end
# RHEL5 does not support --random
- if default['platform'] !~ /el-5/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
describe 'random' do
context '192.168.1.1' do
it 'applies' do
end
#iptables version 1.3.5 does not support masks on MARK rules
- if default['platform'] !~ /el-5/ or default['platform'] !~ /sles-10/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
describe 'set_mark' do
context '0x3e8/0xffffffff' do
it 'applies' do
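Review bot: The platform gate here is written out by hand as two negated matches joined with `and`, and the same expression is repeated at the `random` block above and at the two ip6tables gates further down the page. The `or` this hunk replaces shows how easily one copy drifts, and with `or` the condition was always true, so the MARK-mask test ran on the platforms it was meant to skip. A single pattern is shorter and harder to get wrong: `if default['platform'] !~ /el-5|sles-10/`. It also avoids the low-precedence `and` keyword. The `describe 'set_mark'` body continues outside the hunk.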
it 'should contain the rule' do
shell('iptables-save') do |r|
- if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5')
+ if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') or (fact('osfamily') == 'SLES' and fact('operatingsystemmajrelease') == '10')
expect(r.stdout).to match(/-A INPUT -s 10.1.5.28 -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
else
expect(r.stdout).to match(/-A INPUT -s 10.1.5.28\/(32|255\.255\.255\.255) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
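Review bot: The added `fact('osfamily') == 'SLES'` clause will most likely never be true, because Facter reports SLES hosts with osfamily `Suse` and puts `SLES` in `operatingsystem`. On SLES 10 the test would then fall through to the `else` expectation that requires a `/32` or `/255.255.255.255` suffix. Every other gate in this commit keys off the Beaker platform string, so the consistent form is `if default['platform'] =~ /el-5|sles-10/`. If the fact lookup is kept, use `fact('operatingsystem') == 'SLES'` and confirm that `operatingsystemmajrelease` is populated on that Facter version. The closing `end` lines of this `it` block lie outside the hunk.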
expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
end
end
- context 'ipv6 chain purge', :unless => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') do
- after(:all) do
- ip6tables_flush_all_tables
- end
- before(:each) do
- ip6tables_flush_all_tables
-
- shell('ip6tables -A INPUT -p tcp -s 1::42')
- shell('ip6tables -A INPUT -p udp -s 1::42')
- shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
- end
-
- it 'purges only the specified chain' do
- pp = <<-EOS
- class { 'firewall': }
- firewallchain { 'INPUT:filter:IPv6':
- purge => true,
- }
- EOS
-
- apply_manifest(pp, :expect_changes => true)
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/010 output-1::50/)
- expect(r.stdout).to_not match(/1::42/)
- expect(r.stderr).to eq("")
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
+ context 'ipv6 chain purge' do
+ after(:all) do
+ ip6tables_flush_all_tables
end
- end
-
- it 'ignores managed rules' do
- pp = <<-EOS
- class { 'firewall': }
- firewallchain { 'OUTPUT:filter:IPv6':
- purge => true,
- }
- firewall { '010 output-1::50':
- chain => 'OUTPUT',
- proto => 'all',
- source => '1::50',
- provider => 'ip6tables',
- }
- EOS
+ before(:each) do
+ ip6tables_flush_all_tables
- apply_manifest(pp, :catch_changes => do_catch_changes)
- end
-
- it 'ignores specified rules' do
- pp = <<-EOS
- class { 'firewall': }
- firewallchain { 'INPUT:filter:IPv6':
- purge => true,
- ignore => [
- '-s 1::42',
- ],
- }
- EOS
+ shell('ip6tables -A INPUT -p tcp -s 1::42')
+ shell('ip6tables -A INPUT -p udp -s 1::42')
+ shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+ end
- apply_manifest(pp, :catch_changes => do_catch_changes)
- end
+ it 'purges only the specified chain' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv6':
+ purge => true,
+ }
+ EOS
+
+ apply_manifest(pp, :expect_changes => true)
+
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/010 output-1::50/)
+ expect(r.stdout).to_not match(/1::42/)
+ expect(r.stderr).to eq("")
+ end
+ end
- it 'adds managed rules with ignored rules' do
- pp = <<-EOS
- class { 'firewall': }
- firewallchain { 'INPUT:filter:IPv6':
- purge => true,
- ignore => [
- '-s 1::42',
- ],
- }
- firewall { '014 input-1::46':
- chain => 'INPUT',
- proto => 'all',
- source => '1::46',
- provider => 'ip6tables',
- }
- -> firewall { '013 input-1::45':
- chain => 'INPUT',
- proto => 'all',
- source => '1::45',
- provider => 'ip6tables',
- }
- -> firewall { '012 input-1::44':
- chain => 'INPUT',
- proto => 'all',
- source => '1::44',
- provider => 'ip6tables',
- }
- -> firewall { '011 input-1::43':
- chain => 'INPUT',
- proto => 'all',
- source => '1::43',
- provider => 'ip6tables',
- }
- EOS
+ it 'ignores managed rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'OUTPUT:filter:IPv6':
+ purge => true,
+ }
+ firewall { '010 output-1::50':
+ chain => 'OUTPUT',
+ proto => 'all',
+ source => '1::50',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_changes => do_catch_changes)
+ end
- apply_manifest(pp, :catch_failures => true)
+ it 'ignores specified rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv6':
+ purge => true,
+ ignore => [
+ '-s 1::42',
+ ],
+ }
+ EOS
+
+ apply_manifest(pp, :catch_changes => do_catch_changes)
+ end
- expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
+ it 'adds managed rules with ignored rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv6':
+ purge => true,
+ ignore => [
+ '-s 1::42',
+ ],
+ }
+ firewall { '014 input-1::46':
+ chain => 'INPUT',
+ proto => 'all',
+ source => '1::46',
+ provider => 'ip6tables',
+ }
+ -> firewall { '013 input-1::45':
+ chain => 'INPUT',
+ proto => 'all',
+ source => '1::45',
+ provider => 'ip6tables',
+ }
+ -> firewall { '012 input-1::44':
+ chain => 'INPUT',
+ proto => 'all',
+ source => '1::44',
+ provider => 'ip6tables',
+ }
+ -> firewall { '011 input-1::43':
+ chain => 'INPUT',
+ proto => 'all',
+ source => '1::43',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+
+ expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
+ end
end
end
end
end
end
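Review bot: The new `if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/` wrapper around `context 'ipv6 chain purge'` has no comment saying why these platforms are excluded, unlike the `random` and `set_mark` gates. I would add something like `# iptables shipped with el-5 / sles-10 does not work with the ip6tables provider` above it; the sles-10 reason is inferred from the el5 comment elsewhere on the page and should be confirmed. Because the examples are never defined on those hosts, a run there shows no skipped or pending entry for IPv6 purge. That is the behaviour that removes unmanaged rules, so the gap is worth recording in the comment. The `if default['platform'] !~ /sles-10/` gate around the statistic-module context has the same missing explanation.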
- context 'accepts rules utilizing the statistic module' do
- before :all do
- iptables_flush_all_tables
- # This command doesn't work with all versions/oses, so let it fail
- shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', :acceptable_exit_codes => [0,1,2] )
- shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6')
- shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7')
- end
+ if default['platform'] !~ /sles-10/
+ context 'accepts rules utilizing the statistic module' do
+ before :all do
+ iptables_flush_all_tables
+ # This command doesn't work with all versions/oses, so let it fail
+ shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', :acceptable_exit_codes => [0,1,2] )
+ shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6')
+ shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7')
+ end
- it do
- shell('puppet resource firewall') do |r|
- r.exit_code.should be_zero
- # don't check stdout, testing preexisting rules, output is normal
- r.stderr.should be_empty
+ it do
+ shell('puppet resource firewall') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
+ end
end
end
end
# version of iptables that ships with el5 doesn't work with the
# ip6tables provider
- if default['platform'] !~ /el-5/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
context 'dport/sport with ip6tables' do
before :all do
if fact('osfamily') == 'Debian'