Fix parsing of rules and generating the command line to set the rule

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index b69af917e5870af52b6aa86e1c6f9f08abddcc95..147c728c809dae0ca448cf4b9b35c728a0a9e7df 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -166,10 +166,13 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
     # --tcp-flags takes two values; we cheat by adding " around it
     # so it behaves like --comment
-    # we do a simular thing for negated address masks (source and destination).
     values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
+    # we do a simular thing for negated address masks (source and destination).
     values = values.sub(/-s (!)\s?(\S*)/, '-s "\1 \2"')
     values = values.sub(/-d (!)\s?(\S*)/,'-d "\1 \2"')
+    # the actual rule will have the ! mark before the option.
+    values = values.sub(/(!)\s*-s\s*(\S*)/, '-s "\1 \2"')
+    values = values.sub(/(!)\s*-d\s*(\S*)/, '-d "\1 \2"')
 
     # Trick the system for booleans
     @known_booleans.each do |bool|
@@ -371,6 +374,10 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
         one, two = resource_value.split(' ')
         args << one
         args << two
+      elsif res == :source or res == :destination
+        one, two = resource_value.split(' ')
+        args << one
+        args << two unless two == nil
       elsif resource_value.is_a?(Array)
         args << resource_value.join(',')
       elsif !resource_value.nil?