MODULES-9750

puppetlabs-firewall : arguments to physdev-is-in


Details


      The puppetlabs-firewall module works with additional arguments to the iptables physdev option, like the inverse, for example:

      -m physdev ! --physdev-is-in

    • Modules
    • Customer Feedback
    • Reviewed
    • Needs Assessment

    Description

       If additional arguments are used in iptables rules with the physdev option, like the inverse:

      -m physdev ! --physdev-is-in

      the puppetlabs-firewall module is unable to parse these, and in an OpenShift environment this leads to a long loop.

      There were tickets which added the physdev-is-* options, but they seem to miss additional arguments like the inverse.

      https://tickets.puppetlabs.com/browse/MODULES-4234

      https://github.com/puppetlabs/puppetlabs-firewall/pull/685

      [root@XXXX provider]# puppet resource --verbose --debug --trace firewall

      Debug: Runtime environment: puppet_version=3.8.6, ruby_version=2.0.0, run_mode=user, default_encoding=UTF-8

      Debug: Puppet::Type::Firewall::ProviderIptables: [instances]

      Debug: Executing '/sbin/iptables-save'

      Warning: Puppet::Type::Firewall::ProviderIptables: Skipping unparsable iptables rule: keys (7) and values (11) count mismatch on line: -A KUBE-SERVICES -d 10.1.2.3/32 -p tcp -m comment --comment "mdm-platform-tip-qe-dev/nginx: external IP" -m tcp --dport 8080 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j YYY

      Debug: /Firewall[100 zds allow]: [validate]

      Debug: /Firewall[100 zds allow]: Provider iptables does not support features hop_limiting; not managing attribute hop_limit

      Debug: /Firewall[100 zds allow]: Provider iptables does not support features ishasmorefrags; not managing attribute ishasmorefrags

      Only the rule with "-m physdev ! --physdev-is-in" leads to the warning; the one without the inverse, i.e. "-m physdev --physdev-is-in", works fine.

      Chain KUBE-SERVICES (0 references)

      target     prot opt source               destination

      YYY        tcp  --  anywhere             10.1.2.3       /* mdm-platform-tip-qe-dev/nginx: external IP */ tcp dpt:webcache ADDRTYPE match src-type !LOCAL

      YYY        tcp  --  anywhere             10.1.2.3       /* mdm-platform-tip-qe-dev/nginx: external IP */ tcp dpt:webcache PHYSDEV match ! --physdev-is-in ADDRTYPE match src-type !LOCAL

      YYY        tcp  --  anywhere             10.1.2.3       /* mdm-platform-tip-qe-dev/nginx: external IP */ tcp dpt:webcache PHYSDEV match --physdev-is-in ADDRTYPE match src-type !LOCAL

      iptables -A KUBE-SERVICES -d 10.1.2.3/32 -p tcp -m comment --comment "mdm-platform-tip-qe-dev/nginx: external IP" -m tcp --dport 8080 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j YYY
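As an added illustration (this is example code written for this page, not code from puppetlabs-firewall, and not the provider's actual parsing logic), the Ruby script below shows why pairing option names with values by position breaks on the rule from this report, and how a tokenizer that knows which options take no argument and tracks the "!" prefix parses the same rule cleanly. The rule string is copied from the report; the FLAG_ONLY list, the function names and the naive counting strategy are assumptions of this example.

```ruby
require 'shellwords'

# Constructed sample, copied from the iptables-save line in the report.
RULE_NEGATED = '-A KUBE-SERVICES -d 10.1.2.3/32 -p tcp -m comment --comment ' \
               '"mdm-platform-tip-qe-dev/nginx: external IP" -m tcp --dport 8080 ' \
               '-m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j YYY'
# The same rule without the inverse on --physdev-is-in (the variant that "works fine").
RULE_PLAIN = RULE_NEGATED.sub('! --physdev-is-in', '--physdev-is-in')

# Naive pairing (assumed strategy, for illustration only): every token that starts
# with "-" is a key and every other token is a value. Returns [key_count, value_count].
# A valueless option contributes a key with no value and a "!" token contributes a
# value with no key, so the two counts drift apart depending on where "!" appears.
def naive_counts(line)
  tokens = Shellwords.split(line)
  keys = tokens.select { |t| t.start_with?('-') }
  values = tokens.reject { |t| t.start_with?('-') }
  [keys.length, values.length]
end

# Options that take no argument. Assumption for this example; the real set of
# valueless iptables match options is larger.
FLAG_ONLY = %w[--physdev-is-in --physdev-is-out --physdev-is-bridged].freeze

# Robust parse: walks the tokens in order and returns an array of
# [option, value, negated] triples. A "!" token sets a pending negation that is
# attached to the next option; flag-only options get the value true.
def parse_rule(line)
  tokens = Shellwords.split(line)
  out = []
  negate = false
  i = 0
  while i < tokens.length
    tok = tokens[i]
    if tok == '!'
      negate = true
    elsif !tok.start_with?('-')
      raise ArgumentError, "stray value #{tok.inspect} in rule"
    elsif FLAG_ONLY.include?(tok)
      out << [tok, true, negate]
      negate = false
    else
      value = tokens[i + 1]
      if value.nil? || value == '!' || value.start_with?('-')
        raise ArgumentError, "option #{tok} has no value"
      end
      out << [tok, value, negate]
      negate = false
      i += 1 # consume the value
    end
    i += 1
  end
  out
end

# All [value, negated] pairs for one option name, in order ("-m" repeats per match).
def option(parsed, name)
  parsed.select { |k, _, _| k == name }.map { |_, v, n| [v, n] }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive keys/values (negated): #{naive_counts(RULE_NEGATED).inspect}"
  puts "naive keys/values (plain):   #{naive_counts(RULE_PLAIN).inspect}"
  parse_rule(RULE_NEGATED).each { |k, v, n| puts "#{n ? '! ' : '  '}#{k} #{v.inspect}" }
end
```

On the negated rule the naive count gives 12 keys against 13 values, while the plain rule gives 12 against 12, which is why only the inverse form trips a count-mismatch check; the positional parser returns the same 12 options for both and records the negation on --physdev-is-in and --src-type explicitly.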

          People

            loredana.ionce Loredana Ionce
            domantas.speciunas@seb.se Domantas Speciunas