From 11ed5582bba17784ced2388b02b91efac6eae622 Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Wed, 5 Feb 2014 16:02:56 -0800
Subject: [PATCH] (MODULES-451) Match extension protocol for multiport
The `-m (tcp|udp)` match extension flag before multiport `--sport` and `--dport` flags is considered optional, but may be present on some rules. This patches the provides recognition of those rules.
---
 lib/puppet/provider/firewall/iptables.rb | 4 ++--
 spec/acceptance/resource_cmd_spec.rb | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 3095a12..5be4fab 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -50,7 +50,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :destination => "-d",
 :dst_type => "-m addrtype --dst-type",
 :dst_range => "-m iprange --dst-range",
- :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
+ :dport => ["-m (udp|tcp) -m multiport --dports", "-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
 :gid => "-m owner --gid-owner",
 :icmp => "-m icmp --icmp-type",
 :iniface => "-i",
@@ -77,7 +77,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :source => "-s",
 :src_type => "-m addrtype --src-type",
 :src_range => "-m iprange --src-range",
- :sport => ["-m multiport --sports", "-m (udp|tcp) --sport", "--sport"],
+ :sport => ["-m (udp|tcp) -m multiport --sports", "-m multiport --sports", "-m (udp|tcp) --sport", "--sport"],
 :state => "-m state --state",
 :table => "-t",
 :tcp_flags => "-m tcp --tcp-flags",
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
index 575fa8c..8334b6c 100644
--- a/spec/acceptance/resource_cmd_spec.rb
+++ b/spec/acceptance/resource_cmd_spec.rb
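Review bot: The fix only works because the new `"-m (udp|tcp) -m multiport --dports"` alternative is listed before the shorter `"-m multiport --dports"` — presumably the provider tries these strings in order as regex fragments and stops at the first hit, so a reorder would silently leave a stray `-m tcp` in the unparsed remainder and mis-read a live rule; that ordering constraint is not recorded anywhere in the hunk. Add a comment above the `:dport` entry such as `# Alternatives are tried in order: keep the longest form first so "-m tcp -m multiport" is consumed whole` and the same above `:sport` in the second hunk of this file, which has the identical dependency. The `(udp|tcp)` group is a regex, not a literal, which is only correct if the lookup interpolates the string into a Regexp — worth confirming where `@resource_map` is consumed, since that code is outside the hunk. The enclosing `@resource_map` hash starts and ends outside both hunks.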
@@ -75,4 +75,19 @@ describe 'puppet resource firewall command:' do
 end
 end
 end
+
+ context 'accepts rules with match extension tcp flag' do
+ before :all do
+ iptables_flush_all_tables
+ shell('/sbin/iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
+ end
+
+ it do
+ shell('puppet resource firewall') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
+ end
+ end
+ end
 end
-- 
2.45.2
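Review bot: The new example never checks that the rule was actually parsed — it asserts only a zero exit code and empty stderr, so a provider that quietly drops or mangles the `--dports 80,443,8140` rule would still pass, and that is exactly the failure mode the commit is fixing (a mis-read rule is what lets Puppet later rewrite or, with purging enabled, remove a live firewall entry). The `# don't check stdout` comment argues that pre-existing rules make stdout unpredictable, but `before :all` calls `iptables_flush_all_tables` and adds a single rule, so stdout here is fully controlled and can be asserted on. Replace the comment with an assertion along the lines of `r.stdout.should match(/dport.*80.*443.*8140/)` and `r.stdout.should match(/proto\s*=>\s*'tcp'/)`, adjusted to the exact array rendering `puppet resource` emits, which I cannot confirm from the hunk. The same stdout check would also guard the `:sport` path if a `--sports` rule is added to this context.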