[Puppet Users] firewallchain issues w/ 1.0.0 release
Hi,

First, some software versions, just to get them out of the way:

- CentOS 5.x through CentOS 6.2
- Ruby 1.8.5 - 1.8.7
- Puppet 2.7.19
- Facter 1.6.11

Just a note - we're working from the EPEL repos almost exclusively.

I am working with the firewall module, and so far I am unable to use
firewallchain. Some digging suggests that it's not completely user error
(though I know I should never rule that out...). Here's my code:

    firewallchain { "SSH:FILTER:IPv4":
      ensure => present,
    }

That block of code results in this error:

puppet-agent[22035]: Failed to apply catalog: Parameter name failed:
Inbuilt chains must be in the form {chain}:{table}:{protocol} where
{table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty
(alias for filter), chain can be anything without colons or one of
PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the
inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet
bridging) got 'SSH:FILTER:IPv4' table:'' chain:'' protocol:''

That error code is produced in lib/puppet/type/firewallchain.rb, by
this snippet of code:

    validate do |value|
      if value !~ Nameformat then
        # (error message)
      else
        # (more stuff)
      end
    end

After poking at this a bit, it turns out that Nameformat is blank when
that if statement is run, instead of containing what is defined in
lib/puppet/provider/firewallchain/iptables_chain.rb.

I know very little about Ruby right now, so I'm not in a good position
to troubleshoot the Ruby code. I was wondering if someone else had run
into this issue, and if so, how did you solve it?

I would appreciate any help I can get on this, as I'm stumped.

-Chris B.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Dan White at Nov 14, 2012 at 5:09 pm
    I believe this is to implement user defined chain-names.
    It is a way to group firewall rules.

    Try this for explanation:
    http://my.safaribooksonline.com/book/operating-systems-and-server-administration/linux/0596004613/networking/linuxsvrhack-chp-4-sect-5

    “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
    Bill Watterson (Calvin & Hobbes)

    ----- Original Message -----
    From: "oogs" <oogs@merit.edu>
    To: puppet-users@googlegroups.com
    Sent: Wednesday, November 14, 2012 11:55:25 AM
    Subject: [Puppet Users] firewallchain issues w/ 1.0.0 release

    Hi,

    First, some software versions, just to get them out of the way:

    - CentOS 5.x through Centos 6.2
    - Ruby 1.8.5 - 1.8.7
    - Puppet 2.7.19
    - Facter 1.6.11

    Just a note - we're working from the EPEL repos almost exclusively.

    I am working with the firewall module, and so far I am unable to use
    firewallchain. Some digging suggests that it's not completely user error
    (though I know I should never rule that out...). Here's my code:

              firewallchain { "SSH:FILTER:IPv4" :
                      ensure => present,
              }

    That block of code results in this error:

    puppet-agent[22035]: Failed to apply catalog: Parameter name failed:
    Inbuilt chains must be in the form {chain}:{table}:{protocol} where
    {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty
    (alias for filter), chain can be anything without colons or one of
    PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the
    inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet
    bridging) got 'SSH:FILTER:IPv4' table:'' chain:'' protocol:''

    That error code is produced in lib/puppet/type/firewallchain.rb , by
    this snippet of code:

          validate do |value|
              if value !~ Nameformat then
                  (error message)
              else
                  (more stuff)
              end
         end

    After poking at this a bit, it turns out that Nameformat is blank when
    that if statement is run, instead of containing what is defined in
    lib/puppet/provider/firewallchain/iptables_chain.rb .

    I know very little about Ruby right now, so I'm not in a good position
    to trouble shoot the ruby code. I was wondering if someone else had run
    in to this issue, and if so, how did you solve it?

    I would appreciate any help I can get on this, as I'm stumped.

    -Chris B.

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Dan White at Nov 14, 2012 at 5:25 pm
    Also, did you see the example in the firewall module README.markdown?

    Creating a new rule that forwards to a chain, then adding a rule to this chain:

         firewall { '100 forward to MY_CHAIN':
           chain => 'INPUT',
           jump => 'MY_CHAIN',
         }
         # The namevar here is in the format chain_name:table:protocol
         firewallchain { 'MY_CHAIN:filter:IPv4':
           ensure => present,
         }
         firewall { '100 my rule':
           chain => 'MY_CHAIN',
           action => 'accept',
           proto => 'tcp',
           dport => 5000,
         }



  • Oogs at Nov 14, 2012 at 6:23 pm
    Hi,

    Yes, I did! I can create rules at will; the problem is that I can't
    create chains using firewallchain. Here's another snippet from my class:

        firewallchain { ['SMTP:FILTER:IPV4', 'HTTP:FILTER:IPV4', 'POP3:FILTER:IPV4', 'IMAP:FILTER:IPV4']:
          ensure => present,
        }

    (This results in 4 copies of the error message I pasted)

    Rules are created like this:

        firewall { '008 SMTP Jump':
          chain => 'INPUT',
          proto => 'tcp',
          dport => ['25', '465', '587', '1025'],
          jump  => 'SMTP',
        }->

    (...)

        firewall { '040 SMTP Allowed':
          chain  => 'SMTP',
          action => 'accept',
        }->

    (...)

    This should, in theory, create 4 chains (SMTP, HTTP, POP3, and IMAP),
    and then go ahead and create the appropriate rules. It follows the same
    syntax as the example; however, it produces the same error message that
    I mentioned in my original email.

    This isn't a syntax error, as far as I can tell. The error I get stems
    from an if/else statement that I believe is doing something odd. I
    mention this in the bottom half of my original email.

    When I replace the firewallchains call with a custom define that
    executes "iptables -N ${name}", I am able to create all my chains and
    rules assuming I start with a blank iptables. However, this starts to
    get tricky when I have some chains that already exist, and no easy/clean
    mechanism to check for their existence. I am trying to avoid this
    scenario, and would rather use firewallchains to manage my chains.

    -Chris B.

  • Robin Lee Powell at Oct 2, 2013 at 5:32 am
    It turns out that it has to be ":filter:", not ":FILTER:" as the
    docs state.

    -Robin
    --
    http://intelligence.org/ : Our last, best hope for a fantastic future.
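The case-sensitive name check Robin's reply describes, together with the chain-existence test Oogs wanted for his "iptables -N ${name}" define, as an added Ruby example that is not code from puppetlabs-firewall or from anyone in the thread. NAMEFORMAT is my reconstruction of the validator's observed behaviour (the module's real constant is not on the page), the case-insensitive protocol lookup in normalize_chain_name is my own addition, and SAMPLE_SAVE is a constructed iptables-save dump.

```ruby
# Added example, not code from puppetlabs-firewall: a validator of the shape
# the error message in this thread describes, plus an existence check parsed
# from iptables-save output for the "iptables -N ${name}" workaround.
TABLES    = %w[filter nat mangle raw rawpost broute].freeze
PROTOCOLS = %w[IPv4 IPv6 ethernet].freeze

# {chain}:{table}:{protocol}: chain without colons, table possibly empty (alias
# for filter), table and protocol matched case-sensitively, so 'SSH:FILTER:IPv4'
# is rejected and 'SSH:filter:IPv4' accepted. My reconstruction of the observed
# behaviour, not the module's own Nameformat constant.
NAMEFORMAT = /\A([^:]+):(#{TABLES.join('|')}|):(#{PROTOCOLS.join('|')})\z/

# Returns {chain:, table:, protocol:} or raises ArgumentError like the type does.
def parse_chain_name(value)
  m = NAMEFORMAT.match(value)
  raise ArgumentError, "must be {chain}:{table}:{protocol}, got '#{value}'" unless m
  chain, table, protocol = m.captures
  { chain: chain, table: table.empty? ? 'filter' : table, protocol: protocol }
end

# Rewrites a title written with the documented spelling (FILTER, IPV4) into the
# accepted form. Canonicalising the protocol token case-insensitively is my
# addition; the thread only reports the table name. Titles that do not split
# into three parts are returned unchanged so the validator rejects them.
def normalize_chain_name(value)
  chain, table, protocol = value.split(':', 3)
  return value if protocol.nil?
  canon = PROTOCOLS.find { |p| p.casecmp(protocol).zero? } || protocol
  "#{chain}:#{table.downcase}:#{canon}"
end

# Parses iptables-save text into { 'filter' => ['INPUT', 'SMTP'], ... }: chains
# are the ':NAME POLICY [pkts:bytes]' lines under a '*table' header.
def chains_from_save(text)
  chains = Hash.new { |h, k| h[k] = [] }
  table = nil
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('*')
      table = line[1..-1]
    elsif line.start_with?(':') && table
      chains[table] << line[1..-1].split(' ', 2).first
    end
  end
  chains
end

# True when the chain a firewallchain title names already exists in the dump,
# so a define wrapping "iptables -N" can skip it instead of failing.
def chain_present?(save_text, title)
  spec = parse_chain_name(title)
  chains_from_save(save_text).fetch(spec[:table], []).include?(spec[:chain])
end

# Constructed sample dump (not captured from a real host) with one user chain.
SAMPLE_SAVE = <<~SAVE
  *filter
  :INPUT ACCEPT [0:0]
  :SMTP - [0:0]
  -A INPUT -p tcp -m multiport --dports 25,465,587,1025 -j SMTP
  -A SMTP -j ACCEPT
  COMMIT
SAVE
```

On a real host the dump would come from `iptables-save` run before the define, so only chains missing from it get an `iptables -N`.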

Discussion Overview
group: puppet-users
categories: puppet
posted: Nov 14, '12 at 4:58p
active: Oct 2, '13 at 5:32a
posts: 5
users: 3
website: puppetlabs.com