From 06cf2eeed850f3a04732ab53048e5b1f8d0956b8 Mon Sep 17 00:00:00 2001
From: Andjelko Horvat
Date: Thu, 8 Dec 2016 23:28:04 +0100
Subject: [PATCH] Add sanity check for rule to hash parser
Parser fails in some cases with combined arguments e.g. if some other argument is set between match name and match option, like dport in this example: -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN
If the parsed keys and values count is not the same, the error is raised with the problematic rule line.
---
 lib/puppet/provider/firewall/iptables.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f599faa..cb1d1d3 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -438,10 +438,16 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 values.slice!('-A')
 keys << :chain
+ valrev = values.scan(/("([^"\\]|\\.)*"|\S+)/).transpose[0].reverse
+
+ if keys.length != valrev.length then
+ raise "Parser error: keys (#{keys.length}) and values (#{valrev.length}) count mismatch on line: #{line}"
+ end
+
 # Here we generate the main hash by scanning arguments off the values
 # string, handling any quoted characters present in the value, and then
 # zipping the values with the array of keys.
- keys.zip(values.scan(/("([^"\\]|\\.)*"|\S+)/).transpose[0].reverse) do |f, v|
+ keys.zip(valrev) do |f, v|
 if v =~ /^".*"$/ then
 hash[f] = v.sub(/^"(.*)"$/, '\1').gsub(/\\(\\|'|")/, '\1')
 else
--
2.45.2
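Review bot: The new `valrev` assignment can still fail before the count check runs: when `scan` matches nothing, `transpose[0]` is `nil` and `.reverse` raises NoMethodError, so the operator gets a stack trace instead of the "Parser error" message naming the offending line. `valrev = values.scan(/("([^"\\]|\\.)*"|\S+)/).map(&:first).reverse` selects the same capture group, yields an empty array in that case and lets the mismatch check report it. The enclosing method starts and ends outside the hunk, so it is not visible whether any caller rescues the bare RuntimeError; if none does, a single unparseable rule presumably stops the provider from reading the existing rule set at all. That fail-closed choice deserves a comment above the `raise`, for example `# Fail loudly: a shifted key/value pairing would misreport the live rule`.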