Add sanity check for rule to hash parser

Parser fails in some cases with combined arguments e.g. if some other argument
is set between match name and match option, like dport in this example:

-m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN

If the parsed keys and values count is not the same, the error is raised with
the problematic rule line.

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f599faa253f06275c8b8267d36e1bdac33dd354f..cb1d1d3b136445b80a7614a812dbf23b81b7f607 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -438,10 +438,16 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     values.slice!('-A')
     keys << :chain
 
+    valrev = values.scan(/("([^"\\]|\\.)*"|\S+)/).transpose[0].reverse
+
+    if keys.length != valrev.length then
+      raise "Parser error: keys (#{keys.length}) and values (#{valrev.length}) count mismatch on line: #{line}"
+    end
+
     # Here we generate the main hash by scanning arguments off the values
     # string, handling any quoted characters present in the value, and then
     # zipping the values with the array of keys.
-    keys.zip(values.scan(/("([^"\\]|\\.)*"|\S+)/).transpose[0].reverse) do |f, v|
+    keys.zip(valrev) do |f, v|
       if v =~ /^".*"$/ then
         hash[f] = v.sub(/^"(.*)"$/, '\1').gsub(/\\(\\|'|")/, '\1')
       else