Description of problem:
Unable to use jump following https://forge.puppet.com/puppetlabs/firewall

Version-Release number of selected component (if applicable):
puppet-tripleo-5.6.1-2.el7ost.noarch

How reproducible:
Try to deploy this rule:

    '410 allow marking':
      port: 10051
      proto: tcp
      source: 10.0.0.8
      extra: { table: mangle, jump: dscp, set_dscp: 12 }

It fails because the action is ACCEPT by default.

Launchpad bug: https://bugs.launchpad.net/tripleo/+bug/1669763
It should be noted that the key is 'extras' not 'extra'. https://github.com/openstack/puppet-tripleo/blob/stable/newton/manifests/firewall/rule.pp#L62 So in theory we don't need to backport the jump support, as it should be available if you set the correct key in THT. The related bug was for first class support of jump so that it didn't need to be passed via 'extras'. Please have the customer try using 'extras' and let us know if that fixes the issue before we go backporting patches.
Alex,

As you can see in the example, we tested it, and also:

    '410 allow marking':
      port: 10051
      proto: tcp
      source: 10.0.0.8
      action: undef
      extra: { table: mangle, jump: dscp, set_dscp: 12 }

But it doesn't work. We try as t

(In reply to Alex Schultz from comment #1)
> It should be noted that the key is 'extras' not 'extra'.
> https://github.com/openstack/puppet-tripleo/blob/stable/newton/manifests/firewall/rule.pp#L62
> So in theory we don't need to backport the jump
> support as it should be available set the correct key in THT. The related
> bug was for first class support of jump so that it didn't need to be passed
> via 'extras'. Please have the customer try using 'extras' and let us know
> if that fixes the issue before we go backporting patches.
Your example is wrong. Please try:

    '410 allow marking':
      port: 10051
      proto: tcp
      source: 10.0.0.8
      action: undef
      extras: { table: mangle, jump: dscp, set_dscp: 12 }
This configuration has been tested:

    '410 allow marking':
      port: 10051
      proto: tcp
      source: 10.0.0.8
      action: undef
      extras: { table: mangle, jump: dscp, set_dscp: 12 }

But it does not work either. We still have the default action set, not allowing us to use the jump parameter.
Ah I see, the problem is with the action: undef. You could try 'action: ~'. I'll approve the backport of the changes since it adds the jump parameter and adds logic to handle the action. In the meantime you could try using 'action: ~' instead of 'action: undef'. Reference: https://tickets.puppetlabs.com/browse/PUP-3992
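
Added example, not part of the original thread and not puppet-tripleo code: a Ruby lint over the rule variants posted above, showing that YAML loads `action: undef` as the string "undef" while `action: ~` loads as null, and flagging the 'extra' key. The helper names `lint_rule` and `lint_rules` are hypothetical, and the fallback to the default action for an omitted `action` is an assumption taken from the report.

```ruby
require 'yaml'

# Constructed sample: the rule variants posted in this thread.
RULES_YAML = <<~RULES
  '410 extra key':
    port: 10051
    proto: tcp
    source: 10.0.0.8
    extra: { table: mangle, jump: dscp, set_dscp: 12 }
  '410 action undef':
    port: 10051
    proto: tcp
    source: 10.0.0.8
    action: undef
    extras: { table: mangle, jump: dscp, set_dscp: 12 }
  '410 action tilde':
    port: 10051
    proto: tcp
    source: 10.0.0.8
    action: ~
    extras: { table: mangle, jump: dscp, set_dscp: 12 }
RULES

# Hypothetical lint helper: returns the warnings for one parsed rule hash.
def lint_rule(rule)
  warnings = []
  # The thread points out that the parameter is 'extras', not 'extra'.
  warnings << "unknown key 'extra' (did you mean 'extras'?)" if rule.key?('extra')
  # YAML has no 'undef' keyword, so the value arrives as the String "undef".
  warnings << "action is the literal string 'undef', not null" if rule['action'] == 'undef'
  # Assumption from the report: an omitted action falls back to the default.
  jump_in_extras = (rule['extras'] || {}).key?('jump')
  warnings << "jump passed via extras but action not set to null (~)" if jump_in_extras && !rule.key?('action')
  warnings
end

# Parse a YAML document of rules and lint each one by name.
def lint_rules(yaml_text)
  YAML.safe_load(yaml_text).transform_values { |rule| lint_rule(rule) }
end

if __FILE__ == $PROGRAM_NAME
  lint_rules(RULES_YAML).each do |name, warnings|
    puts "#{name}: #{warnings.empty? ? 'ok' : warnings.join('; ')}"
  end
end
```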
When this change is available, the configuration would be:

    '410 allow marking':
      port: 10051
      proto: tcp
      source: 10.0.0.8
      jump: dscp
      extras: { table: mangle, set_dscp: 12 }
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2825