]> review.fuel-infra Code Review - puppet-modules/puppetlabs-firewall.git/commitdiff
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 7a230aa)
Add acceptance and unit test for notrack parameter
authoradrianiurca <adrian.iurca@gmail.com>
Thu, 16 Jul 2020 16:10:31 +0000 (19:10 +0300)
committeradrianiurca <adrian.iurca@gmail.com>
Wed, 22 Jul 2020 08:48:14 +0000 (11:48 +0300)
lib/puppet/provider/firewall/iptables.rb patch | blob | history
spec/acceptance/firewall_attributes_happy_path_spec.rb patch | blob | history
spec/fixtures/iptables/conversion_hash.rb patch | blob | history
spec/spec_helper_acceptance_local.rb patch | blob | history

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 90e091047770e329149fd01546496ebcf3edaec5..ee5daaee707c36fb671c4b3d396e8c211f50fe17 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -348,8 +348,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name, :notrack,
+    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack
   ]
 
   def insert
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index cccc3e3bc863538cd118c8f48f5360b1f467c07d..8bb3a03878ab75298d1547cdb66a8e7262812274 100644 (file)
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -11,6 +11,9 @@ describe 'firewall attribute testing, happy path' do
 
   describe 'attributes test' do
     before(:all) do
+      notrack_manifest = "jump => 'CT', notrack => true"
+      notrack_manifest = "jump => 'NOTRACK'" if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)
+
       pp = <<-PUPPETCODE
           class { '::firewall': }
           firewall { '004 - log_level and log_prefix':
@@ -347,6 +350,13 @@ describe 'firewall attribute testing, happy path' do
             chain          => 'OUTPUT',
             table          => 'mangle',
           }
+          firewall { '004 do not track UDP connections to port 53':
+            chain => 'PREROUTING',
+            table => 'raw',
+            proto  => 'udp',
+            dport => 53,
+            #{notrack_manifest}
+          }
       PUPPETCODE
       idempotent_apply(pp)
     end
@@ -487,5 +497,10 @@ describe 'firewall attribute testing, happy path' do
     it 'jump is set' do
       expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
     end
+    it 'notrack is set' do
+      notrack_rule = '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j CT --notrack'
+      notrack_rule = '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j NOTRACK' if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)
+      expect(result.stdout).to match(%r{#{notrack_rule}})
+    end
   end
 end
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index a3cfb87a23a1e9b1930f36917807a17a233b9a74..89ba6852d705b8686c50fbd39177a61974027ec0 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -778,6 +778,17 @@ ARGS_TO_HASH = {
       cgroup: '0x100001',
     },
   },
+  'notrack' => {
+    line: '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j CT --notrack',
+    table: 'raw',
+    params: {
+      chain: 'PREROUTING',
+      proto: 'udp',
+      dport: ['53'],
+      jump: 'CT',
+      notrack: true
+    }
+  },
 }.freeze
 
 # This hash is for testing converting a hash to an argument line.
diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
index 4add45d1266f7be05bf9c5ee38b5ebfa4ec4c07a..8e7ee523c993b09abf74f2c67cee1beb47803260 100644 (file)
--- a/spec/spec_helper_acceptance_local.rb
+++ b/spec/spec_helper_acceptance_local.rb
@@ -49,10 +49,23 @@ RSpec.configure do |c|
         package { 'iptables':
           ensure   => 'latest',
         }
+<<<<<<< HEAD
         PUPPETCODE
+=======
+      PUPPETCODE
+>>>>>>> 7163c3a... Add acceptance and unit test for notrack parameter
       LitmusHelper.instance.apply_manifest(pp)
       LitmusHelper.instance.run_shell('update-alternatives --set iptables /usr/sbin/iptables-legacy', expect_failures: true)
       LitmusHelper.instance.run_shell('update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy', expect_failures: true)
     end
+<<<<<<< HEAD
+=======
+    pp = <<-PUPPETCODE
+      package { 'conntrack-tools':
+        ensure => 'latest',
+      }
+    PUPPETCODE
+    LitmusHelper.instance.apply_manifest(pp)
+>>>>>>> 7163c3a... Add acceptance and unit test for notrack parameter
   end
 end