before(:all) do
pp = <<-PUPPETCODE
class { '::firewall': }
+ firewall { '004 - log_level and log_prefix':
+ chain => 'INPUT',
+ proto => 'all',
+ ctstate => 'INVALID',
+ jump => 'LOG',
+ log_level => '3',
+ log_prefix => 'IPTABLES dropped invalid: ',
+ }
+
firewall { '501 - connlimit':
proto => tcp,
dport => '2222',
reject => 'icmp-net-unreachable',
table => 'filter',
}
+ firewall {
+ '600 - set_mss':
+ proto => 'tcp',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ set_mss => '1360',
+ mss => '1361:1541',
+ chain => 'FORWARD',
+ table => 'mangle',
+ }
+ firewall {
+ '601 - clamp_mss_to_pmtu':
+ proto => 'tcp',
+ chain => 'FORWARD',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ clamp_mss_to_pmtu => true,
+ }
firewall { '700 - blah-A Test Rule':
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
end
let(:result) { shell('iptables-save') }
+ it 'log_level and log_prefix' do
+ expect(result.stdout).to match(%r{A INPUT -m conntrack --ctstate INVALID -m comment --comment "004 - log_level and log_prefix" -j LOG --log-prefix "IPTABLES dropped invalid: " --log-level 3})
+ end
it 'contains the connlimit and connlimit_mask rule' do
expect(result.stdout).to match(
%r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Metrics/LineLength
it 'ipsec_policy none and dir in' do
expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
end
+ it 'set_mss is set' do
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "600 - set_mss" -j TCPMSS --set-mss 1360})
+ end
+ it 'clamp_mss_to_pmtu is set' do
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "601 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
+ end
it 'comment containing "-A "' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
end
+++ /dev/null
-require 'spec_helper_acceptance'
-
-describe 'log based tests' do
- before :all do
- iptables_flush_all_tables
- ip6tables_flush_all_tables
- end
-
- ppm2 = <<-PUPPETCODE
- firewall { '998 log all':
- proto => 'all',
- jump => 'LOG',
- log_level => 'debug',
- }
- PUPPETCODE
- values = [2, 0]
- it 'test log rule' do
- iptables_flush_all_tables
-
- values.each do |value|
- expect(apply_manifest(ppm2, catch_failures: true).exit_code).to eq(value)
- end
- end
-
- ppm3 = <<-PUPPETCODE
- firewall { '004 log all INVALID packets':
- chain => 'INPUT',
- proto => 'all',
- ctstate => 'INVALID',
- jump => 'LOG',
- log_level => '3',
- log_prefix => 'IPTABLES dropped invalid: ',
- }
- PUPPETCODE
- ppm4 = <<-PUPPETCODE
- firewall { '003 log all INVALID packets':
- chain => 'INPUT',
- proto => 'all',
- ctstate => 'INVALID',
- jump => 'LOG',
- log_level => '3',
- log_prefix => 'IPTABLES dropped invalid: ',
- }
- PUPPETCODE
- ppm5 = <<-PUPPETCODE + "\n" + ppm4
- resources { 'firewall':
- purge => true,
- }
- PUPPETCODE
- it 'test log rule - changing names' do
- iptables_flush_all_tables
-
- expect(apply_manifest(ppm3, catch_failures: true).exit_code).to eq(2)
- expect(apply_manifest(ppm5, catch_failures: true).exit_code).to eq(2)
- end
-
- ppm9 = <<-PUPPETCODE
- firewall { '004 log all INVALID packets':
- chain => 'INPUT',
- proto => 'all',
- ctstate => 'INVALID',
- jump => 'LOG',
- log_level => '3',
- log_prefix => 'IPTABLES dropped invalid: ',
- }
- PUPPETCODE
- values = [2, 0]
- it 'test log rule - idempotent' do
- iptables_flush_all_tables
-
- values.each do |value|
- expect(apply_manifest(ppm9, catch_failures: true).exit_code).to eq(value)
- end
- end
-end
ip6tables_flush_all_tables
end
- describe 'mss ipv4 tests' do
- context 'when 1360' do
- pp1 = <<-PUPPETCODE
- class { '::firewall': }
- firewall {
- '502 - set_mss':
- proto => 'tcp',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- set_mss => '1360',
- mss => '1361:1541',
- chain => 'FORWARD',
- table => 'mangle',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp1, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
- end
- end
- end
-
- context 'when clamp_mss_to_pmtu' do
- pp2 = <<-PUPPETCODE
- class { '::firewall': }
- firewall {
- '503 - clamp_mss_to_pmtu':
- proto => 'tcp',
- chain => 'FORWARD',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- clamp_mss_to_pmtu => true,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp2, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
- end
- end
- end
- end
-
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'mss ipv6 tests' do
context 'when 1360' do
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff