Uploaded image for project: 'Modules'
  1. Modules
  2. MODULES-11203

firewall : firewall uid insync function works incorrectly with uid range



    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment


      Basic Info
      Module Version: 3.2.0
      Puppet Version: 6.23.0
      OS Name/Version: CentOS 7

      iptables uid-owner options support defining a rule's owner through a username, a uid or a uid-range.

      [*!*] --uid-owner username

      [*!*] --uid-owner userid[*-*_userid_]Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

      The puppet-firewall firewall class accepts definition of rules with uid range such as 

      firewall { '002 drop smtp excepts for user 0 to 100':
        chain       => 'OUTPUT',
        proto       => 'tcp',
        dport       => [25],
        destination => $cidr,
        action      => 'drop',
        uid         => "! 0-100",

      When applying the manifest the first time, the rule gets created correctly in iptables. However, during the second apply, the application the rule fails with the following message:

      puppet-agent[712]: can't find user for 0-100

      After investigating, the error message comes from Etc.getpwnam. The function is called in firewall uid's insync method when the username is not strictly numeric. The problem stems from the regular expression that is used not considering the possibility uid can be numeric range, and falsely concludes the uid must be a username when a dash is present.

      The solution would be to fix the regular expression on line 1396 and 1403 (as of v3.2.0) to allow the presence of dashes. The same issue happens with gid when defining gid as a numeric range.

      I have submitted a fix on GitHub: https://github.com/puppetlabs/puppetlabs-firewall/pull/1019

      Desired Behavior:

      firewall rules with uid range do not create apply error on second apply.

      Actual Behavior:

      firewall rules with uid range generate errors on second apply.




            Unassigned Unassigned
            cmdntrf Félix-Antoine Fortin
            0 Vote for this issue
            1 Start watching this issue



                Zendesk Support