package "iptables" has been replaced by "iptables-nft" on EL9 #1085

Merged: 1 commit, Dec 6, 2022

@kjetilho kjetilho commented Nov 6, 2022

There are some pointers given by dnf about "iptables", but these confuse Puppet into aborting with the error message:

Error: /Stage[main]/Firewall::Linux/Package[iptables]: Could not evaluate: no implicit conversion of Array into Hash

Fedora had a similar patch in commit 486e4b5 which I think fixed the bug https://tickets.puppetlabs.com/browse/MODULES-11147 but the same issue reared its head here on AlmaLinux 9.0.

The RPM for iptables-legacy states:

This package contains the legacy tools which are obsoleted by
nft-variants in iptables-nft package for backwards compatibility reasons.
If you need to set up firewalls and/or IP masquerading, you should not install
this package but either nftables or iptables-nft instead.

@kjetilho kjetilho requested a review from a team as a code owner November 6, 2022 16:10
@puppet-community-rangefinder

firewall::params is a class that may have no external impact to Forge modules.

This module is declared in 106 of 580 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@kjetilho
Contributor Author

kjetilho commented Dec 5, 2022

Thanks for triggering the jobs. Now, this is interesting, the tests fail on EL9 in the nflog-range test

From my test server:

[root@test-alma9 ~]# iptables -A BLOCKOUT -j NFLOG --nflog-range 16 
warn: --nflog-range has never worked and is no longer supported, please use --nflog-size insted

However, the module does not currently support --nflog-size. I feel a fix for this is off-topic for my patch?

@jordanbreen28
Contributor

Hi @kjetilho
Thanks for taking a further look into the test failures!
We are aware that this module has begun to fail on el9 and are actively looking into this.
If you feel you may have a suitable fix please do feel free to open a separate PR. :-)
We appreciate all your work with this!

@kjetilho
Contributor Author

kjetilho commented Dec 5, 2022

EL6 and EL7 do not support --nflog-size:

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this  option
              overrides it.

@kjetilho kjetilho closed this Dec 5, 2022
@kjetilho kjetilho reopened this Dec 5, 2022
@kjetilho
Contributor Author

kjetilho commented Dec 5, 2022

(There must be a keyboard shortcut to close issues inadvertently?)

I opened PR #1096 for this issue so we can apply the PRs cleanly.

@jordanbreen28
Contributor

Hi @kjetilho - could you rebase with the current main so the tests rekick & pass, so I can approve :)

@jordanbreen28
Contributor

Closing & Re-opening to rekick tests

@jordanbreen28 jordanbreen28 left a comment

Approved - thanks again for your hard work @kjetilho. :-)

@jordanbreen28 jordanbreen28 merged commit e7efae5 into puppetlabs:main Dec 6, 2022
@kjetilho kjetilho deleted the fix/iptables-el9 branch February 14, 2023 13:49