From 3c381b38c08eb6e8c3570fa18d1ee26d4bd1f7ce Mon Sep 17 00:00:00 2001
From: Shubham Shinde
Date: Wed, 6 Aug 2025 12:38:41 +0530
Subject: [PATCH] (MODULES-11580) Do not combine stderr and stdout when scanning rules

- We get the output of 'ip(6)tables-save' and parse the contents to get the iptables rules.
- When stderr is combined with stdout, the output of the command can be unexpected causing issues when parsing.
- This commit disables the combination of stdout and stderr for this reason.
- Setting 'failonfail' makes sure that any error returned by 'ip(6)tables-save' command is reported as failure to the user without attempting to parse its output.
- Adjust rspecs accordingly.
---
 lib/puppet/provider/firewall/firewall.rb | 2 +-
 .../puppet/provider/firewall/firewall_output_parsing_spec.rb | 4 ++--
 spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/puppet/provider/firewall/firewall.rb b/lib/puppet/provider/firewall/firewall.rb
index 0121693e0..48e5c7e4d 100644
--- a/lib/puppet/provider/firewall/firewall.rb
+++ b/lib/puppet/provider/firewall/firewall.rb
@@ -472,7 +472,7 @@ def self.get_rules(context, basic, protocols = ['IPv4', 'IPv6'])
 # For each protocol
 protocols.each do |protocol|
 # Retrieve String containing all information
- iptables_list = Puppet::Provider.execute($list_command[protocol])
+ iptables_list = Puppet::Provider.execute($list_command[protocol], combine: false, failonfail: true)
 # Scan String to retrieve all Rules
 iptables_list.scan($table_regex).each do |table|
 table_name = table[0].scan($table_name_regex)[0][0]
diff --git a/spec/unit/puppet/provider/firewall/firewall_output_parsing_spec.rb b/spec/unit/puppet/provider/firewall/firewall_output_parsing_spec.rb
index 6b582c344..d5bbe235c 100644
--- a/spec/unit/puppet/provider/firewall/firewall_output_parsing_spec.rb
+++ b/spec/unit/puppet/provider/firewall/firewall_output_parsing_spec.rb
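Review bot: The new `execute` call in get_rules passes `combine: false`, and as far as I know Puppet's execute then sends the command's stderr to the null device instead of returning it, so anything `ip(6)tables-save` prints there on a successful run is no longer seen by anyone. A warning on stderr may mean the dump being parsed is not the complete rule set, which is worth surfacing to the operator rather than dropping. I would at least document the choice above the call, e.g. `# stderr is discarded (combine: false) so only the stdout dump is parsed; a non-zero exit raises because of failonfail: true`, and consider capturing stderr separately and logging it through `context`. The rest of get_rules lies outside the hunk, so any handling further down is not visible here.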
@@ -344,8 +344,8 @@
 end
 it 'processes the resource' do
- allow(Puppet::Util::Execution).to receive(:execute).with('iptables-save').and_return(iptables)
- allow(Puppet::Util::Execution).to receive(:execute).with('ip6tables-save').and_return(ip6tables)
+ allow(Puppet::Util::Execution).to receive(:execute).with('iptables-save', { combine: false, failonfail: true }).and_return(iptables)
+ allow(Puppet::Util::Execution).to receive(:execute).with('ip6tables-save', { combine: false, failonfail: true }).and_return(ip6tables)
 expect(provider.get(context)).to eq(returned_data)
 end
diff --git a/spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb b/spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb
index eb3d1cc6f..804bfb47f 100644
--- a/spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb
+++ b/spec/unit/puppet/provider/firewallchain/firewallchain_spec.rb
@@ -326,8 +326,8 @@
 },
 ].each do |test|
 before(:each) do
- allow(Puppet::Util::Execution).to receive(:execute).with('iptables-save').and_return(iptables)
- allow(Puppet::Util::Execution).to receive(:execute).with('ip6tables-save').and_return(ip6tables)
+ allow(Puppet::Util::Execution).to receive(:execute).with('iptables-save', { combine: false, failonfail: true }).and_return(iptables)
+ allow(Puppet::Util::Execution).to receive(:execute).with('ip6tables-save', { combine: false, failonfail: true }).and_return(ip6tables)
 end
 it "purge chain: '#{test[:should]}'" do
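Review bot: The updated stubs here and in the firewallchain_spec.rb hunk below only pin the new argument list on the success path; nothing visible exercises the failure behaviour the commit message relies on. An example where the stub raises would keep a later refactor from quietly going back to parsing partial output, for instance `allow(Puppet::Util::Execution).to receive(:execute).with('iptables-save', { combine: false, failonfail: true }).and_raise(Puppet::ExecutionFailure, 'constructed failure')` followed by `expect { provider.get(context) }.to raise_error(Puppet::ExecutionFailure)`. Whether `get` propagates the error or wraps it is not visible in these hunks, so the expectation may need adjusting. The `it` and `before` blocks in both hunks start or end outside the visible lines.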