(MODULES-689) connlimit and connmark acceptance tests

diff --git a/spec/acceptance/connlimit_spec.rb b/spec/acceptance/connlimit_spec.rb
new file mode 100644 (file)
index 0000000..3f0268f
--- /dev/null
+++ b/spec/acceptance/connlimit_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper_acceptance'
+
+describe 'firewall type' do
+
+  describe 'connlimit_above' do
+    context '10' do
+      it 'applies' do
+        pp = <<-EOS
+          class { '::firewall': }
+          firewall { '500 - test':
+            proto           => tcp,
+           dport           => '22',
+           connlimit_above => '10',
+            action          => reject,
+          }
+        EOS
+
+        apply_manifest(pp, :catch_failures => true)
+      end
+
+      it 'should contain the rule' do
+        shell('iptables-save') do |r|
+          expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "500 - test" -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable/)
+        end
+      end
+    end
+  end
+
+  describe 'connlimit_mask' do
+    context '24' do
+      it 'applies' do
+        pp = <<-EOS
+          class { '::firewall': }
+          firewall { '501 - test':
+            proto           => tcp,
+           dport           => '22',
+           connlimit_above => '10',
+           connlimit_mask  => '24',
+            action          => reject,
+          }
+        EOS
+
+        apply_manifest(pp, :catch_failures => true)
+      end
+
+      it 'should contain the rule' do
+        shell('iptables-save') do |r|
+          expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "501 - test" -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable/)
+        end
+      end
+    end
+  end
+end

diff --git a/spec/acceptance/connmark_spec.rb b/spec/acceptance/connmark_spec.rb
new file mode 100644 (file)
index 0000000..959efbd
--- /dev/null
+++ b/spec/acceptance/connmark_spec.rb
@@ -0,0 +1,27 @@
+require 'spec_helper_acceptance'
+
+describe 'firewall type' do
+
+  describe 'connmark' do
+    context '50' do
+      it 'applies' do
+        pp = <<-EOS
+          class { '::firewall': }
+          firewall { '502 - test':
+            proto    => 'all',
+           connmark => '0x1',
+            action   => reject,
+          }
+        EOS
+
+        apply_manifest(pp, :catch_failures => true)
+      end
+
+      it 'should contain the rule' do
+        shell('iptables-save') do |r|
+          expect(r.stdout).to match(/-A INPUT -m comment --comment "502 - test" -m connmark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable/)
+        end
+      end
+    end
+  end
+end

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 042e8bbf3a6c0d104a8aceff203d95e669f6110e..105d27fb6b2f4498d0512ced7d7b23277a530957 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -434,6 +434,36 @@ ARGS_TO_HASH = {
       :dport => ["20443"],
     },
   },
+  'connlimit_above' => {
+    :line => '-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "061 REJECT connlimit_above 10" -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable',
+    :table => 'filter',
+    :params => {
+      :proto => 'tcp',
+      :dport => ["22"],
+      :connlimit_above => '10',
+      :action => 'reject',
+    },
+  },
+  'connlimit_above_with_connlimit_mask' => {
+    :line => '-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "061 REJECT connlimit_above 10 with mask 24" -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable',
+    :table => 'filter',
+    :params => {
+      :proto => 'tcp',
+      :dport => ["22"],
+      :connlimit_above => '10',
+      :connlimit_mask => '24',
+      :action => 'reject',
+    },
+  },
+  'connmark' => {
+    :line => '-A INPUT -m comment --comment "062 REJECT connmark" -m connmark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable',
+    :table => 'filter',
+    :params => {
+      :proto => 'all',
+      :connmark => '0x1',
+      :action => 'reject',
+    },
+  },
 }
 
 # This hash is for testing converting a hash to an argument line.
@@ -868,4 +898,37 @@ HASH_TO_ARGS = {
     },
     :args => ['-t', :filter, '-p', :all, '-m', 'comment', '--comment', '050 testcomment-with-fdashf', '-j', 'ACCEPT'],
   },
+  'connlimit_above' => {
+    :params => {
+      :name => '061 REJECT connlimit_above 10',
+      :table => 'filter',
+      :proto => 'tcp',
+      :dport => ["22"],
+      :connlimit_above => '10',
+      :action => 'reject',
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "22", "-m", "comment", "--comment", "061 REJECT connlimit_above 10", "-j", "REJECT", "-m", "connlimit", "--connlimit-above", "10"],
+  },
+  'connlimit_above_with_connlimit_mask' => {
+    :params => {
+      :name => '061 REJECT connlimit_above 10 with mask 24',
+      :table => 'filter',
+      :proto => 'tcp',
+      :dport => ["22"],
+      :connlimit_above => '10',
+      :connlimit_mask => '24',
+      :action => 'reject',
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "22", "-m", "comment", "--comment", "061 REJECT connlimit_above 10 with mask 24", "-j", "REJECT", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "24"],
+  },
+  'connmark' => {
+    :params => {
+      :name => '062 REJECT connmark',
+      :table => 'filter',
+      :proto => 'all',
+      :connmark => '0x1',
+      :action => 'reject',
+    },
+    :args => ["-t", :filter, "-p", :all, "-m", "comment", "--comment", "062 REJECT connmark", "-j", "REJECT", "-m", "connmark", "--mark", "0x1"],
+  },
 }