failing to setup a basic firewall

[anarcat]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 7.21.0-2
• Ruby: 3.1
• Distribution: Debian bookworm/testing
• Module version: 2.6.0

How to reproduce (e.g Puppet code you use)

node default {
  include nftables::rules::out::all
  include nftables::rules::ssh
}

What are you seeing

no table or ruleset created.

What behaviour did you expect instead

some magic rules allowing outgoing connexions and incoming on port 22.

Output log

anarcat@curie:nftables$ sudo pat
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
[...]
Info: Caching catalog for curie.anarc.at
Info: Applying configuration version '1674770130'
Warning: /Stage[main]/Nftables::Rules::Out::All/Nftables::Rule[default_out-all]/Concat::Fragment[nftables-inet-filter-chain-default_out-rule-all_header]/Concat_fragment[nftables-inet-filter-chain-default_out-rule-all_header]: Target Concat_file with path or title 'nftables-inet-filter-chain-default_out' or tag 'nftables-inet-filter-chain-default_out not found in the catalog
Warning: /Stage[main]/Nftables::Rules::Out::All/Nftables::Rule[default_out-all]/Concat::Fragment[nftables-inet-filter-chain-default_out-rule-all]/Concat_fragment[nftables-inet-filter-chain-default_out-rule-all]: Target Concat_file with path or title 'nftables-inet-filter-chain-default_out' or tag 'nftables-inet-filter-chain-default_out not found in the catalog
Warning: /Stage[main]/Nftables::Rules::Ssh/Nftables::Rule[default_in-ssh]/Concat::Fragment[nftables-inet-filter-chain-default_in-rule-ssh_header]/Concat_fragment[nftables-inet-filter-chain-default_in-rule-ssh_header]: Target Concat_file with path or title 'nftables-inet-filter-chain-default_in' or tag 'nftables-inet-filter-chain-default_in not found in the catalog
Warning: /Stage[main]/Nftables::Rules::Ssh/Nftables::Rule[default_in-ssh]/Concat::Fragment[nftables-inet-filter-chain-default_in-rule-ssh]/Concat_fragment[nftables-inet-filter-chain-default_in-rule-ssh]: Target Concat_file with path or title 'nftables-inet-filter-chain-default_in' or tag 'nftables-inet-filter-chain-default_in not found in the catalog
Notice: Applied catalog in 13.73 seconds

Any additional information you'd like to impart

I guess this is probably me just not understanding how this module (or nftable) works, but maybe a simple EXAMPLES section in the readme could help alleviate this kind of problems.

Alternatively, wth is going on here? :)

[anarcat]

turns out you just need to include nftables, surprised that those classes don't all do that on their own. i wonder if this is a documentation issue or if the rules classes should include nftables as well...

[nbarrientos]

Hi,

I know it's not exactly user-oriented but the acceptance tests could hint on how to use the module.

We can add a note to the README to make it more explicit but I'd say that the fact that users are expected to include nftables will continue to be the case.

[anarcat]

On 2023-01-27 00:40:08, Nacho Barrientos wrote: Are you including the class `nftables`?

No, I wasn't that's the prpoblem here. :) I wonder if the various rules* class should include nftables on their own, or if I should make an examples section.

I know it's not exactly user-oriented but the [acceptance tests](https://github.com/voxpupuli/puppet-nftables/blob/069c9fd2f7d075810ccb26a58237c63b32266658/spec/acceptance/default_spec.rb#L11) could hint on how to use the module.

Seems like I should make an examples section based on that anyway. :) Speaking of which, is "literal programming" a thing here? Could we e.g. run the EXAMPLES section in README.md as an acceptance test? That would be pretty sweet... a. -- My passionate sense of social justice and social responsibility has always contrasted oddly with my pronounced lack of need for direct contact with other human beings and communities. I am truly a "lone traveler" and have never belonged to my country, my home, my friends, or even my immediate family, with my whole heart; in the face of all these ties, I have never lost a sense of distance and a need for solitude. - Albert Einstein