Fix handling of chain names that contain -f

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 27c0b362e04997b5b7c461ada810ab09e4d2989d..5835dea3e97e795d83a9142bd914fc685a6ff13e 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -356,7 +356,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
         # -f requires special matching:
         # only replace those -f that are not followed by an l to
         # distinguish between -f and the '-f' inside of --tcp-flags.
-        values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true')
+        values = values.sub(/\s-f(?!l)(?=.*--comment)/, ' -f true')
       else
         values = values.sub(/#{resource_map[bool]}/, "#{resource_map[bool]} true")
       end

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index ac9ba9a9647bf811d25b24b6971bf7be2809047a..bbdff8cc8786e7cadaffe7c098d197b66678759d 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -573,6 +573,14 @@ ARGS_TO_HASH = {
       :clamp_mss_to_pmtu => true,
     },
   },
+  'mangled_chain_name_with_-f' => {
+    :line => '-A foo-filter -p tcp -m comment --comment "068 chain name containing -f" -j ACCEPT',
+    :params => {
+      :name              => '068 chain name containing -f',
+      :action            => 'accept',
+      :chain             => 'foo-filter',
+    },
+  },
 }
 
 # This hash is for testing converting a hash to an argument line.