From b52b0eb96209b29c349d79a4fc8ca5d5acbf2eb2 Mon Sep 17 00:00:00 2001
From: Max Vozeler
Date: Mon, 16 Nov 2015 14:01:35 +0100
Subject: [PATCH] Fix handling of chain names that contain -f
---
 lib/puppet/provider/firewall/iptables.rb | 2 +-
 spec/fixtures/iptables/conversion_hash.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 27c0b362e..5835dea3e 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -356,7 +356,7 @@ def self.rule_to_hash(line, table, counter)
 # -f requires special matching:
 # only replace those -f that are not followed by an l to
 # distinguish between -f and the '-f' inside of --tcp-flags.
- values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true')
+ values = values.sub(/\s-f(?!l)(?=.*--comment)/, ' -f true')
 else
 values = values.sub(/#{resource_map[bool]}/, "#{resource_map[bool]} true")
 end
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index ac9ba9a96..bbdff8cc8 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -573,6 +573,14 @@
 :clamp_mss_to_pmtu => true,
 },
 },
+ 'mangled_chain_name_with_-f' => {
+ :line => '-A foo-filter -p tcp -m comment --comment "068 chain name containing -f" -j ACCEPT',
+ :params => {
+ :name => '068 chain name containing -f',
+ :action => 'accept',
+ :chain => 'foo-filter',
+ },
+ },
 }
 # This hash is for testing converting a hash to an argument line.
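Review bot: The new pattern in `rule_to_hash` anchors `-f` on the left with `\s` but still has no right-hand boundary, so a whitespace-preceded token that merely begins with `-f` (and is not followed by `l`) would still be rewritten to ` -f true`. Requiring whitespace on both sides, e.g. `values = values.sub(/\s-f(?=\s)(?=.*--comment)/, ' -f true')`, matches only the standalone flag and makes the `(?!l)` special case redundant, since `--tcp-flags` is already excluded by the leading `\s`. The comment above the line still describes the old "not followed by an l" rule and should be updated to say that `-f` must be a whole token, for example `# match -f only as a standalone token so chain names and --tcp-flags are left alone`. A misread here makes the provider report a fragment match the rule does not have, so the tighter anchor is worth the extra lookahead; the method body starts and ends outside the hunk, so how `values` is built beforehand should be confirmed.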
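Review bot: Missing from the new fixture is the combined case: a chain name containing `-f` together with a genuine standalone `-f` flag on the same line. Because `sub` rewrites only the first match, that is the input where the old pattern would have consumed the chain name and left the real flag unmarked, so a second entry that expects the fragment property to be set for such a line would pin the fix more directly. The surrounding hash literal opens outside the hunk, so coverage of plain `-f` rules may already exist elsewhere in the file.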