Fix #188: -f in comment leads to puppet resource firewall failing.

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index a9855e0d0d0dc1c07aff4158bccac036ea85b714..43ae55689cc0c66c0ee49030088bcb1bd14b780f 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -166,7 +166,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
       if bool == :isfragment then
         # only replace those -f that are not followed by an l to
         # distinguish between -f and the '-f' inside of --tcp-flags.
-        values = values.sub(/-f(?=[^l])/, '-f true')
+        values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true')
       end
     end
 

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 7c509d89adb13011c42da005f0365fe8376576d8..870a9784fd99424998383cd6b805b2a94181edca 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -299,9 +299,10 @@ ARGS_TO_HASH = {
     },
   },
   'isfragment_option' => {
-    :line => '-A INPUT -f -j ACCEPT',
+    :line => '-A INPUT -f -m comment --comment "010 a-f comment with dashf" -j ACCEPT',
     :table => 'filter',
     :params => {
+      :name => '010 a-f comment with dashf',
       :action => 'accept',
       :isfragment => true,
     },
@@ -724,4 +725,13 @@ HASH_TO_ARGS = {
     },
     :args => ['-t', :filter, '-p', :all, '-f', '-m', 'comment', '--comment', '050 isfragment option', '-j', 'ACCEPT'],
   },
+  'isfragment_option not changing -f in comment' => {
+    :params => {
+      :name => '050 testcomment-with-fdashf',
+      :table => 'filter',
+      :proto => :all,
+      :action => 'accept',
+    },
+    :args => ['-t', :filter, '-p', :all, '-m', 'comment', '--comment', '050 testcomment-with-fdashf', '-j', 'ACCEPT'],
+  },
 }