Merge pull request #858 from lionce/MODULES-9801

MODULES-9801 - fix negated physdev
puppetlabs · Sep 18, 2019 · 996b454 · 996b454
2 parents ff2a6af + 9d9b61a
commit 996b454
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -439,7 +439,7 @@ def self.rule_to_hash(line, table, counter)
       values.insert(ind, "-m addrtype --dst-type \"#{types.join(';')}\" ")
     end
     # the actual rule will have the ! mark before the option.
-    values = values.gsub(%r{(!)\s*(-\S+)\s*(\S*)}, '\2 "\1 \3"')
+    values = values.gsub(%r{(!)\s*(-\S+)\s*(\S*)}, '\2 "\1 \3"') unless values.include?('--physdev')
     # we do a similar thing for negated address masks (source and destination).
     values = values.gsub(%r{(?<=\s)(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
     # fix negated physdev rules
@@ -473,6 +473,8 @@ def self.rule_to_hash(line, table, counter)
                  # only replace those -f that are not followed by an l to
                  # distinguish between -f and the '-f' inside of --tcp-flags.
                  values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true')
+               elsif resource_map[bool].eql?(%r{'--physdev-is-\S+'})
+                 values.sub(%r{'#{resource_map[bool]} "! "'}, "#{resource_map[bool]} true")
                else
                  # append `true` to booleans that are not already negated (followed by "!")
                  values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true")

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
@@ -392,6 +392,17 @@
       src_type: ['! LOCAL'],
     },
   },
+  'physdev_negated' => {
+    line: '-A cali-POSTROUTING -o tunl0 -m comment --comment "010 cali:JHlpT-eSqR1TvyYm" -m physdev ! --physdev-is-in -j MASQUERADE',
+    table: 'filter',
+    params: {
+      chain: 'cali-POSTROUTING',
+      outiface: 'tunl0',
+      name: '010 cali:JHlpT-eSqR1TvyYm',
+      jump: 'MASQUERADE',
+      physdev_is_in: '! ',
+    },
+  },
   'addrtype_multiple' => {
     line: '-A cali-POSTROUTING -o tunl0 -m comment --comment "000 cali:JHlpT-eSqR1TvyYm" -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE',
     table: 'filter',