Treat tcpmss match extension as a match extension

greatflyingsteve · greatflyingsteve · commit 18f575b71e1b · 2023-05-26T01:41:45.000-07:00
The ip[6]tables providers understand handling extension modules; treat
tcpmss as an extension module, rather than mangling its matcher
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -142,7 +142,7 @@ def self.iptables_save(*args)
     match_mark: '-m mark --mark',
     name: '-m comment --comment',
     mac_source: ['-m mac --mac-source', '--mac-source'],
-    mss: '-m tcpmss --mss',
+    mss: '--mss',
     nflog_group: '--nflog-group',
     nflog_prefix: '--nflog-prefix',
     nflog_range: '--nflog-range',
@@ -276,6 +276,7 @@ def self.iptables_save(*args)
     iprange: [:src_range, :dst_range],
     owner: [:uid, :gid],
     condition: [:condition],
+    tcpmss: [:mss],
     conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
                 :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
     time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
@@ -357,8 +358,8 @@ def self.iptables_save(*args)
       context_start: '-j SYNPROXY',
     },
     mss: {
-      # Extra starting space because the matcher for :mss includes '-m tcpmss',
-      # and the search for it prefixes the matcher with a space
+      # Extra starting space because '-m tcpmss' gets prepended to the matcher for :mss before parse,
+      # and the search for it while building the parser list prefixes the matcher with a space
       context_start: ' -m tcpmss',
       context_end: %r{ -[mgj] },
     },
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -130,7 +130,7 @@
     mac_source: ['-m mac --mac-source', '--mac-source'],
     mask: '--mask',
     match_mark: '-m mark --mark',
-    mss: '-m tcpmss --mss',
+    mss: '--mss',
     name: '-m comment --comment',
     nflog_group: '--nflog-group',
     nflog_prefix: '--nflog-prefix',
@@ -276,6 +276,7 @@
     iprange: [:src_range, :dst_range],
     owner: [:uid, :gid],
     condition: [:condition],
+    tcpmss: [:mss],
     conntrack: [:ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
                 :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir],
     time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
@@ -393,8 +394,8 @@ def munge_resource_map_from_resource(resource_map_original, compare)
       context_start: '-j SYNPROXY',
     },
     mss: {
-      # Extra starting space because the matcher for :mss includes '-m tcpmss',
-      # and the search for it prefixes the matcher with a space
+      # Extra starting space because '-m tcpmss' gets prepended to the matcher for :mss before parse,
+      # and the search for it while building the parser list prefixes the matcher with a space
       context_start: ' -m tcpmss',
       context_end: %r{ -[mgj] },
     },
