puppetlabs / puppetlabs-firewall

Puppet Firewall Module
http://forge.puppetlabs.com/puppetlabs/firewall
Apache License 2.0

Could not evaluate: `proto` must be set to `tcp` for `isfragment` to be true. #1185

Open chrisongthb opened 6 months ago

chrisongthb commented 6 months ago

Describe the Bug

The Puppet module produces an error when setting up a rule with the combination `proto => 'ipv6-icmp'` and `isfragment => true`. This is a bug.

Expected Behavior

The Puppet module should accept this rule. ICMP packets can be fragmented: http://users.cis.fiu.edu/~vince/cgs4285/class13.html

Steps to Reproduce

```puppet
firewall { '991 v6 drop outgoing fragmented icmp traffic':
  chain      => 'OUTPUT',
  proto      => 'ipv6-icmp',
  isfragment => true,
  jump       => 'drop',
  protocol   => 'ip6tables',
}
```

Environment