(#14590) Fix for when iptables-save spews out "FATAL" errors.

On some broken Virtuozzo containers, /lib/modules/$(uname -r)/modules.dep is
absent. This causes iptables-save to give some "FATAL" errors.  This patch
fixes the parser to ignore them instead of generating garbage rules that make
for errors in the puppet agent run.

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index e5f3afe69b60208da80ddf4db3f039c5bb02f610..f4de3544b7a13f0884a2254dfcde112ce4456b07 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -96,7 +96,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
     # String#lines would be nice, but we need to support Ruby 1.8.5
     iptables_save.split("\n").each do |line|
-      unless line =~ /^\#\s+|^\:\S+|^COMMIT/
+      unless line =~ /^\#\s+|^\:\S+|^COMMIT|^FATAL/
         if line =~ /^\*/
           table = line.sub(/\*/, "")
         else

diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
index e01dab60a79a575a35e4c418a44df6e72b7940b5..b06d2144f47894747dbf37c6b5a3c6cf645dcff7 100644 (file)
--- a/spec/unit/puppet/provider/iptables_spec.rb
+++ b/spec/unit/puppet/provider/iptables_spec.rb
@@ -68,6 +68,12 @@ describe 'iptables provider' do
     end
   end
 
+  it 'should ignore lines with fatal errors' do
+    provider.expects(:execute).with(['/sbin/iptables-save']).returns("FATAL: Could not load /lib/modules/2.6.18-028stab095.1/modules.dep: No such file or directory")
+
+    provider.instances.length.should == 0
+  end
+
   # Load in ruby hash for test fixtures.
   load 'spec/fixtures/iptables/conversion_hash.rb'