From 1f5f6523cdb1bc0b133237ce49403e42c6ab60cb Mon Sep 17 00:00:00 2001
From: Kjetil Torgrim Homme
Date: Wed, 1 Dec 2021 21:53:26 +0100
Subject: [PATCH] fix service port number lookup to use protocol

The existing code passes `:proto`, which `string_to_port` casts to a string, gets "proto", compares that to the possibilities "udp" or "tcp", and when neither, falls back to using "tcp". This patch passes the actual proto value to the function, in case there is a UDP specific service in your /etc/services (uncommon, but it happens). It looks like Puppet will evaluate the properties in declared order, so I had to move `newproperty(:proto)` up so `@resource[:proto]` was available in the code for `sport`, `dport` and `port`.
---
 lib/puppet/type/firewall.rb | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 6509c1c..d19c3d4 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -382,6 +382,17 @@ Puppet::Type.newtype(:firewall) do
 end end
+ newproperty(:proto) do
+ desc <<-PUPPETCODE
+ The specific protocol to match for this rule.
+ PUPPETCODE
+
+ newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :carp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
+ [proto, "! #{proto}".to_sym]
+ }.flatten)
+ defaultto 'tcp'
+ end + newproperty(:sport, array_matching: :all) do desc <<-PUPPETCODE The source port to match for this filter (if the protocol supports
@@ -399,7 +410,7 @@ Puppet::Type.newtype(:firewall) do
 PUPPETCODE munge do |value|
- @resource.string_to_port(value, :proto)
+ @resource.string_to_port(value, @resource[:proto])
 end def to_s?(value)
@@ -429,7 +440,7 @@ Puppet::Type.newtype(:firewall) do
 PUPPETCODE munge do |value|
- @resource.string_to_port(value, :proto)
+ @resource.string_to_port(value, @resource[:proto])
 end def to_s?(value)
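Review bot: The relocated `newproperty(:proto)` block gives no hint that its position is load-bearing, yet the whole fix depends on it being declared before `sport`, `dport` and `port` so that `@resource[:proto]` is already populated when their `munge` blocks run; anyone later regrouping the properties (for instance back beside the other protocol-level matchers, where the second hunk on the next line removes it from) would silently reinstate the old fallback to a tcp lookup without any test or error. I would put a comment directly above the moved block: `# NOTE: keep :proto declared before :sport/:dport/:port -- Puppet sets attributes in declaration order and their munge blocks read @resource[:proto] for the /etc/services lookup.` The ordering claim comes from the commit message rather than from anything visible in this hunk, so the comment's wording should be checked against the Puppet versions the module supports. The enclosing `Puppet::Type.newtype(:firewall) do` block begins and ends outside this hunk.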
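Review bot: `@resource[:proto]` on the new `munge` line is only guaranteed to be set when the catalog supplies `proto` explicitly; as far as I can tell Puppet applies `defaultto` values only after every explicitly given attribute has been assigned, so a resource with `sport => 'domain'` and no `proto` would hand `nil` to `string_to_port` here -- worth confirming against the Puppet versions in use. Today that is harmless only because, per the commit message, `string_to_port` falls back to tcp for anything that is not "tcp"/"udp", which happens to coincide with `defaultto 'tcp'`; if either side changes, a service name silently resolves against the wrong protocol and the generated rule opens or filters a different port than the manifest intended. Making the intent explicit costs one line: `@resource.string_to_port(value, @resource[:proto] || 'tcp')`. The same applies to the identical `dport` and `port` munge changes in the following hunks; the enclosing `newproperty(:sport, array_matching: :all) do` block starts and ends outside this hunk.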
@@ -465,7 +476,7 @@ Puppet::Type.newtype(:firewall) do
 end munge do |value|
- @resource.string_to_port(value, :proto)
+ @resource.string_to_port(value, @resource[:proto])
 end def to_s?(value)
@@ -568,17 +579,6 @@ Puppet::Type.newtype(:firewall) do
 }.flatten) end
- newproperty(:proto) do
- desc <<-PUPPETCODE
- The specific protocol to match for this rule.
- PUPPETCODE
-
- newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :carp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
- [proto, "! #{proto}".to_sym]
- }.flatten)
- defaultto 'tcp'
- end - # tcp-specific newproperty(:mss) do desc <<-PUPPETCODE
-- 
2.45.2