From 4366fa8b1411c57e0c37a86f078e958d05fc8b51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Harald=20Jens=C3=A5s?= Date: Mon, 14 May 2018 20:51:12 +0200 Subject: [PATCH] Fix duplicate entries in /etc/sysconfig/iptables Commit e49688be9844b9ae32e14747ad95a07be0fa142c introduced filters for ephemeral firewall rules managed by Ironic Inspectors iptables PXE filter. These new filters cause duplicate entries in the persisted firewall rules. sed expression '/-m comment --comment/p' was used to ensure the ironic-inspector api port is not accidentally removed. But the expression also matches several other entries causing duplicates to be written. This change enhances the expression to check for '-m comment --comment' and 'ironic-inspector'. Related-Bug: #1771128 Change-Id: I6ac397e786f66e33c523edb94613181040c15f19
---
.../post-configure.d/80-seedstack-masquerade | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade b/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade
index 4e49b23ab..e414a927a 100755
--- a/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade
+++ b/elements/undercloud-install/os-refresh-config/post-configure.d/80-seedstack-masquerade
@@ -32,10 +32,10 @@ fi
 # https://bugs.launchpad.net/tripleo/+bug/1765700
 if /bin/test -f /etc/sysconfig/iptables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/iptables | /bin/grep -q ironic-inspector
 then
- /bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/iptables
+ /bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/iptables
 fi
 if /bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v "\-m comment \--comment" /etc/sysconfig/ip6tables | /bin/grep -q ironic-inspector
 then
- /bin/sed -i "/-m comment --comment/p;/ironic-inspector/d" /etc/sysconfig/ip6tables
+ /bin/sed -i "/-m comment --comment.*ironic-inspector/p;/ironic-inspector/d" /etc/sysconfig/ip6tables
 fi
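Review bot: Both new `sed -i` lines rewrite the persisted rule files in place with no backup and no check of the result, so a wrong match silently changes what the firewall loads on the next restore. The keep pattern `-m comment --comment.*ironic-inspector` is order-dependent: it matches only when `ironic-inspector` follows the comment option on the line, and any other line containing that string is deleted by `/ironic-inspector/d`; a one-line comment stating that only the commented API-port rule is meant to survive would make this intent reviewable. Consider `sed -i.bak` and then `iptables-restore --test < /etc/sysconfig/iptables` (`ip6tables-restore --test` for the second file) before the backup is discarded. Duplicates already written by the earlier expression stay in the files, since the new expression only stops adding more.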