From f5e79481880752810f7ac38b754ba4ea66ec7de8 Mon Sep 17 00:00:00 2001
From: Jan Vansteenkiste
Date: Wed, 22 Aug 2012 18:00:57 +0200
Subject: [PATCH] Fix parsing negated values
---
 lib/puppet/provider/firewall/iptables.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index d284568..b69af91 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -166,7 +166,10 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # --tcp-flags takes two values; we cheat by adding " around it
 # so it behaves like --comment
+ # we do a simular thing for negated address masks (source and destination).
 values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
+ values = values.sub(/-s (!)\s?(\S*)/, '-s "\1 \2"')
+ values = values.sub(/-d (!)\s?(\S*)/,'-d "\1 \2"')
 # Trick the system for booleans
 @known_booleans.each do |bool|
@@ -224,7 +227,10 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # Normalise all rules to CIDR notation.
 [:source, :destination].each do |prop|
- hash[prop] = Puppet::Util::IPCidr.new(hash[prop]).cidr unless hash[prop].nil?
+ next if hash[prop].nil?
+ m = hash[prop].match(/(!?)\s?(.*)/)
+ neg = "! " if m[1] == "!"
+ hash[prop] = "#{neg}#{Puppet::Util::IPCidr.new(m[2]).cidr}"
 end
 [:dport, :sport, :port, :state, :ctstate].each do |prop|
--
2.45.2
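Review bot: In the `@@ -166,7 +166,10 @@` hunk, the two added substitutions only recognise a negation written after the flag (`-s ! addr`), so a rule that iptables-save prints as `! -s addr`, the form newer iptables releases emit, is not rewritten and its parsing then depends on code outside this hunk. A negated address that is dropped or misread reverses what the rule matches, so both orderings should be covered, with a spec for each. The patterns also run over the whole rule string, so `-s ! x` inside a `--comment` value is rewritten too unless comment text is protected earlier, and `\S*` accepts an empty address; `values.sub(/-s (!)\s?(\S+)/, '-s "\1 \2"')` (and the same for `-d`) closes the second case. The enclosing method starts and ends outside the hunk.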
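Review bot: In the `@@ -224,7 +227,10 @@` hunk, the pattern in the `[:source, :destination]` loop is looser than the value it is meant to accept: `/(!?)\s?(.*)/` has no anchors, allows only one whitespace character after `!`, and lets the address part be empty, so `!` alone or `!` followed by two spaces reaches `Puppet::Util::IPCidr.new` as an empty or space-prefixed string. What IPCidr does with that input is not visible here, so I would tighten the match to `m = hash[prop].match(/\A(!)?\s*(\S+)\z/)` and fail with a message naming the property and value when `m` is nil, rather than letting a malformed address surface as an unrelated error or a wrongly normalised rule. `neg` currently relies on nil interpolating as an empty string; `neg = m[1] ? '! ' : ''` states that directly. The loop sits in a method whose start and end are outside the hunk, and whether the type's own munging of `source`/`destination` produces the same `! cidr` string cannot be checked from this patch.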