From a237ef983718ea7483ff4fe17382fa7350b71cdf Mon Sep 17 00:00:00 2001
From: Simon Martin
Date: Thu, 3 Apr 2014 10:33:09 +0100
Subject: [PATCH] In lib/puppet/provider/firewall/iptables.rb we test on boolean flags when building iptables args:

# If socket is true then do not add the value as -m socket is standalone
if known_booleans.include?(res) then
if resource[res] == :true then
resource_value = nil
else
# If the property is not :true then we don't want to add the value
# to the args list
next
end
end

This evaluates to false on the reap flag in a definition like this:

firewall { '001 rate limit ssh attempts':
port => [22],
proto => tcp,
tcp_flags => "FIN,SYN,RST,ACK SYN",
recent => 'rcheck',
rsource => true,
rname => 'ssh-syn4',
rseconds => 30,
rhitcount => 3,
reap => true,
jump => drop,
}

This is because the value is not defined as a string, so the reap flag is not added to the args.
This patch defines reap as a string true or false to match others like rsource.
---
lib/puppet/type/firewall.rb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 4701e27..b2068f4 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -777,6 +777,8 @@ Puppet::Type.newtype(:firewall) do
attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true.
EOS
+
+ newvalues(:true, :false)
end
newproperty(:rhitcount, :required_features => :recent_limiting) do
--
2.45.2
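Review bot: The added `newvalues(:true, :false)` makes `false` a legal value for `reap`, but the description two context lines above still reads `Must be boolean true.`, so the property's contract is now stated wrong; change that line to `Must be boolean true or false; false leaves the reap flag out of the rule.` The diffstat shows only this file changed, so nothing pins the regression the message describes (a manifest `reap => true` producing a rule with the flag silently missing), which matters because a dropped reap option means the enforced rate-limit rule differs from the one declared in the manifest; a type or provider example asserting that `reap => true` munges to `:true` and reaches the iptables arguments would guard it. The `newproperty(:reap, ...)` block this hunk sits in begins outside the hunk, so I cannot confirm from here that `reap` is also in the provider's `known_booleans` list as the message implies.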