# This configuration was generated by
# `rubocop --auto-gen-config`
-# on 2017-12-06 15:37:07 +0000 using RuboCop version 0.51.0.
+# on 2017-12-06 17:50:51 +0000 using RuboCop version 0.51.0.
# The point is for the user to remove these configuration records
# one by one as the offenses are removed from the code base.
# Note that changes in the inspected code, or installation of new
# versions of RuboCop, may require this file to be generated again.
-# Offense count: 46
+# Offense count: 43
+# Causes errors
Lint/BooleanSymbol:
Exclude:
- 'lib/puppet/provider/firewall/ip6tables.rb'
- 'lib/puppet/provider/firewall/iptables.rb'
- 'lib/puppet/type/firewall.rb'
- - 'lib/puppet/type/firewallchain.rb'
# Offense count: 2
Lint/RescueWithoutErrorClass:
Exclude:
- 'lib/puppet/util/firewall.rb'
-
-# Offense count: 320
-# Configuration parameters: Blacklist.
-# Blacklist: END, (?-mix:EO[A-Z]{1})
-Naming/HeredocDelimiterNaming:
- Enabled: false
-
-# Offense count: 192
-# Configuration parameters: Prefixes.
-# Prefixes: when, with, without
-RSpec/ContextWording:
- Enabled: false
-
-# Offense count: 4
-Style/CommentedKeyword:
- Exclude:
- - 'spec/unit/puppet/type/firewallchain_spec.rb'
Puppet::Type.newtype(:firewall) do
include Puppet::Util::Firewall
- @doc = <<-EOS
+ @doc = <<-PUPPETCODE
This type provides the capability to manage firewall rules within
puppet.
and the provider is iptables or ip6tables, the firewall resource will
autorequire those packages to ensure that any required binaries are
installed.
- EOS
+ PUPPETCODE
feature :connection_limiting, 'Connection limiting features.'
feature :hop_limiting, 'Hop limiting features.'
feature :iptables, 'The provider provides iptables features.'
ensurable do
- desc <<-EOS
+ desc <<-PUPPETCODE
Manage the state of this rule. The default action is *present*.
- EOS
+ PUPPETCODE
newvalue(:present) do
provider.insert
end
newparam(:name) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The canonical name of the rule. This name is also used for ordering
so make sure you prefix the rule with a number:
Depending on the provider, the name of the rule can be stored using
the comment feature of the underlying firewall subsystem.
- EOS
+ PUPPETCODE
isnamevar
# Keep rule names simple - they must start with a number
end
newproperty(:action) do
- desc <<-EOS
+ desc <<-PUPPETCODE
This is the action to perform on a match. Can be one of:
* accept - the packet is accepted
If you specify no value it will simply match the rule but perform no
action unless you provide a provider specific parameter (such as *jump*).
- EOS
+ PUPPETCODE
newvalues(:accept, :reject, :drop)
end
# Generic matching properties
newproperty(:source) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The source address. For example:
source => '192.168.2.0/24'
source => '! 192.168.2.0/24'
The source can also be an IPv6 address if your provider supports it.
- EOS
+ PUPPETCODE
munge do |value|
case @resource[:provider]
# Source IP range
newproperty(:src_range, required_features: :iprange) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The source IP range. For example:
src_range => '192.168.1.1-192.168.1.10'
The source IP range must be in 'IP1-IP2' format.
- EOS
+ PUPPETCODE
validate do |value|
matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(value)
end
newproperty(:destination) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The destination address to match. For example:
destination => '192.168.1.0/24'
destination => '! 192.168.2.0/24'
The destination can also be an IPv6 address if your provider supports it.
- EOS
+ PUPPETCODE
munge do |value|
case @resource[:provider]
# Destination IP range
newproperty(:dst_range, required_features: :iprange) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The destination IP range. For example:
dst_range => '192.168.1.1-192.168.1.10'
The destination IP range must be in 'IP1-IP2' format.
- EOS
+ PUPPETCODE
validate do |value|
matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(value)
end
newproperty(:sport, array_matching: :all) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The source port to match for this filter (if the protocol supports
ports). Will accept a single element or an array.
1-1024
This would cover ports 1 to 1024.
- EOS
+ PUPPETCODE
munge do |value|
@resource.string_to_port(value, :proto)
end
newproperty(:dport, array_matching: :all) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The destination port to match for this filter (if the protocol supports
ports). Will accept a single element or an array.
1-1024
This would cover ports 1 to 1024.
- EOS
+ PUPPETCODE
munge do |value|
@resource.string_to_port(value, :proto)
end
newproperty(:port, array_matching: :all) do
- desc <<-EOS
+ desc <<-PUPPETCODE
DEPRECATED
The destination or source port to match for this filter (if the protocol
1-1024
This would cover ports 1 to 1024.
- EOS
+ PUPPETCODE
validate do |_value|
Puppet.warning('Passing port to firewall is deprecated and will be removed. Use dport and/or sport instead.')
end
newproperty(:dst_type, required_features: :address_type) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The destination address type. For example:
dst_type => 'LOCAL'
* THROW - undocumented
* NAT - undocumented
* XRESOLVE - undocumented
- EOS
+ PUPPETCODE
newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
:BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
end
newproperty(:src_type, required_features: :address_type) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The source address type. For example:
src_type => 'LOCAL'
* THROW - undocumented
* NAT - undocumented
* XRESOLVE - undocumented
- EOS
+ PUPPETCODE
newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
:BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type|
end
newproperty(:proto) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The specific protocol to match for this rule. By default this is
*tcp*.
- EOS
+ PUPPETCODE
newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
[proto, "! #{proto}".to_sym]
# tcp-specific
newproperty(:mss) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match a given TCP MSS value or range.
- EOS
+ PUPPETCODE
end
# tcp-specific
newproperty(:tcp_flags, required_features: :tcp_flags) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match when the TCP flags are as specified.
Is a string with a list of comma-separated flag names for the mask,
then a space, then a comma-separated list of flags that should be set.
Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
ACK,RST and FIN bits cleared. Such packets are used to request
TCP connection initiation.
- EOS
+ PUPPETCODE
end
# Iptables specific
newproperty(:chain, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Name of the chain to use. Can be one of the built-ins:
* INPUT
Or you can provide a user-based chain.
The default value is 'INPUT'.
- EOS
+ PUPPETCODE
defaultto 'INPUT'
newvalue(%r{^[a-zA-Z0-9\-_]+$})
end
newproperty(:table, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Table to use. Can be one of:
* nat
* rawpost
By default the setting is 'filter'.
- EOS
+ PUPPETCODE
newvalues(:nat, :mangle, :filter, :raw, :rawpost)
defaultto 'filter'
end
newproperty(:jump, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The value for the iptables --jump parameter. Normal values are:
* QUEUE
If you set both 'accept' and 'jump' parameters, you will get an error as
only one of the options should be set.
- EOS
+ PUPPETCODE
validate do |value|
unless value =~ %r{^[a-zA-Z0-9\-_]+$}
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
Jump destination must consist of alphanumeric characters, an
underscore or a yphen.
- EOS
+ PUPPETCODE
end
if %w[accept reject drop].include?(value.downcase)
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
Jump destination should not be one of ACCEPT, REJECT or DROP. Use
the action property instead.
- EOS
+ PUPPETCODE
end
end
end
newproperty(:goto, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The value for the iptables --goto parameter. Normal values are:
* QUEUE
* MARK
But any valid chain name is allowed.
- EOS
+ PUPPETCODE
validate do |value|
unless value =~ %r{^[a-zA-Z0-9\-_]+$}
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
Goto destination must consist of alphanumeric characters, an
underscore or a yphen.
- EOS
+ PUPPETCODE
end
if %w[accept reject drop].include?(value.downcase)
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
Goto destination should not be one of ACCEPT, REJECT or DROP. Use
the action property instead.
- EOS
+ PUPPETCODE
end
end
end
# Interface specific matching properties
newproperty(:iniface, required_features: :interface_match) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Input interface to filter on. Supports interface alias like eth0:0.
To negate the match try this:
iniface => '! lo',
- EOS
+ PUPPETCODE
newvalues(%r{^!?\s?[a-zA-Z0-9\-\._\+\:]+$})
end
newproperty(:outiface, required_features: :interface_match) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Output interface to filter on. Supports interface alias like eth0:0.
To negate the match try this:
outiface => '! lo',
- EOS
+ PUPPETCODE
newvalues(%r{^!?\s?[a-zA-Z0-9\-\._\+\:]+$})
end
# NAT specific properties
newproperty(:tosource, required_features: :snat) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When using jump => "SNAT" you can specify the new source address using
this parameter.
- EOS
+ PUPPETCODE
end
newproperty(:todest, required_features: :dnat) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When using jump => "DNAT" you can specify the new destination address
using this paramter.
- EOS
+ PUPPETCODE
end
newproperty(:toports, required_features: :dnat) do
- desc <<-EOS
+ desc <<-PUPPETCODE
For DNAT this is the port that will replace the destination port.
- EOS
+ PUPPETCODE
end
newproperty(:to, required_features: :netmap) do
- desc <<-EOS
+ desc <<-PUPPETCODE
For NETMAP this will replace the destination IP
- EOS
+ PUPPETCODE
end
newproperty(:random, required_features: :dnat) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
this boolean will enable randomized port mapping.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
# Reject ICMP type
newproperty(:reject, required_features: :reject_type) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When combined with jump => "REJECT" you can specify a different icmp
response to be sent back to the packet sender.
- EOS
+ PUPPETCODE
end
# Logging properties
newproperty(:log_level, required_features: :log_level) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When combined with jump => "LOG" specifies the system log level to log
to.
- EOS
+ PUPPETCODE
munge do |value|
if value.is_a?(String)
end
newproperty(:log_prefix, required_features: :log_prefix) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When combined with jump => "LOG" specifies the log prefix to use when
logging.
- EOS
+ PUPPETCODE
end
newproperty(:log_uid, required_features: :log_uid) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When combined with jump => "LOG" specifies the uid of the process making
the connection.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:nflog_group, required_features: :nflog_group) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the jump target NFLOG.
The netlink group (0 - 2^16-1) to which packets are (only applicable
for nfnetlink_log). Defaults to 0.
- EOS
+ PUPPETCODE
validate do |value|
if value.to_i > (2**16) - 1 || value.to_i < 0
end
newproperty(:nflog_prefix, required_features: :nflog_prefix) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the jump target NFLOG.
A prefix string to include in the log message, up to 64 characters long,
useful for distinguishing messages in the logs.
- EOS
+ PUPPETCODE
validate do |value|
if value.length > 64
end
newproperty(:nflog_range, required_features: :nflog_range) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the jump target NFLOG.
The number of bytes to be copied to userspace (only applicable for nfnetlink_log).
nfnetlink_log instances may specify their own range, this option overrides it.
- EOS
+ PUPPETCODE
end
newproperty(:nflog_threshold, required_features: :nflog_threshold) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the jump target NFLOG.
Number of packets to queue inside the kernel before sending them to userspace
(only applicable for nfnetlink_log). Higher values result in less overhead
per packet, but increase delay until the packets reach userspace. Defaults to 1.
- EOS
+ PUPPETCODE
munge do |value|
if value.is_a?(String) && value =~ %r{^[-0-9]+$}
# ICMP matching property
newproperty(:icmp, required_features: :icmp_match) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When matching ICMP packets, this is the type of ICMP packet to match.
A value of "any" is not supported. To achieve this behaviour the
parameter should simply be omitted or undefined.
An array of values is also not supported. To match against multiple ICMP
types, please use separate rules for each ICMP type.
- EOS
+ PUPPETCODE
validate do |value|
if value == 'any'
end
newproperty(:state, array_matching: :all, required_features: :state_match) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Matches a packet based on its state in the firewall stateful inspection
table. Values can be:
* NEW
* RELATED
* UNTRACKED
- EOS
+ PUPPETCODE
newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED)
end
newproperty(:ctstate, array_matching: :all, required_features: :state_match) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Matches a packet based on its state in the firewall stateful inspection
table, using the conntrack module. Values can be:
* NEW
* RELATED
* UNTRACKED
- EOS
+ PUPPETCODE
newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED)
# Connection mark
newproperty(:connmark, required_features: :mark) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match the Netfilter mark value associated with the packet. Accepts either of:
mark/mask or mark. These will be converted to hex if they are not already.
- EOS
+ PUPPETCODE
munge do |value|
int_or_hex = '[a-fA-F0-9x]'
match = value.to_s.match("(#{int_or_hex}+)(/)?(#{int_or_hex}+)?")
# Connection limiting properties
newproperty(:connlimit_above, required_features: :connection_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Connection limiting value for matched connections above n.
- EOS
+ PUPPETCODE
newvalue(%r{^\d+$})
end
newproperty(:connlimit_mask, required_features: :connection_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Connection limiting by subnet mask for matched connections.
IPv4: 0-32
IPv6: 0-128
- EOS
+ PUPPETCODE
newvalue(%r{^\d+$})
end
# Hop limiting properties
newproperty(:hop_limit, required_features: :hop_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Hop limiting value for matched packets.
- EOS
+ PUPPETCODE
newvalue(%r{^\d+$})
end
# Rate limiting properties
newproperty(:limit, required_features: :rate_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Rate limiting value for matched packets. The format is:
rate/[/second/|/minute|/hour|/day].
Example values are: '50/sec', '40/min', '30/hour', '10/day'."
- EOS
+ PUPPETCODE
end
newproperty(:burst, required_features: :rate_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Rate limiting burst value (per second) before limit checks apply.
- EOS
+ PUPPETCODE
newvalue(%r{^\d+$})
end
newproperty(:uid, required_features: :owner) do
- desc <<-EOS
+ desc <<-PUPPETCODE
UID or Username owner matching rule. Accepts a string argument
only, as iptables does not accept multiple uid in a single
statement.
- EOS
+ PUPPETCODE
def insync?(is)
require 'etc'
end
newproperty(:gid, required_features: :owner) do
- desc <<-EOS
+ desc <<-PUPPETCODE
GID or Group owner matching rule. Accepts a string argument
only, as iptables does not accept multiple gid in a single
statement.
- EOS
+ PUPPETCODE
def insync?(is)
require 'etc'
# match mark
newproperty(:match_mark, required_features: :mark) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match the Netfilter mark value associated with the packet. Accepts either of:
mark/mask or mark. These will be converted to hex if they are not already.
- EOS
+ PUPPETCODE
munge do |value|
mark_regex = %r{\A((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i
match = value.to_s.match(mark_regex)
end
newproperty(:set_mark, required_features: :mark) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Set the Netfilter mark value associated with the packet. Accepts either of:
mark/mask or mark. These will be converted to hex if they are not already.
- EOS
+ PUPPETCODE
munge do |value|
int_or_hex = '[a-fA-F0-9x]'
end
newproperty(:clamp_mss_to_pmtu, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the clamp mss to pmtu flag.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:set_dscp, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Set DSCP Markings.
- EOS
+ PUPPETCODE
end
newproperty(:set_dscp_class, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
This sets the DSCP field according to a predefined DiffServ class.
- EOS
+ PUPPETCODE
# iptables uses the cisco DSCP classes as the basis for this flag. Values may be found here:
# 'http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/10103-dscpvalues.html'
valid_codes = %w[
end
newproperty(:set_mss, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the TCP MSS value for packets.
- EOS
+ PUPPETCODE
end
newproperty(:pkttype, required_features: :pkttype) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the packet type to match.
- EOS
+ PUPPETCODE
newvalues(:unicast, :broadcast, :multicast)
end
newproperty(:isfragment, required_features: :isfragment) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Set to true to match tcp fragments (requires type to be set to tcp)
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:recent, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Enable the recent module. Takes as an argument one of set, update,
rcheck or remove. For example:
action => 'DROP',
chain => 'FORWARD',
}
- EOS
+ PUPPETCODE
newvalues(:set, :update, :rcheck, :remove)
munge do |value|
end
newproperty(:rdest, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; add the destination IP address to the list.
Must be boolean true.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:rsource, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; add the source IP address to the list.
Must be boolean true.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:rname, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; The name of the list. Takes a string argument.
- EOS
+ PUPPETCODE
end
newproperty(:rseconds, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; used in conjunction with one of `recent => 'rcheck'` or
`recent => 'update'`. When used, this will narrow the match to only
happen when the address is in the list and was seen within the last given
number of seconds.
- EOS
+ PUPPETCODE
end
newproperty(:reap, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; can only be used in conjunction with the `rseconds`
attribute. When used, this will cause entries older than 'seconds' to be
purged. Must be boolean true.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:rhitcount, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; used in conjunction with `recent => 'update'` or `recent
=> 'rcheck'. When used, this will narrow the match to only happen when
the address is in the list and packets had been received greater than or
equal to the given value.
- EOS
+ PUPPETCODE
end
newproperty(:rttl, required_features: :recent_limiting) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Recent module; may only be used in conjunction with one of `recent =>
'rcheck'` or `recent => 'update'`. When used, this will narrow the match
to only happen when the address is in the list and the TTL of the current
This may be useful if you have problems with people faking their source
address in order to DoS you via this module by disallowing others access
to your site by sending bogus packets to you. Must be boolean true.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:socket, required_features: :socket) do
- desc <<-EOS
+ desc <<-PUPPETCODE
If true, matches if an open socket can be found by doing a coket lookup
on the packet.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:ishasmorefrags, required_features: :ishasmorefrags) do
- desc <<-EOS
+ desc <<-PUPPETCODE
If true, matches if the packet has it's 'more fragments' bit set. ipv6.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:islastfrag, required_features: :islastfrag) do
- desc <<-EOS
+ desc <<-PUPPETCODE
If true, matches if the packet is the last fragment. ipv6.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:isfirstfrag, required_features: :isfirstfrag) do
- desc <<-EOS
+ desc <<-PUPPETCODE
If true, matches if the packet is the first fragment.
Sadly cannot be negated. ipv6.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:ipsec_policy, required_features: :ipsec_policy) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc.
- EOS
+ PUPPETCODE
newvalues(:none, :ipsec)
end
newproperty(:ipsec_dir, required_features: :ipsec_dir) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the ipsec policy direction
- EOS
+ PUPPETCODE
newvalues(:in, :out)
end
newproperty(:stat_mode) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Set the matching mode for statistic matching. Supported modes are `random` and `nth`.
- EOS
+ PUPPETCODE
newvalues(:nth, :random)
end
newproperty(:stat_every) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match one packet every nth packet. Requires `stat_mode => 'nth'`
- EOS
+ PUPPETCODE
validate do |value|
unless value =~ %r{^\d+$}
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
stat_every value must be a digit
- EOS
+ PUPPETCODE
end
unless value.to_i > 0
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
stat_every value must be larger than 0
- EOS
+ PUPPETCODE
end
end
end
newproperty(:stat_packet) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'`
- EOS
+ PUPPETCODE
newvalues(%r{^\d+$})
end
newproperty(:stat_probability) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`.
- EOS
+ PUPPETCODE
validate do |value|
unless value =~ %r{^([01])\.(\d+)$}
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
stat_probability must be between 0.0 and 1.0
- EOS
+ PUPPETCODE
end
if Regexp.last_match(1).to_i == 1 && Regexp.last_match(2).to_i != 0
- raise ArgumentError, <<-EOS
+ raise ArgumentError, <<-PUPPETCODE
start_probability must be between 0.0 and 1.0
- EOS
+ PUPPETCODE
end
end
end
newproperty(:mask, required_features: :mask) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the mask to use when `recent` is enabled.
- EOS
+ PUPPETCODE
end
newproperty(:gateway, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The TEE target will clone a packet and redirect this clone to another
machine on the local network segment. gateway is the target host's IP.
- EOS
+ PUPPETCODE
end
newproperty(:ipset, required_features: :ipset, array_matching: :all) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Matches against the specified ipset list.
Requires ipset kernel module. Will accept a single element or an array.
The value is the name of the blacklist, followed by a space, and then
'src' and/or 'dst' separated by a comma.
For example: 'blacklist src,dst'
- EOS
+ PUPPETCODE
def to_s?(value)
should_to_s(value)
end
newproperty(:checksum_fill, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Compute and fill missing packet checksums.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newparam(:line) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Read-only property for caching the rule line.
- EOS
+ PUPPETCODE
end
newproperty(:mac_source) do
- desc <<-EOS
+ desc <<-PUPPETCODE
MAC Source
- EOS
+ PUPPETCODE
newvalues(%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i)
end
newproperty(:physdev_in, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match if the packet is entering a bridge from the given interface.
- EOS
+ PUPPETCODE
newvalues(%r{^[a-zA-Z0-9\-\._\+]+$})
end
newproperty(:physdev_out, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match if the packet is leaving a bridge via the given interface.
- EOS
+ PUPPETCODE
newvalues(%r{^[a-zA-Z0-9\-\._\+]+$})
end
newproperty(:physdev_is_bridged, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match if the packet is transversing a bridge.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:physdev_is_in, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Matches if the packet has entered through a bridge interface.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:physdev_is_out, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Matches if the packet will leave through a bridge interface.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:date_start, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Only match during the given time, which must be in ISO 8601 "T" notation.
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
- EOS
+ PUPPETCODE
end
newproperty(:date_stop, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Only match during the given time, which must be in ISO 8601 "T" notation.
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
- EOS
+ PUPPETCODE
end
newproperty(:time_start, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
- EOS
+ PUPPETCODE
munge do |value|
if value =~ %r{^([0-9]):}
end
newproperty(:time_stop, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
- EOS
+ PUPPETCODE
munge do |value|
if value =~ %r{^([0-9]):}
end
newproperty(:month_days, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Only match on the given days of the month. Possible values are 1 to 31.
Note that specifying 31 will of course not match on months which do not have a 31st day;
the same goes for 28- or 29-day February.
- EOS
+ PUPPETCODE
validate do |value|
month = value.to_i
end
newproperty(:week_days, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun.
- EOS
+ PUPPETCODE
newvalues(:Mon, :Tue, :Wed, :Thu, :Fri, :Sat, :Sun)
end
newproperty(:time_contiguous, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:kernel_timezone, required_features: :iptables) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:clusterip_new, required_features: :clusterip) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP.
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:clusterip_hashmode, required_features: :clusterip) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Specify the hashing mode. Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport.
- EOS
+ PUPPETCODE
newvalues(:sourceip, :'sourceip-sourceport', :'sourceip-sourceport-destport')
end
newproperty(:clusterip_clustermac, required_features: :clusterip) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Specify the ClusterIP MAC address. Has to be a link-layer multicast address.
- EOS
+ PUPPETCODE
newvalues(%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i)
end
newproperty(:clusterip_total_nodes, required_features: :clusterip) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Number of total nodes within this cluster.
- EOS
+ PUPPETCODE
newvalues(%r{\d+})
end
newproperty(:clusterip_local_node, required_features: :clusterip) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Specify the random seed used for hash initialization.
- EOS
+ PUPPETCODE
newvalues(%r{\d+})
end
newproperty(:clusterip_hash_init, required_features: :clusterip) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Specify the random seed used for hash initialization.
- EOS
+ PUPPETCODE
end
newproperty(:length, required_features: :length) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Sets the length of layer-3 payload to match.
- EOS
+ PUPPETCODE
munge do |value|
match = value.to_s.match('^([0-9]+)(-)?([0-9]+)?$')
end
newproperty(:string, required_features: :string_matching) do
- desc <<-EOS
+ desc <<-PUPPETCODE
String matching feature. Matches the packet against the pattern
given as an argument.
- EOS
+ PUPPETCODE
munge do |value|
_value = "'" + value + "'"
end
newproperty(:string_algo, required_features: :string_matching) do
- desc <<-EOS
+ desc <<-PUPPETCODE
String matching feature, pattern matching strategy.
- EOS
+ PUPPETCODE
newvalues(:bm, :kmp)
end
newproperty(:string_from, required_features: :string_matching) do
- desc <<-EOS
+ desc <<-PUPPETCODE
String matching feature, offset from which we start looking for any matching.
- EOS
+ PUPPETCODE
end
newproperty(:string_to, required_features: :string_matching) do
- desc <<-EOS
+ desc <<-PUPPETCODE
String matching feature, offset up to which we should scan.
- EOS
+ PUPPETCODE
end
newproperty(:queue_num, required_features: :queue_num) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with NFQUEUE jump target.
What queue number to send packets to
- EOS
+ PUPPETCODE
munge do |value|
match = value.to_s.match('^([0-9])*$')
if match.nil?
end
newproperty(:queue_bypass, required_features: :queue_bypass) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Used with NFQUEUE jump target
Allow packets to bypass :queue_num if userspace process is not listening
- EOS
+ PUPPETCODE
newvalues(:true, :false)
end
newproperty(:src_cc) do
- desc <<-EOS
+ desc <<-PUPPETCODE
src attribute for the module geoip
- EOS
+ PUPPETCODE
newvalues(%r{^[A-Z]{2}(,[A-Z]{2})*$})
end
newproperty(:dst_cc) do
- desc <<-EOS
+ desc <<-PUPPETCODE
dst attribute for the module geoip
- EOS
+ PUPPETCODE
newvalues(%r{^[A-Z]{2}(,[A-Z]{2})*$})
end
newproperty(:hashlimit_name) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The name for the /proc/net/ipt_hashlimit/foo entry.
This parameter is required.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_upto) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second).
This parameter or hashlimit_above is required.
Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_above) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Match if the rate is above amount/quantum.
This parameter or hashlimit_upto is required.
Allowed forms are '40','40/second','40/minute','40/hour','40/day'.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_burst) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too.
- EOS
+ PUPPETCODE
newvalue(%r{^\d+$})
end
newproperty(:hashlimit_mode) do
- desc <<-EOS
+ desc <<-PUPPETCODE
A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping.
Allowed values are: srcip, srcport, dstip, dstport
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_srcmask) do
- desc <<-EOS
+ desc <<-PUPPETCODE
When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_dstmask) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Like --hashlimit-srcmask, but for destination addresses.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_htable_size) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The number of buckets of the hash table
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_htable_max) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Maximum entries in the hash.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_htable_expire) do
- desc <<-EOS
+ desc <<-PUPPETCODE
After how many milliseconds do hash entries expire.
- EOS
+ PUPPETCODE
end
newproperty(:hashlimit_htable_gcinterval) do
- desc <<-EOS
+ desc <<-PUPPETCODE
How many milliseconds between garbage collection intervals.
- EOS
+ PUPPETCODE
end
autorequire(:firewallchain) do
Puppet::Type.newtype(:firewallchain) do
include Puppet::Util::Firewall
- @doc = <<-EOS
+ @doc = <<-PUPPETCODE
This type provides the capability to manage rule chains for firewalls.
Currently this supports only iptables, ip6tables and ebtables on Linux. And
If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
and the provider is iptables_chain, the firewall resource will autorequire
those packages to ensure that any required binaries are installed.
- EOS
+ PUPPETCODE
feature :iptables_chain, 'The provider provides iptables chain features.'
feature :policy, 'Default policy (inbuilt chains only)'
end
newparam(:name) do
- desc <<-EOS
+ desc <<-PUPPETCODE
The canonical name of the chain.
For iptables the format must be {chain}:{table}:{protocol}.
- EOS
+ PUPPETCODE
isnamevar
validate do |value|
end
newproperty(:policy) do
- desc <<-EOS
+ desc <<-PUPPETCODE
This is the action to when the end of the chain is reached.
It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,
PREROUTING, POSTROUTING) and can be one of:
* queue - the packet is passed userspace
* return - the packet is returned to calling (jump) queue
or the default of inbuilt chains
- EOS
+ PUPPETCODE
newvalues(:accept, :drop, :queue, :return)
defaultto do
# ethernet chain have an ACCEPT default while other haven't got an
end
newparam(:purge, boolean: true) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Purge unmanaged firewall rules in this chain
- EOS
- newvalues(:false, :true)
- defaultto :false
+ PUPPETCODE
+ newvalues(false, true)
+ defaultto false
end
newparam(:ignore) do
- desc <<-EOS
+ desc <<-PUPPETCODE
Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
This is matched against the output of `iptables-save`.
'--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
],
}
- EOS
+ PUPPETCODE
validate do |value|
unless value.is_a?(Array) || value.is_a?(String) || value == false
end
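Review bot: The `purge` parameter's switch to `newvalues(false, true)` and `defaultto false` (L1247–L1248) changes the stored value from the symbol `:false` to a real boolean, and since purge drives deletion of unmanaged rules in the chain, any provider code that still compares `resource[:purge]` against `:true`/`:false` (the provider is outside this section) would silently change its purge decision. Puppet's value collection normally maps a boolean and its symbol form to the same newvalue name, so this is probably harmless, but I would back it with a spec asserting that `purge => true` still purges and that the default does not. The analogous boolean property in the firewall type (`queue_bypass`, L1097) keeps `newvalues(:true, :false)`, so the two types now declare booleans differently; a comment on L1247 such as `# plain booleans here; the firewall type's :true/:false values are still pending the same cleanup` would explain the asymmetry. The `newparam(:purge, boolean: true)` block is fully inside this section, but the enclosing type definition continues outside it.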
describe 'when unmanaged rules exist' do
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
action => accept,
source => '8.0.0.2',
}
- EOS
+ PUPPETCODE
it 'applies with 8.0.0.1 first' do
apply_manifest(pp1, catch_failures: true)
end
end
end
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
action => accept,
source => '8.0.0.4',
}
- EOS
+ PUPPETCODE
it 'changes to 8.0.0.4 second' do
expect(apply_manifest(pp2, catch_failures: true).stdout)
.to match(%r{Notice: \/Stage\[main\]\/Main\/Firewall\[101 test source changes\]\/source: source changed '8\.0\.0\.1\/32' to '8\.0\.0\.4\/32'})
if default['platform'] !~ %r{sles-10}
describe 'connlimit_above' do
- context '10' do
- pp1 = <<-EOS
+ context 'when 10' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '500 - test':
proto => tcp,
connlimit_above => '10',
action => reject,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
describe 'connlimit_mask' do
- context '24' do
- pp2 = <<-EOS
+ context 'when 24' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '501 - test':
proto => tcp,
connlimit_mask => '24',
action => reject,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
describe 'connmark property' do
describe 'connmark' do
- context '50' do
- pp = <<-EOS
+ context 'when 50' do
+ pp = <<-PUPPETCODE
class { '::firewall': }
firewall { '502 - test':
proto => 'all',
connmark => '0x1',
action => reject,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp, catch_failures: true)
end
end
describe 'iptables physdev tests' do
- context 'physdev_in eth0' do
- pp1 = <<-EOS
+ context 'when physdev_in eth0' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '701 - test':
chain => 'FORWARD',
action => accept,
physdev_in => 'eth0',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
end
- context 'physdev_out eth1' do
- pp2 = <<-EOS
+ context 'when physdev_out eth1' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '702 - test':
chain => 'FORWARD',
action => accept,
physdev_out => 'eth1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end
end
- context 'physdev_in eth0 and physdev_out eth1' do
- pp3 = <<-EOS
+ context 'when physdev_in eth0 and physdev_out eth1' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '703 - test':
chain => 'FORWARD',
physdev_in => 'eth0',
physdev_out => 'eth1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end
end
- context 'physdev_is_bridged' do
- pp4 = <<-EOS
+ context 'when physdev_is_bridged' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '704 - test':
chain => 'FORWARD',
action => accept,
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
end
end
- context 'physdev_in eth0 and physdev_is_bridged' do
- pp5 = <<-EOS
+ context 'when physdev_in eth0 and physdev_is_bridged' do
+ pp5 = <<-PUPPETCODE
class { '::firewall': }
firewall { '705 - test':
chain => 'FORWARD',
physdev_in => 'eth0',
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp5, catch_failures: true)
apply_manifest(pp5, catch_changes: do_catch_changes)
end
end
- context 'physdev_out eth1 and physdev_is_bridged' do
- pp6 = <<-EOS
+ context 'when physdev_out eth1 and physdev_is_bridged' do
+ pp6 = <<-PUPPETCODE
class { '::firewall': }
firewall { '706 - test':
chain => 'FORWARD',
physdev_out => 'eth1',
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp6, catch_failures: true)
apply_manifest(pp6, catch_changes: do_catch_changes)
end
end
- context 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
- pp7 = <<-EOS
+ context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
+ pp7 = <<-PUPPETCODE
class { '::firewall': }
firewall { '707 - test':
chain => 'FORWARD',
physdev_out => 'eth1',
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp7, catch_failures: true)
apply_manifest(pp7, catch_changes: do_catch_changes)
# iptables version 1.3.5 is not suppored by the ip6tables provider
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'ip6tables physdev tests' do
- context 'physdev_in eth0' do
- pp8 = <<-EOS
+ context 'when physdev_in eth0' do
+ pp8 = <<-PUPPETCODE
class { '::firewall': }
firewall { '701 - test':
provider => 'ip6tables',
action => accept,
physdev_in => 'eth0',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp8, catch_failures: true)
apply_manifest(pp8, catch_changes: do_catch_changes)
end
end
- context 'physdev_out eth1' do
- pp9 = <<-EOS
+ context 'when physdev_out eth1' do
+ pp9 = <<-PUPPETCODE
class { '::firewall': }
firewall { '702 - test':
provider => 'ip6tables',
action => accept,
physdev_out => 'eth1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp9, catch_failures: true)
apply_manifest(pp9, catch_changes: do_catch_changes)
end
end
- context 'physdev_in eth0 and physdev_out eth1' do
- pp10 = <<-EOS
+ context 'when physdev_in eth0 and physdev_out eth1' do
+ pp10 = <<-PUPPETCODE
class { '::firewall': }
firewall { '703 - test':
provider => 'ip6tables',
physdev_in => 'eth0',
physdev_out => 'eth1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp10, catch_failures: true)
apply_manifest(pp10, catch_changes: do_catch_changes)
end
end
- context 'physdev_is_bridged' do
- pp11 = <<-EOS
+ context 'when physdev_is_bridged' do
+ pp11 = <<-PUPPETCODE
class { '::firewall': }
firewall { '704 - test':
provider => 'ip6tables',
action => accept,
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp11, catch_failures: true)
apply_manifest(pp11, catch_changes: do_catch_changes)
end
end
- context 'physdev_in eth0 and physdev_is_bridged' do
- pp12 = <<-EOS
+ context 'when physdev_in eth0 and physdev_is_bridged' do
+ pp12 = <<-PUPPETCODE
class { '::firewall': }
firewall { '705 - test':
provider => 'ip6tables',
physdev_in => 'eth0',
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp12, catch_failures: true)
apply_manifest(pp12, catch_changes: do_catch_changes)
end
end
- context 'physdev_out eth1 and physdev_is_bridged' do
- pp13 = <<-EOS
+ context 'when physdev_out eth1 and physdev_is_bridged' do
+ pp13 = <<-PUPPETCODE
class { '::firewall': }
firewall { '706 - test':
provider => 'ip6tables',
physdev_out => 'eth1',
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp13, catch_failures: true)
apply_manifest(pp13, catch_changes: do_catch_changes)
end
end
- context 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
- pp14 = <<-EOS
+ context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
+ pp14 = <<-PUPPETCODE
class { '::firewall': }
firewall { '707 - test':
provider => 'ip6tables',
physdev_out => 'eth1',
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp14, catch_failures: true)
apply_manifest(pp14, catch_changes: do_catch_changes)
end
end
- context 'physdev_is_in' do
- pp15 = <<-EOS
+ context 'when physdev_is_in' do
+ pp15 = <<-PUPPETCODE
class { '::firewall': }
firewall { '708 - test':
provider => 'ip6tables',
action => accept,
physdev_is_in => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp15, catch_failures: true)
apply_manifest(pp15, catch_changes: do_catch_changes)
end
end
- context 'physdev_is_out' do
- pp16 = <<-EOS
+ context 'when physdev_is_out' do
+ pp16 = <<-PUPPETCODE
class { '::firewall': }
firewall { '709 - test':
provider => 'ip6tables',
action => accept,
physdev_is_out => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp16, catch_failures: true)
apply_manifest(pp16, catch_changes: do_catch_changes)
end
describe 'dscp ipv4 tests' do
- context 'set_dscp 0x01' do
- pp1 = <<-EOS
+ context 'when set_dscp 0x01' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1000 - set_dscp':
chain => 'OUTPUT',
table => 'mangle',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
end
end
- context 'set_dscp_class EF' do
- pp2 = <<-EOS
+ context 'when set_dscp_class EF' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1001 EF - set_dscp_class':
chain => 'OUTPUT',
table => 'mangle',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'dscp ipv6 tests' do
- context 'set_dscp 0x01' do
- pp3 = <<-EOS
+ context 'when set_dscp 0x01' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1002 - set_dscp':
table => 'mangle',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end
end
end
- context 'set_dscp_class EF' do
- pp4 = <<-EOS
+ context 'when set_dscp_class EF' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1003 EF - set_dscp_class':
table => 'mangle',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end
end
describe 'gid tests' do
- context 'gid set to root' do
- pp1 = <<-EOS
+ context 'when gid set to root' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - test':
chain => 'OUTPUT',
gid => 'root',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
end
- context 'gid set to !root' do
- pp2 = <<-EOS
+ context 'when gid set to !root' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - test':
chain => 'OUTPUT',
gid => '!root',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end
end
- context 'gid set to 0' do
- pp3 = <<-EOS
+ context 'when gid set to 0' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '803 - test':
chain => 'OUTPUT',
gid => '0',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end
end
- context 'gid set to !0' do
- pp4 = <<-EOS
+ context 'when gid set to !0' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '804 - test':
chain => 'OUTPUT',
gid => '!0',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
end
describe 'iptables ipt_modules tests' do
- context 'all the modules with multiple args' do
- pp1 = <<-EOS
+ context 'when all the modules with multiple args' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
physdev_out => "eth1",
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
end
- context 'all the modules with single args' do
- pp2 = <<-EOS
+ context 'when all the modules with single args' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
physdev_out => "eth1",
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
# iptables version 1.3.5 is not suppored by the ip6tables provider
if default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{ubuntu-14\.04}
describe 'ip6tables ipt_modules tests' do
- context 'all the modules with multiple args' do
- pp3 = <<-EOS
+ context 'when all the modules with multiple args' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
physdev_out => "eth1",
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end
end
- context 'all the modules with single args' do
- pp4 = <<-EOS
+ context 'when all the modules with single args' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
physdev_out => "eth1",
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
# el-5 doesn't support ipv6 by default
elsif default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'ip6tables ipt_modules tests' do
- context 'all the modules with multiple args' do
- pp5 = <<-EOS
+ context 'when all the modules with multiple args' do
+ pp5 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
physdev_out => "eth1",
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp5, catch_failures: true)
apply_manifest(pp5, catch_changes: do_catch_changes)
end
end
- context 'all the modules with single args' do
- pp6 = <<-EOS
+ context 'when all the modules with single args' do
+ pp6 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
physdev_out => "eth1",
physdev_is_bridged => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp6, catch_failures: true)
apply_manifest(pp6, catch_changes: do_catch_changes)
end
describe 'mss ipv4 tests' do
- context '1360' do
- pp1 = <<-EOS
+ context 'when 1360' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'502 - set_mss':
chain => 'FORWARD',
table => 'mangle',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
end
end
- context 'clamp_mss_to_pmtu' do
- pp2 = <<-EOS
+ context 'when clamp_mss_to_pmtu' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
jump => 'TCPMSS',
clamp_mss_to_pmtu => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'mss ipv6 tests' do
- context '1360' do
- pp3 = <<-EOS
+ context 'when 1360' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'502 - set_mss':
table => 'mangle',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end
end
end
- context 'clamp_mss_to_pmtu' do
- pp4 = <<-EOS
+ context 'when clamp_mss_to_pmtu' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
clamp_mss_to_pmtu => true,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end
end
describe 'name' do
- context 'valid' do
- pp1 = <<-EOS
+ context 'when valid' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '001 - test': ensure => present }
- EOS
+ PUPPETCODE
it 'applies cleanly' do
apply_manifest(pp1, catch_failures: true)
end
end
- context 'invalid' do
- pp2 = <<-EOS
+ context 'when invalid' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { 'test': ensure => present }
- EOS
+ PUPPETCODE
it 'fails' do
apply_manifest(pp2, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid value "test".})
end
describe 'ensure' do
- context 'default' do
- pp3 = <<-EOS
+ context 'when default' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '555 - test':
proto => tcp,
port => '555',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end
end
end
- context 'present' do
- pp4 = <<-EOS
+ context 'when present' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '555 - test':
ensure => present,
port => '555',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end
end
end
- context 'absent' do
- pp5 = <<-EOS
+ context 'when absent' do
+ pp5 = <<-PUPPETCODE
class { '::firewall': }
firewall { '555 - test':
ensure => absent,
port => '555',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp5, catch_failures: true)
end
end
describe 'source' do
- context '192.168.2.0/24' do
- pp7 = <<-EOS
+ context 'when 192.168.2.0/24' do
+ pp7 = <<-PUPPETCODE
class { '::firewall': }
firewall { '556 - test':
proto => tcp,
action => accept,
source => '192.168.2.0/24',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp7, catch_failures: true)
apply_manifest(pp7, catch_changes: do_catch_changes)
end
end
- context '! 192.168.2.0/24' do
- pp8 = <<-EOS
+ context 'when ! 192.168.2.0/24' do
+ pp8 = <<-PUPPETCODE
class { '::firewall': }
firewall { '556 - test':
proto => tcp,
action => accept,
source => '! 192.168.2.0/24',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp8, catch_failures: true)
apply_manifest(pp8, catch_changes: do_catch_changes)
end
# Invalid address
- context '256.168.2.0/24' do
- pp9 = <<-EOS
+ context 'when 256.168.2.0/24' do
+ pp9 = <<-PUPPETCODE
class { '::firewall': }
firewall { '556 - test':
proto => tcp,
action => accept,
source => '256.168.2.0/24',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp9, expect_failures: true) do |r|
expect(r.stderr).to match(%r{host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)})
end
describe 'src_range' do
- context '192.168.1.1-192.168.1.10' do
- pp10 = <<-EOS
+ context 'when 192.168.1.1-192.168.1.10' do
+ pp10 = <<-PUPPETCODE
class { '::firewall': }
firewall { '557 - test':
proto => tcp,
action => accept,
src_range => '192.168.1.1-192.168.1.10',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp10, catch_failures: true)
apply_manifest(pp10, catch_changes: do_catch_changes)
end
# Invalid IP
- context '392.168.1.1-192.168.1.10' do
- pp11 = <<-EOS
+ context 'when 392.168.1.1-192.168.1.10' do
+ pp11 = <<-PUPPETCODE
class { '::firewall': }
firewall { '557 - test':
proto => tcp,
action => accept,
src_range => '392.168.1.1-192.168.1.10',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp11, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid IP address "392.168.1.1" in range "392.168.1.1-192.168.1.10"})
end
describe 'destination' do
- context '192.168.2.0/24' do
- pp12 = <<-EOS
+ context 'when 192.168.2.0/24' do
+ pp12 = <<-PUPPETCODE
class { '::firewall': }
firewall { '558 - test':
proto => tcp,
action => accept,
destination => '192.168.2.0/24',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp12, catch_failures: true)
apply_manifest(pp12, catch_changes: do_catch_changes)
end
end
- context '! 192.168.2.0/24' do
- pp13 = <<-EOS
+ context 'when ! 192.168.2.0/24' do
+ pp13 = <<-PUPPETCODE
class { '::firewall': }
firewall { '558 - test':
proto => tcp,
action => accept,
destination => '! 192.168.2.0/24',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp13, catch_failures: true)
apply_manifest(pp13, catch_changes: do_catch_changes)
end
# Invalid address
- context '256.168.2.0/24' do
- pp14 = <<-EOS
+ context 'when 256.168.2.0/24' do
+ pp14 = <<-PUPPETCODE
class { '::firewall': }
firewall { '558 - test':
proto => tcp,
action => accept,
destination => '256.168.2.0/24',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp14, expect_failures: true) do |r|
expect(r.stderr).to match(%r{host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)})
end
describe 'dst_range' do
- context '192.168.1.1-192.168.1.10' do
- pp15 = <<-EOS
+ context 'when 192.168.1.1-192.168.1.10' do
+ pp15 = <<-PUPPETCODE
class { '::firewall': }
firewall { '559 - test':
proto => tcp,
action => accept,
dst_range => '192.168.1.1-192.168.1.10',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp15, catch_failures: true)
apply_manifest(pp15, catch_changes: do_catch_changes)
end
# Invalid IP
- context '392.168.1.1-192.168.1.10' do
- pp16 = <<-EOS
+ context 'when 392.168.1.1-192.168.1.10' do
+ pp16 = <<-PUPPETCODE
class { '::firewall': }
firewall { '559 - test':
proto => tcp,
action => accept,
dst_range => '392.168.1.1-192.168.1.10',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp16, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid IP address "392.168.1.1" in range "392.168.1.1-192.168.1.10"})
end
describe 'sport' do
- context 'single port' do
- pp17 = <<-EOS
+ context 'when single port' do
+ pp17 = <<-PUPPETCODE
class { '::firewall': }
firewall { '560 - test':
proto => tcp,
sport => '560',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp17, catch_failures: true)
end
end
end
- context 'multiple ports' do
- pp18 = <<-EOS
+ context 'when multiple ports' do
+ pp18 = <<-PUPPETCODE
class { '::firewall': }
firewall { '560 - test':
proto => tcp,
sport => '560-561',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp18, catch_failures: true)
end
end
end
- context 'invalid ports' do
- pp19 = <<-EOS
+ context 'when invalid ports' do
+ pp19 = <<-PUPPETCODE
class { '::firewall': }
firewall { '560 - test':
proto => tcp,
sport => '9999560-561',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp19, expect_failures: true) do |r|
expect(r.stderr).to match(%r{invalid port\/service `9999560' specified})
end
describe 'dport' do
- context 'single port' do
- pp20 = <<-EOS
+ context 'when single port' do
+ pp20 = <<-PUPPETCODE
class { '::firewall': }
firewall { '561 - test':
proto => tcp,
dport => '561',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp20, catch_failures: true)
end
end
end
- context 'multiple ports' do
- pp21 = <<-EOS
+ context 'when multiple ports' do
+ pp21 = <<-PUPPETCODE
class { '::firewall': }
firewall { '561 - test':
proto => tcp,
dport => '561-562',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp21, catch_failures: true)
end
end
end
- context 'invalid ports' do
- pp22 = <<-EOS
+ context 'when invalid ports' do
+ pp22 = <<-PUPPETCODE
class { '::firewall': }
firewall { '561 - test':
proto => tcp,
dport => '9999561-562',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp22, expect_failures: true) do |r|
expect(r.stderr).to match(%r{invalid port\/service `9999561' specified})
end
describe 'port' do
- context 'single port' do
- pp23 = <<-EOS
+ context 'when single port' do
+ pp23 = <<-PUPPETCODE
class { '::firewall': }
firewall { '562 - test':
proto => tcp,
port => '562',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp23, catch_failures: true)
end
end
end
- context 'multiple ports' do
- pp24 = <<-EOS
+ context 'when multiple ports' do
+ pp24 = <<-PUPPETCODE
class { '::firewall': }
firewall { '562 - test':
proto => tcp,
port => '562-563',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp24, catch_failures: true)
end
end
end
- context 'invalid ports' do
- pp25 = <<-EOS
+ context 'when invalid ports' do
+ pp25 = <<-PUPPETCODE
class { '::firewall': }
firewall { '562 - test':
proto => tcp,
port => '9999562-563',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp25, expect_failures: true) do |r|
expect(r.stderr).to match(%r{invalid port\/service `9999562' specified})
%w[dst_type src_type].each do |type|
describe type.to_s do
- context 'MULTICAST' do
- pp26 = <<-EOS
+ context 'when MULTICAST' do
+ pp26 = <<-PUPPETCODE
class { '::firewall': }
firewall { '563 - test':
proto => tcp,
action => accept,
#{type} => 'MULTICAST',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp26, catch_failures: true)
end
end
end
- context '! MULTICAST' do
- pp27 = <<-EOS
+ context 'when ! MULTICAST' do
+ pp27 = <<-PUPPETCODE
class { '::firewall': }
firewall { '563 - test inversion':
proto => tcp,
action => accept,
#{type} => '! MULTICAST',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp27, catch_failures: true)
apply_manifest(pp27, catch_changes: do_catch_changes)
end
end
- context 'BROKEN' do
- pp28 = <<-EOS
+ context 'when BROKEN' do
+ pp28 = <<-PUPPETCODE
class { '::firewall': }
firewall { '563 - test':
proto => tcp,
action => accept,
#{type} => 'BROKEN',
}
- EOS
+ PUPPETCODE
it 'fails' do
apply_manifest(pp28, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid value "BROKEN".})
end
describe 'tcp_flags' do
- context 'FIN,SYN ACK' do
- pp29 = <<-EOS
+ context 'when FIN,SYN ACK' do
+ pp29 = <<-PUPPETCODE
class { '::firewall': }
firewall { '564 - test':
proto => tcp,
action => accept,
tcp_flags => 'FIN,SYN ACK',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp29, catch_failures: true)
end
end
describe 'chain' do
- context 'INPUT' do
- pp30 = <<-EOS
+ context 'when INPUT' do
+ pp30 = <<-PUPPETCODE
class { '::firewall': }
firewall { '565 - test':
proto => tcp,
action => accept,
chain => 'FORWARD',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp30, catch_failures: true)
end
end
describe 'table' do
- context 'mangle' do
- pp31 = <<-EOS
+ context 'when mangle' do
+ pp31 = <<-PUPPETCODE
class { '::firewall': }
firewall { '566 - test':
proto => tcp,
action => accept,
table => 'mangle',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp31, catch_failures: true)
end
end
end
end
- context 'nat' do
- pp32 = <<-EOS
+ context 'when nat' do
+ pp32 = <<-PUPPETCODE
class { '::firewall': }
firewall { '566 - test2':
proto => tcp,
table => 'nat',
chain => 'OUTPUT',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp32, catch_failures: true)
end
iptables_flush_all_tables
end
- context 'MARK' do
- pp33 = <<-EOS
+ context 'when MARK' do
+ pp33 = <<-PUPPETCODE
class { '::firewall': }
firewallchain { 'TEST:filter:IPv4':
ensure => present,
chain => 'INPUT',
jump => 'TEST',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp33, catch_failures: true)
end
end
end
- context 'jump and apply' do
- pp34 = <<-EOS
+ context 'when jump and apply' do
+ pp34 = <<-PUPPETCODE
class { '::firewall': }
firewallchain { 'TEST:filter:IPv4':
ensure => present,
action => 'accept',
jump => 'TEST',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp34, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Only one of the parameters 'action' and 'jump' can be set})
end
describe 'tosource' do
- context '192.168.1.1' do
- pp35 = <<-EOS
+ context 'when 192.168.1.1' do
+ pp35 = <<-PUPPETCODE
class { '::firewall': }
firewall { '568 - test':
proto => tcp,
jump => 'SNAT',
tosource => '192.168.1.1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp35, catch_failures: true)
end
end
describe 'todest' do
- context '192.168.1.1' do
- pp36 = <<-EOS
+ context 'when 192.168.1.1' do
+ pp36 = <<-PUPPETCODE
class { '::firewall': }
firewall { '569 - test':
proto => tcp,
source => '200.200.200.200',
todest => '192.168.1.1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp36, catch_failures: true)
end
end
describe 'toports' do
- context '192.168.1.1' do
- pp37 = <<-EOS
+ context 'when 192.168.1.1' do
+ pp37 = <<-PUPPETCODE
class { '::firewall': }
firewall { '570 - test':
proto => icmp,
jump => 'REDIRECT',
toports => '2222',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp37, catch_failures: true)
end
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{ubuntu-10\.04} && default['platform'] !~ %r{debian-6} && default['platform'] !~ %r{sles}
describe 'checksum_fill' do
- context 'virbr' do
- pp38 = <<-EOS
+ context 'when virbr' do
+ pp38 = <<-PUPPETCODE
class { '::firewall': }
firewall { '576 - test':
proto => udp,
checksum_fill => true,
provider => iptables,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp38, catch_failures: true)
end
end
describe 'checksum_fill6' do
- context 'virbr' do
- pp39 = <<-EOS
+ context 'when virbr' do
+ pp39 = <<-PUPPETCODE
class { '::firewall': }
firewall { '576 - test':
proto => udp,
checksum_fill => true,
provider => ip6tables,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp39, catch_failures: true)
end
# RHEL5 does not support --random
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'random' do
- context '192.168.1.1' do
- pp40 = <<-EOS
+ context 'when 192.168.1.1' do
+ pp40 = <<-PUPPETCODE
class { '::firewall': }
firewall { '570 - test 2':
proto => all,
source => '172.30.0.0/16',
random => true
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp40, catch_failures: true)
apply_manifest(pp40, catch_changes: do_catch_changes)
end
describe 'icmp' do
- context 'any' do
- pp41 = <<-EOS
+ context 'when any' do
+ pp41 = <<-PUPPETCODE
class { '::firewall': }
firewall { '571 - test':
proto => icmp,
icmp => 'any',
}
- EOS
+ PUPPETCODE
it 'fails' do
apply_manifest(pp41, expect_failures: true) do |r|
expect(r.stderr).to match(%r{This behaviour should be achieved by omitting or undefining the ICMP parameter})
# iptables version 1.4.7 fails for multiple hl entries
if default['platform'] !~ %r{(el-5|el-6|sles-10|sles-11)}
describe 'hop_limit' do
- context '5' do
- pp42 = <<-EOS
+ context 'when 5' do
+ pp42 = <<-PUPPETCODE
class { '::firewall': }
firewall { '571 - test':
ensure => present,
hop_limit => '5',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp42, catch_failures: true)
end
end
end
- context 'invalid' do
- pp43 = <<-EOS
+ context 'when invalid' do
+ pp43 = <<-PUPPETCODE
class { '::firewall': }
firewall { '571 - test':
ensure => present,
hop_limit => 'invalid',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp43, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid value "invalid".})
end
describe 'ishasmorefrags' do
- context 'true' do
- pp44 = <<-EOS
+ context 'when true' do
+ pp44 = <<-PUPPETCODE
class { '::firewall': }
firewall { '587 - test':
ensure => present,
ishasmorefrags => true,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp44, catch_failures: true)
end
end
end
- context 'false' do
- pp45 = <<-EOS
+ context 'when false' do
+ pp45 = <<-PUPPETCODE
class { '::firewall': }
firewall { '588 - test':
ensure => present,
ishasmorefrags => false,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp45, catch_failures: true)
end
end
describe 'islastfrag' do
- context 'true' do
- pp46 = <<-EOS
+ context 'when true' do
+ pp46 = <<-PUPPETCODE
class { '::firewall': }
firewall { '589 - test':
ensure => present,
islastfrag => true,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp46, catch_failures: true)
end
end
end
- context 'false' do
- pp47 = <<-EOS
+ context 'when false' do
+ pp47 = <<-PUPPETCODE
class { '::firewall': }
firewall { '590 - test':
ensure => present,
islastfrag => false,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp47, catch_failures: true)
end
end
describe 'isfirstfrag' do
- context 'true' do
- pp48 = <<-EOS
+ context 'when true' do
+ pp48 = <<-PUPPETCODE
class { '::firewall': }
firewall { '591 - test':
ensure => present,
isfirstfrag => true,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp48, catch_failures: true)
end
end
end
- context 'false' do
- pp49 = <<-EOS
+ context 'when false' do
+ pp49 = <<-PUPPETCODE
class { '::firewall': }
firewall { '592 - test':
ensure => present,
isfirstfrag => false,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp49, catch_failures: true)
end
end
describe 'tcp_flags' do
- context 'FIN,SYN ACK' do
- pp50 = <<-EOS
+ context 'when FIN,SYN ACK' do
+ pp50 = <<-PUPPETCODE
class { '::firewall': }
firewall { '593 - test':
proto => tcp,
tcp_flags => 'FIN,SYN ACK',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp50, catch_failures: true)
end
end
describe 'src_range' do
- context '2001:db8::1-2001:db8::ff' do
- pp51 = <<-EOS
+ context 'when 2001:db8::1-2001:db8::ff' do
+ pp51 = <<-PUPPETCODE
class { '::firewall': }
firewall { '601 - test':
proto => tcp,
src_range => '2001:db8::1-2001:db8::ff',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp51, catch_failures: true)
apply_manifest(pp51, catch_changes: do_catch_changes)
end
# Invalid IP
- context '2001::db8::1-2001:db8::ff' do
- pp52 = <<-EOS
+ context 'when 2001::db8::1-2001:db8::ff' do
+ pp52 = <<-PUPPETCODE
class { '::firewall': }
firewall { '601 - test':
proto => tcp,
provider => 'ip6tables',
src_range => '2001::db8::1-2001:db8::ff',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp52, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"})
end
describe 'dst_range' do
- context '2001:db8::1-2001:db8::ff' do
- pp53 = <<-EOS
+ context 'when 2001:db8::1-2001:db8::ff' do
+ pp53 = <<-PUPPETCODE
class { '::firewall': }
firewall { '602 - test':
proto => tcp,
dst_range => '2001:db8::1-2001:db8::ff',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp53, catch_failures: true)
apply_manifest(pp53, catch_changes: do_catch_changes)
end
# Invalid IP
- context '2001::db8::1-2001:db8::ff' do
- pp54 = <<-EOS
+ context 'when 2001::db8::1-2001:db8::ff' do
+ pp54 = <<-PUPPETCODE
class { '::firewall': }
firewall { '602 - test':
proto => tcp,
provider => 'ip6tables',
dst_range => '2001::db8::1-2001:db8::ff',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp54, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"})
end
describe 'mac_source' do
- context '0A:1B:3C:4D:5E:6F' do
- pp55 = <<-EOS
+ context 'when 0A:1B:3C:4D:5E:6F' do
+ pp55 = <<-PUPPETCODE
class { '::firewall': }
firewall { '604 - test':
ensure => present,
chain => 'INPUT',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp55, catch_failures: true)
end
# ip6tables has limited `-m socket` support
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{ubuntu-10\.04} && default['platform'] !~ %r{debian-6} && default['platform'] !~ %r{sles}
describe 'socket' do
- context 'true' do
- pp56 = <<-EOS
+ context 'when true' do
+ pp56 = <<-PUPPETCODE
class { '::firewall': }
firewall { '605 - test':
ensure => present,
socket => true,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp56, catch_failures: true)
end
end
end
- context 'false' do
- pp57 = <<-EOS
+ context 'when false' do
+ pp57 = <<-PUPPETCODE
class { '::firewall': }
firewall { '606 - test':
ensure => present,
socket => false,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp57, catch_failures: true)
end
end
describe 'ipsec_policy' do
- context 'ipsec' do
- pp58 = <<-EOS
+ context 'when ipsec' do
+ pp58 = <<-PUPPETCODE
class { '::firewall': }
firewall { '607 - test':
ensure => 'present',
table => 'filter',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp58, catch_failures: true)
end
end
end
- context 'none' do
- pp59 = <<-EOS
+ context 'when none' do
+ pp59 = <<-PUPPETCODE
class { '::firewall': }
firewall { '608 - test':
ensure => 'present',
table => 'filter',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp59, catch_failures: true)
end
end
describe 'ipsec_dir' do
- context 'out' do
- pp60 = <<-EOS
+ context 'when out' do
+ pp60 = <<-PUPPETCODE
class { '::firewall': }
firewall { '609 - test':
ensure => 'present',
table => 'filter',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp60, catch_failures: true)
end
end
end
- context 'in' do
- pp61 = <<-EOS
+ context 'when in' do
+ pp61 = <<-PUPPETCODE
class { '::firewall': }
firewall { '610 - test':
ensure => 'present',
table => 'filter',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp61, catch_failures: true)
end
end
describe 'set_mark' do
- context '0x3e8/0xffffffff' do
- pp62 = <<-EOS
+ context 'when 0x3e8/0xffffffff' do
+ pp62 = <<-PUPPETCODE
class { '::firewall': }
firewall { '611 - test':
ensure => present,
set_mark => '0x3e8/0xffffffff',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp62, catch_failures: true)
end
# ipset is really difficult to test, just testing on one platform
if default['platform'] =~ %r{ubuntu-14\.04}
describe 'ipset' do
- pp63 = <<-EOS
+ pp63 = <<-PUPPETCODE
exec { 'hackery pt 1':
command => 'service iptables-persistent flush',
path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
provider => 'ip6tables',
require => Exec['add honeypot'],
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp63, catch_failures: true)
end
# mask isn't supported on deb7
if default['platform'] !~ %r{debian-7}
describe 'mask' do
- pp64 = <<-EOS
+ pp64 = <<-PUPPETCODE
class { '::firewall': }
firewall { '613 - test':
recent => 'update',
mask => 'ffff::',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp64, catch_failures: true)
end
%w[dst_type src_type].each do |type|
describe type.to_s do
- context 'MULTICAST' do
- pp65 = <<-EOS
+ context 'when MULTICAST' do
+ pp65 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 - test':
proto => tcp,
#{type} => 'MULTICAST',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp65, catch_failures: true)
apply_manifest(pp65, catch_changes: do_catch_changes)
end
end
- context '! MULTICAST' do
- pp66 = <<-EOS
+ context 'when ! MULTICAST' do
+ pp66 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 - test inversion':
proto => tcp,
#{type} => '! MULTICAST',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp66, catch_failures: true)
apply_manifest(pp66, catch_changes: do_catch_changes)
end
end
- context 'BROKEN' do
- pp67 = <<-EOS
+ context 'when BROKEN' do
+ pp67 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 - test':
proto => tcp,
#{type} => 'BROKEN',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'fails' do
apply_manifest(pp67, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid value "BROKEN".})
end
describe 'limit' do
- context '500/sec' do
- pp68 = <<-EOS
+ context 'when 500/sec' do
+ pp68 = <<-PUPPETCODE
class { '::firewall': }
firewall { '572 - test':
ensure => present,
action => accept,
limit => '500/sec',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp68, catch_failures: true)
end
end
describe 'burst' do
- context '500' do
- pp69 = <<-EOS
+ context 'when 500' do
+ pp69 = <<-PUPPETCODE
class { '::firewall': }
firewall { '573 - test':
ensure => present,
limit => '500/sec',
burst => '1500',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp69, catch_failures: true)
end
end
end
- context 'invalid' do
- pp70 = <<-EOS
+ context 'when invalid' do
+ pp70 = <<-PUPPETCODE
class { '::firewall': }
firewall { '571 - test':
ensure => present,
limit => '500/sec',
burst => '1500/sec',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp70, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid value "1500\/sec".})
end
describe 'uid' do
- context 'nobody' do
- pp71 = <<-EOS
+ context 'when nobody' do
+ pp71 = <<-PUPPETCODE
class { '::firewall': }
firewall { '574 - test':
ensure => present,
action => accept,
uid => 'nobody',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp71, catch_failures: true)
end
end
describe 'gid' do
- context 'root' do
- pp72 = <<-EOS
+ context 'when root' do
+ pp72 = <<-PUPPETCODE
class { '::firewall': }
firewall { '575 - test':
ensure => present,
action => accept,
gid => 'root',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp72, catch_failures: true)
end
# iptables version 1.3.5 does not support masks on MARK rules
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'set_mark' do
- context '0x3e8/0xffffffff' do
- pp73 = <<-EOS
+ context 'when 0x3e8/0xffffffff' do
+ pp73 = <<-PUPPETCODE
class { '::firewall': }
firewall { '580 - test':
ensure => present,
table => 'mangle',
set_mark => '0x3e8/0xffffffff',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp73, catch_failures: true)
end
end
describe 'pkttype' do
- context 'multicast' do
- pp74 = <<-EOS
+ context 'when multicast' do
+ pp74 = <<-PUPPETCODE
class { '::firewall': }
firewall { '581 - test':
ensure => present,
action => accept,
pkttype => 'multicast',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp74, catch_failures: true)
end
end
end
- context 'test' do
- pp75 = <<-EOS
+ context 'when test' do
+ pp75 = <<-PUPPETCODE
class { '::firewall': }
firewall { '582 - test':
ensure => present,
action => accept,
pkttype => 'test',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp75, expect_failures: true) do |r|
expect(r.stderr).to match(%r{Invalid value "test".})
end
describe 'isfragment' do
- context 'true' do
- pp76 = <<-EOS
+ context 'when true' do
+ pp76 = <<-PUPPETCODE
class { '::firewall': }
firewall { '583 - test':
ensure => present,
action => accept,
isfragment => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp76, catch_failures: true)
end
end
end
- context 'false' do
- pp77 = <<-EOS
+ context 'when false' do
+ pp77 = <<-PUPPETCODE
class { '::firewall': }
firewall { '584 - test':
ensure => present,
action => accept,
isfragment => false,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp77, catch_failures: true)
end
# RHEL5/SLES does not support -m socket
describe 'socket', unless: (default['platform'] =~ %r{el-5} || fact('operatingsystem') == 'SLES') do
- context 'true' do
- pp78 = <<-EOS
+ context 'when true' do
+ pp78 = <<-PUPPETCODE
class { '::firewall': }
firewall { '585 - test':
ensure => present,
table => 'nat',
socket => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp78, catch_failures: true)
end
end
end
- context 'false' do
- pp79 = <<-EOS
+ context 'when false' do
+ pp79 = <<-PUPPETCODE
class { '::firewall': }
firewall { '586 - test':
ensure => present,
table => 'nat',
socket => false,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp79, catch_failures: true)
end
end
describe 'ipsec_policy' do
- context 'ipsec' do
- pp80 = <<-EOS
+ context 'when ipsec' do
+ pp80 = <<-PUPPETCODE
class { '::firewall': }
firewall { '593 - test':
ensure => 'present',
reject => 'icmp-net-unreachable',
table => 'filter',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp80, catch_failures: true)
end
end
end
- context 'none' do
- pp81 = <<-EOS
+ context 'when none' do
+ pp81 = <<-PUPPETCODE
class { '::firewall': }
firewall { '594 - test':
ensure => 'present',
reject => 'icmp-net-unreachable',
table => 'filter',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp81, catch_failures: true)
end
end
describe 'ipsec_dir' do
- context 'out' do
- pp82 = <<-EOS
+ context 'when out' do
+ pp82 = <<-PUPPETCODE
class { '::firewall': }
firewall { '595 - test':
ensure => 'present',
reject => 'icmp-net-unreachable',
table => 'filter',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp82, catch_failures: true)
end
end
end
- context 'in' do
- pp83 = <<-EOS
+ context 'when in' do
+ pp83 = <<-PUPPETCODE
class { '::firewall': }
firewall { '596 - test':
ensure => 'present',
reject => 'icmp-net-unreachable',
table => 'filter',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp83, catch_failures: true)
end
end
describe 'recent' do
- context 'set' do
- pp84 = <<-EOS
+ context 'when set' do
+ pp84 = <<-PUPPETCODE
class { '::firewall': }
firewall { '597 - test':
ensure => 'present',
rdest => true,
rname => 'list1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp84, catch_failures: true)
end
end
end
- context 'rcheck' do
- pp85 = <<-EOS
+ context 'when rcheck' do
+ pp85 = <<-PUPPETCODE
class { '::firewall': }
firewall { '598 - test':
ensure => 'present',
rhitcount => 5,
rttl => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp85, catch_failures: true)
end
end
end
- context 'update' do
- pp86 = <<-EOS
+ context 'when update' do
+ pp86 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => 'present',
table => 'filter',
recent => 'update',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp86, catch_failures: true)
end
end
end
- context 'remove' do
- pp87 = <<-EOS
+ context 'when remove' do
+ pp87 = <<-PUPPETCODE
class { '::firewall': }
firewall { '600 - test':
ensure => 'present',
table => 'filter',
recent => 'remove',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp87, catch_failures: true)
end
end
describe 'mac_source' do
- context '0A:1B:3C:4D:5E:6F' do
- pp88 = <<-EOS
+ context 'when 0A:1B:3C:4D:5E:6F' do
+ pp88 = <<-PUPPETCODE
class { '::firewall': }
firewall { '610 - test':
ensure => present,
mac_source => '0A:1B:3C:4D:5E:6F',
chain => 'INPUT',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp88, catch_failures: true)
end
end
describe 'to' do
- context 'Destination netmap 192.168.1.1' do
- pp89 = <<-EOS
+ context 'when Destination netmap 192.168.1.1' do
+ pp89 = <<-PUPPETCODE
class { '::firewall': }
firewall { '569 - test':
proto => tcp,
source => '200.200.200.200',
to => '192.168.1.1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp89, catch_failures: true)
end
end
end
- context 'Source netmap 192.168.1.1' do
- pp90 = <<-EOS
+ context 'when Source netmap 192.168.1.1' do
+ pp90 = <<-PUPPETCODE
class { '::firewall': }
firewall { '569 - test':
proto => tcp,
destination => '200.200.200.200',
to => '192.168.1.1',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp90, catch_failures: true)
end
end
end
- context 'log_prefix containing -A' do
- pp91 = <<-EOS
+ context 'when log_prefix containing -A' do
+ pp91 = <<-PUPPETCODE
class { '::firewall': }
firewall { '700 - test':
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
}
- EOS
+ PUPPETCODE
it 'adds the rule' do
apply_manifest(pp91, catch_failures: true)
end
end
end
- pp92 = <<-EOS
+ pp92 = <<-PUPPETCODE
class { '::firewall': }
firewall { '700 - test':
ensure => absent,
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
}
- EOS
+ PUPPETCODE
it 'removes the rule' do
apply_manifest(pp92, catch_failures: true)
end
end
end
- context 'log_uid is true' do
- pp93 = <<-EOS
+ context 'when log_uid is true' do
+ pp93 = <<-PUPPETCODE
class { '::firewall': }
firewall { '700 - test log_uid':
chain => 'OUTPUT',
jump => 'LOG',
log_uid => true,
}
- EOS
+ PUPPETCODE
it 'adds the rule' do
apply_manifest(pp93, catch_failures: true)
end
end
end
- pp94 = <<-EOS
+ pp94 = <<-PUPPETCODE
class { '::firewall': }
firewall { '700 - test log_uid':
chain => 'OUTPUT',
log_uid => false,
ensure => absent,
}
- EOS
+ PUPPETCODE
it 'removes the rule' do
apply_manifest(pp94, catch_failures: true)
end
end
end
- context 'comment containing "-A "' do
- pp95 = <<-EOS
+ context 'when comment containing "-A "' do
+ pp95 = <<-PUPPETCODE
class { '::firewall': }
firewall { '700 - blah-A Test Rule':
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
}
- EOS
+ PUPPETCODE
it 'adds the rule' do
apply_manifest(pp95, catch_failures: true)
end
end
end
- pp96 = <<-EOS
+ pp96 = <<-PUPPETCODE
class { '::firewall': }
firewall { '700 - blah-A Test Rule':
ensure => absent,
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
}
- EOS
+ PUPPETCODE
it 'removes the rule' do
apply_manifest(pp96, catch_failures: true)
end
if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{ubuntu-1204} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7}
describe 'tee_gateway' do
- context '10.0.0.2' do
- pp1 = <<-EOS
+ context 'when 10.0.0.2' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'810 - tee_gateway':
gateway => '10.0.0.2',
proto => all,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
end
describe 'tee_gateway6' do
- context '2001:db8::1' do
- pp2 = <<-EOS
+ context 'when 2001:db8::1' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'811 - tee_gateway6':
proto => all,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7}
describe 'time tests ipv4' do
- context 'set all time parameters' do
- pp1 = <<-EOS
+ context 'when set all time parameters' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
week_days => 'Tue',
kernel_timezone => true,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
describe 'time tests ipv6' do
- context 'set all time parameters' do
- pp2 = <<-EOS
+ context 'when when set all time parameters' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
kernel_timezone => true,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end
describe 'uid tests' do
- context 'uid set to root' do
- pp1 = <<-EOS
+ context 'when uid set to root' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - test':
chain => 'OUTPUT',
uid => 'root',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
end
- context 'uid set to !root' do
- pp2 = <<-EOS
+ context 'when uid set to !root' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - test':
chain => 'OUTPUT',
uid => '!root',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end
end
- context 'uid set to 0' do
- pp3 = <<-EOS
+ context 'when uid set to 0' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '803 - test':
chain => 'OUTPUT',
uid => '0',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end
end
- context 'uid set to !0' do
- pp4 = <<-EOS
+ context 'when uid set to !0' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '804 - test':
chain => 'OUTPUT',
uid => '!0',
proto => 'all',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
end
describe 'ensure' do
- context 'present' do
- pp1 = <<-EOS
+ context 'when present' do
+ pp1 = <<-PUPPETCODE
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => present,
}
- EOS
+ PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp1, catch_failures: true)
end
end
- context 'absent' do
- pp2 = <<-EOS
+ context 'when absent' do
+ pp2 = <<-PUPPETCODE
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => absent,
}
- EOS
+ PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp2, catch_failures: true)
end
# XXX purge => false is not yet implemented
- # context 'adding a firewall rule to a chain:' do
- # pp3 = <<-EOS
+ # context 'when adding a firewall rule to a chain:' do
+ # pp3 = <<-PUPPETCODE
# firewallchain { 'MY_CHAIN:filter:IPv4':
# ensure => present,
# }
# proto => 'tcp',
# dport => 5000,
# }
- # EOS
+ # PUPPETCODE
# it 'applies cleanly' do
# # Run it twice and test for idempotency
# apply_manifest(pp3, :catch_failures => true)
# end
# end
- # context 'not purge firewallchain chains:' do
- # pp4 = <<-EOS
+ # context 'when not purge firewallchain chains:' do
+ # pp4 = <<-PUPPETCODE
# firewallchain { 'MY_CHAIN:filter:IPv4':
# ensure => present,
# purge => false,
# resources { 'firewall':
# purge => true,
# }
- # EOS
+ # PUPPETCODE
# it 'does not purge the rule' do
# # Run it twice and test for idempotency
# apply_manifest(pp4, :catch_failures => true) do |r|
# apply_manifest(pp4, :catch_changes => do_catch_changes)
# end
- # pp5 = <<-EOS
+ # pp5 = <<-PUPPETCODE
# firewall { '100 my rule':
# chain => 'MY_CHAIN',
# action => 'accept',
# proto => 'tcp',
# dport => 5000,
# }
- # EOS
+ # PUPPETCODE
# it 'still has the rule' do
# # Run it twice and test for idempotency
# apply_manifest(pp5, :catch_changes => do_catch_changes)
shell('iptables -t filter -P FORWARD ACCEPT')
end
- context 'DROP' do
- pp6 = <<-EOS
+ context 'when DROP' do
+ pp6 = <<-PUPPETCODE
firewallchain { 'FORWARD:filter:IPv4':
policy => 'drop',
}
- EOS
+ PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp6, catch_failures: true)
end
describe 'hashlimit_tests' do
- context 'hashlimit_above' do
- pp1 = <<-EOS
+ context 'when hashlimit_above' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '800 - hashlimit_above test':
chain => 'INPUT',
hashlimit_mode => 'srcip,dstip',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
end
- context 'hashlimit_above_ip6' do
- pp2 = <<-EOS
+ context 'when hashlimit_above_ip6' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - hashlimit_above test ipv6':
chain => 'INPUT',
hashlimit_mode => 'srcip,dstip',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end
end
- context 'hashlimit_upto' do
- pp3 = <<-EOS
+ context 'when hashlimit_upto' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - hashlimit_upto test':
chain => 'INPUT',
hashlimit_htable_expire => '36000000',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end
end
- context 'hashlimit_upto_ip6' do
- pp4 = <<-EOS
+ context 'when hashlimit_upto_ip6' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '803 - hashlimit_upto test ip6':
chain => 'INPUT',
hashlimit_htable_expire => '36000000',
action => accept,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
ip6tables_flush_all_tables
end
- context 'inverting rules' do
- pp1 = <<-EOS
+ context 'when inverting rules' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '601 disallow esp protocol':
action => 'accept',
source => '! 10.0.0.0/8',
tcp_flags => '! FIN,SYN,RST,ACK SYN',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
end
end
- context 'inverting partial array rules' do
- pp2 = <<-EOS
+ context 'when inverting partial array rules' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 drop 80,443 traffic':
chain => 'INPUT',
proto => 'tcp',
sport => ['! http', '443'],
}
- EOS
+ PUPPETCODE
it 'raises a failure' do
apply_manifest(pp2, expect_failures: true) do |r|
expect(r.stderr).to match(%r{is not prefixed})
ip6tables_flush_all_tables
end
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => present,
proto => 'tcp',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it "can't use ip6tables" do
expect(apply_manifest(pp1, expect_failures: true).stderr).to match(%r{ip6tables provider is not supported})
end
end
shared_examples 'is idempotent' do |values, line_match|
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => present,
provider => 'ip6tables',
#{values}
}
- EOS
+ PUPPETCODE
it "changes the values to #{values}" do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end
end
shared_examples "doesn't change" do |values, line_match|
- pp3 = <<-EOS
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => present,
provider => 'ip6tables',
#{values}
}
- EOS
+ PUPPETCODE
it "doesn't change the values to #{values}" do
apply_manifest(pp3, catch_changes: do_catch_changes)
ip6tables_flush_all_tables
shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
end
- context 'and current value is false' do
+ context 'when current value is false' do
it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"}
end
- context 'and current value is true' do
+ context 'when current value is true' do
it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
%r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
end
ip6tables_flush_all_tables
shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
end
- context 'and current value is false' do
+ context 'when current value is false' do
it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"}
end
- context 'and current value is true' do
+ context 'when current value is true' do
it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
%r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
end
end
shared_examples 'is idempotent' do |value, line_match|
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '597 - test':
ensure => present,
proto => 'tcp',
#{value}
}
- EOS
+ PUPPETCODE
it "changes the value to #{value}" do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end
shared_examples "doesn't change" do |value, line_match|
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '597 - test':
ensure => present,
proto => 'tcp',
#{value}
}
- EOS
+ PUPPETCODE
it "doesn't change the value to #{value}" do
apply_manifest(pp2, catch_changes: do_catch_changes)
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'match_mark' do
- context '0x1' do
- pp1 = <<-EOS
+ context 'when 0x1' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '503 match_mark - test':
proto => 'all',
match_mark => '0x1',
action => reject,
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
end
describe 'match_mark_ip6' do
- context '0x1' do
- pp2 = <<-EOS
+ context 'when 0x1' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '503 match_mark ip6tables - test':
proto => 'all',
action => reject,
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
require 'spec_helper_acceptance'
describe 'nflog on older OSes', if: fact('iptables_version') < '1.3.7' do # rubocop:disable RSpec/MultipleDescribes : Describes are clearly seperate
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test':
jump => 'NFLOG',
proto => 'all',
nflog_group => 3,
}
- EOS
+ PUPPETCODE
it 'throws an error' do
apply_manifest(pp1, acceptable_error_codes: [0])
end
let(:group) { 3 }
it 'applies' do
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_group => #{group}}
- EOS
+ PUPPETCODE
apply_manifest(pp2, catch_failures: true)
end
let(:prefix) { 'TEST PREFIX' }
it 'applies' do
- pp3 = <<-EOS
+ pp3 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_prefix => '#{prefix}'}
- EOS
+ PUPPETCODE
apply_manifest(pp3, catch_failures: true)
end
let(:range) { 16 }
it 'applies' do
- pp4 = <<-EOS
+ pp4 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_range => #{range}}
- EOS
+ PUPPETCODE
apply_manifest(pp4, catch_failures: true)
end
let(:threshold) { 2 }
it 'applies' do
- pp5 = <<-EOS
+ pp5 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => #{threshold}}
- EOS
+ PUPPETCODE
apply_manifest(pp5, catch_failures: true)
end
let(:group) { 3 }
it 'applies' do
- pp6 = <<-EOS
+ pp6 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => #{threshold}, nflog_group => #{group}}
- EOS
+ PUPPETCODE
apply_manifest(pp6, catch_failures: true)
end
ip6tables_flush_all_tables
end
- ppm1 = <<-EOS
+ ppm1 = <<-PUPPETCODE
firewall { '100 test':
table => 'raw',
socket => 'true',
jump => 'LOG',
log_level => 'debug',
}
- EOS
+ PUPPETCODE
values = [2, 0]
it 'test various params', unless: (default['platform'].match(%r{el-5}) || fact('operatingsystem') == 'SLES') do
iptables_flush_all_tables
end
end
- ppm2 = <<-EOS
+ ppm2 = <<-PUPPETCODE
firewall { '998 log all':
proto => 'all',
jump => 'LOG',
log_level => 'debug',
}
- EOS
+ PUPPETCODE
values = [2, 0]
it 'test log rule' do
iptables_flush_all_tables
end
end
- ppm3 = <<-EOS
+ ppm3 = <<-PUPPETCODE
firewall { '004 log all INVALID packets':
chain => 'INPUT',
proto => 'all',
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
- EOS
- ppm4 = <<-EOS
+ PUPPETCODE
+ ppm4 = <<-PUPPETCODE
firewall { '003 log all INVALID packets':
chain => 'INPUT',
proto => 'all',
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
- EOS
- ppm5 = <<-EOS + "\n" + ppm4
+ PUPPETCODE
+ ppm5 = <<-PUPPETCODE + "\n" + ppm4
resources { 'firewall':
purge => true,
}
- EOS
+ PUPPETCODE
it 'test log rule - changing names' do # rubocop:disable RSpec/MultipleExpectations
iptables_flush_all_tables
expect(apply_manifest(ppm5, catch_failures: true).exit_code).to eq(2)
end
- ppm6 = <<-EOS
+ ppm6 = <<-PUPPETCODE
firewall { '004 with a chain':
chain => 'INPUT',
proto => 'all',
}
- EOS
- ppm7 = <<-EOS
+ PUPPETCODE
+ ppm7 = <<-PUPPETCODE
firewall { '004 with a chain':
chain => 'OUTPUT',
proto => 'all',
}
- EOS
- _ppm8 = <<-EOS + "\n" + ppm7
+ PUPPETCODE
+ _ppm8 = <<-PUPPETCODE + "\n" + ppm7
resources { 'firewall':
purge => true,
}
- EOS
+ PUPPETCODE
it 'test chain - changing names' do
iptables_flush_all_tables
expect(apply_manifest(ppm7, expect_failures: true).stderr).to match(%r{is not supported})
end
- ppm9 = <<-EOS
+ ppm9 = <<-PUPPETCODE
firewall { '004 log all INVALID packets':
chain => 'INPUT',
proto => 'all',
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
- EOS
+ PUPPETCODE
values = [2, 0]
it 'test log rule - idempotent' do
iptables_flush_all_tables
end
end
- ppm10 = <<-EOS
+ ppm10 = <<-PUPPETCODE
firewall { '997 block src ip range':
chain => 'INPUT',
proto => 'all',
action => 'drop',
src_range => '10.0.0.1-10.0.0.10',
}
- EOS
+ PUPPETCODE
values = [2, 0]
it 'test src_range rule' do
iptables_flush_all_tables
end
end
- ppm11 = <<-EOS
+ ppm11 = <<-PUPPETCODE
firewall { '998 block dst ip range':
chain => 'INPUT',
proto => 'all',
action => 'drop',
dst_range => '10.0.0.2-10.0.0.20',
}
- EOS
+ PUPPETCODE
values = [2, 0]
it 'test dst_range rule' do
iptables_flush_all_tables
ip6tables_flush_all_tables
end
- context('resources purge') do
+ context('when resources purge') do
before(:all) do
iptables_flush_all_tables
shell('iptables -A INPUT -s 1.2.1.2')
end
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
class { 'firewall': }
resources { 'firewall':
purge => true,
}
- EOS
+ PUPPETCODE
it 'make sure duplicate existing rules get purged' do
apply_manifest(pp1, expect_changes: true)
end
end
end
- context('ipv4 chain purge') do
+ context('when ipv4 chain purge') do
after(:all) do
iptables_flush_all_tables
end
shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
end
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv4':
purge => true,
}
- EOS
+ PUPPETCODE
# rubocop:disable RSpec/ExampleLength
it 'purges only the specified chain' do # rubocop:disable RSpec/MultipleExpectations
apply_manifest(pp2, expect_changes: true)
end
# rubocop:enable RSpec/ExampleLength
- pp3 = <<-EOS
+ pp3 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'OUTPUT:filter:IPv4':
purge => true,
proto => 'all',
source => '1.2.1.2',
}
- EOS
+ PUPPETCODE
it 'ignores managed rules' do
apply_manifest(pp3, catch_changes: do_catch_changes)
end
- pp4 = <<-EOS
+ pp4 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv4':
purge => true,
'-s 1\.2\.1\.1',
],
}
- EOS
+ PUPPETCODE
it 'ignores specified rules' do
apply_manifest(pp4, catch_changes: do_catch_changes)
end
- pp5 = <<-EOS
+ pp5 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv4':
purge => true,
proto => 'all',
source => '1.2.1.3',
}
- EOS
+ PUPPETCODE
it 'adds managed rules with ignored rules' do
apply_manifest(pp5, catch_failures: true)
end
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
- context 'ipv6 chain purge' do
+ context 'when ipv6 chain purge' do
after(:all) do
ip6tables_flush_all_tables
end
shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
end
- pp6 = <<-EOS
+ pp6 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
}
- EOS
+ PUPPETCODE
# rubocop:disable RSpec/ExampleLength
it 'purges only the specified chain' do # rubocop:disable RSpec/MultipleExpectations
apply_manifest(pp6, expect_changes: true)
end
# rubocop:enable RSpec/ExampleLength
- pp7 = <<-EOS
+ pp7 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'OUTPUT:filter:IPv6':
purge => true,
source => '1::50',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'ignores managed rules' do
apply_manifest(pp7, catch_changes: do_catch_changes)
end
- pp8 = <<-EOS
+ pp8 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
'-s 1::42',
],
}
- EOS
+ PUPPETCODE
it 'ignores specified rules' do
apply_manifest(pp8, catch_changes: do_catch_changes)
end
- pp9 = <<-EOS
+ pp9 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
source => '1::43',
provider => 'ip6tables',
}
- EOS
+ PUPPETCODE
it 'adds managed rules with ignored rules' do
apply_manifest(pp9, catch_failures: true)
shell("sed -i -e \'s/^templatedir.*$//\' #{config}")
end
- context 'make sure it returns no errors when executed on a clean machine' do
+ context 'when make sure it returns no errors when executed on a clean machine' do
it do
shell('puppet resource firewall') do |r|
r.exit_code.should be_zero
end
end
- context 'flush iptables and make sure it returns nothing afterwards' do
+ context 'when flush iptables and make sure it returns nothing afterwards' do
before(:all) do
iptables_flush_all_tables
end
end
end
- context 'accepts rules without comments' do
+ context 'when accepts rules without comments' do
before(:all) do
iptables_flush_all_tables
shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80')
end
end
- context 'accepts rules with invalid comments' do
+ context 'when accepts rules with invalid comments' do
before(:all) do
iptables_flush_all_tables
shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
end
end
- context 'accepts rules with negation' do
+ context 'when accepts rules with negation' do
before :all do
iptables_flush_all_tables
shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535')
end
end
- context 'accepts rules with match extension tcp flag' do
+ context 'when accepts rules with match extension tcp flag' do
before :all do
iptables_flush_all_tables
shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
end
if default['platform'] !~ %r{sles-10}
- context 'accepts rules utilizing the statistic module' do
+ context 'when accepts rules utilizing the statistic module' do
before :all do
iptables_flush_all_tables
# This command doesn't work with all versions/oses, so let it fail
end
end
- context 'accepts rules with negation' do
+ context 'when accepts rules with negation' do
before :all do
iptables_flush_all_tables
shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -m policy --dir out --pol ipsec -j ACCEPT')
end
end
- context 'accepts rules with -m (tcp|udp) without dport/sport' do
+ context 'when accepts rules with -m (tcp|udp) without dport/sport' do
before :all do
iptables_flush_all_tables
shell('iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp -j ACCEPT')
end
end
- context 'accepts rules with -m ttl' do
+ context 'when accepts rules with -m ttl' do
before :all do
iptables_flush_all_tables
shell('iptables -t nat -A OUTPUT -s 10.0.0.0/8 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299')
# ip6tables provider
# TODO: Test below fails if this file is run seperately. i.e. bundle exec rspec spec/acceptance/resource_cmd_spec.rb
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
- context 'dport/sport with ip6tables' do
+ context 'when dport/sport with ip6tables' do
before :all do
if fact('osfamily') == 'Debian'
shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
shell('iptables -t filter --flush')
end
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
firewall { '090 forward allow local':
chain => 'FORWARD',
proto => 'all',
toports => '22',
jump => 'REDIRECT',
}
- EOS
+ PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp1, catch_failures: true)
shell('iptables -t filter --flush')
end
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
Firewall {
# and the nat table
firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: }
- EOS
+ PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp2, catch_failures: true)
end
shared_examples 'is idempotent' do |value, line_match|
- pp1 = <<-EOS
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '598 - test':
ensure => present,
table => 'raw',
#{value}
}
- EOS
+ PUPPETCODE
it "changes the value to #{value}" do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: true)
end
shared_examples "doesn't change" do |value, line_match|
- pp2 = <<-EOS
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '598 - test':
ensure => present,
table => 'raw',
#{value}
}
- EOS
+ PUPPETCODE
it "doesn't change the value to #{value}" do
apply_manifest(pp2, catch_changes: true)
# Some tests for the standard recommended usage
describe 'standard usage tests' do
- pp = <<-EOS
+ pp = <<-PUPPETCODE
class my_fw::pre {
Firewall {
require => undef,
proto => 'tcp',
dport => 22,
}
- EOS
+ PUPPETCODE
it 'applies twice' do
# Run it twice and test for idempotency
apply_manifest(pp, catch_failures: true)
)
}
- context 'ensure => stopped' do
+ context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }
it {
}
end
- context 'enable => false' do
+ context 'with enable => false' do
let(:params) { { enable: 'false' } }
it {
require 'spec_helper'
describe 'firewall::linux::debian', type: :class do
- context 'Debian 7' do
+ context 'with Debian 7' do
let(:facts) do
{
osfamily: 'Debian',
}
end
- context 'deb7 enable => false' do
+ context 'with deb7 enable => false' do
let(:facts) do
{
osfamily: 'Debian',
}
end
- context 'Debian 8' do
+ context 'with Debian 8' do
let(:facts) do
{
osfamily: 'Debian',
}
end
- context 'deb8 enable => false' do
+ context 'with deb8 enable => false' do
let(:facts) do
{
osfamily: 'Debian',
}
end
- context 'Debian 8, alt operatingsystem' do
+ context 'with Debian 8, alt operatingsystem' do
let(:facts) do
{
osfamily: 'Debian',
}
end
- context 'deb8, alt operatingsystem, enable => false' do
+ context 'with deb8, alt operatingsystem, enable => false' do
let(:facts) do
{
osfamily: 'Debian',
)
}
- context 'ensure => stopped' do
+ context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }
it {
}
end
- context 'enable => false' do
+ context 'with enable => false' do
let(:params) { { enable: 'false' } }
it {
require 'spec_helper'
RSpec.shared_examples 'ensures iptables service' do
- context 'default' do
+ context 'with default' do
it {
is_expected.to contain_service('iptables').with(
ensure: 'running',
}
end
- context 'ensure => stopped' do
+ context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }
it {
}
end
- context 'enable => false' do
+ context 'with enable => false' do
let(:params) { { enable: 'false' } }
it {
)
}
- context 'ensure => stopped' do
+ context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }
it {
}
end
- context 'ensure_v6 => stopped' do
+ context 'with ensure_v6 => stopped' do
let(:params) { { ensure_v6: 'stopped' } }
it {
}
end
- context 'enable => false' do
+ context 'with enable => false' do
let(:params) { { enable: 'false' } }
it {
}
end
- context 'enable_v6 => false' do
+ context 'with enable_v6 => false' do
let(:params) { { enable_v6: 'false' } }
it {
require 'spec_helper'
describe 'firewall', type: :class do
- context 'kernel => Linux' do
+ context 'with kernel => Linux' do
with_debian_facts
it { is_expected.to contain_class('firewall::linux').with_ensure('running') }
end
# rubocop:disable RSpec/MultipleExpectations
- context 'kernel => Windows' do
+ context 'with kernel => Windows' do
let(:facts) { { kernel: 'Windows' } }
it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end
- context 'kernel => SunOS' do
+ context 'with kernel => SunOS' do
let(:facts) { { kernel: 'SunOS' } }
it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end
- context 'kernel => Darwin' do
+ context 'with kernel => Darwin' do
let(:facts) { { kernel: 'Darwin' } }
it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end
- context 'ensure => stopped' do
+ context 'with ensure => stopped' do
with_debian_facts
let(:params) { { ensure: 'stopped' } }
it { is_expected.to contain_class('firewall::linux').with_ensure('stopped') }
end
- context 'ensure => test' do
+ context 'with ensure => test' do
let(:facts) { { kernel: 'Linux' } }
let(:params) { { ensure: 'test' } }
it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end
- context 'ebtables_manage => true' do
+ context 'with ebtables_manage => true' do
let(:facts) { { kernel: 'Linux' } }
let(:params) { { ebtables_manage: true } }
require 'spec_helper'
describe 'Facter::Util::Fact iptables_persistent_version' do
- context 'iptables-persistent applicable' do
+ context 'when iptables-persistent applicable' do
before(:each) { Facter.clear }
let(:dpkg_cmd) { "dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null" }
end
end
- context 'netfilter-persistent applicable' do
+ context 'when netfilter-persistent applicable' do
before(:each) { Facter.clear }
let(:dpkg_cmd) { "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null" }
provider.new(resource.new(params))
}
end
- context 'iptables 1.3' do
+ context 'when iptables 1.3' do
let(:params) { { name: '000 test foo', action: 'accept' } }
let(:error_message) { %r{The ip6tables provider is not supported on version 1\.3 of iptables} }
let(:ip6tables_version) { '1.3.10' }
it_behaves_like 'raise error'
end
- context 'ip6tables nil' do
+ context 'when ip6tables nil' do
let(:params) { { name: '000 test foo', action: 'accept' } }
let(:error_message) { %r{The ip6tables provider is not supported on version 1\.3 of iptables} }
let(:ip6tables_version) { nil }
expect(resource[:name]).to eql name
end
end
- end # chainname
- end # protocol
+ end
+ end
%w[PREROUTING POSTROUTING BROUTING INPUT FORWARD OUTPUT].each do |internalchain|
name = internalchain + ':' + table + ':'
expect { resource[:name] = name }.to raise_error(Puppet::Error)
end
end
- end # internalchain
- end # table, allowedinternalchainnames
+ end
+ end
it 'fails with invalid table names' do
expect { resource[:name] = 'wrongtablename:test:IPv4' }.to raise_error(Puppet::Error)
describe 'purge iptables rules' do
# rubocop:disable Layout/IndentHeredoc
before(:each) do
- stub_return = <<EOS
+ stub_return = <<PUPPETCODE
# Completed on Sun Jan 5 19:30:21 2014
# Generated by iptables-save v1.4.12 on Sun Jan 5 19:30:21 2014
*filter
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sun Jan 5 19:30:21 2014
-EOS
+PUPPETCODE
allow(Puppet::Type.type(:firewall).provider(:iptables)).to receive(:iptables_save).and_return(stub_return)
allow(Puppet::Type.type(:firewall).provider(:ip6tables)).to receive(:ip6tables_save).and_return(stub_return)
end