puppetlabs/firewall module errors


Amol Kedar

Aug 29, 2013, 12:57:09 AM
to puppet...@googlegroups.com

I am using the puppetlabs firewall module and I get the following error on the agent.

Once I downloaded the puppet module, I created another module called myfw for the pre.pp and post.pp files: myfw/manifests/pre.pp my_fw/manifests/post.pp

And in my site.pp I included these lines:

resources { "firewall":
  purge => true
}
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
class { ['my_fw::pre', 'my_fw::post']: }
class { 'firewall': }

I see this error in the daemon.log of the agent machine:

Aug 28 17:11:07 dev2-db puppet-agent[5154]: (/Stage[main]//Node[dev2-db]/Resources[firewall]) Failed to generate additional resources using 'generate': Invalid address from IPAddr.new: !
Aug 28 17:11:08 dev2-db puppet-agent[5154]: Could not prefetch firewall provider 'iptables': Invalid address from IPAddr.new: !
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[000 accept all icmp]) Could not evaluate: Invalid address from IPAddr.new: !
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[001 accept all to lo interface]) Dependency Firewall[000 accept all icmp] has failures: true
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[001 accept all to lo interface]) Skipping because of failed dependencies
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[002 accept related established rules]) Dependency Firewall[000 accept all icmp] has failures: true
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[002 accept related established rules]) Skipping because of failed dependencies
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[999 drop all]) Dependency Firewall[000 accept all icmp] has failures: true
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[999 drop all]) Skipping because of failed dependencies
Aug 28 17:11:08 dev2-db puppet-agent[5154]: Finished catalog run in 1.19 seconds

If anyone has any prior experience with this, please let me know.





Ashley Penney

Aug 29, 2013, 8:34:34 AM
to puppet...@googlegroups.com
On Thu, Aug 29, 2013 at 12:57 AM, Amol Kedar <ajk...@gmail.com> wrote:

I see this error in the daemon.log of the agent machine:

Aug 28 17:11:07 dev2-db puppet-agent[5154]: (/Stage[main]//Node[dev2-db]/Resources[firewall]) Failed to generate additional resources using 'generate': Invalid address from IPAddr.new: !
Aug 28 17:11:08 dev2-db puppet-agent[5154]: Could not prefetch firewall provider 'iptables': Invalid address from IPAddr.new: !
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[000 accept all icmp]) Could not evaluate: Invalid address from IPAddr.new: !
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[001 accept all to lo interface]) Dependency Firewall[000 accept all icmp] has failures: true
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[001 accept all to lo interface]) Skipping because of failed dependencies
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[002 accept related established rules]) Dependency Firewall[000 accept all icmp] has failures: true
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[002 accept related established rules]) Skipping because of failed dependencies
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[999 drop all]) Dependency Firewall[000 accept all icmp] has failures: true
Aug 28 17:11:08 dev2-db puppet-agent[5154]: (/Firewall[999 drop all]) Skipping because of failed dependencies
Aug 28 17:11:08 dev2-db puppet-agent[5154]: Finished catalog run in 1.19 seconds

If anyone has any prior experience with this, please let me know.

I haven't seen this before but - can you show me a full iptables from an existing client, a full ifconfig, and maybe even the result of:

$ irb
irb(main):002:0> require 'ipaddr'
=> true
irb(main):003:0> IPAddr.new
=> #<IPAddr: IPv6:0000:0000:0000:0000:0000:0000:0000:0000/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff>

That's what I get for a plain call to IPAddr.new, I'm wondering what you're getting.
 
--
Ashley Penney
Module Engineer


James Loosli

Nov 5, 2013, 3:42:26 PM
to puppet...@googlegroups.com
I'm getting this same error, but for me it shows up from a basic puppet resource firewall;

root@drawer:/etc/puppet/environments/development/modules# puppet resource firewall
Error: Could not run: Invalid address from IPAddr.new: !

root@drawer:/etc/puppet/environments/development/modules# irb
irb(main):001:0> require 'ipaddr'
=> true
irb(main):002:0> IPAddr.new
=> #<IPAddr: IPv6:0000:0000:0000:0000:0000:0000:0000:0000/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff>

My ip config;

root@drawer:/etc/puppet/environments/development/modules# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:a7:98:79 brd ff:ff:ff:ff:ff:ff
    inet 208.115.208.242/29 brd 208.115.208.247 scope global eth0
    inet6 fe80::225:90ff:fea7:9879/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:25:90:a7:98:78 brd ff:ff:ff:ff:ff:ff
    inet 10.4.16.194/30 brd 10.4.16.195 scope global eth1
    inet6 fe80::225:90ff:fea7:9878/64 scope link
       valid_lft forever preferred_lft forever

Tomas Barton

Dec 12, 2013, 9:26:37 AM
to puppet...@googlegroups.com
I'm getting the same error. Any progress on this?

Thanks,
Tomas

Zane Williamson

Dec 31, 2013, 1:14:32 AM
to puppet...@googlegroups.com
I am having the same issue described here. 

Zane Williamson

Dec 31, 2013, 2:19:04 AM
to puppet...@googlegroups.com
All of my other servers seem fine, but this is a new virtual server on a Xen host. I wonder if it could be related to the virtualization and network bridging.

$ puppet resource firewall --debug --verbose
Debug: Puppet::Type::Firewall::ProviderIptables: [instances]
Debug: Executing '/sbin/iptables-save'

Zane Williamson

Dec 31, 2013, 2:39:39 AM
to puppet...@googlegroups.com
My issue is related to 

-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE

The "!" mark is breaking the parsing method.

Appears to be related to 

and
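
The parsing failure described in the last message, as an added example that is not part of the thread and is not the puppetlabs firewall module's code: a negation-aware extraction of `-s`/`-d` addresses from iptables-save lines, validated with IPAddr. The helper names and the last two sample rules are assumptions made up for illustration.

```ruby
require 'ipaddr'
require 'shellwords'

# Constructed sample: the three nat rules quoted in the thread, plus one
# rule in the older "-s ! addr" negation syntax and one without negation.
SAMPLE_RULES = <<~RULES.lines.map(&:chomp)
  -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
  -A INPUT -s ! 10.0.0.0/8 -j DROP
  -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
RULES

ADDR_FLAGS = { '-s' => :source, '--source' => :source,
               '-d' => :destination, '--destination' => :destination }.freeze

# Hypothetical helper: extract source/destination from one iptables-save
# line, accepting "! -d addr" and "-d ! addr". The "!" is recorded as a
# flag and never handed to IPAddr.new as if it were the address.
def parse_addresses(line)
  tokens = Shellwords.split(line)
  result = {}
  tokens.each_with_index do |tok, i|
    field = ADDR_FLAGS[tok] or next
    negated = i > 0 && tokens[i - 1] == '!'
    value = tokens[i + 1]
    if value == '!'
      negated = true
      value = tokens[i + 2]
    end
    raise ArgumentError, "missing address after #{tok}" if value.nil?
    IPAddr.new(value) # raises an ArgumentError subclass on a bad address
    result[field] = { address: value, negated: negated }
  end
  result
end

# Triage helper: which lines of an iptables-save dump use "!" at all?
def negated_rules(lines)
  lines.select { |l| Shellwords.split(l).include?('!') }
end

# What IPAddr does when a parser passes it a bare token such as "!".
def naive_token_is_valid?(token)
  IPAddr.new(token)
  true
rescue ArgumentError
  false
end
```

Running `negated_rules` over the output of `/sbin/iptables-save` on a host where `puppet resource firewall` fails shows which existing rules carry a `!` and are candidates for the prefetch error.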