
set_mark not usable in Filter table #1239

Open
ba0f3 opened this issue Oct 22, 2024 · 0 comments


ba0f3 commented Oct 22, 2024

Describe the Bug

While attempting to translate Tailscale iptables rules into puppetlabs-firewall code, I encountered an issue using the set_mark parameter within the filter table's FORWARD chain. The original iptables rule that works is as follows:

-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000

This rule was translated into Puppet code:

firewall { '011 MARK traffic for Tailscale':
  chain    => 'ts-forward',
  iniface  => 'tailscale0',
  jump     => 'mark',
  set_mark => '0x40000/0xff0000',
}

However, this results in the following runtime error:

 /tmp/d20241022-4294-1o88qvo/modules/firewall/lib/puppet/type/firewall.rb:2409:in `block (2 levels) in <top (required)>': Parameter set_mark only applies to the mangle table and when jump => MARK (RuntimeError)
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2300:in `block in validate'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2405:in `validate_resource'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/type.rb:2391:in `initialize'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:512:in `new'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource.rb:512:in `to_ral'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:610:in `block in to_catalog'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:602:in `each'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:602:in `to_catalog'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:495:in `to_ral'
        from /tmp/1ef13f46-3dc8-4e48-877c-8af603999b9c/apply_catalog.rb:101:in `block in <main>'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:62:in `override'
        from /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:289:in `override'
        from /tmp/1ef13f46-3dc8-4e48-877c-8af603999b9c/apply_catalog.rb:93:in `<main>'

The problem seems to stem from puppetlabs-firewall restricting the set_mark parameter to the mangle table, even though marking traffic is valid in the filter table (as demonstrated in the original iptables rule).

Expected Behavior

The set_mark parameter should be allowed in the filter table (specifically within the FORWARD chain) when marking traffic, similar to how iptables allows the --set-xmark flag in a filter chain.

Steps to Reproduce

Steps to reproduce the behavior:

1. Describe a firewall rule as above.

Environment

  • firewall 5.0.0
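To make the reported validation concrete, here is an added Ruby example (not puppetlabs-firewall's own code): it translates the iptables rule from the report into a resource hash and models both the strict check the runtime error describes and the relaxed check the report asks for. The function names and the relaxed variant's error text are assumptions, not anything the module ships.

```ruby
# Added example, not puppetlabs-firewall code: a stand-alone model of the
# set_mark validation discussed in this issue. The check functions are
# hypothetical reimplementations of the behaviour the error message reports.

# Translate one "-A <chain> [-i <iface>] -j MARK --set-xmark <mark>" iptables
# rule into the attribute hash a puppet firewall resource would carry.
# The table is not part of an "-A" line, so it defaults to filter, as in iptables.
def iptables_mark_rule_to_resource(rule, table: 'filter')
  tokens = rule.split
  res = { 'table' => table }
  tokens.each_with_index do |tok, i|
    case tok
    when '-A' then res['chain'] = tokens[i + 1]
    when '-i' then res['iniface'] = tokens[i + 1]
    when '-j' then res['jump'] = tokens[i + 1]
    when '--set-xmark', '--set-mark' then res['set_mark'] = tokens[i + 1]
    end
  end
  res
end

# Current behaviour, as the runtime error in the report states it:
# set_mark is rejected unless table == mangle AND jump == MARK.
# Returns the error string, or nil when the resource is accepted.
def set_mark_error_strict(res)
  return nil unless res['set_mark']
  return nil if res['table'] == 'mangle' && res['jump'].to_s.upcase == 'MARK'
  'Parameter set_mark only applies to the mangle table and when jump => MARK'
end

# Relaxed check the report asks for: still require jump => MARK (set_mark is
# meaningless for any other target) but accept any table, since iptables
# itself accepts the MARK target in a filter chain.
def set_mark_error_relaxed(res)
  return nil unless res['set_mark']
  return nil if res['jump'].to_s.upcase == 'MARK'
  'Parameter set_mark requires jump => MARK'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the exact rule quoted in the report.
  res = iptables_mark_rule_to_resource(
    '-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000'
  )
  puts "strict:  #{set_mark_error_strict(res) || 'accepted'}"
  puts "relaxed: #{set_mark_error_relaxed(res) || 'accepted'}"
end
```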