require 'spec_helper_acceptance'
describe "purge tests:" do
- before(:all) do
- iptables_flush_all_tables
+ context('resources purge') do
+ before(:all) do
+ iptables_flush_all_tables
- shell('/sbin/iptables -A INPUT -s 1.2.1.2')
- shell('/sbin/iptables -A INPUT -s 1.2.1.2')
- end
+ shell('/sbin/iptables -A INPUT -s 1.2.1.2')
+ shell('/sbin/iptables -A INPUT -s 1.2.1.2')
+ end
- it 'make sure duplicate existing rules get purged' do
+ it 'make sure duplicate existing rules get purged' do
- pp = <<-EOS
- class { 'firewall': }
- resources { 'firewall':
- purge => true,
- }
- EOS
+ pp = <<-EOS
+ class { 'firewall': }
+ resources { 'firewall':
+ purge => true,
+ }
+ EOS
- expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(2)
- end
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(2)
+ end
- it 'saves' do
- shell('/sbin/iptables-save') do |r|
- r.stdout.should_not =~ /1\.2\.1\.2/
- r.stderr.should be_empty
+ it 'saves' do
+ shell('/sbin/iptables-save') do |r|
+ r.stdout.should_not =~ /1\.2\.1\.2/
+ r.stderr.should be_empty
+ end
end
end
+ context('chain purge') do
+ before(:each) do
+ iptables_flush_all_tables
+
+ shell('/sbin/iptables -A INPUT -s 1.2.1.1')
+ shell('/sbin/iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
+ end
+
+ it 'purges only the specified chain' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ }
+ EOS
+
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(2)
+
+ shell('/sbin/iptables-save') do |r|
+ r.stdout.should =~ /010 output-1\.2\.1\.2/
+ r.stderr.should be_empty
+ end
+ end
+
+ it 'ignores managed rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'OUTPUT:filter:IPv4':
+ purge => true,
+ }
+ firewall { '010 output-1.2.1.2':
+ source => '1.2.1.2',
+ }
+ EOS
+
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(0)
+ end
+
+ it 'ignores specified rules' do
+ pp = <<-EOS
+ class { 'firewall': }
+ firewallchain { 'INPUT:filter:IPv4':
+ purge => true,
+ ignore => [
+ '-s 1\.2\.1\.1',
+ ],
+ }
+ EOS
+
+ expect(apply_manifest(pp, :catch_failures => true).exit_code).to eq(0)
+ end
+ end
end
end
end
end
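Review bot: 'purges only the specified chain' never asserts that the unmanaged INPUT rule was actually removed, so the iptables-save check only proves the OUTPUT rule survived; add `r.stdout.should_not =~ /1\.2\.1\.1/` next to the existing `r.stdout.should =~ /010 output-1\.2\.1\.2/` assertion. In 'ignores specified rules' the manifest is an interpolating `<<-EOS` heredoc, so Ruby collapses `'-s 1\.2\.1\.1'` to `-s 1.2.1.1` before Puppet sees it; if the escaped regex is intended, use `<<-'EOS'` or write `\\.`. In 'ignores managed rules' the `firewall { '010 output-1.2.1.2': ... }` resource declares no chain; if the firewall type defaults chain to INPUT (not visible here), it would not match the rule seeded into OUTPUT and the expected exit code 0 would not reflect a no-op, so `chain => 'OUTPUT',` should be stated explicitly.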
+
+ describe 'purge iptables rules' do
+ before(:each) do
+ allow(Puppet::Type.type(:firewall).provider(:iptables)).to receive(:iptables_save).and_return(<<EOS
+# Completed on Sun Jan 5 19:30:21 2014
+# Generated by iptables-save v1.4.12 on Sun Jan 5 19:30:21 2014
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:LOCAL_FORWARD - [0:0]
+:LOCAL_FORWARD_PRE - [0:0]
+:LOCAL_INPUT - [0:0]
+:LOCAL_INPUT_PRE - [0:0]
+:fail2ban-ssh - [0:0]
+-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
+-A INPUT -i lo -m comment --comment "012 accept loopback" -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "020 ssh" -j ACCEPT
+-A OUTPUT -d 1.2.1.2 -j DROP
+-A fail2ban-ssh -j RETURN
+COMMIT
+# Completed on Sun Jan 5 19:30:21 2014
+EOS
+)
+ end
+
+ it 'should generate iptables resources' do
+ resource = Puppet::Type::Firewallchain.new(:name => 'INPUT:filter:IPv4', :purge => true)
+
+ expect(resource.generate.size).to eq(3)
+ end
+
+ it 'should not generate ignored iptables rules' do
+ resource = Puppet::Type::Firewallchain.new(:name => 'INPUT:filter:IPv4', :purge => true, :ignore => ['-j fail2ban-ssh'])
+
+ expect(resource.generate.size).to eq(2)
+ end
+
+ it 'should not generate iptables resources when not enabled' do
+ resource = Puppet::Type::Firewallchain.new(:name => 'INPUT:filter:IPv4')
+
+ expect(resource.generate.size).to eq(0)
+ end
+ end
end