firewall { '555 - test':
ensure => present,
proto => tcp,
- port => '555',
+ dport => '555',
action => accept,
}
PUPPETCODE
it 'contains the rule' do
run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 555 -m comment --comment "555 - test" -j ACCEPT})
end
end
end
firewall { '555 - test':
ensure => absent,
proto => tcp,
- port => '555',
+ dport => '555',
action => accept,
}
PUPPETCODE
it 'does not contain the rule' do
run_shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 555 -m comment --comment "555 - test" -j ACCEPT})
end
end
end
end
end
- describe 'port' do
- context 'when invalid ports' do
+ describe 'dport' do
+ context 'when invalid dports' do
pp25 = <<-PUPPETCODE
class { '::firewall': }
firewall { '562 - test':
proto => tcp,
- port => '9999562-563',
+ dport => '9999562-563',
action => accept,
}
PUPPETCODE
it 'contains the rule' do
run_shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 9999562-563 -m comment --comment "562 - test" -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 9999562-563 -m comment --comment "562 - test" -j ACCEPT})
end
end
end
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
- port => '101',
+ dport => '101',
action => accept,
source => '8.0.0.1',
}
firewall { '100 test source static':
proto => tcp,
- port => '100',
+ dport => '100',
action => accept,
source => '8.0.0.2',
}
end
it 'adds a unmanaged rule without a comment' do
- run_shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT')
- expect(run_shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT})
+ run_shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --dports 102 -j ACCEPT')
+ expect(run_shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --dports 102 -j ACCEPT})
end
it 'contains the changable 8.0.0.1 rule' do
run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --dports 101 -m comment --comment "101 test source changes" -j ACCEPT})
end
end
it 'contains the static 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ
run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --dports 100 -m comment --comment "100 test source static" -j ACCEPT})
end
end
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
- port => '101',
+ dport => '101',
action => accept,
source => '8.0.0.4',
}
end
it 'contains the staic 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ
run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --dports 100 -m comment --comment "100 test source static" -j ACCEPT})
end
end
it 'contains the changing new 8.0.0.4 rule' do
run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --dports 101 -m comment --comment "101 test source changes" -j ACCEPT})
end
end
end
firewall { '585 - test':
ensure => present,
proto => tcp,
- port => '585',
+ dport => '585',
action => accept,
chain => 'PREROUTING',
table => 'nat',
it 'contains the rule' do
run_shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --dports 585 -m socket -m comment --comment "585 - test" -j ACCEPT})
end
end
end
firewall { '586 - test':
ensure => present,
proto => tcp,
- port => '586',
+ dport => '586',
action => accept,
chain => 'PREROUTING',
table => 'nat',
it 'contains the rule' do
run_shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --dports 586 -m comment --comment "586 - test" -j ACCEPT})
end
end
end
ensure => present,
chain => 'OUTPUT',
proto => tcp,
- port => '580',
+ dport => '580',
jump => 'MARK',
table => 'mangle',
set_mark => '0x3e8/0xffffffff',
it 'contains the rule' do
run_shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff})
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff})
end
end
end
}
firewall { '550 - destination':
proto => tcp,
- port => '550',
+ dport => '550',
action => accept,
destination => '192.168.2.0/24',
}
firewall { '551 - destination negated':
proto => tcp,
- port => '551',
+ dport => '551',
action => accept,
destination => '! 192.168.2.0/24',
}
firewall { '556 - source':
proto => tcp,
- port => '556',
+ dport => '556',
action => accept,
source => '192.168.2.0/24',
}
firewall { '557 - source negated':
proto => tcp,
- port => '557',
+ dport => '557',
action => accept,
source => '! 192.168.2.0/24',
}
firewall { '558 - src_range':
proto => tcp,
- port => '558',
+ dport => '558',
action => accept,
src_range => '192.168.1.1-192.168.1.10',
}
firewall { '559 - dst_range':
proto => tcp,
- port => '559',
+ dport => '559',
action => accept,
dst_range => '192.168.1.1-192.168.1.10',
}
dport => '561-562',
action => accept,
}
- firewall { '562 - port range':
- proto => tcp,
- port => '562-563',
- action => accept,
- }
firewall { '563 - dst_type':
proto => tcp,
action => accept,
firewall { '572 - limit':
ensure => present,
proto => tcp,
- port => '572',
+ dport => '572',
action => accept,
limit => '500/sec',
}
firewall { '573 - burst':
ensure => present,
proto => tcp,
- port => '573',
+ dport => '573',
action => accept,
limit => '500/sec',
burst => '1500',
firewall { '581 - pkttype':
ensure => present,
proto => tcp,
- port => '581',
+ dport => '581',
action => accept,
pkttype => 'multicast',
}
firewall { '583 - isfragment':
ensure => present,
proto => tcp,
- port => '583',
+ dport => '583',
action => accept,
isfragment => true,
}
firewall { '711 - physdev_in':
chain => 'FORWARD',
proto => tcp,
- port => '711',
+ dport => '711',
action => accept,
physdev_in => 'eth0',
}
firewall { '712 - physdev_out':
chain => 'FORWARD',
proto => tcp,
- port => '712',
+ dport => '712',
action => accept,
physdev_out => 'eth1',
}
firewall { '713 - physdev_in physdev_out physdev_is_bridged':
chain => 'FORWARD',
proto => tcp,
- port => '713',
+ dport => '713',
action => accept,
physdev_in => 'eth0',
physdev_out => 'eth1',
proto => 'tcp',
jump => 'DSCP',
set_dscp => '0x01',
- port => '997',
+ dport => '997',
chain => 'OUTPUT',
table => 'mangle',
}
firewall { '1001 EF - set_dscp_class':
proto => 'tcp',
jump => 'DSCP',
- port => '997',
+ dport => '997',
set_dscp_class => 'EF',
chain => 'OUTPUT',
table => 'mangle',
expect(result.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - connmark" -j REJECT --reject-with icmp-port-unreachable})
end
it 'destination is set' do
- expect(result.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 550 -m comment --comment "550 - destination" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 550 -m comment --comment "550 - destination" -j ACCEPT})
end
it 'destination is negated' do
- expect(result.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 551 -m comment --comment "551 - destination negated" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 551 -m comment --comment "551 - destination negated" -j ACCEPT})
end
it 'source is set' do
- expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - source" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 556 -m comment --comment "556 - source" -j ACCEPT})
end
it 'source is negated' do
- expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 557 -m comment --comment "557 - source negated" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 557 -m comment --comment "557 - source negated" -j ACCEPT})
end
it 'src_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --ports 558 -m comment --comment "558 - src_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --dports 558 -m comment --comment "558 - src_range" -j ACCEPT})
end
it 'dst_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - dst_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --dports 559 -m comment --comment "559 - dst_range" -j ACCEPT})
end
it 'sport range is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560:561 -m comment --comment "560 - sport range" -j ACCEPT})
it 'dport range is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561:562 -m comment --comment "561 - dport range" -j ACCEPT})
end
- it 'port range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - port range" -j ACCEPT})
- end
it 'dst_type is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --dst-type MULTICAST -m comment --comment "563 - dst_type" -j ACCEPT})
end
expect(result.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "574 - toports" -j REDIRECT --to-ports 2222})
end
it 'limit is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
end
it 'burst is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - burst" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - burst" -j ACCEPT})
end
it 'pkttype is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 581 -m pkttype --pkt-type multicast -m comment --comment "581 - pkttype" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 581 -m pkttype --pkt-type multicast -m comment --comment "581 - pkttype" -j ACCEPT})
end
it 'isfragment is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --ports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --dports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
end
it 'ipsec_policy ipsec and dir out' do
expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
end
it 'set physdev_in' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})
end
it 'set physdev_out' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 712 -m comment --comment "712 - physdev_out" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 712 -m comment --comment "712 - physdev_out" -j ACCEPT})
end
it 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength
end
it 'gid set to root' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - uid 0 negated" -j ACCEPT})
end
it 'set_dscp is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01})
end
it 'set_dscp_class is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
end
it 'all the modules with multiple args is set' do
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "807 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
class { '::firewall': }
firewall { '602 - test':
proto => tcp,
- port => '602',
+ dport => '602',
action => accept,
provider => 'ip6tables',
dst_range => '2001::db8::1-2001:db8::ff',
firewall { '571 - test':
ensure => present,
proto => tcp,
- port => '571',
+ dport => '571',
action => accept,
hop_limit => 'invalid',
provider => 'ip6tables',
it 'does not contain the rule' do
run_shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT})
end
end
end
class { '::firewall': }
firewall { '601 - test':
proto => tcp,
- port => '601',
+ dport => '601',
action => accept,
provider => 'ip6tables',
src_range => '2001::db8::1-2001:db8::ff',
it 'does not contain the rule' do
run_shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - test" -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --dports 601 -m comment --comment "601 - test" -j ACCEPT})
end
end
end
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '701',
+ dport => '701',
action => accept,
physdev_in => 'eth0',
}
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '702',
+ dport => '702',
action => accept,
physdev_out => 'eth1',
}
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '703',
+ dport => '703',
action => accept,
physdev_in => 'eth0',
physdev_out => 'eth1',
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '704',
+ dport => '704',
action => accept,
physdev_is_bridged => true,
}
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '705',
+ dport => '705',
action => accept,
physdev_in => 'eth0',
physdev_is_bridged => true,
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '706',
+ dport => '706',
action => accept,
physdev_out => 'eth1',
physdev_is_bridged => true,
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '707',
+ dport => '707',
action => accept,
physdev_in => 'eth0',
physdev_out => 'eth1',
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '708',
+ dport => '708',
action => accept,
physdev_is_in => true,
}
provider => 'ip6tables',
chain => 'FORWARD',
proto => tcp,
- port => '709',
+ dport => '709',
action => accept,
physdev_is_out => true,
}
proto => 'tcp',
jump => 'DSCP',
set_dscp => '0x01',
- port => '997',
+ dport => '997',
chain => 'OUTPUT',
table => 'mangle',
provider => 'ip6tables',
firewall { '1003 EF - set_dscp_class':
proto => 'tcp',
jump => 'DSCP',
- port => '997',
+ dport => '997',
set_dscp_class => 'EF',
chain => 'OUTPUT',
table => 'mangle',
let(:result) { run_shell('ip6tables-save') }
it 'physdev_in is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 701 -m comment --comment "701 - test" -j ACCEPT})
end
it 'physdev_out is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 702 -m comment --comment "702 - test" -j ACCEPT})
end
it 'physdev_in and physdev_out is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --dports 703 -m comment --comment "703 - test" -j ACCEPT})
end
it 'physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --dports 704 -m comment --comment "704 - test" -j ACCEPT})
end
it 'physdev_in and physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --dports 705 -m comment --comment "705 - test" -j ACCEPT})
end
it 'physdev_out and physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --dports 706 -m comment --comment "706 - test" -j ACCEPT})
end
it 'physdev_in and physdev_out and physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 707 -m comment --comment "707 - test" -j ACCEPT})
end
it 'physdev_is_in is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --dports 708 -m comment --comment "708 - test" -j ACCEPT})
end
it 'physdev_is_out is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --dports 709 -m comment --comment "709 - test" -j ACCEPT})
end
it 'set_dscp is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
end
it 'set_dscp_class is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
end
it 'set_mss and mss is set' do
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
firewall { '571 - hop_limit':
ensure => present,
proto => tcp,
- port => '571',
+ dport => '571',
action => accept,
hop_limit => '5',
provider => 'ip6tables',
firewall { '587 - ishasmorefrags true':
ensure => present,
proto => tcp,
- port => '587',
+ dport => '587',
action => accept,
ishasmorefrags => true,
provider => 'ip6tables',
firewall { '588 - ishasmorefrags false':
ensure => present,
proto => tcp,
- port => '588',
+ dport => '588',
action => accept,
ishasmorefrags => false,
provider => 'ip6tables',
firewall { '589 - islastfrag true':
ensure => present,
proto => tcp,
- port => '589',
+ dport => '589',
action => accept,
islastfrag => true,
provider => 'ip6tables',
firewall { '590 - islastfrag false':
ensure => present,
proto => tcp,
- port => '590',
+ dport => '590',
action => accept,
islastfrag => false,
provider => 'ip6tables',
firewall { '591 - isfirstfrag true':
ensure => present,
proto => tcp,
- port => '591',
+ dport => '591',
action => accept,
isfirstfrag => true,
provider => 'ip6tables',
firewall { '592 - isfirstfrag false':
ensure => present,
proto => tcp,
- port => '592',
+ dport => '592',
action => accept,
isfirstfrag => false,
provider => 'ip6tables',
}
firewall { '601 - src_range':
proto => tcp,
- port => '601',
+ dport => '601',
action => accept,
src_range => '2001:db8::1-2001:db8::ff',
provider => 'ip6tables',
}
firewall { '602 - dst_range':
proto => tcp,
- port => '602',
+ dport => '602',
action => accept,
dst_range => '2001:db8::1-2001:db8::ff',
provider => 'ip6tables',
firewall { '605 - socket true':
ensure => present,
proto => tcp,
- port => '605',
+ dport => '605',
action => accept,
chain => 'INPUT',
socket => true,
firewall { '606 - socket false':
ensure => present,
proto => tcp,
- port => '606',
+ dport => '606',
action => accept,
chain => 'INPUT',
socket => false,
ensure => present,
chain => 'OUTPUT',
proto => tcp,
- port => '611',
+ dport => '611',
jump => 'MARK',
table => 'mangle',
set_mark => '0x3e8/0xffffffff',
let(:result) { run_shell('ip6tables-save') }
it 'hop_limit is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT})
end
it 'checksum_fill is set' do
expect(result.stdout).to match(%r{-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - checksum_fill" -j CHECKSUM --checksum-fill})
end
it 'ishasmorefrags when true' do
- expect(result.stdout).to match(%r{A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --ports 587 -m comment --comment "587 - ishasmorefrags true" -j ACCEPT})
+ expect(result.stdout).to match(%r{A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --dports 587 -m comment --comment "587 - ishasmorefrags true" -j ACCEPT})
end
it 'ishasmorefrags when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 588 -m comment --comment "588 - ishasmorefrags false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 588 -m comment --comment "588 - ishasmorefrags false" -j ACCEPT})
end
it 'islastfrag when true' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --ports 589 -m comment --comment "589 - islastfrag true" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --dports 589 -m comment --comment "589 - islastfrag true" -j ACCEPT})
end
it 'islastfrag when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 590 -m comment --comment "590 - islastfrag false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 590 -m comment --comment "590 - islastfrag false" -j ACCEPT})
end
it 'isfirstfrag when true' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --ports 591 -m comment --comment "591 - isfirstfrag true" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --dports 591 -m comment --comment "591 - isfirstfrag true" -j ACCEPT})
end
it 'isfirstfrag when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 592 -m comment --comment "592 - isfirstfrag false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 592 -m comment --comment "592 - isfirstfrag false" -j ACCEPT})
end
it 'tcp_flags is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN ACK -m comment --comment "593 - tcpfrags" -j ACCEPT})
end
it 'src_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 2001:db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - src_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 2001:db8::1-2001:db8::ff -m multiport --dports 601 -m comment --comment "601 - src_range" -j ACCEPT})
end
it 'dst_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001:db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - dst_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001:db8::1-2001:db8::ff -m multiport --dports 602 -m comment --comment "602 - dst_range" -j ACCEPT})
end
it 'mac_source is set' do
expect(result.stdout).to match(%r{-A INPUT -s 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "604 - mac_source"})
end
it 'socket when true' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 605 -m socket -m comment --comment "605 - socket true" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 605 -m socket -m comment --comment "605 - socket true" -j ACCEPT})
end
it 'socket when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 606 -m comment --comment "606 - socket false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 606 -m comment --comment "606 - socket false" -j ACCEPT})
end
it 'ipsec_policy when ipsec' do
expect(result.stdout).to match(
)
end
it 'set_mark is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 611 -m comment --comment "611 - set_mark" -j MARK --set-xmark 0x3e8\/0xffffffff})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 611 -m comment --comment "611 - set_mark" -j MARK --set-xmark 0x3e8\/0xffffffff})
end
it 'dst_type when MULTICAST' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s--dst-type\sMULTICAST -m comment --comment "613 - dst_type MULTICAST" -j ACCEPT})
destination => '!10.0.0.0/8',
proto => 'tcp',
ctstate => 'NEW',
- port => [80,443,21,20,22,53,123,43,873,25,465],
+ sport => [80,443,21,20,22,53,123,43,873,25,465],
action => 'accept',
}
firewall { '100 forward standard allow udp':
source => '10.0.0.0/8',
destination => '!10.0.0.0/8',
proto => 'udp',
- port => [53,123],
+ sport => [53,123],
action => 'accept',
}
firewall { '100 forward standard allow icmp':
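Review bot: The two `sport =>` lines replacing `port =>` in the '100 forward standard allow tcp' and '100 forward standard allow udp' resources look inconsistent with the rest of this commit, which rewrites `port` as `dport` everywhere else. A FORWARD rule that accepts `ctstate => 'NEW'` traffic from 10.0.0.0/8 to the outside selected by source port 80,443,... admits any new connection whose initiator happened to choose one of those source ports, which is a much weaker policy than matching the destination service port; the old `--ports` semantics (either side) at least covered the destination case. The likely intent is `dport => [80,443,21,20,22,53,123,43,873,25,465],` and `dport => [53,123],`, with the matching assertions at L727-L728 changed from `--sports` to `--dports`; the updated regexes currently make the spec pass while encoding this looser rule. If source-port matching is deliberate here, a comment stating why would help the next reader.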
chain => 'PREROUTING',
iniface => 'eth0',
proto => 'tcp',
- dport => '1',
+ sport => '1',
toports => '22',
jump => 'REDIRECT',
}
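Review bot: `sport => '1',` replaces `dport => '1',` in a PREROUTING REDIRECT rule with `toports => '22'`, so the example now redirects on the packet's source port rather than its destination port, which is a different behaviour from what the original line exercised. Elsewhere in this commit `port` became `dport` and existing `dport` lines were left alone, so this may be an unintended edit rather than a deliberate switch to cover `sport`. If it is intentional, the example description should say so; otherwise restore `dport => '1',`. The enclosing firewall resource starts before this hunk.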
%r{INPUT ACCEPT}, %r{FORWARD ACCEPT}, %r{OUTPUT ACCEPT},
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT},
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT},
- %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
- %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT}
+ %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --sports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
+ %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --sports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT}
]
it 'contains appropriate rules' do
run_shell('iptables-save') do |r|