From c1da427a5ec678f052fd2cd4885840c4d761946a Mon Sep 17 00:00:00 2001
From: Amin Vakil <info@aminvakil.com>
Date: Mon, 9 Nov 2020 22:10:55 +0330
Subject: [PATCH] iptables: Reorder comment postition (#71496)

* Reorder comment postition

* Add comment unit test

* Fix unit test

* Fix unit test

* Add changelog

* Add paramaters which would be problematic without this fix

* Fix typo

* Fix unit test

* Fix unit test
---
 ...1496-iptables-reorder-comment-position.yml |  2 +
 lib/ansible/modules/iptables.py               |  4 +-
 test/units/modules/test_iptables.py           | 41 +++++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/71496-iptables-reorder-comment-position.yml

diff --git a/changelogs/fragments/71496-iptables-reorder-comment-position.yml b/changelogs/fragments/71496-iptables-reorder-comment-position.yml
new file mode 100644
index 00000000000..942edb22a7c
--- /dev/null
+++ b/changelogs/fragments/71496-iptables-reorder-comment-position.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - iptables - reorder comment postition to be at the end (https://github.com/ansible/ansible/issues/71444).
diff --git a/lib/ansible/modules/iptables.py b/lib/ansible/modules/iptables.py
index f0b60ed9584..1d91d183e12 100644
--- a/lib/ansible/modules/iptables.py
+++ b/lib/ansible/modules/iptables.py
@@ -560,8 +560,6 @@ def construct_rule(params):
         '--set-dscp-class',
         False)
     append_match_flag(rule, params['syn'], '--syn', True)
-    append_match(rule, params['comment'], 'comment')
-    append_param(rule, params['comment'], '--comment', False)
     if 'conntrack' in params['match']:
         append_csv(rule, params['ctstate'], '--ctstate')
     elif 'state' in params['match']:
@@ -593,6 +591,8 @@ def construct_rule(params):
         params['icmp_type'],
         ICMP_TYPE_OPTIONS[params['ip_version']],
         False)
+    append_match(rule, params['comment'], 'comment')
+    append_param(rule, params['comment'], '--comment', False)
     return rule
 
 
diff --git a/test/units/modules/test_iptables.py b/test/units/modules/test_iptables.py
index 68a80d20130..25a157e552c 100644
--- a/test/units/modules/test_iptables.py
+++ b/test/units/modules/test_iptables.py
@@ -876,3 +876,44 @@ class TestIptables(ModuleTestCase):
             '-j',
             'ACCEPT'
         ])
+
+    def test_comment_position_at_end(self):
+        """Test flush without parameters"""
+        set_module_args({
+            'chain': 'INPUT',
+            'jump': 'ACCEPT',
+            'action': 'insert',
+            'ctstate': ['NEW'],
+            'comment': 'this is a comment',
+            '_ansible_check_mode': True,
+        })
+
+        commands_results = [
+            (0, '', ''),
+        ]
+
+        with patch.object(basic.AnsibleModule, 'run_command') as run_command:
+            run_command.side_effect = commands_results
+            with self.assertRaises(AnsibleExitJson) as result:
+                iptables.main()
+                self.assertTrue(result.exception.args[0]['changed'])
+
+        self.assertEqual(run_command.call_count, 1)
+        self.assertEqual(run_command.call_args_list[0][0][0], [
+            '/sbin/iptables',
+            '-t',
+            'filter',
+            '-C',
+            'INPUT',
+            '-j',
+            'ACCEPT',
+            '-m',
+            'conntrack',
+            '--ctstate',
+            'NEW',
+            '-m',
+            'comment',
+            '--comment',
+            'this is a comment'
+        ])
+        self.assertEqual(run_command.call_args[0][0][14], 'this is a comment')