end
end
- describe 'todest' do
- context 'when 192.168.1.1' do
- pp36 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '569 - test':
- proto => tcp,
- table => 'nat',
- chain => 'PREROUTING',
- jump => 'DNAT',
- source => '200.200.200.200',
- todest => '192.168.1.1',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp36, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(%r{-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j DNAT --to-destination 192.168.1.1})
- end
- end
- end
- end
-
- describe 'toports' do
- context 'when 192.168.1.1' do
- pp37 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '570 - test':
- proto => icmp,
- table => 'nat',
- chain => 'PREROUTING',
- jump => 'REDIRECT',
- toports => '2222',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp37, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "570 - test" -j REDIRECT --to-ports 2222})
- end
- end
- end
- end
-
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles}
describe 'checksum_fill' do
context 'when virbr' do
end
- describe 'limit' do
- context 'when 500/sec' do
- pp68 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '572 - test':
- ensure => present,
- proto => tcp,
- port => '572',
- action => accept,
- limit => '500/sec',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp68, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 572 -m limit --limit 500\/sec -m comment --comment "572 - test" -j ACCEPT})
- end
- end
- end
- end
-
describe 'burst' do
- context 'when 500' do
- pp69 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '573 - test':
- ensure => present,
- proto => tcp,
- port => '573',
- action => accept,
- limit => '500/sec',
- burst => '1500',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp69, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - test" -j ACCEPT})
- end
- end
- end
-
context 'when invalid' do
pp70 = <<-PUPPETCODE
class { '::firewall': }
end
describe 'pkttype' do
- context 'when multicast' do
- pp74 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '581 - test':
- ensure => present,
- proto => tcp,
- port => '581',
- action => accept,
- pkttype => 'multicast',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp74, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 581 -m pkttype --pkt-type multicast -m comment --comment "581 - test" -j ACCEPT})
- end
- end
- end
-
context 'when test' do
pp75 = <<-PUPPETCODE
class { '::firewall': }
end
end
- describe 'isfragment' do
- context 'when true' do
- pp76 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '583 - test':
- ensure => present,
- proto => tcp,
- port => '583',
- action => accept,
- isfragment => true,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp76, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --ports 583 -m comment --comment "583 - test" -j ACCEPT})
- end
- end
- end
-
- context 'when false' do
- pp77 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '584 - test':
- ensure => present,
- proto => tcp,
- port => '584',
- action => accept,
- isfragment => false,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp77, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 584 -m comment --comment "584 - test" -j ACCEPT})
- end
- end
- end
- end
-
# RHEL5/SLES does not support -m socket
describe 'socket', unless: (default['platform'] =~ %r{el-5} || fact('operatingsystem') == 'SLES') do
context 'when true' do
jump => 'SNAT',
tosource => '192.168.1.1',
}
+ firewall { '569 - todest':
+ proto => tcp,
+ table => 'nat',
+ chain => 'PREROUTING',
+ jump => 'DNAT',
+ source => '200.200.200.200',
+ todest => '192.168.1.1',
+ }
+ firewall { '570 - toports':
+ proto => icmp,
+ table => 'nat',
+ chain => 'PREROUTING',
+ jump => 'REDIRECT',
+ toports => '2222',
+ }
+ firewall { '572 - limit':
+ ensure => present,
+ proto => tcp,
+ port => '572',
+ action => accept,
+ limit => '500/sec',
+ }
+ firewall { '573 - burst':
+ ensure => present,
+ proto => tcp,
+ port => '573',
+ action => accept,
+ limit => '500/sec',
+ burst => '1500',
+ }
+ firewall { '581 - pkttype':
+ ensure => present,
+ proto => tcp,
+ port => '581',
+ action => accept,
+ pkttype => 'multicast',
+ }
+ firewall { '583 - isfragment':
+ ensure => present,
+ proto => tcp,
+ port => '583',
+ action => accept,
+ isfragment => true,
+ }
firewall { '801 - gid root':
chain => 'OUTPUT',
action => accept,
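Review bot: The consolidated manifest drops the negative isfragment case — the removed '584 - test' resource declared `isfragment => false` and its expectation asserted that no `-f` appears in the saved rule, while the new manifest only carries '583 - isfragment' with `isfragment => true`, so a provider regression that emits `-f` regardless of the value would no longer be caught. I would add the false-valued resource next to 583 and a matching `it 'isfragment false is not set'` expectation that matches `-A INPUT -p tcp -m multiport --ports 584 -m comment --comment "584 - isfragment false" -j ACCEPT` (no `-f`) in the assertions block. Minor style point: '569 - todest' and '570 - toports' omit `ensure => present` while the filter-table entries include it; harmless, but consistent either way reads better. The enclosing manifest heredoc and its `describe` start before this hunk.
```ruby
  firewall { '583 - isfragment':
    # … unchanged: existing isfragment => true resource …
  }
  firewall { '584 - isfragment false':
    ensure     => present,
    proto      => tcp,
    port       => '584',
    action     => accept,
    isfragment => false,
  }
```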
it 'tosource is set' do
expect(result.stdout).to match(%r{A POSTROUTING -p tcp -m comment --comment "568 - tosource" -j SNAT --to-source 192.168.1.1})
end
+ it 'todest is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - todest" -j DNAT --to-destination 192.168.1.1})
+ end
+ it 'toports is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "570 - toports" -j REDIRECT --to-ports 2222})
+ end
+ it 'limit is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
+ end
+ it 'burst is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - burst" -j ACCEPT})
+ end
+ it 'pkttype is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 581 -m pkttype --pkt-type multicast -m comment --comment "581 - pkttype" -j ACCEPT})
+ end
+ it 'isfragment is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --ports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
+ end
it 'gid set to root' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
end
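Review bot: The `it 'todest is set'` expectation leaves the dots in `200.200.200.200` and `192.168.1.1` as regex wildcards, so an address such as `200x200x200x200` would also satisfy it; escape them as `-s 200\.200\.200\.200(\/32)?` and `--to-destination 192\.168\.1\.1`. The same unescaped-dot pattern appears in the pre-existing `tosource` check just above, so this is inherited style rather than a new bug, but the moved lines are a natural place to tighten it. These assertions all read a shared `result`, defined outside the hunk, whereas the removed tests ran `iptables-save -t nat` separately for the nat rules; if `result` comes from a plain `iptables-save` it includes the nat table, which the existing `tosource` check suggests, but that is inferred rather than visible here. The enclosing `describe`/`context` starts before this hunk.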