Merge branch 'master' of git://github.com/puppetlabs/puppetlabs-firewall

cegeka · Jul 14, 2015 · 72d5af9 · 72d5af9
2 parents 271fce1 + 5427d80
commit 72d5af9
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 12 deletions.
diff --git a/README.markdown b/README.markdown
@@ -134,15 +134,15 @@ Rules are persisted automatically between reboots, although there are known issu
 
   ~~~puppet
   resources { 'firewall':
-    purge => true
+    purge => true,
   }
   ~~~
 
   To purge unmanaged firewall chains, also add:
 
   ~~~puppet
   resources { 'firewallchain':
-    purge => true
+    purge => true,
   }
   ~~~
 
@@ -196,17 +196,17 @@ In iptables, the title of the rule is stored using the comment feature of the un
 Basic accept ICMP request example:
 
 ~~~puppet
-firewall { "000 accept all icmp requests":
-  proto  => "icmp",
-  action => "accept",
+firewall { '000 accept all icmp requests':
+  proto  => 'icmp',
+  action => 'accept',
 }
 ~~~
 
 Drop all:
 
 ~~~puppet
-firewall { "999 drop all other requests":
-  action => "drop",
+firewall { '999 drop all other requests':
+  action => 'drop',
 }
 ~~~
 
@@ -215,7 +215,7 @@ firewall { "999 drop all other requests":
 IPv6 rules can be specified using the _ip6tables_ provider:
 
 ~~~puppet
-firewall { "006 Allow inbound SSH (v6)":
+firewall { '006 Allow inbound SSH (v6)':
   port     => 22,
   proto    => tcp,
   action   => accept,
@@ -277,7 +277,7 @@ You can apply firewall rules to specific nodes. Usually, you will want to put th
 ~~~puppet
 node 'some.node.com' {
   firewall { '111 open port 111':
-    dport => 111
+    dport => 111,
   }
 }
 ~~~
@@ -289,7 +289,7 @@ firewall { '100 snat for network foo2':
   chain    => 'POSTROUTING',
   jump     => 'MASQUERADE',
   proto    => 'all',
-  outiface => "eth0",
+  outiface => 'eth0',
   source   => '10.1.2.0/24',
   table    => 'nat',
 }
@@ -810,7 +810,7 @@ firewallchain { 'INPUT:filter:IPv4':
 
 ~~~puppet
 resources { 'firewallchain':
-  purge => true
+  purge => true,
 }
 ~~~
 

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -535,7 +535,7 @@ def update_args
 
   def delete_args
     # Split into arguments
-    line = properties[:line].gsub(/\-A /, '-D ').split(/\s(?=(?:[^"]|"[^"]*")*$)/).map{|v| v.gsub(/"/, '')}
+    line = properties[:line].gsub(/^\-A /, '-D ').split(/\s(?=(?:[^"]|"[^"]*")*$)/).map{|v| v.gsub(/"/, '')}
     line.unshift("-t", properties[:table])
   end
 

diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
@@ -2330,4 +2330,44 @@ class { '::firewall': }
     end
   end
 
+  context 'comment containing "-A "' do
+    it 'adds the rule' do
+      pp = <<-EOS
+      class { '::firewall': }
+      firewall { '700 - blah-A Test Rule':
+        jump       => 'LOG',
+        log_prefix => 'FW-A-INPUT: ',
+      }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    it 'should contain the rule' do
+      shell('iptables-save') do |r|
+        expect(r.stdout).to match(/-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "/)
+      end
+    end
+
+    it 'removes the rule' do
+      pp = <<-EOS
+      class { '::firewall': }
+      firewall { '700 - blah-A Test Rule':
+        ensure     => absent,
+        jump       => 'LOG',
+        log_prefix => 'FW-A-INPUT: ',
+      }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    it 'should not contain the rule' do
+      shell('iptables-save') do |r|
+        expect(r.stdout).to_not match(/-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "/)
+      end
+    end
+  end
+
+
 end