The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #14755

firewall: iptables 1.4 changes how MARK works

Added by Sharif Nassar over 3 years ago. Updated over 3 years ago.

Status: Merged - Pending Release
Start date: 05/30/2012
Priority: Normal
Due date:
Assignee: -
% Done:
Category: firewall
Spent time: -
Target version: firewall 1.0.0
Keywords: firewall mark set-mark set-xmark
Branch:

In iptables 1.3.x and earlier, --set-mark 0x1 will result in a rule that looks just like that. In iptables 1.4.x, --set-mark is merely an alias to --set-xmark.

Which means:

The firewall provider will not recognize rules added like so:

        firewall { "0100 Mark VIP foo":
            chain       => 'PREROUTING',
            jump        => 'MARK',
            table       => 'mangle',
            destination => $vip,
            set_mark    => $mark,
        }

So each run of puppet will add another rule.

patch forthcoming

Related issues

Duplicated by Puppet Labs Modules - Bug #12982: set_mark not working Duplicate 03/06/2012
Blocks Puppet Labs Modules - Refactor #14941: Release 1.0.0 Closed 06/10/2012 06/12/2012
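
The mismatch described in this ticket, as an added example (not the module's code and not the submitted patch): a literal comparison against the saved rule fails once iptables 1.4 writes the mark back as `--set-xmark value/mask`, while comparing canonical forms keeps the resource idempotent. All function names and the sample rule lines are hypothetical; it assumes the saved form is `0x<value>/0x<mask>` with a default mask of 0xffffffff, and treats an explicit mask with --set-xmark semantics.

```ruby
# Added example; names are hypothetical, not the firewall module's API.
DEFAULT_MASK = 0xffffffff

# Canonicalise a declared mark ("1", "0x1", "0x1/0xff") to the
# "0x<value>/0x<mask>" form assumed for saved --set-xmark rules.
def canonical_mark(declared)
  value, mask = declared.to_s.strip.split('/', 2)
  v = Integer(value) # accepts "1" and "0x1"; raises ArgumentError on junk
  m = mask.nil? ? DEFAULT_MASK : Integer(mask)
  unless [v, m].all? { |n| n.between?(0, DEFAULT_MASK) }
    raise ArgumentError, "mark out of 32-bit range: #{declared}"
  end
  format('0x%x/0x%x', v, m)
end

# Pull the mark out of a saved rule line, whichever spelling it uses.
# Returns nil when the rule carries no mark at all.
def saved_mark(rule_line)
  found = rule_line.match(/--set-x?mark\s+(\S+)/)
  found && canonical_mark(found[1])
end

# Literal comparison: matches the 1.3-style line only, so on 1.4 the
# rule looks absent and is added again on every run.
def naive_in_sync?(declared, rule_line)
  rule_line.include?("--set-mark #{declared}")
end

# Comparison on canonical forms: matches both spellings.
def in_sync?(declared, rule_line)
  canonical_mark(declared) == saved_mark(rule_line)
end

# Constructed sample lines (192.0.2.10 is a documentation address).
OLD_STYLE = '-A PREROUTING -d 192.0.2.10/32 -j MARK --set-mark 0x1'
NEW_STYLE = '-A PREROUTING -d 192.0.2.10/32 -j MARK --set-xmark 0x1/0xffffffff'

if __FILE__ == $PROGRAM_NAME
  [OLD_STYLE, NEW_STYLE].each do |line|
    puts "naive=#{naive_in_sync?('0x1', line)} canonical=#{in_sync?('0x1', line)}  #{line}"
  end
end
```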


#1 Updated by Sharif Nassar over 3 years ago

Tests pending..

#2 Updated by Ken Barber over 3 years ago

  • Status changed from Unreviewed to In Topic Branch Pending Review
  • Target version set to firewall 1.0.0

I’m adding this as a target for the next release.

#3 Updated by Ken Barber over 3 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release
