Issue #15583 has been reported by Sakari Maaranen.
----------------------------------------
Bug #15583: puppetlabs-firewall not working with libvirt default NAT and mangle rules
https://projects.puppetlabs.com/issues/15583
Author: Sakari Maaranen
Status: Unreviewed
Priority: Normal
Assignee:
Category: modules
Target version:
Affected Puppet version: 2.7.18
Keywords: firewall iptables nat mangle flush puppetlabs-firewall
Branch:
I have a CentOS 6.2 server with libvirt and the latest puppetmaster from the
puppetlabs official yum repository. I have installed the puppetlabs-firewall
module, which otherwise works great, but fails to purge the NAT and mangle
tables.
The puppet directive only flushes the usual tables, but not nat and mangle:
resources { "firewall":
  purge => true
}
Only does:
iptables --flush
So I have to manually run the following commands after server reboot:
iptables --table nat --flush
iptables --table mangle --flush
These are the firewall rules which the puppetlabs-firewall recommended default
configuration is ignoring:
# Generated by iptables-save v1.4.7 on Wed Jul 18 18:28:40 2012
*mangle
:PREROUTING ACCEPT [259:90933]
:INPUT ACCEPT [259:90933]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:95850]
:POSTROUTING ACCEPT [219:95850]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Jul 18 18:28:40 2012
# Generated by iptables-save v1.4.7 on Wed Jul 18 18:28:40 2012
*nat
:PREROUTING ACCEPT [5:358]
:POSTROUTING ACCEPT [12:824]
:OUTPUT ACCEPT [12:824]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Jul 18 18:28:40 2012
Because Puppet fails to purge these rules, it causes the puppet agent run to
fail. After manually flushing nat and mangle, puppet will run again.
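As an added example (not part of the bug report or of puppetlabs-firewall), the following script shows how an operator can check an iptables-save dump for rules outside the filter table that the `purge => true` resource does not touch, so the condition in this report can be detected before an agent run fails. It assumes that puppetlabs-firewall tags every rule it manages with `-m comment --comment "NNN description"` and treats rules without such a tag as unmanaged; the sample dump is constructed from the nat and mangle rules quoted above plus one Puppet-managed filter rule.

```shell
#!/bin/sh
# Added example, not code from the bug report or the puppetlabs-firewall module.
# Lists iptables-save rules that live outside the filter table, which
# `resources { "firewall": purge => true }` does not flush, and flags those
# that carry no puppetlabs-firewall comment tag.
# Assumption: the module tags managed rules with -m comment --comment "NNN ...";
# rules without such a comment are treated as unmanaged.

# Constructed sample in iptables-save format: the libvirt nat/mangle rules
# quoted in the report plus one Puppet-managed filter rule.
sample_dump() {
  cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "100 allow ssh" -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin; print "<table> <rule>" for every -A rule
# in a table other than filter that has no Puppet-style comment tag.
unmanaged_non_filter_rules() {
  awk '
    /^\*/  { table = substr($0, 2); next }
    /^-A / { if (table != "filter" && $0 !~ /-m comment --comment "[0-9][0-9][0-9] /) print table, $0 }
  '
}

# Number of such rules; non-zero means an agent run with purge => true would
# leave them in place, which is the situation the report describes.
count_unmanaged_non_filter_rules() {
  unmanaged_non_filter_rules | wc -l | tr -d ' '
}

# Run against the constructed sample; a live check would pipe `iptables-save` in.
sample_dump | unmanaged_non_filter_rules
```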