From: Simon Martin
Date: Thu, 3 Apr 2014 09:33:09 +0000 (+0100)
Subject: In lib/puppet/provider/firewall/iptables.rb we test on boolean flags when building...
X-Git-Tag: 1.1.0~9^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=a237ef983718ea7483ff4fe17382fa7350b71cdf;p=puppet-modules%2Fpuppetlabs-firewall.git

In lib/puppet/provider/firewall/iptables.rb we test on boolean flags when building iptables args:

    # If socket is true then do not add the value as -m socket is standalone
    if known_booleans.include?(res) then
      if resource[res] == :true then
        resource_value = nil
      else
        # If the property is not :true then we don't want to add the value
        # to the args list
        next
      end
    end

This evaluates to false on the reap flag in a definition like this:

    firewall { '001 rate limit ssh attempts':
      port      => [22],
      proto     => tcp,
      tcp_flags => "FIN,SYN,RST,ACK SYN",
      recent    => 'rcheck',
      rsource   => true,
      rname     => 'ssh-syn4',
      rseconds  => 30,
      rhitcount => 3,
      reap      => true,
      jump      => drop,
    }

This is because the value is not defined as a string, so the reap flag is not added to the args. This patch defines reap as a string true or false to match others like rsource.
---
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 4701e27..b2068f4 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -777,6 +777,8 @@ Puppet::Type.newtype(:firewall) do attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true. EOS + + newvalues(:true, :false) end newproperty(:rhitcount, :required_features => :recent_limiting) do
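Review bot: the description just above the added `newvalues(:true, :false)` still ends with "Must be boolean true.", which now contradicts a property that explicitly accepts :false; reword it to say the property takes true or false, as the commit message says rsource already does. The patch also ships without a spec: a unit test declaring `reap => true` and asserting that the reap argument appears in the generated iptables args would pin down the `resource[res] == :true` comparison this fix relies on, and would catch the same symbol-versus-boolean mismatch if another boolean property is added without newvalues.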
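The mismatch the commit message describes, as an added example that is not part of the puppetlabs-firewall code: a simplified stand-in for Puppet's newvalues munging and for the provider's argument-building loop (the known_booleans list and the `--<property>` flag naming are assumptions for illustration, not the module's real mapping), showing that a raw Ruby `true` never equals the symbol `:true`, so the flag is dropped until the value is munged to a symbol.

```ruby
# Simplified model of newvalues(:true, :false) on a Puppet property:
# the supplied value is matched by its string form and stored as the
# declared symbol, so `true`, "true" and :true all become :true.
def munge_newvalues(value, allowed)
  match = allowed.find { |v| v.to_s == value.to_s }
  raise ArgumentError, "Invalid value #{value.inspect}" if match.nil?
  match
end

# Model of the provider loop quoted in the commit message: a boolean
# property is emitted as a standalone flag only when its value is :true,
# everything else is emitted as "flag value". Flag names are derived
# from the property name here purely for illustration.
def build_args(resource, known_booleans)
  args = []
  resource.each do |res, value|
    resource_value = value
    if known_booleans.include?(res)
      if resource[res] == :true
        resource_value = nil
      else
        next # not :true (including a raw Ruby true): flag is skipped
      end
    end
    args << "--#{res}"
    args << resource_value.to_s unless resource_value.nil?
  end
  args
end

KNOWN_BOOLEANS = [:rsource, :reap].freeze # assumed subset for this example

# Before the patch: rsource is munged to :true, but reap reaches the
# provider as the Ruby boolean true, so `true == :true` is false.
def args_before_patch
  resource = { :rsource => :true, :reap => true, :rseconds => 30 }
  build_args(resource, KNOWN_BOOLEANS)
end

# After the patch: reap is declared with newvalues(:true, :false) and
# is munged to :true before the provider compares it.
def args_after_patch
  resource = { :rsource => :true,
               :reap    => munge_newvalues(true, [:true, :false]),
               :rseconds => 30 }
  build_args(resource, KNOWN_BOOLEANS)
end
```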