Bug 1488492 - fail to use jump with tripleo::firewall::rule
Summary: fail to use jump with tripleo::firewall::rule
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: z5
: 10.0 (Newton)
Assignee: Emilien Macchi
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks: 1488631
 
Reported: 2017-09-05 14:06 UTC by Cyril Lopez
Modified: 2020-12-14 09:52 UTC (History)

Fixed In Version: puppet-tripleo-5.6.1-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1488631 (view as bug list)
Environment:
Last Closed: 2017-09-28 16:35:22 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Launchpad 1669763 0 None None None 2017-09-05 14:06:38 UTC
OpenStack gerrit 501014 0 None None None 2017-09-05 22:10:23 UTC
Red Hat Product Errata RHBA-2017:2825 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 director Bug Fix Advisory 2017-09-28 20:33:35 UTC

Description Cyril Lopez 2017-09-05 14:06:39 UTC
Description of problem:
Unable to use jump following https://forge.puppet.com/puppetlabs/firewall

Version-Release number of selected component (if applicable):
puppet-tripleo-5.6.1-2.el7ost.noarch

How reproducible:

Try to deploy this rule:
       '410 allow marking':
          port: 10051
          proto: tcp
          source: 10.0.0.8
          extra: {
            table: mangle,
            jump: dscp,
            set_dscp: 12
          } 

It fails because action is by default ACCEPT.

Launchpad bug: https://bugs.launchpad.net/tripleo/+bug/1669763

Comment 1 Alex Schultz 2017-09-06 03:03:06 UTC
It should be noted that the key is 'extras' not 'extra'.  https://github.com/openstack/puppet-tripleo/blob/stable/newton/manifests/firewall/rule.pp#L62  So in theory we don't need to backport the jump support as it should be available set the correct key in THT.  The related bug was for first class support of jump so that it didn't need to be passed via 'extras'.  Please have the customer try using 'extras' and let us know if that fixes the issue before we go backporting patches.

Comment 2 Cyril Lopez 2017-09-06 08:09:40 UTC
Alex,
As you can see in the example, we tested it, and also:

       '410 allow marking':
          port: 10051
          proto: tcp
          source: 10.0.0.8
          action: undef
          extra: {
            table: mangle,
            jump: dscp,
            set_dscp: 12
          } 

But it doesn't work.

We try as t
(In reply to Alex Schultz from comment #1)
> It should be noted that the key is 'extras' not 'extra'. 
> https://github.com/openstack/puppet-tripleo/blob/stable/newton/manifests/
> firewall/rule.pp#L62  So in theory we don't need to backport the jump
> support as it should be available set the correct key in THT.  The related
> bug was for first class support of jump so that it didn't need to be passed
> via 'extras'.  Please have the customer try using 'extras' and let us know
> if that fixes the issue before we go backporting patches.

Comment 3 Alex Schultz 2017-09-06 12:21:51 UTC
Your example is wrong.  Please try:


       '410 allow marking':
          port: 10051
          proto: tcp
          source: 10.0.0.8
          action: undef
          extras: {
            table: mangle,
            jump: dscp,
            set_dscp: 12
          }

Comment 4 Guillaume CABALLÉ 2017-09-06 12:42:55 UTC
This configuration has been tested:
  
     '410 allow marking':
          port: 10051
          proto: tcp
          source: 10.0.0.8
          action: undef
          extras: {
            table: mangle,
            jump: dscp,
            set_dscp: 12
          }

But it does not work either. We still have the default action set, not allowing us to use the jump parameter.

Comment 5 Alex Schultz 2017-09-06 16:47:36 UTC
Ah I see, the problem is with the action: undef. You could try 'action: ~'. I'll approve the backport of the changes since it adds the jump parameter and adds logic to handle the action. In the meantime you could try using 'action: ~' instead of 'action: undef'.

reference: https://tickets.puppetlabs.com/browse/PUP-3992
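
Added example, not part of the original comments and not puppet-tripleo code: a Ruby check, using Ruby's standard YAML library, that parses rule hashes like the ones posted above and flags the two pitfalls raised in comments 1 and 5 (the 'extra' key, and 'action: undef' loading as a string rather than a null). The rule names, the sample data and the `lint_firewall_rules` helper are constructed for illustration, and the checks are assumptions drawn from this thread.

```ruby
require 'yaml'

# Constructed sample: rule variants modelled on the ones posted in this bug.
SAMPLE_RULES = <<~RULES
  '410 wrong key':
    port: 10051
    proto: tcp
    extra: { table: mangle, jump: dscp, set_dscp: 12 }
  '411 undef string':
    port: 10051
    proto: tcp
    action: undef
    extras: { table: mangle, jump: dscp, set_dscp: 12 }
  '412 yaml null':
    port: 10051
    proto: tcp
    action: ~
    extras: { table: mangle, jump: dscp, set_dscp: 12 }
  '413 first-class jump':
    port: 10051
    proto: tcp
    jump: dscp
    extras: { table: mangle, set_dscp: 12 }
RULES

# Returns { rule name => [findings] } for rules that hit a pitfall from this
# thread. The checks are assumptions drawn from the comments, not module logic.
def lint_firewall_rules(yaml_text)
  rules = YAML.safe_load(yaml_text) || {}
  rules.each_with_object({}) do |(name, params), findings|
    next unless params.is_a?(Hash)
    msgs = []
    msgs << "unknown key 'extra'; the parameter is 'extras'" if params.key?('extra')
    extras = params['extras'].is_a?(Hash) ? params['extras'] : {}
    action_nulled = params.key?('action') && params['action'].nil?
    if params['action'] == 'undef'
      # YAML has no undef keyword: this value loads as the string "undef".
      msgs << "action is the string 'undef', not null; write 'action: ~'"
    elsif extras.key?('jump') && !action_nulled
      msgs << "jump passed via extras while action is not nulled (default accept per the report)"
    end
    findings[name] = msgs unless msgs.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  lint_firewall_rules(SAMPLE_RULES).each { |name, msgs| puts "#{name}: #{msgs.join('; ')}" }
end
```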

Comment 6 Alex Schultz 2017-09-06 17:01:41 UTC
When this change is available, the configuration would be:

     '410 allow marking':
          port: 10051
          proto: tcp
          source: 10.0.0.8
          jump: dscp
          extras: {
            table: mangle,
            set_dscp: 12
          }

Comment 10 errata-xmlrpc 2017-09-28 16:35:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2825

