From a7fa78d0afe8a19548cfa74d1546c75762f287c0 Mon Sep 17 00:00:00 2001
From: EC2 Default User
Date: Thu, 7 Dec 2017 20:43:47 +0000
Subject: [PATCH] Fix error parsing rules with dashes in the chain name
---
 lib/puppet/provider/firewall/iptables.rb | 2 +-
 spec/fixtures/iptables/conversion_hash.rb | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index bc918b9..00655ea 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -394,7 +394,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 values.insert(ind, "-m set --match-set \"#{sets.join(';')}\" ")
 end
 # we do a similar thing for negated address masks (source and destination).
- values = values.gsub(%r{(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
+ values = values.gsub(%r{(?<=\s)(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
 # fix negated physdev rules
 values = values.gsub(%r{-m physdev ! (--physdev-is-\S+)}, '-m physdev \1 "!"')
 # the actual rule will have the ! mark before the option.
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 3dba7e7..42172fb 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -365,6 +365,15 @@ ARGS_TO_HASH = {
 :iniface => '! eth0',
 },
 },
+ 'iniface_2_negated' => {
+ :line => '-A CHAIN-WITH-DASH ! -i eth0 -p tcp -m comment --comment "005 iniface 2" -j DROP',
+ :table => 'filter',
+ :params => {
+ :action => 'drop',
+ :chain => 'CHAIN-WITH-DASH',
+ :iniface => '! eth0',
+ },
+ },
 'iniface_1_aliased' => {
 :line => '-A INPUT -i eth0:1 -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
-- 2.45.2
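Review bot: The new `(?<=\s)` lookbehind on the negated-option substitution needs a whitespace character in front of the option, so a negated option at the very start of `values` would no longer be rewritten; `(?<!\S)` accepts both start-of-string and a preceding space while still refusing a dash inside a chain name: `values = values.gsub(%r{(?<!\S)(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')`. Whether `values` can begin with an option is not visible, because the enclosing method starts and ends outside the hunk. The substitution also still appears to run over quoted `--comment` text, so a comment containing an option-like token followed by ` ! ` would be rewritten unless comments are masked earlier in the method; in a firewall provider a misparsed rule means Puppet's view of the ruleset differs from what is actually loaded, so that is worth confirming. A short comment above the call would help the next reader, e.g. `# the lookbehind keeps the match from starting at a dash inside a chain name such as CHAIN-WITH-DASH`.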
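Review bot: The added `iniface_2_negated` fixture covers the dashed chain name only with a negated `-i`, while the comment on the changed substitution says it exists for negated source and destination masks; a sibling entry that keeps `:chain => 'CHAIN-WITH-DASH'` but negates an address instead would pin that path as well. The `ARGS_TO_HASH` literal starts and ends outside the hunk, so an existing entry that already covers this would not be visible from here.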