MODULES-10660

puppetlabs-firewall: LXD-generated rules result in "Skipping unparsable iptables rule"


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels: None
    • Template: MODULES Bug Template
    • Method Found: Needs Assessment
    • QA Risk Assessment: Needs Assessment

      Description

      Basic Info
      Module Version: 2.3.0
      Puppet Version: 6.15.0
      OS Name/Version: Ubuntu 18.04

      Desired Behavior:

      Puppet should not throw any warnings.

      Actual Behavior:

      Edit: Looks like https://github.com/puppetlabs/puppetlabs-firewall/pull/907#issuecomment-626396688 implements --hex-string but only for iptables, not ip6tables?

      Since LXD (https://linuxcontainers.org/) 4.0, Puppet throws some warnings that rules are not parseable:

      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eea2d09|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f801721665b499ec1c5b373e61|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eac7aad|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f8017216658f43a6638eabeaf5|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eea2d09|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f801721665b499ec1c5b373e61|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eac7aad|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      Warning: Puppet::Type::Firewall::ProviderIp6tables: Skipping unparsable iptables rule: keys (10) and values (15) count mismatch on line: -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f8017216658f43a6638eabeaf5|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP

      Running: ip6tables-save | grep "icmpv6-type 136" gives this back:

      -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eea2d09|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f801721665b499ec1c5b373e61|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eac7aad|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      -A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f8017216658f43a6638eabeaf5|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eea2d09|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f801721665b499ec1c5b373e61|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container sevendays (eth0)" -j DROP
      -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eac7aad|" --algo bm --from 66 --to 72 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      -A FORWARD -i br1 -p ipv6-icmp -m physdev --physdev-in veth2719ae8c -m icmp6 --icmpv6-type 136 -m string ! --hex-string "|2a0104f8017216658f43a6638eabeaf5|" --algo bm --from 48 --to 64 -m comment --comment "generated for LXD container gmodtobi (eth0)" -j DROP
      

      Reference (reason for these rules): https://github.com/lxc/lxd/blob/e891cc12dc4bf9c0424a586638d91e852d6e5387/lxd/firewall/drivers/drivers_xtables.go#L501-L521
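As an added example (my own code, not the puppetlabs-firewall provider's), a small Ruby parser for the first ip6tables-save rule quoted above: it keeps the quoted "|hex|" and comment values as single tokens, attaches the "!" that precedes --hex-string to that option, and reports which options a key map without the `-m string` match would have to learn. PRE_LXD_KEYS is a hypothetical key map, not the module's.

```ruby
# Added example, not puppetlabs-firewall code: a minimal parser for one
# ip6tables-save rule line that handles what the LXD rules rely on,
# double-quoted values ("|hex|" strings, comments) and a "!" negation
# placed before the option, as in `-m string ! --hex-string "|...|"`.
# The first rule quoted in this ticket, unwrapped onto one line.
LXD_RULE = '-A INPUT -i br1 -p ipv6-icmp -m physdev --physdev-in veth314a07c6 ' \
           '-m icmp6 --icmpv6-type 136 -m string ! --hex-string "|00163eea2d09|" ' \
           '--algo bm --from 66 --to 72 -m comment ' \
           '--comment "generated for LXD container sevendays (eth0)" -j DROP'

# Split on whitespace, keeping each double-quoted value as one token.
def tokenize(rule)
  rule.scan(/"[^"]*"|\S+/)
end

# Returns [{ key:, value:, negated: }, ...] in rule order. In save output
# every option carries exactly one value, so a missing value is an error.
def parse_rule(rule)
  tokens = tokenize(rule)
  pairs = []
  negated = false
  until tokens.empty?
    tok = tokens.shift
    if tok == '!'
      negated = true
      next
    end
    raise ArgumentError, "unexpected token #{tok.inspect}" unless tok.start_with?('-')
    value = tokens.shift
    raise ArgumentError, "option #{tok} has no value" if value.nil? || value.start_with?('-')
    pairs << { key: tok, value: value.delete('"'), negated: negated }
    negated = false
  end
  pairs
end

# Options the rule uses that a given key map does not know. A provider
# whose map lacks them cannot line keys up with values, which is the
# kind of mismatch the warning in this ticket reports.
def unsupported_options(rule, supported)
  parse_rule(rule).map { |p| p[:key] }.uniq - supported
end
# Hypothetical key map with none of the `-m string` options.
PRE_LXD_KEYS = %w[-A -i -p -m --physdev-in --icmpv6-type --comment -j].freeze

if __FILE__ == $PROGRAM_NAME
  parse_rule(LXD_RULE).each { |p| puts "#{p[:negated] ? '! ' : ''}#{p[:key]} => #{p[:value]}" }
  puts "unsupported: #{unsupported_options(LXD_RULE, PRE_LXD_KEYS).join(' ')}"
end
```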

      People

      Assignee: Unassigned
      Reporter: Jan-Otto Kröpke (jkroepke)