From 9540124ff7fb4fff9c112f46ad7e2f6df4045a8d Mon Sep 17 00:00:00 2001
From: Pavel Pulec
Date: Thu, 3 Mar 2016 17:08:43 +0100
Subject: [PATCH] match rules with -m ttl

---
 lib/puppet/provider/firewall/iptables.rb | 2 ++
 spec/acceptance/resource_cmd_spec.rb | 15 +++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index ac01613..dd92362 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -339,6 +339,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # PRE-PARSE CLUDGING
 ####################
 
+ # The match for ttl
+ values = values.gsub(/(!\s+)?-m ttl (!\s+)?--ttl-(eq|lt|gt) [0-9]+/, '')
 # --tcp-flags takes two values; we cheat by adding " around it
 # so it behaves like --comment
 values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
index 76a106e..19fd3af 100644
--- a/spec/acceptance/resource_cmd_spec.rb
+++ b/spec/acceptance/resource_cmd_spec.rb
@@ -150,6 +150,21 @@ describe 'puppet resource firewall command:', :unless => UNSUPPORTED_PLATFORMS.i
 end
 end
 
+ context 'accepts rules with -m ttl' do
+ before :all do
+ iptables_flush_all_tables
+ shell('iptables -t nat -A OUTPUT -s 10.0.0.0/8 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299')
+ end
+
+ it do
+ shell('puppet resource firewall') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
+ end
+ end
+ end
+
 # version of iptables that ships with el5 doesn't work with the
 # ip6tables provider
 if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
-- 
2.45.2
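Review bot: The new gsub on the second added line of the iptables.rb hunk deletes the ttl match condition from the rule string rather than modelling it, so a rule that only applies to packets with a given TTL becomes indistinguishable, after parsing, from the same rule without that restriction; the added comment `# The match for ttl` does not say this. Presumably the intent is only to stop `puppet resource firewall` from failing on such rules, but the visible effect is that puppet will report, and may compare against, a rule broader than the one actually loaded. I would replace the comment with `# -m ttl --ttl-eq/lt/gt N is not a property of this type; it is stripped so the rule still parses, which drops the TTL restriction from puppet's view of the rule (TODO: model it as a property).` The enclosing method starts and ends outside the hunk.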
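Review bot: The new `it` block in the spec hunk asserts only a zero exit code and empty stderr, so it would also pass if the provider silently skipped the `-m ttl` rule instead of parsing it; the comment on the added line explains why the whole output is not compared, but a targeted check such as `r.stdout.should match(/12299/)` would show the rule was actually reported. Whether the REDIRECT port appears in `puppet resource` output depends on how the provider renders nat rules, so confirm it against a run before adding. The `before :all` also inserts the rule into the live nat table with no matching cleanup in an `after` hook; presumably the neighbouring contexts rely on their own `iptables_flush_all_tables`, but that is worth confirming.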