(MODULES-41) Change source for ip6tables provider

This will allow purging of ipv6 rules

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 2ed90a8fc43e638b59c1a26c2cc0e30b9ded215d..bc8004e69a79fdc7c1612d56c6c86c4511f9d494 100644 (file)
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -1,4 +1,4 @@
-Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :iptables do
+Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :ip6tables do
   @doc = "Ip6tables type provider"
 
   has_feature :iptables

diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
index c005515c9074564ebfc59c1e8b81ef818919e31f..e255489330e3b272e4212122530c4a00ace49dd4 100644 (file)
--- a/spec/acceptance/purge_spec.rb
+++ b/spec/acceptance/purge_spec.rb
@@ -29,7 +29,10 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil
     end
   end
 
-  context('chain purge') do
+  context('ipv4 chain purge') do
+    after(:all) do
+      iptables_flush_all_tables
+    end
     before(:each) do
       iptables_flush_all_tables
 
@@ -127,4 +130,109 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil
       expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
     end
   end
+  context('ipv6 chain purge') do
+    after(:all) do
+      ip6tables_flush_all_tables
+    end
+    before(:each) do
+      ip6tables_flush_all_tables
+
+      shell('ip6tables -A INPUT -p tcp -s 1::42')
+      shell('ip6tables -A INPUT -p udp -s 1::42')
+      shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+    end
+
+    it 'purges only the specified chain' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+        }
+      EOS
+
+      apply_manifest(pp, :expect_changes => true)
+
+      shell('ip6tables-save') do |r|
+        expect(r.stdout).to match(/010 output-1::50/)
+        expect(r.stdout).to_not match(/1::42/)
+        expect(r.stderr).to eq("")
+      end
+    end
+
+    it 'ignores managed rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'OUTPUT:filter:IPv6':
+          purge => true,
+        }
+        firewall { '010 output-1::50':
+          chain  => 'OUTPUT',
+          proto  => 'all',
+          source => '1::50',
+        }
+      EOS
+
+      unless fact('selinux') == 'true'
+        apply_manifest(pp, :catch_changes => true)
+      end
+    end
+
+    it 'ignores specified rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+          ignore => [
+            '-s 1::42',
+          ],
+        }
+      EOS
+
+      if fact('selinux') == 'true'
+        apply_manifest(pp, :catch_failures => true)
+      else
+        apply_manifest(pp, :catch_changes => true)
+      end
+    end
+
+    it 'adds managed rules with ignored rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+          ignore => [
+            '-s 1::42',
+          ],
+        }
+        firewall { '014 input-1::46':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::46',
+          provider => 'ip6tables',
+        }
+        -> firewall { '013 input-1::45':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::45',
+          provider => 'ip6tables',
+        }
+        -> firewall { '012 input-1::44':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::44',
+          provider => 'ip6tables',
+        }
+        -> firewall { '011 input-1::43':
+          chain    => 'INPUT',
+          proto    => 'all',
+          source   => '1::43',
+          provider => 'ip6tables',
+        }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+
+      expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
+    end
+  end
 end