# iptables-save and user supplied resources is consistent.
hash[:state] = hash[:state].sort unless hash[:state].nil?
- # This forces all existing, commentless rules to be moved to the bottom of the stack.
- # Puppet-firewall requires that all rules have comments (resource names) and will fail if
- # a rule in iptables does not have a comment. We get around this by appending a high level
+ # This forces all existing, commentless rules or rules with invalid comments to be moved
+ # to the bottom of the stack.
+ # Puppet-firewall requires that all rules have comments (resource names) and match this
+ # regex and will fail if a rule in iptables does not have a comment. We get around this
+ # by appending a high level
+ if not /^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/ =~ hash[:name]
+ num = 9000 + counter
+ hash[:name] = "#{num} #{/([[:alpha:][:digit:][:punct:][:space:]]+)/.match(hash[:name])[1]}"
+ end
if ! hash[:name]
num = 9000 + counter
hash[:name] = "#{num} #{Digest::MD5.hexdigest(line)}"
r[:stdout].should == "\n"
end
end
+
+ it 'accepts rules without comments' do
+ iptables_flush_all_tables
+ system_run('/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80')
+
+ puppet_resource('firewall') do |r|
+ r[:exit_code].should == 0
+ # don't check stdout, testing preexisting rules, output is normal
+ r[:stderr].should == ''
+ end
+ end
+
+ it 'accepts rules with invalid comments' do
+ iptables_flush_all_tables
+ system_run('/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
+
+ puppet_resource('firewall') do |r|
+ r[:exit_code].should == 0
+ # don't check stdout, testing preexisting rules, output is normal
+ r[:stderr].should == ''
+ end
+ end
end
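Review bot: The 'accepts rules with invalid comments' example never checks that the rule with comment "http" was actually renamed; it asserts only a zero exit code and empty stderr, so it would still pass if the provider left the invalid comment untouched and happened not to raise. If `puppet_resource('firewall')` yields the `puppet resource` listing in `r[:stdout]`, one assertion pins the intended behaviour: `r[:stdout].should =~ /9\d{3} http/` (the rename prefixes the original comment with a 9000-based number, so the exact digits depend on rule position). The same applies, more weakly, to 'accepts rules without comments', where an MD5-style generated name could be matched with `r[:stdout].should =~ /9\d{3} [0-9a-f]{32}/`. The two examples share the flush/add/resource sequence verbatim; a `before` block or a small helper that takes the iptables command would keep them in step as more comment cases are added. The enclosing describe block starts outside this hunk.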