Fix error parsing rules with dashes in the chain name

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index bc918b981f97e905d9d70dc9909525ce46fe9117..00655ea44d33d460fe0a0b46ea57415fe81a4e93 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -394,7 +394,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
       values.insert(ind, "-m set --match-set \"#{sets.join(';')}\" ")
     end
     # we do a similar thing for negated address masks (source and destination).
-    values = values.gsub(%r{(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
+    values = values.gsub(%r{(?<=\s)(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
     # fix negated physdev rules
     values = values.gsub(%r{-m physdev ! (--physdev-is-\S+)}, '-m physdev \1 "!"')
     # the actual rule will have the ! mark before the option.

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 3dba7e7f48f577736c6e731915614b78b1950ebc..42172fbca8226ef7b33485b63b91de8a1cc2d99e 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -365,6 +365,15 @@ ARGS_TO_HASH = {
       :iniface => '! eth0',
     },
   },
+  'iniface_2_negated' => {
+    :line => '-A CHAIN-WITH-DASH ! -i eth0 -p tcp -m comment --comment "005 iniface 2" -j DROP',
+    :table => 'filter',
+    :params => {
+      :action => 'drop',
+      :chain => 'CHAIN-WITH-DASH',
+      :iniface => '! eth0',
+    },
+  },
   'iniface_1_aliased' => {
     :line => '-A INPUT -i eth0:1 -j DROP -m comment --comment "060 iniface"',
     :table => 'filter',