From: Thomas Sturm
Date: Thu, 1 May 2014 08:20:36 +0000 (+0200)
Subject: fixes MODULES-796
X-Git-Tag: 1.3.0~1^2~35^2~1
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=2d046877ace3edbbacedeb2e4d051e4bd9099dc8;p=puppet-modules%2Fpuppetlabs-firewall.git

fixes MODULES-796

Cheat by adding quotes around policy ipsec and all following options belonging to ipsec. Otherwise the line cannot be parsed correctly. The list of options is taken from [1] and the output ordering was experimentally verified with iptables-v1.4.21 on Ubuntu 14.04.

[1] http://ipset.netfilter.org/iptables-extensions.man.html
---

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 5ad1012..4a1a70c 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -221,6 +221,19 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     values = values.sub(/(!)\s*(-\S+)\s*(\S*)/, '\2 "\1 \3"')
     # The match extension for tcp & udp are optional and throws off the @resource_map.
     values = values.sub(/-m (tcp|udp) (--(s|d)port|-m multiport)/, '\2')
+    # '--pol ipsec' takes many optional arguments; we cheat again by adding " around them
+    values = values.sub(/
+      --pol\sipsec
+      (\s--strict)?
+      (\s--reqid\s\S+)?
+      (\s--spi\s\S+)?
+      (\s--proto\s\S+)?
+      (\s--mode\s\S+)?
+      (\s--tunnel-dst\s\S+)?
+      (\s--tunnel-src\s\S+)?
+      (\s--next)?/x,
+      '--pol "ipsec\1\2\3\4\5\6\7\8" '
+    )
 
     # Trick the system for booleans
     @known_booleans.each do |bool|
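Review bot: The trailing `(\s--next)?` group in the new regex treats `--next` as a terminator, but the iptables-extensions man page the commit cites defines `--next` as the start of another policy element, so a second `--reqid`/`--spi`/`--proto`/`--mode`/`--tunnel-*` run following it stays outside the quotes and would presumably throw off the positional parsing that the quoting is meant to protect, exactly the problem the preceding `-m (tcp|udp)` cheat works around. The eight fixed numbered groups likewise leave any option that appears in a different order than the one verified on a single iptables build silently unquoted, with no error. One repeated alternation captures the whole tail regardless of count and order and needs only one backreference: `values = values.sub(/--pol\sipsec((?:\s--(?:strict|next)|\s--(?:reqid|spi|proto|mode|tunnel-dst|tunnel-src)\s\S+)*)/, '--pol "ipsec\1" ')`. A spec fixture containing `--strict ... --next --reqid ...` would pin this. The enclosing method begins and ends outside the hunk.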
@@ -312,10 +325,10 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     hash[:state] = hash[:state].sort unless hash[:state].nil?
     hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil?
 
-    # This forces all existing, commentless rules or rules with invalid comments to be moved 
+    # This forces all existing, commentless rules or rules with invalid comments to be moved
     # to the bottom of the stack.
-    # Puppet-firewall requires that all rules have comments (resource names) and match this 
-    # regex and will fail if a rule in iptables does not have a comment. We get around this 
+    # Puppet-firewall requires that all rules have comments (resource names) and match this
+    # regex and will fail if a rule in iptables does not have a comment. We get around this
     # by appending a high level
     if ! hash[:name]
       num = 9000 + counter