MODULES-11158

puppetlabs-firewall : K3s: Skipping unparsable iptables rule: keys (5) and values (9) count mismatch


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Acceptance Criteria:
      The puppetlabs/firewall module can correctly parse K3s dynamically generated iptables rules.
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Module Version:  puppetlabs/firewall v3.1.0
      Puppet Version:  7.9.0
      OS Name/Version:  Debian 10 (Buster)

      Desired Behavior:

      The puppetlabs "firewall" module can successfully manage rules on a node running K3s (lightweight Kubernetes) without throwing warnings.

      Actual Behavior:

      On a Debian 10 system running K3s v1.21.2+k3s1, I see the following warnings:

      root@apc:~# puppet apply -e 'include my_fw'
      Notice: Compiled catalog for apc.host in environment production in 0.14 seconds
      Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (5) and values (9) count mismatch on line: -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cbr0\" id: \"51b5ab4bfffd46f1c286f98066cafc520df147198bec22ec0c812dab252964b1\"" -m multiport --dports 80 -j CNI-DN-6c854a1c6875bf32e16f3
      Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (5) and values (9) count mismatch on line: -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cbr0\" id: \"91e2188a61b4f1437fcf3a224f5f59baaf109bb82a8069eef51616a7b8d70d8d\"" -m multiport --dports 5671 -j CNI-DN-e91031af49b46c2e6e6a4
      Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (5) and values (9) count mismatch on line: -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cbr0\" id: \"ab98b4663372813ebe2319bdda155a384b081fce59c4b9c46f7c7a9d25b5d77a\"" -m multiport --dports 443 -j CNI-DN-156325f5a6ec66aaa1d18
      Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (5) and values (9) count mismatch on line: -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"cbr0\" id: \"544de100ead7c3adbdbee3f7b5696ffced7d1039fbee8c024127d6a91f32c867\"" -m multiport --dports 5050 -j CNI-DN-47efd1300c7635ab8200a
      Notice: Applied catalog in 0.69 seconds

      My assumption is that the comments are being parsed incorrectly due to the escaped double quotes.

      The manifests I'm using are almost identical to the module README examples:

      root@apc:~# find /opt/puppetlabs/puppet/modules/my_fw/manifests/ -type f -exec cat {} \;
      class my_fw::pre {
        Firewall {
          require => undef,
        }
        firewall { '000 accept all icmp':
          proto  => 'icmp',
          action => 'accept',
        }
        -> firewall { '001 accept all to lo interface':
          proto   => 'all',
          iniface => 'lo',
          action  => 'accept',
        }
        -> firewall { '002 reject local traffic not on loopback interface':
          iniface     => '! lo',
          proto       => 'all',
          destination => '127.0.0.1/8',
          action      => 'reject',
        }
        -> firewall { '003 accept related established rules':
          proto  => 'all',
          state  => ['RELATED', 'ESTABLISHED'],
          action => 'accept',
        }
        -> firewall { '100 allow ssh access':
          dport  => 22,
          proto  => 'tcp',
          action => 'accept',
        }
      }
      class my_fw::post {
        firewall { '999 drop all':
          proto  => 'all',
          action => 'accept',
          before => undef,
        }
      }
      class my_fw {
        class { 'firewall': }
        class { 'my_fw::pre': }
        class { 'my_fw::post': }
        Firewall {
          before  => Class['my_fw::post'],
          require => Class['my_fw::pre'],
        }
      }

      The system is configured to use "iptables-legacy" instead of "iptables-nft" (due to a separate issue):

      root@apc:~# update-alternatives --display iptables
      iptables - manual mode
        link best version is /usr/sbin/iptables-nft
        link currently points to /usr/sbin/iptables-legacy
        link iptables is /usr/sbin/iptables
        slave iptables-restore is /usr/sbin/iptables-restore
        slave iptables-save is /usr/sbin/iptables-save
      /usr/sbin/iptables-legacy - priority 10
        slave iptables-restore: /usr/sbin/iptables-legacy-restore
        slave iptables-save: /usr/sbin/iptables-legacy-save
      /usr/sbin/iptables-nft - priority 20
        slave iptables-restore: /usr/sbin/iptables-nft-restore
        slave iptables-save: /usr/sbin/iptables-nft-save

      Please let me know if there's any additional information I can provide.  Thank you!
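The following Ruby is an added illustration and is not the puppetlabs-firewall provider's own code: it takes the first rule from the warning above and shows how a plain whitespace split turns the quoted comment into several values, while a tokenizer that honours double quotes and backslash escapes (the quoting iptables-save emits) keeps option and value counts aligned. The tokenizer and the option/value pairing are assumptions made for the illustration, so the absolute counts differ from the provider's (5)/(9).

```ruby
# Added illustration, not code from puppetlabs-firewall.
# First rule from the warning in this report, copied verbatim.
K3S_RULE = '-A CNI-HOSTPORT-DNAT -p tcp -m comment --comment ' \
           '"dnat name: \"cbr0\" id: \"51b5ab4bfffd46f1c286f98066cafc520df147198bec22ec0c812dab252964b1\"" ' \
           '-m multiport --dports 80 -j CNI-DN-6c854a1c6875bf32e16f3'

# Quote-aware split: whitespace separates tokens only outside double quotes,
# and a backslash inside quotes escapes the next character (\" -> ").
def tokenize(line)
  tokens = []
  cur = nil
  in_quote = false
  i = 0
  while i < line.length
    c = line[i]
    if in_quote
      if c == '\\' && i + 1 < line.length
        i += 1
        cur << line[i]          # keep the escaped character literally
      elsif c == '"'
        in_quote = false        # closing quote; token continues until whitespace
      else
        cur << c
      end
    elsif c == '"'
      in_quote = true
      cur ||= +''               # an empty "" is still a (blank) token
    elsif c.match?(/\s/)
      tokens << cur if cur
      cur = nil
    else
      (cur ||= +'') << c
    end
    i += 1
  end
  tokens << cur if cur
  tokens
end

# Group tokens into [option, values]; a token not starting with '-' belongs
# to the most recent option (assumed pairing, not the provider's algorithm).
def pair_options(tokens)
  pairs = []
  tokens.each do |t|
    if t.start_with?('-')
      pairs << [t, []]
    else
      raise ArgumentError, "value #{t.inspect} before any option" if pairs.empty?
      pairs.last[1] << t
    end
  end
  pairs
end

# [option count, value count] for a list of pairs.
def counts(pairs)
  [pairs.length, pairs.sum { |_, vals| vals.length }]
end

def naive_counts(line)
  counts(pair_options(line.split(' ')))
end

def quote_aware_counts(line)
  counts(pair_options(tokenize(line)))
end
```

With the whitespace split, the four spaces inside the comment become four surplus values (11 values for 7 options), the same surplus of four the warning reports; the quote-aware tokenizer yields one value per option and recovers the comment as dnat name: "cbr0" id: "51b5…".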

    • Assignee: Unassigned
    • Reporter: apcheamitru (Alexander Cheamitru)