Hi,

First, some software versions, just to get them out of the way:

- CentOS 5.x through CentOS 6.2
- Ruby 1.8.5 - 1.8.7
- Puppet 2.7.19
- Facter 1.6.11

Just a note - we're working from the EPEL repos almost exclusively.

I am working with the firewall module, and so far I am unable to use firewallchain. Some digging suggests that it's not completely user error (though I know I should never rule that out...).

Here's my code:

    firewallchain { "SSH:FILTER:IPv4" :
      ensure => present,
    }

That block of code results in this error:

    puppet-agent[22035]: Failed to apply catalog: Parameter name failed: Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got 'SSH:FILTER:IPv4' table:'' chain:'' protocol:''

That error code is produced in lib/puppet/type/firewallchain.rb, by this snippet of code:

    validate do |value|
      if value !~ Nameformat then
        (error message)
      else
        (more stuff)
      end
    end

After poking at this a bit, it turns out that Nameformat is blank when that if statement is run, instead of containing what is defined in lib/puppet/provider/firewallchain/iptables_chain.rb.

I know very little about Ruby right now, so I'm not in a good position to troubleshoot the Ruby code. I was wondering if someone else had run into this issue, and if so, how did you solve it?

I would appreciate any help I can get on this, as I'm stumped.

-Chris B.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I believe this is to implement user defined chain-names.
It is a way to group firewall rules.

Try this for explanation:
http://my.safaribooksonline.com/book/operating-systems-and-server-administration/linux/0596004613/networking/linuxsvrhack-chp-4-sect-5

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

----- Original Message -----
From: "oogs" <oogs@merit.edu>
To: puppet-users@googlegroups.com
Sent: Wednesday, November 14, 2012 11:55:25 AM
Subject: [Puppet Users] firewallchain issues w/ 1.0.0 release
Also, did you see the example in the firewall module README.markdown?

Creating a new rule that forwards to a chain, then adding a rule to this chain:

    firewall { '100 forward to MY_CHAIN':
      chain => 'INPUT',
      jump  => 'MY_CHAIN',
    }
    # The namevar here is in the format chain_name:table:protocol
    firewallchain { 'MY_CHAIN:filter:IPv4':
      ensure => present,
    }
    firewall { '100 my rule':
      chain  => 'MY_CHAIN',
      action => 'accept',
      proto  => 'tcp',
      dport  => 5000,
    }

----- Original Message -----
From: "Dan White" <ygor@comcast.net>
To: puppet-users@googlegroups.com
Sent: Wednesday, November 14, 2012 12:09:48 PM
Subject: Re: [Puppet Users] firewallchain issues w/ 1.0.0 release
Hi,

Yes, I did! I can create rules at will, the problem is that I can't create chains using firewallchain. Here's another snippet from my class:

    firewallchain { ['SMTP:FILTER:IPV4','HTTP:FILTER:IPV4','POP3:FILTER:IPV4','IMAP:FILTER:IPV4']:
      ensure => present,
    }

(This results in 4 copies of the error message I pasted)

Rules are created like this:

    firewall { '008 SMTP Jump':
      chain => 'INPUT',
      proto => 'tcp',
      dport => ['25','465','587','1025'],
      jump  => 'SMTP',
    }->

    (...)

    firewall { '040 SMTP Allowed':
      chain  => 'SMTP',
      action => 'accept',
    }->

    (...)

This should, in theory, create 4 chains (SMTP, HTTP, POP3, and IMAP), and then go ahead and create the appropriate rules. It follows the same syntax as the example; however, it produces the same error message that I mentioned in my original email.

This isn't a syntax error, as far as I can tell. The error I get stems from an if/else statement that I believe is doing something odd. I mention this in the bottom half of my original email.

When I replace the firewallchains call with a custom define that executes "iptables -N ${name}", I am able to create all my chains and rules assuming I start with a blank iptables. However, this starts to get tricky when I have some chains that already exist, and no easy/clean mechanism to check for their existence. I am trying to avoid this scenario, and would rather use firewallchains to manage my chains.

-Chris B.

On 11/14/12 12:25 PM, Dan White wrote:
> Also, did you see the example in the firewall module README.markdown ?
Robin Lee Powell
2013-Oct-02 05:32 UTC
Re: [Puppet Users] firewallchain issues w/ 1.0.0 release
It turns out that it has to be ":filter:", not ":FILTER:" as the docs state.

-Robin

On Wed, Nov 14, 2012 at 01:23:36PM -0500, oogs wrote:
> Hi,
>
> Yes, I did! I can create rules at will, the problem is that I can't
> create chains using firewallchain.

-- 
http://intelligence.org/ : Our last, best hope for a fantastic future.

.i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
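Two points in this thread lend themselves to a small worked example: Robin's finding that the firewallchain namevar wants ":filter:" rather than ":FILTER:", and Chris's earlier problem of having no clean way to tell whether a chain already exists before running "iptables -N". The Ruby below is added here as an illustration and is not the puppetlabs-firewall module's own code. It models the {chain}:{table}:{protocol} format from the error message in the first post, assumes the table names are matched in lowercase (consistent with the README's MY_CHAIN:filter:IPv4 and Robin's fix), and parses iptables-save style text to decide whether a chain is already present. Every constant and method name (NAME_FORMAT, parse_chain_name, existing_chains, create_chain_plan, SAMPLE_SAVE) is the example's own, and the save output is constructed for the demonstration.

```ruby
# Added example for this thread, not the puppetlabs-firewall module's own code.
# Models the firewallchain namevar {chain}:{table}:{protocol}; the table list is
# assumed to be lowercase, as in the README example and Robin's ":filter:" finding.

INBUILT_CHAINS = %w[PREROUTING POSTROUTING BROUTING INPUT FORWARD OUTPUT].freeze
TABLES         = %w[filter nat mangle raw rawpost broute].freeze  # assumed lowercase
PROTOCOLS      = %w[IPv4 IPv6 ethernet].freeze

# chain: an inbuilt name or any non-empty colon-free string; table: one of
# TABLES or empty (alias for filter); protocol: one of PROTOCOLS. Case-sensitive.
NAME_FORMAT = /\A(#{INBUILT_CHAINS.join('|')}|[^:]+):(#{TABLES.join('|')}|):(#{PROTOCOLS.join('|')})\z/

class ChainNameError < ArgumentError; end

# Split a namevar into its parts, or raise naming the offending value.
def parse_chain_name(value)
  m = NAME_FORMAT.match(value)
  raise ChainNameError, "name must be {chain}:{table}:{protocol}, got '#{value}'" unless m
  table = m[2].empty? ? 'filter' : m[2]   # empty table is an alias for filter
  { chain: m[1], table: table, protocol: m[3], inbuilt: INBUILT_CHAINS.include?(m[1]) }
end

def valid_chain_name?(value)
  parse_chain_name(value)
  true
rescue ChainNameError
  false
end

# Parse iptables-save style output into { table => [chain, ...] }.
# A "*name" line opens a table; ":NAME policy [pkts:bytes]" declares a chain in it.
def existing_chains(save_output)
  chains = Hash.new { |h, k| h[k] = [] }
  table = nil
  save_output.each_line do |raw|
    line = raw.strip
    if line.start_with?('*')
      table = line[1..-1]
    elsif line.start_with?(':') && table
      chains[table] << line[1..-1].split(' ').first
    end
  end
  chains
end

# The command that would create the chain, or nil when it already exists in
# that table. Returned as an argv list; nothing is executed here.
def create_chain_plan(value, save_output)
  p = parse_chain_name(value)
  raise ChainNameError, "inbuilt chain #{p[:chain]} cannot be created" if p[:inbuilt]
  return nil if existing_chains(save_output)[p[:table]].include?(p[:chain])
  tool = { 'IPv4' => 'iptables', 'IPv6' => 'ip6tables', 'ethernet' => 'ebtables' }[p[:protocol]]
  [tool, '-t', p[:table], '-N', p[:chain]]
end

# Constructed iptables-save output: the SMTP chain from Chris's manifest already exists.
SAMPLE_SAVE = <<~SAVE
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :SMTP - [0:0]
  -A INPUT -p tcp -m multiport --dports 25,465,587,1025 -j SMTP
  -A SMTP -j ACCEPT
  COMMIT
SAVE

if __FILE__ == $PROGRAM_NAME
  %w[SSH:FILTER:IPv4 SSH:filter:IPv4 SMTP:FILTER:IPV4 HTTP::IPv4].each do |name|
    puts "#{name}: #{valid_chain_name?(name) ? parse_chain_name(name).inspect : 'rejected'}"
  end
  %w[SMTP:filter:IPv4 HTTP:filter:IPv4].each do |name|
    plan = create_chain_plan(name, SAMPLE_SAVE)
    puts "#{name}: #{plan ? plan.join(' ') : 'already present'}"
  end
end
```

Under this assumed case-sensitive format, Chris's 'SMTP:FILTER:IPV4' fails on both the table and the protocol spelling, while 'SMTP:filter:IPv4' and the shorthand 'SMTP::IPv4' parse to the same chain in the filter table. Feeding the plan function the current iptables-save output is what makes the "iptables -N" step safe to repeat: it returns nil for chains that are already declared instead of re-running a creation that would fail.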