* `ip6tables`: Ip6tables type provider
* Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
has_feature :socket
has_feature :address_type
has_feature :iprange
+ has_feature :ipsec_dir
+ has_feature :ipsec_policy
optional_commands({
:ip6tables => 'ip6tables',
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
:iniface => "-i",
+ :ipsec_dir => "-m policy --dir",
+ :ipsec_policy => "--pol",
:isfirstfrag => "-m frag --fragid 0 --fragfirst",
:ishasmorefrags => "-m frag --fragid 0 --fragmore",
:islastfrag => "-m frag --fragid 0 --fraglast",
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
:tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type,
- :src_type, :socket, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit,
- :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname,
- :rsource, :rdest, :jump, :todest, :tosource, :toports, :log_level,
- :log_prefix, :reject, :connlimit_above, :connlimit_mask, :connmark]
+ :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
+ :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
+ :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
+ :toports, :log_level, :log_prefix, :reject, :connlimit_above,
+ :connlimit_mask, :connmark]
end
end
end
+ describe 'ipsec_policy' do
+ context 'ipsec' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '607 - test':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'OUTPUT',
+ destination => '2001:db8::1/128',
+ ipsec_dir => 'out',
+ ipsec_policy => 'ipsec',
+ proto => 'all',
+ reject => 'icmp6-adm-prohibited',
+ table => 'filter',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "607 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp6-adm-prohibited/)
+ end
+ end
+ end
+
+ context 'none' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '608 - test':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'OUTPUT',
+ destination => '2001:db8::1/128',
+ ipsec_dir => 'out',
+ ipsec_policy => 'none',
+ proto => 'all',
+ reject => 'icmp6-adm-prohibited',
+ table => 'filter',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "608 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp6-adm-prohibited/)
+ end
+ end
+ end
+ end
+
+ describe 'ipsec_dir' do
+ context 'out' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '609 - test':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'OUTPUT',
+ destination => '2001:db8::1/128',
+ ipsec_dir => 'out',
+ ipsec_policy => 'ipsec',
+ proto => 'all',
+ reject => 'icmp6-adm-prohibited',
+ table => 'filter',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "609 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp6-adm-prohibited/)
+ end
+ end
+ end
+
+ context 'in' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '610 - test':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'INPUT',
+ destination => '2001:db8::1/128',
+ ipsec_dir => 'in',
+ ipsec_policy => 'none',
+ proto => 'all',
+ reject => 'icmp6-adm-prohibited',
+ table => 'filter',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "610 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp6-adm-prohibited/)
+ end
+ end
+ end
+ end
+
# ip6tables only support addrtype on a limited set of platforms
if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
['dst_type', 'src_type'].each do |type|
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff