Make options for '-m rpfilter' work correctly

Parse the trailing arguments to '-m rpfilter' out of existing rules.
Prior behavior included the '--' prefix along with the options
themselves when pulling them out of the rule.

For ip6tables, the provider could not correctly generate an ip6tables
commandline that included '-m rpfilter' at all - its inclusion in the
known booleans array precluded its options being expanded or included at
all.

Additionally:
- Using a comma rather than a space as a separator character in the
  pre-parse munging doesn't require any quotes, nor does it require any
  new post-parse munging when there is already an existing iterator to
  handle splitting of comma-separated multiple elements into arrays
- '-m rpfilter' on its own is supposed to be valid, and in fact is used
  in exactly this style of invocation in the examples included in 'man
  iptables-extensions'; but support for '-m rpfilter' in this module is
  limited to uses that include one or more modifying arguments.  When
  this is eventually fixed (which I do not have time to do right now),
  the updated pre-parse munge logic will work with no further alteration
- Adjusting the regex used by String#scan to capture the arguments to
  treat its capture groups differently SIGNIFICANTLY simplifies the
  logic around substitutions for the pre-parse munge such that no
  additional branching is required, and the operation is still safe

Author: greatflyingsteve

lib/puppet/provider/firewall/ip6tables.rb

@@ -243,7 +243,6 @@ def self.iptables_save(*args)
     :rsource,
     :rdest,
     :reap,
-    :rpfilter,
     :rttl,
     :socket,
     :physdev_is_bridged,

lib/puppet/provider/firewall/iptables.rb

@@ -581,15 +581,9 @@ def self.rule_to_hash(line, table, counter)
         (\s--next)?}x,
                         '--pol "ipsec\1\2\3\4\5\6\7\8" ')
 
-    # rpfilter also takes multiple parameters; use quote trick again
-    rpfilter_opts = values.scan(%r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+})
-    if rpfilter_opts && rpfilter_opts.length == 1 && rpfilter_opts[0]
-      rpfilter_opts = rpfilter_opts[0][1..-1].reject { |x| x.nil? }
-      values = values.sub(
-        %r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+},
-        "-m rpfilter \"#{rpfilter_opts.join(' ')}\"",
-      )
-    end
+    # rpfilter can take multiple parameters; if present, strip and comma-join them.
+    rpfilter_opts = values.scan(%r{-m\srpfilter(?:\s--(loose)|\s--(validmark)|\s--(accept-local)|\s--(invert))+}).flatten.compact
+    values.sub!(%r{-m\srpfilter(?:\s--(?:loose|validmark|accept-local|invert))+}, "-m rpfilter #{rpfilter_opts.join(',')}")
 
     # on some iptables versions, --connlimit-saddr switch is added after the rule is applied
     values = values.gsub(%r{--connlimit-saddr}, '')
@@ -681,16 +675,14 @@ def self.rule_to_hash(line, table, counter)
     # POST PARSE CLUDGING
     #####################
 
-    [:dport, :sport, :port, :state, :ctstate, :ctstatus].each do |prop|
+    [:dport, :sport, :port, :state, :ctstate, :ctstatus, :rpfilter].each do |prop|
       hash[prop] = hash[prop].split(',') unless hash[prop].nil?
     end
 
     [:ipset, :dst_type, :src_type].each do |prop|
       hash[prop] = hash[prop].split(';') unless hash[prop].nil?
     end
 
-    hash[:rpfilter] = hash[:rpfilter].split(' ') unless hash[:rpfilter].nil?
-
     ## clean up DSCP class to HEX mappings
     valid_dscp_classes = {
       '0x0a' => 'af11',