. This is certainly functional, but my view is that forcing only CIDR masks limits what iptables is capable of.

      # In production I have 4 consecutive sites all with a 10.x.14.0/24 subnet that I want to allow
      $services_vlan = ''
      # In non production I have just a single /24 to allow
      $services_vlan = ''
      @firewall { '100 OUTPUT statsd to services vlan':
         chain       => 'OUTPUT',
         action      => 'accept',
         dport       => '8125',
         proto       => 'udp',
         destination => $services_vlan,
      }
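      The following is an added example, not code from puppetlabs-firewall, showing the fallback the ticket asks for and the binary matching iptables performs: a contiguous dotted mask is normalised to a CIDR prefix, a valid non-contiguous (wildcard) mask is kept verbatim, and anything that is not a proper 0-255 dotted quad is rejected. The sample mask values 255.252.255.0 and 255.252.0.255 are constructed from the ranges described above (10.[0-3].14.* and 10.[8-11].*.1); they are not taken from the ticket.

```ruby
# Added example, not puppetlabs-firewall code. Mask values below are
# constructed to realise the ranges described in the ticket.

# Parse a dotted quad into a 32-bit integer; nil if any octet is not 0-255.
def quad_to_int(quad)
  octets = quad.split('.', -1)
  return nil unless octets.length == 4
  octets.reduce(0) do |acc, o|
    return nil unless o =~ /\A\d{1,3}\z/ && o.to_i <= 255
    (acc << 8) | o.to_i
  end
end

# A mask is CIDR-expressible only when its bits are a run of 1s then 0s.
# Returns the prefix length in that case, nil for a wildcard mask.
def prefix_length(mask_int)
  inverted = mask_int ^ 0xFFFFFFFF
  return nil unless (inverted & (inverted + 1)).zero?
  32 - inverted.to_s(2).count('1')
end

# Normalise "addr/mask": "addr/prefixlen" when the mask is contiguous,
# the original "addr/dotted-mask" when it is a valid wildcard mask, and
# ArgumentError when either part is not a proper dotted quad.
def normalize_destination(spec)
  addr, mask = spec.split('/', 2)
  return spec if mask.nil?                                    # bare host
  return spec if mask =~ /\A\d{1,2}\z/ && mask.to_i <= 32     # already CIDR
  raise ArgumentError, "bad address #{addr}" unless quad_to_int(addr)
  mask_int = quad_to_int(mask)
  raise ArgumentError, "bad mask #{mask}" unless mask_int
  plen = prefix_length(mask_int)
  plen ? "#{addr}/#{plen}" : spec
end

# True when ip falls inside spec; spec may carry a CIDR prefix or a dotted
# (possibly wildcard) mask. This is the same AND iptables applies.
def matches?(ip, spec)
  addr, mask = spec.split('/', 2)
  mask_int = if mask.nil? then 0xFFFFFFFF
             elsif mask.include?('.') then quad_to_int(mask)
             else (0xFFFFFFFF << (32 - mask.to_i)) & 0xFFFFFFFF
             end
  (quad_to_int(ip) & mask_int) == (quad_to_int(addr) & mask_int)
end

# Constructed sample values: four consecutive /24 sites vs. a single /24.
SITES_WILDCARD = '10.0.14.0/255.252.255.0'
SINGLE_SUBNET  = '10.0.14.0/255.255.255.0'
```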

      Thanks for considering this option.  I realize it is probably not a common use case but I believe it to be a powerful one that many don't even know exists.




      Assignee: Unassigned
      Reporter: Matt Pascoe (ona_matt)