From 9d9b61ae38c23e8b6efa824cbc3a096058d876cd Mon Sep 17 00:00:00 2001
From: lionce
Date: Wed, 18 Sep 2019 16:22:24 +0300
Subject: [PATCH] fix negated physdev
---
 lib/puppet/provider/firewall/iptables.rb | 4 +++-
 spec/fixtures/iptables/conversion_hash.rb | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f3a334bde..47d4115a2 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -439,7 +439,7 @@ def self.rule_to_hash(line, table, counter)
 values.insert(ind, "-m addrtype --dst-type \"#{types.join(';')}\" ")
 end
 # the actual rule will have the ! mark before the option.
- values = values.gsub(%r{(!)\s*(-\S+)\s*(\S*)}, '\2 "\1 \3"')
+ values = values.gsub(%r{(!)\s*(-\S+)\s*(\S*)}, '\2 "\1 \3"') unless values.include?('--physdev')
 # we do a similar thing for negated address masks (source and destination).
 values = values.gsub(%r{(?<=\s)(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
 # fix negated physdev rules
@@ -473,6 +473,8 @@ def self.rule_to_hash(line, table, counter)
 # only replace those -f that are not followed by an l to
 # distinguish between -f and the '-f' inside of --tcp-flags.
 values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true')
+ elsif resource_map[bool].eql?(%r{'--physdev-is-\S+'})
+ values.sub(%r{'#{resource_map[bool]} "! "'}, "#{resource_map[bool]} true")
 else
 # append `true` to booleans that are not already negated (followed by "!")
 values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true")
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 0b4920a73..62d4db86b 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
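Review bot: The `unless values.include?('--physdev')` guard on the replaced line skips the `! <option>` rewrite for every option in the rule, not only the physdev ones, so a bridged rule that also carries another negated match (for example `-m physdev --physdev-in eth0 -m addrtype ! --src-type LOCAL`) silently loses that negation in the parsed result, and the provider would presumably then see a rule that differs from the one actually loaded in the kernel. Scoping the exclusion inside the pattern keeps every other negation intact: `values = values.gsub(%r{(!)\s*(-(?!-physdev)\S+)\s*(\S*)}, '\2 "\1 \3"')`, which leaves exactly the `--physdev*` tokens untouched while still rewriting `! -p`, `! -i`, `! --src-type` and the rest. Whether the physdev-specific handling announced by `# fix negated physdev rules` still receives the untouched `! --physdev-...` token after this change cannot be confirmed from the hunk, because that code and the rest of `self.rule_to_hash` lie outside it.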
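Review bot: The added `elsif` branch can never be taken: `resource_map[bool]` is interpolated as a string in the `else` branch, and `String#eql?` against a `Regexp` is always false, so a real test would have to be `resource_map[bool].start_with?('--physdev-is-')` (or `match?`). If the branch did run, its `sub` would turn `--physdev-is-in "! "` into `--physdev-is-in true`, discarding the negation that the new fixture expects as `physdev_is_in: '! '`, and its pattern carries literal single quotes that the rule text never contains. Since the `else` branch's `(?! "!")` lookahead already leaves negated booleans alone, the safer change is to drop the two added lines rather than make the branch reachable. The `if`/`elsif` chain and `self.rule_to_hash` begin and end outside the hunk.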
@@ -392,6 +392,17 @@
 src_type: ['! LOCAL'],
 },
 },
+ 'physdev_negated' => {
+ line: '-A cali-POSTROUTING -o tunl0 -m comment --comment "010 cali:JHlpT-eSqR1TvyYm" -m physdev ! --physdev-is-in -j MASQUERADE',
+ table: 'filter',
+ params: {
+ chain: 'cali-POSTROUTING',
+ outiface: 'tunl0',
+ name: '010 cali:JHlpT-eSqR1TvyYm',
+ jump: 'MASQUERADE',
+ physdev_is_in: '! ',
+ },
+ },
 'addrtype_multiple' => {
 line: '-A cali-POSTROUTING -o tunl0 -m comment --comment "000 cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE',
 table: 'filter',
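Review bot: The new `physdev_negated` fixture only covers a rule whose sole negation is `! --physdev-is-in`, so it cannot catch the provider change skipping the `!` rewrite for every other option once `--physdev` appears anywhere in the rule; add a sibling entry that combines `-m physdev ! --physdev-is-in` with another negated match such as `-m addrtype ! --src-type LOCAL` and expects both `physdev_is_in: '! '` and `src_type: ['! LOCAL']`, the same form the neighbouring fixture uses. The expected value `'! '` carries a trailing space that comes from the rewrite template rather than from any canonical value, so a one-line comment on that entry, `# trailing space is what the provider's negation rewrite emits; keep it`, would stop a later cleanup from silently breaking the case. `table: 'filter'` next to `-j MASQUERADE` mirrors the adjacent `addrtype_multiple` entry, so this appears to be a parse-only fixture where the table is not validated.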