MODULES-10565

firewall : cannot parse docker rules on Debian Buster


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Environment:

      Debian Buster, Puppet 5.5

    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 2.2.0
      Puppet Version: 5.5.18
      OS Name/Version: Debian Linux 10 (Buster)

      Desired Behavior: Firewall module can correctly parse iptables rules added by Docker

      Actual Behavior: Firewall module does not parse Docker iptables rules correctly

      After upgrading to Debian Buster, I began seeing the following type of warnings in my Puppet logs:

      {{ Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (1) and values (10) count mismatch on line: -A DOCK# Warning: iptables-legacy tables present, use iptables-legacy-save to see them}}
      {{ Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (5) and values (6) count mismatch on line: ER ! -i docker0 -p tcp -m tcp --dport 6501 -j DNAT --to-destination 172.17.0.10:6501}}

      Note that each pair of warnings seems to be a garbled single line of output from iptables - the comment seems to be splitting `-A DOCKER` into two lines.

      Debian 10 has switched to nftables/netfilter as the default, and so the iptables command is actually iptables-nft translating rules from/to the nft backend. The comments are added during translation.
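One way to make such output parseable again, as an added example that is not the firewall module's own code: the warning text is taken verbatim from the ticket, the sample save output is constructed to reproduce the split shown above, and the function names and the assumption that the warning arrives inline with the rule text are mine. Tokenising the first garbled fragment gives one option and ten values, the same counts the warning on this ticket reports.

```python
from typing import List, Tuple

# Exact warning text quoted in the ticket; on Buster iptables-nft emits it when
# legacy tables are also present, and here it landed inside the saved rule text.
LEGACY_WARNING = ("# Warning: iptables-legacy tables present, "
                  "use iptables-legacy-save to see them")

# Constructed sample (not real captured output) reproducing the ticket's garbling:
# the warning splits "-A DOCKER" and pushes the rest of the rule to a new line.
SAMPLE_OUTPUT = (
    "*nat\n:DOCKER - [0:0]\n"
    "-A DOCK" + LEGACY_WARNING + "\n"
    "ER ! -i docker0 -p tcp -m tcp --dport 6501 -j DNAT --to-destination 172.17.0.10:6501\n"
    + LEGACY_WARNING + "\nCOMMIT\n"
)

def repair_save_output(text: str) -> List[str]:
    """Drop interleaved legacy warnings and rejoin any rule one of them split.
    A warning at line start is a plain comment; one found mid-line cut a rule,
    so the text after it (or the next line, if it ended the line) is glued back."""
    lines = text.splitlines()
    repaired: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("#"):                 # comment or stand-alone warning
            i += 1
            continue
        pos = line.find(LEGACY_WARNING)
        if pos != -1:
            rest = line[pos + len(LEGACY_WARNING):]
            if not rest and i + 1 < len(lines):  # rule continues on the next line
                i += 1
                rest = lines[i]
            line = line[:pos] + rest             # "-A DOCK" + "ER ! -i ..." -> "-A DOCKER ! -i ..."
        repaired.append(line)
        i += 1
    return repaired

def parse_rule(rule: str) -> List[Tuple[str, List[str]]]:
    """Split a rule into (option, values) pairs so key/value counts can be checked;
    a leading '!' is kept as the first value of the option it negates."""
    pairs: List[Tuple[str, List[str]]] = []
    negate = False
    for tok in rule.split():
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            pairs.append((tok, ["!"] if negate else []))
            negate = False
        elif pairs:
            pairs[-1][1].append(tok)
    return pairs
```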

            People

            Assignee:
            Unassigned
            Reporter:
            paikens@gmail.com Patrick Aikens