The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #14755

firewall: iptables 1.4 changes how MARK works

Added by Sharif Nassar almost 2 years ago. Updated almost 2 years ago.

Status: Merged - Pending Release
Start date: 05/30/2012
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: firewall
Spent time: -
Target version: firewall 1.0.0
Keywords: firewall mark set-mark set-xmark
Branch:

Description

In iptables 1.3.x and earlier, --set-mark 0x1 will result in a rule that looks just like that. In iptables 1.4.x, --set-mark is merely an alias to --set-xmark.

Which means:

The firewall provider will not recognize rules added like so:

        firewall { "0100 Mark VIP foo":
            chain       => 'PREROUTING',
            jump        => 'MARK',
            table       => 'mangle',
            destination => $vip,
            set_mark    => $mark,
        }

So each run of puppet will add another rule.

Patch forthcoming.
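
The mismatch described in this report, as an added Ruby example (not code from puppetlabs-firewall or from the pull request linked below): on iptables 1.4.x, iptables-save prints a rule created with `--set-mark 0x1` as `--set-xmark 0x1/0xffffffff`, so a string comparison never matches, while reducing both spellings to a (value, mask) pair does. All method names and the sample rule lines are hypothetical and constructed for illustration.

```ruby
# Added example: helper names are hypothetical, not part of puppetlabs-firewall.
FULL_MASK = 0xffffffff

# Reduce a MARK target option to [value, mask] in --set-xmark terms.
# --set-mark V/M clears the bits in M and ORs in V, which is the same
# operation as --set-xmark V/(M|V); an omitted mask means 0xffffffff.
def canonical_mark(option, spec)
  value_s, mask_s = spec.to_s.split('/', 2)
  value = Integer(value_s) & FULL_MASK # accepts "1" as well as "0x1"
  mask  = mask_s ? Integer(mask_s) & FULL_MASK : FULL_MASK
  case option
  when '--set-xmark' then [value, mask]
  when '--set-mark'  then [value, mask | value]
  else raise ArgumentError, "unsupported MARK option: #{option}"
  end
end

# Pull the MARK action out of one iptables-save rule line (nil if none).
def mark_from_rule(line)
  m = line.match(/-j MARK (--set-x?mark) (\S+)/)
  m && canonical_mark(m[1], m[2])
end

# Naive check: compare the literal text the manifest would generate.
def naive_in_sync?(desired_set_mark, saved_rule_line)
  saved_rule_line.end_with?("--set-mark #{desired_set_mark}")
end

# Normalised check: compare what the rule does, not how it is spelled.
def mark_in_sync?(desired_set_mark, saved_rule_line)
  canonical_mark('--set-mark', desired_set_mark) == mark_from_rule(saved_rule_line)
end

# Constructed sample lines in the style of iptables-save output.
SAVED_13 = '-A PREROUTING -d 192.0.2.10/32 -j MARK --set-mark 0x1'
SAVED_14 = '-A PREROUTING -d 192.0.2.10/32 -j MARK --set-xmark 0x1/0xffffffff'

if __FILE__ == $PROGRAM_NAME
  [SAVED_13, SAVED_14].each do |line|
    puts "naive=#{naive_in_sync?('0x1', line)} normalised=#{mark_in_sync?('0x1', line)}  #{line}"
  end
end
```
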


Related issues

Duplicated by: Puppet Labs Modules - Bug #12982: set_mark not working | Duplicate | 03/06/2012
Blocks: Puppet Labs Modules - Refactor #14941: Release 1.0.0 | Closed | 06/10/2012 | 06/12/2012

History

#1 Updated by Sharif Nassar almost 2 years ago

https://github.com/puppetlabs/puppetlabs-firewall/pull/83

Tests pending..

#2 Updated by Ken Barber almost 2 years ago

  • Status changed from Unreviewed to In Topic Branch Pending Review
  • Target version set to firewall 1.0.0

I’m adding this as a target for the next release.

#3 Updated by Ken Barber almost 2 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
