Firewall chains can't have "-A" in their names or the firewall rule regex gets confused

[minorOffense]

Describe the Bug

When debugging the upgrade to the v7 of puppetlabs-firewall our rules stopped working. We were getting

Creating: Failed after 0.012428 seconds: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Coldfront::Firewall/Firewall_multi[006 Blocked IPs (tcp)]/Firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Could not evaluate: Execution encountered an error

After a lot of debugging, I found that the regex in def self.rule_to_name was getting confused with the -A in our firewall chain named COLDFRONT-ACCESS.

See the debug output I had added here:

Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: List command execute result "# Generated by iptables-save v1.8.8 (nf_tables) on Tue Oct 24 18:06:03 2023\n*filter\n:INPUT ACCEPT [40051:14954037]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [270851:177330168]\n:COLDFRONT-ACCESS - [0:0]\n:DROPFORT-ACCESS - [0:0]\n:DROPFORT-DENY - [0:0]\n:DROPFORT-SMURF-PROTECTION - [0:0]\n:DROPFORT-SYN-FLOOD - [0:0]\n:DROPFORT-TCP-DDOS - [0:0]\n:DROPFORT-UNMANAGED - [0:0]\n:ZABBIX-AGENT - [0:0]\n-A INPUT -p icmp -j ACCEPT\nCOMMIT\n# Completed on Tue Oct 24 18:06:03 2023\n"
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Listing for table *filter
:INPUT ACCEPT [40051:14954037]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [270851:177330168]
:COLDFRONT-ACCESS - [0:0]
:DROPFORT-ACCESS - [0:0]
:DROPFORT-DENY - [0:0]
:DROPFORT-SMURF-PROTECTION - [0:0]
:DROPFORT-SYN-FLOOD - [0:0]
:DROPFORT-TCP-DDOS - [0:0]
:DROPFORT-UNMANAGED - [0:0]
:ZABBIX-AGENT - [0:0]
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Tue Oct 24 18:06:03 2023

Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: This is a Rule ["-ACCESS - [0:0]"]
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: is a name
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: past resource map
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Name Value is
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Rule hash is {:ensure=>"present", :table=>"filter", :protocol=>"IPv4"}
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Resource map is -A
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Chain regex (?-mix:-A\s(\S+))
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: this is the rule -ACCESS - [0:0]
Notice: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Chain scan layers []
Error: firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Creating: Failed after 0.012428 seconds: undefined method `[]' for nil:NilClass
Error: /Stage[main]/Coldfront::Firewall/Firewall_multi[006 Blocked IPs (tcp)]/Firewall[006 Blocked IPs (tcp) from 50.63.2.0]: Could not evaluate: Execution encountered an error

You can see it thought the name of the chain was a firewall rule.

Expected Behavior

Allow any valid string to be used as a firewall chain name.

Steps to Reproduce

1. Create a firewall chain named SOMETHING-ACCESS
2. Try to add a firewall rule that jumps to that chain

Environment

• Version 7.0.2
• Platform Rocky 9

Additional Context

It also matches on the ":ZABBIX-AGENT - [0:0]" string too.

These firewall chain names worked in earlier versions just fine as well.

[minorOffense]

And I guess one last note, this bug is present event with non-puppet generated chains. So if someone is manually maintaining part of a firewall and they have a chain with a -A in the name they can't run puppet firewall. Doesn't matter if you reference it or not, the fact that it is in the firewall causes the bug.

[linuxdaemon]

Can confirm this is affecting my environment as well. I am using puppet to manage nodes for a kubernetes cluster and the cluster generates chains such as KUBE-SEP-A3JRT2JPMZOSOL3K by default, resulting in this same issue. This is still an issue on v8.0.2, on Ubuntu 22.04.

[chrisongthb]

#1210 works in our environment on Ubuntu 22.04 & 20.04 k8s nodes.

[EnigmaticCypher]

This can be closed, the MR above fixes the issue.