Bug #15583
puppetlabs-firewall not working with libvirt default NAT and mangle rules
| Status: | Closed | Start date: | 07/18/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | firewall | Spent time: | - |
| Target version: | - | | |
| Keywords: | firewall iptables nat mangle flush puppetlabs-firewall | Branch: | |
Description
I have a CentOS 6.2 server with libvirt and the latest puppetmaster from the puppetlabs official yum repository. I have installed the puppetlabs-firewall module, which otherwise works great, but fails to purge the NAT and mangle tables.
The puppet directive only flushes the usual tables, but not nat and mangle:
resources { "firewall": purge => true }
Only does:
iptables --flush
So I have to manually run the following commands after server reboot:
iptables --table nat --flush
iptables --table mangle --flush
These are the firewall rules, which the puppetlabs-firewall recommended default configuration is ignoring:
Generated by iptables-save v1.4.7 on Wed Jul 18 18:28:40 2012
*mangle
:PREROUTING ACCEPT [259:90933]
:INPUT ACCEPT [259:90933]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:95850]
:POSTROUTING ACCEPT [219:95850]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
Completed on Wed Jul 18 18:28:40 2012
Generated by iptables-save v1.4.7 on Wed Jul 18 18:28:40 2012
*nat
:PREROUTING ACCEPT [5:358]
:POSTROUTING ACCEPT [12:824]
:OUTPUT ACCEPT [12:824]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
Completed on Wed Jul 18 18:28:40 2012
Because Puppet fails to purge these rules, it causes the puppet agent run to fail. After manually flushing nat and mangle, puppet will run again.
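The report's point is that `purge => true` only covers what `iptables --flush` covers, i.e. the filter table, so rules in nat and mangle survive untouched. The following check is an added example (not from the report or the puppetlabs-firewall module): it parses an iptables-save dump and lists the non-filter tables that still carry rules, run here against a constructed dump modelled on the one above.

```shell
#!/bin/sh
# Count "-A" rule lines per table in an iptables-save dump read from stdin.
# Output: one "<table> <count>" line per table, sorted by table name.
count_rules_per_table() {
  awk '
    /^\*/  { table = substr($0, 2); rules[table] += 0; next }   # "*nat" -> current table
    /^-A / { rules[table]++ }                                   # one appended rule
    END    { for (t in rules) printf "%s %d\n", t, rules[t] }
  ' | sort
}

# Tables other than filter that still hold rules: exactly the ones a plain
# "iptables --flush" (filter only) leaves behind after a purge.
unflushed_tables() {
  count_rules_per_table | awk '$1 != "filter" && $2 > 0 { print $1 }'
}

# Constructed sample dump (counters zeroed); rule content mirrors the report.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*mangle
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Stand-alone usage; on a live host replace the sample with: iptables-save | unflushed_tables
printf '%s\n' "$SAMPLE_DUMP" | count_rules_per_table
printf '%s\n' "$SAMPLE_DUMP" | unflushed_tables
```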
History
#1
Updated by Ken Barber 11 months ago
- Project changed from Puppet to Puppet Labs Modules
- Category deleted (modules)
#2
Updated by Ken Barber 11 months ago
- Description updated (diff)
- Category set to firewall
#3
Updated by Frederic Schaer 5 months ago
Hi,
I just faced that issue, in addition to the one described in http://projects.puppetlabs.com/issues/15126 . I believe I found a temporary workaround, which consists of editing line 110 of iptables.rb and replacing it with the following:
unless line =~ /#\s+|\:\S+|COMMIT|FATAL|virbr0|192.168.122.0\/24/
This will just ignore the virbr0 device and the libvirt NATed network – but the good thing, of course, would be to implement the basic libvirt rules using the puppet firewall, and prevent libvirt from inserting rules at startup.
Anyway, it seems libvirt is still going to add some rules on VM startup, so I guess purging the unknown firewall rules would prevent the libvirt hosts from getting a connection, wouldn't it?
Regards
#4
Updated by Ken Barber 4 months ago
- Status changed from Unreviewed to Closed
Hiya … I've fallen behind a bit on all this work; also, the bug tracker is moving to here: https://github.com/puppetlabs/puppet-firewall/issues I've managed to move what I still think is relevant and merge up items that are related. Consider this a slight declaration of 'ticket debt'. If you think your issue isn't represented in the new tracker, feel free to open a new one.
Apologies for any confusion :-).
Ken.
#5
Updated by Ken Barber 4 months ago
Sorry – the new URL is actually: http://github.com/puppetlabs/puppetlabs-firewall/issues … thanks @Wolfspyre.