From: Alexey Lapitsky
Date: Fri, 19 Sep 2014 19:19:49 +0000 (-0400)
Subject: add negation support for ipset
X-Git-Tag: 1.3.0~1^2~2^2~1
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=e55d4ecf7becf8853ba15f028317ee16ee9a39dd;p=puppet-modules%2Fpuppetlabs-firewall.git
add negation support for ipset
---
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index c8e3080..300d525 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -225,7 +225,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # so it behaves like --comment
 values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
 # ditto for --match-set
- values = values.sub(/--match-set (\S*) (\S*)/, '--match-set "\1 \2"')
+ values = values.sub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"')
 # we do a similar thing for negated address masks (source and destination).
 values = values.gsub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
 # the actual rule will have the ! mark before the option.
@@ -331,6 +331,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :dport,
 :dst_range,
 :dst_type,
+ :ipset,
 :port,
 :proto,
 :source,
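Review bot: The `--match-set` rewrite in the first hunk still calls `sub`, so only the first set match on a saved rule line is quoted, whereas the `--tcp-flags` rewrite directly above it uses `gsub`. If a rule on the host carries two set matches (for example a source set and a negated destination set), the second stays unquoted and its `!` presumably never reaches the later parsing, so the provider's view of the rule could differ from what the kernel enforces. Consider `values = values.gsub(/(!\s+)?--match-set (\S+) (\S+)/, '--match-set "\1\2 \3"')`, with `\S+` so an empty set name or flag cannot match, and add a spec fixture for a negated `--match-set` line. The enclosing method starts and ends outside the hunk, so how the quoted value is consumed afterwards is not visible here.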