From d73eea6ab99129d2f40280d7fa76fee05dcfe1b9 Mon Sep 17 00:00:00 2001
From: Nacho Barrientos
Date: Thu, 27 Jul 2017 10:55:33 +0200
Subject: [PATCH] (MODULES-5340) Understand negated match sets
This patch allows the provider to understand rules that contain negated match sets when parsing the ruleset.
---
 lib/puppet/provider/firewall/iptables.rb | 2 +-
 spec/fixtures/iptables/conversion_hash.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index b05ba43..e761259 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -375,7 +375,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # so it behaves like --comment
 values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
 # --match-set can have multiple values with weird iptables format
- if values =~ /-m set --match-set/
+ if values =~ /-m set (!\s+)?--match-set/
 values = values.gsub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set \1\2 \3')
 ind = values.index('-m set --match-set')
 sets = values.scan(/-m set --match-set ((?:!\s+)?\S* \S*)/)
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 78dfee9..d404308 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
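Review bot: The widened guard on the `if` line now accepts `-m set ! --match-set`, but the `ind = values.index('-m set --match-set')` and `sets = values.scan(...)` lines two and three below still look only for the un-negated literal; they work on a negated rule solely because the `gsub` between them moves the `!` to after `--match-set`, and nothing in the code records that dependency. A comment above that `gsub` would protect the ordering, e.g. `# normalise '! --match-set X Y' to '--match-set ! X Y' so the index/scan below see one form and the negation is kept`. Silently losing the `!` at this point would make the parsed resource describe the opposite policy (addresses inside the set rather than outside it), which is why that invariant deserves to be stated next to the code. If the supported Ruby versions allow it, `values.match?(/-m set (!\s+)?--match-set/)` avoids allocating a MatchData that is never read. The enclosing method starts and ends outside the hunk.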
@@ -344,6 +344,18 @@ ARGS_TO_HASH = {
 :iniface => 'eth0',
 },
 },
+ 'ipset_negated' => {
+ :line => '-A PREROUTING -p tcp -m multiport --dports 1094 -m comment --comment "060 ipset" -m state --state NEW -m set ! --match-set setname1 src -j DROP',
+ :table => 'filter',
+ :params => {
+ :chain => 'PREROUTING',
+ :proto => "tcp",
+ :dport => ['1094'],
+ :state => ['NEW'],
+ :ipset => ['! setname1 src'],
+ :action => 'drop',
+ },
+ },
 'iniface_1_negated' => {
 :line => '-A INPUT ! -i eth0 -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
--
2.45.2
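Review bot: The new `ipset_negated` fixture exercises a single negated set only, so the `scan` path in the provider that collects several `-m set` entries from one rule is not covered for the mixed case. A sibling entry whose `:line` carries one plain and one `!` set, expecting something like `:ipset => ['setname1 src', '! setname2 dst']` (constructed example; confirm the order the provider actually yields), would pin that behaviour and catch a regression where the negation is kept for one set but dropped for another. Separately, `:proto => "tcp"` uses double quotes while every neighbouring value in the entry is single-quoted; `:proto => 'tcp',` keeps the fixture consistent.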