The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #15505

puppetlabs-firewall module - option to use either nf_conntrack or ip_conntrack module

Added by Dumitru Gherman almost 4 years ago. Updated about 3 years ago.

Status: Closed
Start date: 07/12/2012
Priority: Normal
Due date:
Assignee: -
% Done:
Category: firewall
Spent time: -
Target version: -
Keywords:
Branch:

Looking at line 55, it seems that this module assumes you have loaded the ip_conntrack module. But some use nf_conntrack instead, and this module has a different syntax for some options in iptables. For example, line 55 in the above link becomes:

:state => "-m conntrack --ctstate",

Would it be possible to add an option to load either nf_conntrack or ip_conntrack, and have the :state resource aware of the different options? Thanks!


#1 Updated by Dustin Mitchell over 3 years ago

In RHEL, depending on how you write your rules, it “figures out” which of the two conntrack modules to use. This request is for the puppet module ( to duplicate that behavior.

#2 Updated by Ken Barber about 3 years ago

  • Status changed from Unreviewed to Closed

Hiya … I’ve fallen behind a bit on all this work, also the bug tracker is moving to here: I’ve managed to move what I still think is relevant and merge up items that are related. Consider this a slight declaration of ‘ticket debt’. If you think your issue isn’t represented in the new tracker, feel free to open a new one.

Apologies for any confusion :-).


#3 Updated by Ken Barber about 3 years ago

Sorry – the new URL is actually: … thanks @Wolfspyre.
