MODULES-10864

puppetlabs/firewall : error if Firewallchain[POSTROUTING:filter:ethernet] does exist.

    Details

    • Type: Bug
    • Status: Needs Information
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: 2.7.0
      Puppet Version: 6.19.1
      OS Name/Version: Linux 5.4.65-1-pve

      When ensuring the internal chains to be present:

          # https://tickets.puppetlabs.com/browse/MODULES-7519
          firewallchain { 'PREROUTING:nat:IPv4': ensure => present, }
          firewallchain { 'INPUT:nat:IPv4': ensure => present, }
          firewallchain { 'OUTPUT:nat:IPv4': ensure => present, }
          firewallchain { 'POSTROUTING:nat:IPv4': ensure => present, }
          firewallchain { 'PREROUTING:mangle:IPv4': ensure => present, }
          firewallchain { 'INPUT:mangle:IPv4': ensure => present, }
          firewallchain { 'FORWARD:mangle:IPv4': ensure => present, }
          firewallchain { 'OUTPUT:mangle:IPv4': ensure => present, }
          firewallchain { 'POSTROUTING:mangle:IPv4': ensure => present, }
          firewallchain { 'INPUT:security:IPv4': ensure => present, }
          firewallchain { 'FORWARD:security:IPv4': ensure => present, }
          firewallchain { 'OUTPUT:security:IPv4': ensure => present, }
          firewallchain { 'PREROUTING:raw:IPv4': ensure => present, }
          firewallchain { 'OUTPUT:raw:IPv4': ensure => present, }
          firewallchain { 'INPUT:filter:IPv4': ensure => present, }
          firewallchain { 'FORWARD:filter:IPv4': ensure => present, }
          firewallchain { 'OUTPUT:filter:IPv4': ensure => present, }
          firewallchain { 'PREROUTING:nat:IPv6': ensure => present, }
          firewallchain { 'INPUT:nat:IPv6': ensure => present, }
          firewallchain { 'OUTPUT:nat:IPv6': ensure => present, }
          firewallchain { 'POSTROUTING:nat:IPv6': ensure => present, }
          firewallchain { 'PREROUTING:mangle:IPv6': ensure => present, }
          firewallchain { 'INPUT:mangle:IPv6': ensure => present, }
          firewallchain { 'FORWARD:mangle:IPv6': ensure => present, }
          firewallchain { 'OUTPUT:mangle:IPv6': ensure => present, }
          firewallchain { 'POSTROUTING:mangle:IPv6': ensure => present, }
          firewallchain { 'INPUT:security:IPv6': ensure => present, }
          firewallchain { 'FORWARD:security:IPv6': ensure => present, }
          firewallchain { 'OUTPUT:security:IPv6': ensure => present, }
          firewallchain { 'PREROUTING:raw:IPv6': ensure => present, }
          firewallchain { 'OUTPUT:raw:IPv6': ensure => present, }
          firewallchain { 'INPUT:filter:IPv6': ensure => present, }
          firewallchain { 'FORWARD:filter:IPv6': ensure => present, }
          firewallchain { 'OUTPUT:filter:IPv6': ensure => present, }
          firewallchain { 'INPUT:filter:ethernet': ensure => present, }
          firewallchain { 'FORWARD:filter:ethernet': ensure => present, }
          firewallchain { 'OUTPUT:filter:ethernet': ensure => present, }
          firewallchain { 'PREROUTING:nat:ethernet': ensure => present, }
          firewallchain { 'OUTPUT:nat:ethernet': ensure => present, }
          firewallchain { 'POSTROUTING:nat:ethernet': ensure => present, }
       

      The following error is thrown:

      Firewallchain[POSTROUTING:filter:ethernet]: INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'filter' 

      This seems to be caused by the case statement in '/firewall/lib/puppet/type/firewallchain.rb' starting on line 60, and by ebtables-save reporting the PREROUTING and POSTROUTING chains:

      # Generated by ebtables-save v1.0 (legacy) on Tue 10 Nov 2020 03:52:53 PM CET
      *nat
      :PREROUTING ACCEPT
      :OUTPUT ACCEPT
      :POSTROUTING ACCEPT

      *filter
      :INPUT ACCEPT
      :FORWARD ACCEPT
      :OUTPUT ACCEPT
      :POSTROUTING ACCEPT
      :PREROUTING ACCEPT
       

       

      Desired Behavior:

      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Loading facts
      Info: Caching catalog for host-01.mydomain.com
      Info: Applying configuration version '1605013302'
      Notice: Applied catalog in 38.69 seconds

      Actual Behavior:

      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Retrieving locales
      Info: Loading facts
      Info: Caching catalog for host-01.mydomain.com
      Error: /Stage[main]/Profiles::Linux_pve/Resources[firewallchain]: Failed to generate additional resources using 'generate': Parameter name failed on Firewallchain[POSTROUTING:filter:ethernet]: INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'filter'
      Info: Applying configuration version '1605013232'
      Notice: Applied catalog in 32.23 seconds 

      Please take a moment and attach any relevant log output and/or manifests. This will help us immensely when troubleshooting the issue.
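
The interaction described in the report, sketched as an added example (not the module's code and not the reporter's): chains discovered from `ebtables-save` are turned into `firewallchain` titles and run through a name check of the shape the error message implies. The allow-list, the helper names and the sample input are assumptions constructed for illustration.

```ruby
# Added example: not code from puppetlabs/firewall.
# Constructed sample mirroring the ebtables-save output in the report.
SAMPLE_SAVE = <<~SAVE
  # Generated by ebtables-save v1.0 (legacy)
  *nat
  :PREROUTING ACCEPT
  :OUTPUT ACCEPT
  :POSTROUTING ACCEPT

  *filter
  :INPUT ACCEPT
  :FORWARD ACCEPT
  :OUTPUT ACCEPT
  :POSTROUTING ACCEPT
  :PREROUTING ACCEPT
SAVE

# Names the check treats as inbuilt (reserved) chain names.
INBUILT_NAMES = %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING].freeze

# Assumption: per-table allow-list for the ethernet protocol. The 'filter' row
# comes from the error message in the report; the 'nat' row is standard ebtables.
ALLOWED = {
  'filter' => %w[INPUT OUTPUT FORWARD],
  'nat'    => %w[PREROUTING OUTPUT POSTROUTING],
}.freeze

# Parse ebtables-save text into firewallchain-style titles "CHAIN:table:ethernet".
def discovered_titles(save_text)
  table = nil
  save_text.each_line.map(&:strip).each_with_object([]) do |line, titles|
    if line.start_with?('*')
      table = line[1..-1]                 # "*filter" -> "filter"
    elsif line.start_with?(':') && table
      titles << "#{line[1..-1].split.first}:#{table}:ethernet"
    end
  end
end

# Return the titles that a name check of this shape rejects.
def rejected_titles(titles)
  titles.select do |title|
    chain, table, _proto = title.split(':')
    INBUILT_NAMES.include?(chain) && ALLOWED.key?(table) && !ALLOWED[table].include?(chain)
  end
end

if __FILE__ == $PROGRAM_NAME
  rejected_titles(discovered_titles(SAMPLE_SAVE)).each { |t| puts "rejected: #{t}" }
end
```

The rejected titles come from what is discovered on the host, not from the manifest, which never declares `POSTROUTING:filter:ethernet`; that matches the error being raised from `generate` on `Resources[firewallchain]`.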

              People

              Assignee: Unassigned
              Reporter: M.D. Klapwijk (mklapwijk)