
nftables::bridges creates invalid rule names when bridge devices have multiple IP addresses #143

Closed
kienanstewart opened this issue Aug 23, 2022 · 0 comments · Fixed by #144

Comments

@kienanstewart (Contributor)

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.22
  • Ruby: 2.7.4p191
  • Distribution: Debian Bullseye
  • Module version: 2.2.1 (with a small patch to work with puppet 5.5)
  • Facter: 3.14.12

How to reproduce (e.g Puppet code you use)

Add a bridge interface with two IP addresses, e.g.

ip link add dev br1 type bridge
ip link set dev eth1 master br1
ip a add 172.16.1.11/24 dev br1
ip a add 172.16.1.10/32 dev br1

For the puppet code:

# @summary Configures nftables
#
class profile::nftables (
  Hash[String, Hash] $rules = {},
) {
  include nftables

  $rules.each | $n, $d | {
    nftables::rule { $n:
      * => $d,
    }
  }
  Nftables::Rule <| |>
}

What are you seeing

Puppet runs fail with the following error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Nftables::Rule[default_fwd-bridge_br1:0_br1:0]: parameter 'rulename' expects a match for Nftables::RuleName = Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/], got 'default_fwd-bridge_br1:0_br1:0' (file: /etc/puppet/code/environments/production/modules/nftables/manifests/bridges.pp, line: 14) on node x.test

The root cause of this appears to be $facts['networking']['interfaces'] having multiple entries for the bridge device: br1, and br1:0. I understand this to be related to the multiple assigned IP addresses.

What behaviour did you expect instead

I expect the puppet run to succeed, and based on what I think the intention of nftables::bridges is, that default_fwd rules be added for the bridge device br1, but not br1:0. Please see attached output of facter networking.interfaces.

Any additional information you'd like to impart

facter-networking.interfaces.txt
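The following Ruby sketch is an added illustration of the failure mode described in this issue; it is not code from the issue, the reporter, or the nftables module. It models the networking.interfaces fact as a constructed hash in which the bridge br1 appears twice (as br1 and as the secondary-address alias br1:0), builds rule names the naive way so that the alias leaks into the name, and then shows a normalisation step that strips the `:N` alias suffix and dedupes before naming. The bridge list, the fact layout and the naive naming logic are assumptions made for the example; only the Nftables::RuleName pattern and the rejected name come from the error message above.

```ruby
# Added example (not the nftables module's own code): why a bridge with a
# secondary address produces an invalid Nftables::RuleName, and one fix.

# Pattern quoted verbatim from the error message in this issue.
RULE_NAME = /^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/

# Constructed stand-in for $facts['networking']['interfaces']. The kernel
# reports the second address on br1 as the alias entry 'br1:0'.
INTERFACES = {
  'eth1'  => { 'mac' => '02:00:00:00:00:01' },
  'br1'   => { 'ip' => '172.16.1.11', 'netmask' => '255.255.255.0',   'mac' => '02:00:00:00:00:02' },
  'br1:0' => { 'ip' => '172.16.1.10', 'netmask' => '255.255.255.255', 'mac' => '02:00:00:00:00:02' },
}.freeze

# Hypothetical: the set of devices we consider bridges. How the real manifest
# identifies bridges is not shown in the issue, so it is an assumption here.
BRIDGES = %w[br1].freeze

# Naive (constructed) naming: every fact entry that belongs to a bridge gets
# its own default_fwd rule, so the alias 'br1:0' ends up inside the name.
def naive_rule_names(interfaces, bridges)
  interfaces.keys
            .select { |ifname| bridges.any? { |b| ifname.start_with?(b) } }
            .map { |ifname| "default_fwd-bridge_#{ifname}_#{ifname}" }
end

# Strip a trailing ':N' alias suffix so 'br1:0' collapses back to 'br1'.
def base_device(ifname)
  ifname.sub(/:\d+\z/, '')
end

# Fixed naming: normalise to the base device, dedupe, then keep only bridges.
def bridge_rule_names(interfaces, bridges)
  interfaces.keys
            .map { |ifname| base_device(ifname) }
            .uniq
            .select { |ifname| bridges.include?(ifname) }
            .map { |ifname| "default_fwd-bridge_#{ifname}_#{ifname}" }
end

# Same check Puppet performs when it types the rulename parameter.
def valid_rule_name?(name)
  RULE_NAME.match?(name)
end

def invalid_rule_names(names)
  names.reject { |name| valid_rule_name?(name) }
end

if $PROGRAM_NAME == __FILE__
  puts "naive:   #{naive_rule_names(INTERFACES, BRIDGES).inspect}"
  puts "invalid: #{invalid_rule_names(naive_rule_names(INTERFACES, BRIDGES)).inspect}"
  puts "fixed:   #{bridge_rule_names(INTERFACES, BRIDGES).inspect}"
end
```

Running it shows the naive list containing `default_fwd-bridge_br1:0_br1:0`, which fails the pattern because of the colon, while the normalised list contains a single `default_fwd-bridge_br1_br1` that passes. The same normalisation can be done in Puppet with a `regsubst` on the interface name followed by `unique`, before the names reach `nftables::rule`.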
