end
end
- describe 'ipsec_policy' do
- context 'when ipsec' do
- pp80 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '593 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'OUTPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'out',
- ipsec_policy => 'ipsec',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp80, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "593 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
-
- context 'when none' do
- pp81 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '594 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'OUTPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'out',
- ipsec_policy => 'none',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp81, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol none -m comment --comment "594 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
- end
-
- describe 'ipsec_dir' do
- context 'when out' do
- pp82 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '595 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'OUTPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'out',
- ipsec_policy => 'ipsec',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp82, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
-
- context 'when in' do
- pp83 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '596 - test':
- ensure => 'present',
- action => 'reject',
- chain => 'INPUT',
- destination => '20.0.0.0/8',
- ipsec_dir => 'in',
- ipsec_policy => 'none',
- proto => 'all',
- reject => 'icmp-net-unreachable',
- table => 'filter',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp83, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - test" -j REJECT --reject-with icmp-net-unreachable})
- end
- end
- end
- end
-
describe 'recent' do
context 'when set' do
pp84 = <<-PUPPETCODE
end
end
end
-
- context 'when log_prefix containing -A' do
- pp91 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test':
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'adds the rule' do
- apply_manifest(pp91, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - test" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
-
- pp92 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test':
- ensure => absent,
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'removes the rule' do
- apply_manifest(pp92, catch_failures: true)
- end
-
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m comment --comment "700 - test" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
- end
-
- context 'when log_uid is true' do
- pp93 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test log_uid':
- chain => 'OUTPUT',
- jump => 'LOG',
- log_uid => true,
- }
- PUPPETCODE
- it 'adds the rule' do
- apply_manifest(pp93, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid})
- end
- end
-
- pp94 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - test log_uid':
- chain => 'OUTPUT',
- jump => 'LOG',
- log_uid => false,
- ensure => absent,
- }
- PUPPETCODE
- it 'removes the rule' do
- apply_manifest(pp94, catch_failures: true)
- end
-
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j --log-uid})
- end
- end
- end
-
- context 'when comment containing "-A "' do
- pp95 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - blah-A Test Rule':
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'adds the rule' do
- apply_manifest(pp95, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
-
- pp96 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '700 - blah-A Test Rule':
- ensure => absent,
- jump => 'LOG',
- log_prefix => 'FW-A-INPUT: ',
- }
- PUPPETCODE
- it 'removes the rule' do
- apply_manifest(pp96, catch_failures: true)
- end
-
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
- end
- end
- end
end
action => accept,
isfragment => true,
}
+ firewall { '595 - ipsec_policy ipsec and out':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'OUTPUT',
+ destination => '20.0.0.0/8',
+ ipsec_dir => 'out',
+ ipsec_policy => 'ipsec',
+ proto => 'all',
+ reject => 'icmp-net-unreachable',
+ table => 'filter',
+ }
+ firewall { '596 - ipsec_policy none and in':
+ ensure => 'present',
+ action => 'reject',
+ chain => 'INPUT',
+ destination => '20.0.0.0/8',
+ ipsec_dir => 'in',
+ ipsec_policy => 'none',
+ proto => 'all',
+ reject => 'icmp-net-unreachable',
+ table => 'filter',
+ }
+ firewall { '700 - blah-A Test Rule':
+ jump => 'LOG',
+ log_prefix => 'FW-A-INPUT: ',
+ }
+ firewall { '701 - log_uid':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => true,
+ }
firewall { '801 - gid root':
chain => 'OUTPUT',
action => accept,
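Review bot: The consolidated manifest at lines 256–264 adds the `700 - blah-A Test Rule` and `701 - log_uid` resources with the default `ensure => present` only, so the `ensure => absent` round trip that the old standalone contexts ran (re-apply with `ensure => absent`, then assert `iptables-save` no longer matches) is no longer exercised anywhere visible in this diff; the assertions in the hunk ending at line 282 are likewise positive matches only. That removal path is the one that depends on the provider correctly locating an existing rule whose comment or log prefix itself contains `-A`, which appears to be what these cases were added to cover. If the removal checks now live elsewhere, a comment such as `# removal of rules whose comment/log_prefix contains "-A" is covered in <file>` above `firewall { '700 - blah-A Test Rule':` would make that clear; otherwise a second manifest applying `ensure => absent` to these two rules with a `not_to match` expectation for each would restore the coverage. The enclosing heredoc and describe block start before this hunk.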
it 'isfragment is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --ports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
end
+ it 'ipsec_policy ipsec and dir out' do
+ expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
+ end
+ it 'ipsec_policy none and dir in' do
+ expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
+ end
+ it 'comment containing "-A "' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
+ end
+ it 'set log_uid' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
+ end
it 'gid set to root' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
end
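Review bot: The destination patterns on lines 272 and 275 leave the dots in `20.0.0.0` unescaped while escaping them in the `255\.0\.0\.0` alternative, so `.` matches any character there and the assertion is looser than it looks; `20\.0\.0\.0\/(8|255\.0\.0\.0)` keeps both halves consistent. This was carried over from the removed regexes rather than introduced here, so it is a cleanup rather than a regression. The enclosing `it`/`describe` structure for these expectations begins outside the hunk.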