end
it 'adds a unmanaged rule without a comment' do
- shell('/sbin/iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT')
+ shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT')
expect(shell('iptables-save').stdout).to match(/-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT/)
end
context 'when unset or false' do
before :each do
ip6tables_flush_all_tables
- shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
+ shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
end
context 'and current value is false' do
it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
context 'when set to true' do
before :each do
ip6tables_flush_all_tables
- shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
+ shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
end
context 'and current value is false' do
it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
context 'when unset or false' do
before :each do
iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -p tcp -m comment --comment "597 - test"')
+ shell('iptables -A INPUT -p tcp -m comment --comment "597 - test"')
end
context 'and current value is false' do
it_behaves_like "doesn't change", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/
context 'when set to true' do
before :each do
iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -p tcp -f -m comment --comment "597 - test"')
+ shell('iptables -A INPUT -p tcp -f -m comment --comment "597 - test"')
end
context 'and current value is false' do
it_behaves_like "is idempotent", 'isfragment => false,', /-A INPUT -p tcp -m comment --comment "597 - test"/
--- /dev/null
+HOSTS:
+ centos-59-x64:
+ roles:
+ - master
+ - database
+ - console
+ platform: el-5-x86_64
+ box : centos-59-x64-vbox4210-nocm
+ box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box
+ hypervisor : vagrant
+CONFIG:
+ type: pe
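Review bot: The `box_url` in the added nodeset fetches the base VM image over plain http with no checksum recorded, so the image every acceptance run boots from can be substituted by anyone on the network path to puppet-vagrant-boxes.puppetlabs.com. If that host serves TLS, prefer `box_url : https://puppet-vagrant-boxes.puppetlabs.com/centos-59-x64-vbox4210-nocm.box`; whether the beaker vagrant hypervisor can enforce a box checksum is not shown on this page, so at minimum record the expected checksum in a comment next to the URL, e.g. `# box sha256: <value> — fetched over plain http, verify before trusting test results`. A short comment that this single `el-5-x86_64` box carries the master, database and console roles purely as a CI convenience would also stop the layout being copied as a deployment example.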
before(:all) do
iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -s 1.2.1.2')
- shell('/sbin/iptables -A INPUT -s 1.2.1.2')
+ shell('iptables -A INPUT -s 1.2.1.2')
+ shell('iptables -A INPUT -s 1.2.1.2')
end
it 'make sure duplicate existing rules get purged' do
end
it 'saves' do
- shell('/sbin/iptables-save') do |r|
+ shell('iptables-save') do |r|
expect(r.stdout).to_not match(/1\.2\.1\.2/)
expect(r.stderr).to eq("")
end
before(:each) do
iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -p tcp -s 1.2.1.1')
- shell('/sbin/iptables -A INPUT -p udp -s 1.2.1.1')
- shell('/sbin/iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
+ shell('iptables -A INPUT -p tcp -s 1.2.1.1')
+ shell('iptables -A INPUT -p udp -s 1.2.1.1')
+ shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
end
it 'purges only the specified chain' do
apply_manifest(pp, :expect_changes => true)
- shell('/sbin/iptables-save') do |r|
+ shell('iptables-save') do |r|
expect(r.stdout).to match(/010 output-1\.2\.1\.2/)
expect(r.stdout).to_not match(/1\.2\.1\.1/)
expect(r.stderr).to eq("")
apply_manifest(pp, :catch_failures => true)
- expect(shell('/sbin/iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
+ expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
end
end
end
context 'accepts rules without comments' do
before(:all) do
iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80')
+ shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80')
end
it do
context 'accepts rules with invalid comments' do
before(:all) do
iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
+ shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
end
it do
context 'accepts rules with negation' do
before :all do
iptables_flush_all_tables
- shell('/sbin/iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535')
- shell('/sbin/iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535')
- shell('/sbin/iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE')
+ shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535')
+ shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535')
+ shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE')
end
it do
context 'accepts rules with match extension tcp flag' do
before :all do
iptables_flush_all_tables
- shell('/sbin/iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
+ shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
end
it do
context 'when unset or false' do
before :each do
iptables_flush_all_tables
- shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
+ shell('iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
end
context 'and current value is false' do
it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
context 'when set to true' do
before :each do
iptables_flush_all_tables
- shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
+ shell('iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
end
context 'and current value is false' do
it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
def iptables_flush_all_tables
['filter', 'nat', 'mangle', 'raw'].each do |t|
- expect(shell("/sbin/iptables -t #{t} -F").stderr).to eq("")
+ expect(shell("iptables -t #{t} -F").stderr).to eq("")
end
end
def ip6tables_flush_all_tables
['filter'].each do |t|
- expect(shell("/sbin/ip6tables -t #{t} -F").stderr).to eq("")
+ expect(shell("ip6tables -t #{t} -F").stderr).to eq("")
end
end
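Review bot: With the `/sbin/` prefix removed, `iptables` and `ip6tables` in these two helpers are resolved through whatever PATH the beaker `shell` session has on the SUT, so a host where the sbin directories are not on that PATH, or where another `iptables` wrapper shadows the system binary, now fails at flush time with an error that reads as a test failure rather than a setup problem. Worth recording the assumption on the helper: `# Relies on iptables/ip6tables being on PATH for the beaker shell session; the binary lives in /sbin or /usr/sbin depending on distro.` The IPv6 helper flushes only the filter table while the IPv4 one covers filter, nat, mangle and raw — presumably deliberate for the kernels under test, but a one-line comment saying why would spare the next reader the question. Both defs are complete here, though the hunk's surrounding context lines are not visible on this page.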