From: Paul Seward
Date: Mon, 1 Feb 2016 12:05:39 +0000 (+0000)
Subject: (MODULES-2159) ignore the --connlimit-saddr switch when parsing rules
X-Git-Tag: 1.8.0~3^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=b85faedb0ac2c2b7844dcca3da0efbc7b460a10f;p=puppet-modules%2Fpuppetlabs-firewall.git

(MODULES-2159) ignore the --connlimit-saddr switch when parsing rules

Workaround for https://tickets.puppetlabs.com/browse/MODULES-2159 (as described by Greg Murphy in that ticket)

On some distributions (notably on Ubuntu 14.04 and above, and CentOS 7 and above) the --connlimit-saddr switch is added after the rule is applied, causing rule_to_hash to ignore the rule. Puppet then attempts (and fails) to re-create the rule every time it runs.

---

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 1b7beb3..1d7aec5 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -364,6 +364,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir (\s--next)?/x, '--pol "ipsec\1\2\3\4\5\6\7\8" ' ) + # on some iptables versions, --connlimit-saddr switch is added after the rule is applied + values = values.gsub(/--connlimit-saddr/, '') resource_map = munge_resource_map_from_existing_values(@resource_map, values)
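Review bot: the added `values = values.gsub(/--connlimit-saddr/, '')` removes the token but not the whitespace in front of it, so the cleaned string keeps a doubled space where the switch was, and the unanchored pattern would also eat the prefix of any longer token beginning with `--connlimit-saddr`; `values = values.gsub(/\s*--connlimit-saddr\b/, '')` removes the switch together with its separator and stops at the token boundary. The new comment should also carry the context the commit message has and the code does not: that iptables itself appends the switch on Ubuntu 14.04+ and CentOS 7+, and the ticket reference (MODULES-2159), so the next reader does not take the line for a bug in the parser. Since the strip is unconditional, a spec fixture with a saved rule that contains `--connlimit-saddr` (and one with `--connlimit-daddr`, which this pattern deliberately leaves alone) would pin the behaviour down.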
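The idempotency failure described in the commit message, shown as an added, stand-alone example in Ruby (this is not code from puppetlabs-firewall; the `rule_to_hash` here is a small hypothetical tokenizer that stands in for the provider's own method, and both rule lines are constructed samples). It shows that the rule as written in the manifest and the rule as `iptables-save` prints it back parse to different hashes once iptables has appended `--connlimit-saddr`, and that stripping that implicit token before parsing, as the patch does, makes the two agree while leaving `--connlimit-daddr` untouched.

```ruby
# Added example, not part of the puppetlabs-firewall commit. Demonstrates why a
# connlimit rule is re-created on every Puppet run when the saved rule carries an
# extra --connlimit-saddr token, and how normalising the saved line fixes it.

# Rule as the manifest asks for it (constructed sample).
DESIRED_RULE = '-A INPUT -p tcp -m tcp --dport 22 -m connlimit ' \
               '--connlimit-above 10 --connlimit-mask 32 ' \
               '-m comment --comment "100 limit ssh" -j DROP'

# Same rule as `iptables-save` prints it back on Ubuntu 14.04+/CentOS 7+
# (constructed sample): iptables has inserted --connlimit-saddr on its own.
SAVED_RULE   = '-A INPUT -p tcp -m tcp --dport 22 -m connlimit ' \
               '--connlimit-above 10 --connlimit-mask 32 --connlimit-saddr ' \
               '-m comment --comment "100 limit ssh" -j DROP'

# Hypothetical stand-in for the provider's rule_to_hash: splits a rule line into
# tokens (keeping quoted comments whole) and maps each option to the list of
# values that followed it. An option with no argument, such as
# --connlimit-saddr, is recorded as a bare flag (true).
def rule_to_hash(rule)
  tokens = rule.scan(/"(?:[^"\\]|\\.)*"|\S+/)
  hash = {}
  i = 0
  while i < tokens.length
    key = tokens[i]
    if i + 1 < tokens.length && !tokens[i + 1].start_with?('-')
      (hash[key] ||= []) << tokens[i + 1]
      i += 2
    else
      (hash[key] ||= []) << true
      i += 1
    end
  end
  hash
end

# The workaround the patch applies, with the separating whitespace removed as
# well and the match anchored on the token boundary so that --connlimit-daddr
# (a different, user-chosen option) is never touched.
def normalize(rule)
  rule.gsub(/\s*--connlimit-saddr\b/, '')
end

# Puppet considers the resource in sync when the parsed desired state equals the
# parsed current state; without normalisation this is false for SAVED_RULE.
def in_sync?(desired, saved)
  rule_to_hash(desired) == rule_to_hash(normalize(saved))
end

if $PROGRAM_NAME == __FILE__
  puts "naive compare:      #{rule_to_hash(DESIRED_RULE) == rule_to_hash(SAVED_RULE)}"
  puts "normalised compare: #{in_sync?(DESIRED_RULE, SAVED_RULE)}"
end
```

Run with `ruby connlimit_example.rb`: the naive comparison prints `false` (the saved rule carries a `--connlimit-saddr` flag the desired rule lacks, so a provider comparing the two would try to re-create the rule on every run), and the normalised comparison prints `true`.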