add negation support for ipset

xbezdick · Oct 19, 2014 · e55d4ec · e55d4ec
1 parent 52d8287
commit e55d4ec
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -225,7 +225,7 @@ def self.rule_to_hash(line, table, counter)
     # so it behaves like --comment
     values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
     # ditto for --match-set
-    values = values.sub(/--match-set (\S*) (\S*)/, '--match-set "\1 \2"')
+    values = values.sub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"')
     # we do a similar thing for negated address masks (source and destination).
     values = values.gsub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
     # the actual rule will have the ! mark before the option.
@@ -331,6 +331,7 @@ def self.rule_to_hash(line, table, counter)
       :dport,
       :dst_range,
       :dst_type,
+      :ipset,
       :port,
       :proto,
       :source,