end
describe 'src_range' do
- context 'when 192.168.1.1-192.168.1.10' do
- pp10 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '557 - test':
- proto => tcp,
- port => '557',
- action => accept,
- src_range => '192.168.1.1-192.168.1.10',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp10, catch_failures: true)
- apply_manifest(pp10, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --ports 557 -m comment --comment "557 - test" -j ACCEPT})
- end
- end
- end
-
# Invalid IP
context 'when 392.168.1.1-192.168.1.10' do
pp11 = <<-PUPPETCODE
end
describe 'destination' do
- context 'when 192.168.2.0/24' do
- pp12 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '558 - test':
- proto => tcp,
- port => '558',
- action => accept,
- destination => '192.168.2.0/24',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp12, catch_failures: true)
- apply_manifest(pp12, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when ! 192.168.2.0/24' do
- pp13 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '558 - test':
- proto => tcp,
- port => '558',
- action => accept,
- destination => '! 192.168.2.0/24',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp13, catch_failures: true)
- apply_manifest(pp13, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT})
- end
- end
- end
-
# Invalid address
context 'when 256.168.2.0/24' do
pp14 = <<-PUPPETCODE
end
describe 'dst_range' do
- context 'when 192.168.1.1-192.168.1.10' do
- pp15 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '559 - test':
- proto => tcp,
- port => '559',
- action => accept,
- dst_range => '192.168.1.1-192.168.1.10',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp15, catch_failures: true)
- apply_manifest(pp15, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - test" -j ACCEPT})
- end
- end
- end
-
# Invalid IP
context 'when 392.168.1.1-192.168.1.10' do
pp16 = <<-PUPPETCODE
end
describe 'sport' do
- context 'when single port' do
- pp17 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '560 - test':
- proto => tcp,
- sport => '560',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp17, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560 -m comment --comment "560 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when multiple ports' do
- pp18 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '560 - test':
- proto => tcp,
- sport => '560-561',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp18, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560:561 -m comment --comment "560 - test" -j ACCEPT})
- end
- end
- end
-
context 'when invalid ports' do
pp19 = <<-PUPPETCODE
class { '::firewall': }
end
describe 'dport' do
- context 'when single port' do
- pp20 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '561 - test':
- proto => tcp,
- dport => '561',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp20, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561 -m comment --comment "561 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when multiple ports' do
- pp21 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '561 - test':
- proto => tcp,
- dport => '561-562',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp21, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561:562 -m comment --comment "561 - test" -j ACCEPT})
- end
- end
- end
-
context 'when invalid ports' do
pp22 = <<-PUPPETCODE
class { '::firewall': }
end
describe 'port' do
- context 'when single port' do
- pp23 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '562 - test':
- proto => tcp,
- port => '562',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp23, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562 -m comment --comment "562 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when multiple ports' do
- pp24 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '562 - test':
- proto => tcp,
- port => '562-563',
- action => accept,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp24, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - test" -j ACCEPT})
- end
- end
- end
-
context 'when invalid ports' do
pp25 = <<-PUPPETCODE
class { '::firewall': }
connmark => '0x1',
action => reject,
}
+ firewall { '550 - destination':
+ proto => tcp,
+ port => '550',
+ action => accept,
+ destination => '192.168.2.0/24',
+ }
+ firewall { '551 - destination negated':
+ proto => tcp,
+ port => '551',
+ action => accept,
+ destination => '! 192.168.2.0/24',
+ }
firewall { '556 - source':
proto => tcp,
port => '556',
action => accept,
source => '! 192.168.2.0/24',
}
+ firewall { '558 - src_range':
+ proto => tcp,
+ port => '558',
+ action => accept,
+ src_range => '192.168.1.1-192.168.1.10',
+ }
+ firewall { '559 - dst_range':
+ proto => tcp,
+ port => '559',
+ action => accept,
+ dst_range => '192.168.1.1-192.168.1.10',
+ }
+ firewall { '560 - sport range':
+ proto => tcp,
+ sport => '560-561',
+ action => accept,
+ }
+ firewall { '561 - dport range':
+ proto => tcp,
+ dport => '561-562',
+ action => accept,
+ }
+ firewall { '562 - port range':
+ proto => tcp,
+ port => '562-563',
+ action => accept,
+ }
firewall { '801 - gid root':
chain => 'OUTPUT',
action => accept,
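Review bot: Single-value `sport` and `dport` coverage is dropped by this consolidation: the removed `when single port` contexts (pp17 and pp20) asserted `--sports 560` and `--dports 561`, but the resources added here (`560 - sport range`, `561 - dport range`) exercise only the range form, and no other visible rule sets a single `sport` or `dport` (single `port` is still covered indirectly by rules such as `556 - source`). Unless a single-value sport/dport rule exists elsewhere in this manifest, add one resource for each here and matching expectations in the later `it` hunk, e.g. `expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 563 -m comment --comment "563 - sport single" -j ACCEPT})`. The `pp` heredoc these rules live in starts and ends outside the hunk.
```ruby
# … unchanged: existing rules up to '562 - port range' …
# 563/564 are constructed sample numbers — choose values not used by other rules in this manifest
firewall { '563 - sport single':
  proto  => tcp,
  sport  => '563',
  action => accept,
}
firewall { '564 - dport single':
  proto  => tcp,
  dport  => '564',
  action => accept,
}
# … unchanged: '801 - gid root' and following rules …
```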
it 'contains connmark' do
expect(result.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - connmark" -j REJECT --reject-with icmp-port-unreachable})
end
+ it 'destination is set' do
+ expect(result.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 550 -m comment --comment "550 - destination" -j ACCEPT})
+ end
+ it 'destination is negated' do
+ expect(result.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 551 -m comment --comment "551 - destination negated" -j ACCEPT})
+ end
it 'source is set' do
expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - source" -j ACCEPT})
end
it 'source is negated' do
expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 557 -m comment --comment "557 - source negated" -j ACCEPT})
end
+ it 'src_range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --ports 558 -m comment --comment "558 - src_range" -j ACCEPT})
+ end
+ it 'dst_range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - dst_range" -j ACCEPT})
+ end
+ it 'sport range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560:561 -m comment --comment "560 - sport range" -j ACCEPT})
+ end
+ it 'dport range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561:562 -m comment --comment "561 - dport range" -j ACCEPT})
+ end
+ it 'port range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - port range" -j ACCEPT})
+ end
it 'gid set to root' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
end