MODULES-9433

puppetlabs-firewall: [ Invalid address from IPAddr.new ]


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels:
      None
    • Environment:

      puppet 5.5.0

      puppetlabs-firewall 1.8.2

      Client : CentOS Linux release 7.4

    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Using puppetlabs-firewall 1.8.2 on client: CentOS Linux release 7.4 with puppet-agent-5.5.0 (puppet server puppet-5.5.0) is giving the following issue:

      Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
      Debug: Executing: '/sbin/iptables-save'
      Error: Could not run: Invalid address from IPAddr.new: XYZ_from
      /opt/puppetlabs/puppet/cache/lib/puppet/util/ipcidr.rb:12:in `rescue in initialize'
      /opt/puppetlabs/puppet/cache/lib/puppet/util/ipcidr.rb:7:in `initialize'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:544:in `new'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:544:in `block in rule_to_hash'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:530:in `each'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:530:in `rule_to_hash'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:336:in `block in instances'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:331:in `each'
      /opt/puppetlabs/puppet/cache/lib/puppet/provider/firewall/iptables.rb:331:in `instances'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1164:in `block in instances'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1163:in `collect'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:1163:in `instances'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/resource/ral.rb:24:in `search'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/indirector/indirection.rb:273:in `search'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/resource.rb:228:in `find_or_save_resources'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/resource.rb:142:in `block in main'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:65:in `override'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:260:in `override'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/resource.rb:137:in `main'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:383:in `run_command'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:375:in `block in run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:661:in `exit_on_fail'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:375:in `run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:137:in `run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:73:in `execute'
      /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

      I have kind of an idea why it's failing: on some systems, we are using iptables for monitoring or checking input/output traffic (not for actual firewall/iptables rules), and it looks like the firewall module is expecting it to be an actual iptables rule. As you can see below, there is no ACCEPT/REJECT/DROP. Also, the rules below are dynamically created by some application, so they are not stored in /etc/sysconfig/iptables.

      Is this something which you can help with?

      Example
      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      all -- 1.2.3.4/26 anywhere xyz-name xyz_to
      all -- 5.6.7.8/26 anywhere abc-name abc_to
      all -- 5.6.7.8/24 anywhere nxz-name nxz_to
      all -- 5.4.3.2/24 anywhere tyx-name tyx_to

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
      all -- anywhere 1.2.3.4/26 xyz-name xyz_to
      all -- anywhere 5.6.7.8/26 abc-name abc_to
      all -- anywhere 5.6.7.8/24 nxz-name nxz_to
      all -- anywhere 5.4.3.2/24 tyx-name tyx_to

      Thanks much

            People

            Assignee:
            Unassigned
            Reporter:
            rgarb16 Gaurav