Modules / MODULES-1612

iptables and ip6tables resource_maps out of sync


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Component: firewall
    • Environment: CentOS 6.6, Ubuntu 14.04
    • Sprint: MODS 2015-01-14

    Description

      I am in the process of setting up a new puppet installation and have had an odd error on one machine out of three. The error is:

      Error: Could not run: Invalid address from IPAddr.new: NEW

      This error occurred on a CentOS 6.6 box, but not on a different RHEL 6.5 box that has the same configuration applied to it.

      I have eventually tracked the problem down to some rogue IPv6 firewall rules that have appeared on the CentOS 6.6 box. The rule from ip6tables-save that causes the problem is:

      -A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT

      (I don't know ruby, so apologies if the following breakdown is wrong)

      Some debugging shows that the hash variable for the above ip6tables-save line, before the loop on line 342 of iptables.rb, contains:

      :destination=>"NEW",
      :proto=>"--dport",
      :chain=>"udp",
      :state=>["546"],
      :jump=>"ACCEPT"

      This point is reached via the ip6tables provider. One obvious difference between the iptables and ip6tables providers is that the resource_map variables are different. In fact, my error can be fixed by adjusting the value for the :dport key in ip6tables to match the value in iptables ["-m multiport --dports", "--dport"].

      It looks like various elements have been modified, or added, in resource_map in the iptables provider but the equivalent change hasn't been applied to the ip6tables provider. For example, the following keys have either been added or have differences for non-obvious reasons:

      :dport
      :dst_range
      :dst_type
      :ipsec_dir
      :ipsec_policy
      :mac_source
      :mask
      :set_mark
      :socket
      :sport
      :src_range
      :src_type
      :tcp_flags
      :ipset

      For the specific error I had, it's only the :dport difference that led to my error. I don't have enough understanding of the code to know if the differences above represent other problems, but the values specified in the iptables provider seem to be supported by both iptables and ip6tables on RHEL 6.5.
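To make the misparse concrete, here is an added, simplified Ruby reimplementation (not the firewall module's own rule_to_hash, and not from the reporter) of a resource_map-driven parser, run over the rule from the report with a constructed ip6tables map that lacks the bare "--dport" spelling and with the iptables map that has it. The map contents, the "-m module" stripping and the pair-from-the-end step are assumptions chosen to reproduce the hash shown above, not the provider's actual source.

```ruby
require 'ipaddr'

# Constructed, simplified stand-in for the two providers' resource_map.
# The iptables map knows both dport spellings; the ip6tables map here lacks
# the bare "--dport" that ip6tables-save emits for a single port.
IPTABLES_MAP = {
  chain: '-A', destination: '-d', proto: '-p', state: '-m state --state',
  dport: ['-m multiport --dports', '--dport'], jump: '-j'
}.freeze
IP6TABLES_MAP = IPTABLES_MAP.merge(dport: '-m multiport --dports').freeze

# The ip6tables-save line from the report.
RULE = '-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT'

# Parse a *-save line the way a resource_map-driven parser does (simplified):
# swap each recognised flag for its key name, drop "-m <module>" tokens, then
# pair keys with values from the end of the line. An unrecognised flag stays
# behind as a value and shifts every earlier pairing by one.
def rule_to_hash(line, resource_map)
  text = " #{line} "
  resource_map.flat_map { |key, flags| Array(flags).map { |f| [f, key] } }
              .sort_by { |flag, _| -flag.length } # longest flag first
              .each { |flag, key| text = text.gsub(" #{flag} ", " #{key} ") }
  text = text.gsub(/ -m \S+ /, ' ')               # e.g. "-m udp" carries no value
  keys, values = text.split.partition { |t| resource_map.key?(t.to_sym) }
  hash = keys.reverse.zip(values.reverse).map { |k, v| [k.to_sym, v] }.to_h
  hash[:state] = hash[:state].split(',') if hash[:state]
  hash
end

# The provider later hands :destination to IPAddr.new; with the misaligned
# hash that value is "NEW", which is what the reported error complains about.
# Returns nil when the address parses, otherwise the IPAddr error message.
def destination_error(hash)
  IPAddr.new(hash[:destination])
  nil
rescue IPAddr::InvalidAddressError => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  { 'ip6tables map' => IP6TABLES_MAP, 'iptables map' => IPTABLES_MAP }.each do |name, map|
    hash = rule_to_hash(RULE, map)
    puts "#{name}: #{hash.inspect}"
    puts "  IPAddr check: #{destination_error(hash) || 'ok'}"
  end
end
```

With the ip6tables map the hash comes out exactly as in the description (destination "NEW", proto "--dport", chain "udp", state ["546"]); with the iptables map dport is "546" and the destination is a valid fe80::/64.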

      People

        Assignee: Morgan Rhodes
        Reporter: Kevin Rogers