From: Hunter Haugen
Date: Thu, 6 Feb 2014 00:02:56 +0000 (-0800)
Subject: (MODULES-451) Match extension protocol for multiport
X-Git-Tag: 0.5.0~3^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=11ed5582bba17784ced2388b02b91efac6eae622;p=puppet-modules%2Fpuppetlabs-firewall.git

(MODULES-451) Match extension protocol for multiport

The `-m (tcp|udp)` match extension flag before multiport `--sport` and `--dport` flags is considered optional, but may be present on some rules. This patches the provides recognition of those rules.
---
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 3095a12..5be4fab 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -50,7 +50,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :destination => "-d",
 :dst_type => "-m addrtype --dst-type",
 :dst_range => "-m iprange --dst-range",
- :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
+ :dport => ["-m (udp|tcp) -m multiport --dports", "-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
 :gid => "-m owner --gid-owner",
 :icmp => "-m icmp --icmp-type",
 :iniface => "-i",
@@ -77,7 +77,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :source => "-s",
 :src_type => "-m addrtype --src-type",
 :src_range => "-m iprange --src-range",
- :sport => ["-m multiport --sports", "-m (udp|tcp) --sport", "--sport"],
+ :sport => ["-m (udp|tcp) -m multiport --sports", "-m multiport --sports", "-m (udp|tcp) --sport", "--sport"],
 :state => "-m state --state",
 :table => "-t",
 :tcp_flags => "-m tcp --tcp-flags",
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
index 575fa8c..8334b6c 100644
--- a/spec/acceptance/resource_cmd_spec.rb
+++ b/spec/acceptance/resource_cmd_spec.rb
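Review bot: The new `-m (udp|tcp) -m multiport --dports` entry only does its job because it sits ahead of the bare `-m multiport --dports` entry in the array; if the provider tries the alternatives in order and stops at the first hit (that code is not in this hunk), swapping them would leave `-m tcp` unconsumed in the rule string and the rule would parse differently, with the usual consequence that a live rule is treated as unmanaged and re-added or purged. Nothing in the code records that ordering dependency. I would put a comment above the `:dport` line: `# Order matters: the "-m tcp -m multiport" form must be tried before the bare "-m multiport" form or the protocol match is left behind.` The hash this entry belongs to starts before and ends after the hunk.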
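Review bot: The `(udp|tcp)` alternation in the new `:sport` entry is interpolated into a regex (the existing `-m (udp|tcp) --sport` entry already relies on that), so it is a regex group rather than literal text, but it only covers two protocols while iptables' multiport match is also documented for sctp, dccp and udplite. A rule saved as `-p sctp -m sctp -m multiport --sports ...` (if iptables auto-loads the protocol match there as it does for tcp/udp) would fall through to the shorter pattern and leave `-m sctp` behind; whether that ends in a mis-parse or a warning depends on the parsing code, which is outside this hunk. If that case is meant to be supported, widening the group to `(udp|tcp|sctp|dccp)` here and in the matching `:dport` entry, with a fixture for it, would close the gap; otherwise a comment stating the tcp/udp-only scope is worth adding. The hash starts and ends outside the hunk.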
@@ -75,4 +75,19 @@ describe 'puppet resource firewall command:' do
 end
 end
 end
+
+ context 'accepts rules with match extension tcp flag' do
+ before :all do
+ iptables_flush_all_tables
+ shell('/sbin/iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
+ end
+
+ it do
+ shell('puppet resource firewall') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
+ end
+ end
+ end
 end
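Review bot: The new example asserts only a zero exit code and an empty stderr, so it passes whether or not the `-m tcp -m multiport` rule was actually recognised, as long as the provider stays quiet; the comment on the stdout line says the output is deliberately not checked. Since the point of the commit is that this rule is parsed, assert on stdout as well, e.g. `r.stdout.should match(/dport.*80.*443.*8140/)` in whatever form `puppet resource firewall` prints the dport property on this branch, so a regression to the old patterns fails the test instead of silently passing. A unit-level parser fixture with the saved-rule string would also be worth adding if the module keeps such fixtures, since this acceptance suite needs a host with iptables. The `describe` block that contains this context starts outside the hunk.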