# iptables version 1.3.5 is not suppored by the ip6tables provider
# iptables version 1.4.7 fails for multiple hl entries
- if default['platform'] !~ %r{(el-5|el-6|sles-11)}
+ describe 'testing ipv6', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) || (os[:family] == 'sles') do
describe 'hop_limit' do
context 'when 5' do
pp42 = <<-PUPPETCODE
end
end
- # ip6tables only supports ipset, addrtype, and mask on a limited set of platforms
- if default['platform'] =~ %r{el-7} || default['platform'] =~ %r{ubuntu-14\.04}
- # ipset is really difficult to test, just testing on one platform
- if default['platform'] =~ %r{ubuntu-14\.04}
- describe 'ipset' do
- pp63 = <<-PUPPETCODE
- exec { 'hackery pt 1':
- command => 'service iptables-persistent flush',
- path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
- }
- package { 'ipset':
- ensure => present,
- require => Exec['hackery pt 1'],
- }
- exec { 'hackery pt 2':
- command => 'service iptables-persistent start',
- path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
- require => Package['ipset'],
- }
- class { '::firewall': }
- exec { 'create ipset blacklist':
- command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120',
- path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
- require => Package['ipset'],
- }
- -> exec { 'create ipset honeypot':
- command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120',
- path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
- }
- -> exec { 'add blacklist':
- command => 'ipset add blacklist 2001:db8::1,80',
- path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
- }
- -> exec { 'add honeypot':
- command => 'ipset add honeypot 2001:db8::5',
- path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
- }
- firewall { '612 - test':
- ensure => present,
- chain => 'INPUT',
- proto => tcp,
- action => drop,
- ipset => ['blacklist src,dst', '! honeypot dst'],
- provider => 'ip6tables',
- require => Exec['add honeypot'],
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp63, catch_failures: true)
- end
+ # ipset is hard to test, only testing on ubuntu 14
+ describe 'ipset', if: (host_inventory['facter']['os']['name'] == 'ubuntu' && os[:release].start_with?('14')) do
+ pp63 = <<-PUPPETCODE
+ exec { 'hackery pt 1':
+ command => 'service iptables-persistent flush',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ package { 'ipset':
+ ensure => present,
+ require => Exec['hackery pt 1'],
+ }
+ exec { 'hackery pt 2':
+ command => 'service iptables-persistent start',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Package['ipset'],
+ }
+ class { '::firewall': }
+ exec { 'create ipset blacklist':
+ command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Package['ipset'],
+ }
+ -> exec { 'create ipset honeypot':
+ command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ -> exec { 'add blacklist':
+ command => 'ipset add blacklist 2001:db8::1,80',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ -> exec { 'add honeypot':
+ command => 'ipset add honeypot 2001:db8::5',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ firewall { '612 - test':
+ ensure => present,
+ chain => 'INPUT',
+ proto => tcp,
+ action => drop,
+ ipset => ['blacklist src,dst', '! honeypot dst'],
+ provider => 'ip6tables',
+ require => Exec['add honeypot'],
+ }
+ PUPPETCODE
+ it 'applies' do
+ apply_manifest(pp63, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP})
- end
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP})
end
end
+ end
- ['dst_type', 'src_type'].each do |type|
- describe type.to_s do
- context 'when MULTICAST' do
- pp65 = <<-PUPPETCODE
+ ['dst_type', 'src_type'].each do |type|
+ describe type.to_s do
+ context 'when MULTICAST' do
+ pp65 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 - test':
proto => tcp,
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp65, catch_failures: true)
- apply_manifest(pp65, catch_changes: do_catch_changes)
- end
+ it 'applies' do
+ apply_manifest(pp65, catch_failures: true)
+ apply_manifest(pp65, catch_changes: do_catch_changes)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT})
end
end
+ end
- context 'when ! MULTICAST' do
- pp66 = <<-PUPPETCODE
+ context 'when ! MULTICAST' do
+ pp66 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 - test inversion':
proto => tcp,
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp66, catch_failures: true)
- apply_manifest(pp66, catch_changes: do_catch_changes)
- end
+ it 'applies' do
+ apply_manifest(pp66, catch_failures: true)
+ apply_manifest(pp66, catch_changes: do_catch_changes)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT})
end
end
+ end
- context 'when BROKEN' do
- pp67 = <<-PUPPETCODE
+ context 'when BROKEN' do
+ pp67 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 - test':
proto => tcp,
provider => 'ip6tables',
}
PUPPETCODE
- it 'fails' do
- apply_manifest(pp67, expect_failures: true) do |r|
- expect(r.stderr).to match(%r{Invalid value "BROKEN".})
- end
+ it 'fails' do
+ apply_manifest(pp67, expect_failures: true) do |r|
+ expect(r.stderr).to match(%r{Invalid value "BROKEN".})
end
+ end
- it 'does not contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT})
- end
+ it 'does not contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT})
end
end
+ end
- context 'when LOCAL --limit-iface-in', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')
- ) do
- pp102 = <<-PUPPETCODE
+ context 'when LOCAL --limit-iface-in', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')
+ ) do
+ pp102 = <<-PUPPETCODE
class { '::firewall': }
firewall { '617 - test':
proto => tcp,
#{type} => 'LOCAL --limit-iface-in',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp102, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp102, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "617 - test" -j ACCEPT})
- end
+ it 'contains the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "617 - test" -j ACCEPT})
end
end
+ end
- context 'when LOCAL --limit-iface-in fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')
- ) do
- pp103 = <<-PUPPETCODE
+ context 'when LOCAL --limit-iface-in fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')
+ ) do
+ pp103 = <<-PUPPETCODE
class { '::firewall': }
firewall { '618 - test':
proto => tcp,
#{type} => 'LOCAL --limit-iface-in',
}
PUPPETCODE
- it 'fails' do
- apply_manifest(pp103, expect_failures: true) do |r|
- expect(r.stderr).to match(%r{--limit-iface-in and --limit-iface-out are available from iptables version})
- end
+ it 'fails' do
+ apply_manifest(pp103, expect_failures: true) do |r|
+ expect(r.stderr).to match(%r{--limit-iface-in and --limit-iface-out are available from iptables version})
end
+ end
- it 'does not contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "618 - test" -j ACCEPT})
- end
+ it 'does not contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "618 - test" -j ACCEPT})
end
end
+ end
- context 'when duplicated LOCAL', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')
- ) do
- pp104 = <<-PUPPETCODE
+ context 'when duplicated LOCAL', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')
+ ) do
+ pp104 = <<-PUPPETCODE
class { '::firewall': }
firewall { '619 - test':
proto => tcp,
provider => 'ip6tables',
}
PUPPETCODE
- it 'fails' do
- apply_manifest(pp104, expect_failures: true) do |r|
- expect(r.stderr).to match(%r{#{type} elements must be unique})
- end
+ it 'fails' do
+ apply_manifest(pp104, expect_failures: true) do |r|
+ expect(r.stderr).to match(%r{#{type} elements must be unique})
end
+ end
- it 'does not contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT})
- end
+ it 'does not contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT})
end
end
+ end
- context 'when multiple addrtype', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')
- ) do
- pp105 = <<-PUPPETCODE
+ context 'when multiple addrtype', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) do
+ pp105 = <<-PUPPETCODE
class { '::firewall': }
firewall { '620 - test':
proto => tcp,
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp105, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp105, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "620 - test" -j ACCEPT})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "620 - test" -j ACCEPT})
end
end
+ end
- context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')
- ) do
- pp106 = <<-PUPPETCODE
+ context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')
+ ) do
+ pp106 = <<-PUPPETCODE
class { '::firewall': }
firewall { '616 - test':
proto => tcp,
provider => 'ip6tables',
}
PUPPETCODE
- it 'fails' do
- apply_manifest(pp106, expect_failures: true) do |r|
- expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version})
- end
+ it 'fails' do
+ apply_manifest(pp106, expect_failures: true) do |r|
+ expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version})
end
+ end
- it 'does not contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT})
- end
+ it 'does not contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT})
end
end
end
end
end
-
end
# iptables version 1.3.5 does not support masks on MARK rules
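Review bot: The `describe 'ipset', if: (host_inventory['facter']['os']['name'] == 'ubuntu' && os[:release].start_with?('14'))` guard in the ipset section is the only predicate in this hunk that reads `host_inventory['facter']` instead of serverspec's `os[...]`, and as far as I recall Facter reports `os.name` as `Ubuntu` (capitalised), so the comparison would be false on every host and the ipset example would be silently skipped everywhere instead of running on Ubuntu 14.04 — worth confirming on a real node. Use the same helper as the surrounding predicates, `describe 'ipset', if: (os[:family] == 'ubuntu' && os[:release].start_with?('14')) do`, or at least compare case-insensitively. Separately, the RHEL check on `describe 'testing ipv6'` and `context 'when multiple addrtype'` is spelled `['5', '6'].include?(os[:release][0])` while every other context in the hunk uses `os[:release].start_with?('5')`; a single shared predicate in spec_helper_acceptance would keep the two spellings from drifting apart.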
require 'spec_helper_acceptance'
-describe 'firewall bridging' do
+# iptables version 1.3.5 is not suppored by the ip6tables provider
+describe 'firewall bridging', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do
before :all do
iptables_flush_all_tables
ip6tables_flush_all_tables
end
- describe 'iptables physdev tests' do
- # iptables version 1.3.5 is not suppored by the ip6tables provider
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- describe 'ip6tables physdev tests' do
- context 'when physdev_in eth0' do
- pp8 = <<-PUPPETCODE
+ describe 'ip6tables physdev tests' do
+ context 'when physdev_in eth0' do
+ pp8 = <<-PUPPETCODE
class { '::firewall': }
firewall { '701 - test':
provider => 'ip6tables',
physdev_in => 'eth0',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp8, catch_failures: true)
- apply_manifest(pp8, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp8, catch_failures: true)
+ apply_manifest(pp8, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_out eth1' do
- pp9 = <<-PUPPETCODE
+ context 'when physdev_out eth1' do
+ pp9 = <<-PUPPETCODE
class { '::firewall': }
firewall { '702 - test':
provider => 'ip6tables',
physdev_out => 'eth1',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp9, catch_failures: true)
- apply_manifest(pp9, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp9, catch_failures: true)
+ apply_manifest(pp9, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_in eth0 and physdev_out eth1' do
- pp10 = <<-PUPPETCODE
+ context 'when physdev_in eth0 and physdev_out eth1' do
+ pp10 = <<-PUPPETCODE
class { '::firewall': }
firewall { '703 - test':
provider => 'ip6tables',
physdev_out => 'eth1',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp10, catch_failures: true)
- apply_manifest(pp10, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp10, catch_failures: true)
+ apply_manifest(pp10, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_is_bridged' do
- pp11 = <<-PUPPETCODE
+ context 'when physdev_is_bridged' do
+ pp11 = <<-PUPPETCODE
class { '::firewall': }
firewall { '704 - test':
provider => 'ip6tables',
physdev_is_bridged => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp11, catch_failures: true)
- apply_manifest(pp11, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp11, catch_failures: true)
+ apply_manifest(pp11, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_in eth0 and physdev_is_bridged' do
- pp12 = <<-PUPPETCODE
+ context 'when physdev_in eth0 and physdev_is_bridged' do
+ pp12 = <<-PUPPETCODE
class { '::firewall': }
firewall { '705 - test':
provider => 'ip6tables',
physdev_is_bridged => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp12, catch_failures: true)
- apply_manifest(pp12, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp12, catch_failures: true)
+ apply_manifest(pp12, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_out eth1 and physdev_is_bridged' do
- pp13 = <<-PUPPETCODE
+ context 'when physdev_out eth1 and physdev_is_bridged' do
+ pp13 = <<-PUPPETCODE
class { '::firewall': }
firewall { '706 - test':
provider => 'ip6tables',
physdev_is_bridged => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp13, catch_failures: true)
- apply_manifest(pp13, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp13, catch_failures: true)
+ apply_manifest(pp13, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
- pp14 = <<-PUPPETCODE
+ context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
+ pp14 = <<-PUPPETCODE
class { '::firewall': }
firewall { '707 - test':
provider => 'ip6tables',
physdev_is_bridged => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp14, catch_failures: true)
- apply_manifest(pp14, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT}) # rubocop:disable Metrics/LineLength
- end
- end
+ it 'applies' do
+ apply_manifest(pp14, catch_failures: true)
+ apply_manifest(pp14, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_is_in' do
- pp15 = <<-PUPPETCODE
+ context 'when physdev_is_in' do
+ pp15 = <<-PUPPETCODE
class { '::firewall': }
firewall { '708 - test':
provider => 'ip6tables',
physdev_is_in => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp15, catch_failures: true)
- apply_manifest(pp15, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp15, catch_failures: true)
+ apply_manifest(pp15, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT})
end
+ end
+ end
- context 'when physdev_is_out' do
- pp16 = <<-PUPPETCODE
+ context 'when physdev_is_out' do
+ pp16 = <<-PUPPETCODE
class { '::firewall': }
firewall { '709 - test':
provider => 'ip6tables',
physdev_is_out => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp16, catch_failures: true)
- apply_manifest(pp16, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT})
- end
- end
+ it 'applies' do
+ apply_manifest(pp16, catch_failures: true)
+ apply_manifest(pp16, catch_changes: do_catch_changes)
+ end
+
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT})
end
end
end
end
end
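Review bot: The `unless:` moved onto `describe 'firewall bridging'` now skips this whole file on RHEL 5, whereas before only the `ip6tables physdev tests` describe sat under the `unless os[:family] == 'redhat' ...` guard and `describe 'iptables physdev tests'` ran on every platform; if ipv4 physdev contexts remain in the file outside this hunk, they have lost RHEL 5 coverage. Keep the gate on the inner describe instead, `describe 'ip6tables physdev tests', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do`, which is exactly what the dscp change in this same diff does with `describe 'dscp ipv6 tests', unless: ...`. The same widening appears in `describe 'firewall MSS', unless: ...` and `describe 'firewall match marks', unless: ...` further down. The comment added above the describe also carries the typo `suppored` and explains an ip6tables limitation, so it belongs on the ip6tables describe as `# iptables version 1.3.5 is not supported by the ip6tables provider`. Finally, the `707 - test` expectation line drops its `# rubocop:disable Metrics/LineLength` while the ipt_modules expectations in this diff keep theirs; if the cop is still enabled in the project config that line will now be flagged.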
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- describe 'dscp ipv6 tests' do
- context 'when set_dscp 0x01' do
- pp3 = <<-PUPPETCODE
+ describe 'dscp ipv6 tests', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+ context 'when set_dscp 0x01' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1002 - set_dscp':
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp3, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp3, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
end
end
+ end
- context 'when set_dscp_class EF' do
- pp4 = <<-PUPPETCODE
+ context 'when set_dscp_class EF' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1003 EF - set_dscp_class':
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp4, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp4, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
end
end
end
it 'contains the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
end
end
end
it 'contains the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
end
end
end
end
- # iptables version 1.3.5 is not suppored by the ip6tables provider
- if default['platform'] =~ %r{ubuntu-14\.04}
- describe 'ip6tables ipt_modules tests' do
- context 'when all the modules with multiple args' do
- pp3 = <<-PUPPETCODE
+ describe 'ip6tables ipt_modules tests', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) || (os[:family] == 'sles') do
+ context 'when all the modules with multiple args' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
physdev_is_bridged => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp3, catch_failures: true)
- apply_manifest(pp3, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
- end
- end
+ it 'applies' do
+ apply_manifest(pp3, catch_failures: true)
+ apply_manifest(pp3, catch_changes: do_catch_changes)
end
- context 'when all the modules with single args' do
- pp4 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '802 - ipt_modules tests':
- proto => tcp,
- dport => '8080',
- action => reject,
- chain => 'OUTPUT',
- provider => 'ip6tables',
- gid => 404,
- dst_range => "2003::-2004::",
- dst_type => 'UNICAST',
- physdev_out => "eth1",
- physdev_is_bridged => true,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp4, catch_failures: true)
- apply_manifest(pp4, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength
end
end
end
- # Older OSes don't have addrtype so we leave those properties out.
- # el-5 doesn't support ipv6 by default
- elsif default['platform'] !~ %r{el-5}
- describe 'ip6tables ipt_modules tests' do
- context 'when all the modules with multiple args' do
- pp5 = <<-PUPPETCODE
- class { '::firewall': }
- firewall { '801 - ipt_modules tests':
- proto => tcp,
- dport => '8080',
- action => reject,
- chain => 'OUTPUT',
- provider => 'ip6tables',
- uid => 0,
- gid => 404,
- src_range => "2001::-2002::",
- dst_range => "2003::-2004::",
- physdev_in => "eth0",
- physdev_out => "eth1",
- physdev_is_bridged => true,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp5, catch_failures: true)
- apply_manifest(pp5, catch_changes: do_catch_changes)
- end
-
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
- end
- end
- end
- context 'when all the modules with single args' do
- pp6 = <<-PUPPETCODE
+ context 'when all the modules with single args' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
provider => 'ip6tables',
gid => 404,
dst_range => "2003::-2004::",
+ dst_type => 'UNICAST',
physdev_out => "eth1",
physdev_is_bridged => true,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp6, catch_failures: true)
- apply_manifest(pp6, catch_changes: do_catch_changes)
- end
+ it 'applies' do
+ apply_manifest(pp4, catch_failures: true)
+ apply_manifest(pp4, catch_changes: do_catch_changes)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength
end
end
end
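Review bot: The removed `elsif default['platform'] !~ %r{el-5}` branch was the only run of the 801/802 ip6tables manifests without `src_type`/`dst_type` (its comment said older OSes lack addrtype), and the replacement `describe 'ip6tables ipt_modules tests', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) || (os[:family] == 'sles') do` simply skips those platforms, so EL6 and SLES go from exercising the reduced ip6tables rule to exercising nothing. If that is the intent, record it on the describe, e.g. `# el-5/el-6 and sles lack ip6tables addrtype; the module tests are skipped there rather than run without src_type/dst_type`; otherwise keep a second describe for the addrtype-less manifests gated with `if:` on the same condition. The new context names `pp3`/`pp4` are also reused from the iptables section earlier in this file (visible as `pp3` in the dscp hunk and the ipv4 `801 - ipt_modules tests` expectation), which works because each is block-local but makes the two `contains the rule` expectations easy to confuse; `pp_v6_multi`/`pp_v6_single` would make the heredoc-to-expectation pairing obvious.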
require 'spec_helper_acceptance'
-describe 'firewall MSS' do
+describe 'firewall MSS', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
before :all do
iptables_flush_all_tables
ip6tables_flush_all_tables
end
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- describe 'mss ipv6 tests' do
- context 'when 1360' do
- pp3 = <<-PUPPETCODE
+ describe 'mss ipv6 tests' do
+ context 'when 1360' do
+ pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'502 - set_mss':
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp3, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp3, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
end
end
+ end
- context 'when clamp_mss_to_pmtu' do
- pp4 = <<-PUPPETCODE
+ context 'when clamp_mss_to_pmtu' do
+ pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp4, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp4, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
end
end
end
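Review bot: The two checks in this file read the ip6tables dump inconsistently: the `set_mss` example scopes the dump with `shell('ip6tables-save -t mangle')`, while the `clamp_mss_to_pmtu` example calls plain `shell('ip6tables-save')`, which emits every table, even though both rules are TCPMSS rules that only exist in mangle. Use `shell('ip6tables-save -t mangle')` in both so the assertion is tied to the table the rule must be in and is not satisfied by a FORWARD rule elsewhere. Separately, the guard `unless: os[:family] == 'redhat' && os[:release].start_with?('5')` is now repeated verbatim as describe metadata in several specs (and spelled differently from the `os[:release][0]` form used for the ipv6 suite); a single predicate in spec_helper_acceptance, e.g. `def ip6tables_unsupported? = os[:family] == 'redhat' && os[:release].start_with?('5')` (or a method body on Ruby < 3), would keep the skip reason in one place.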
require 'spec_helper_acceptance'
-describe 'firewall match marks' do
+describe 'firewall match marks', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
before :all do
iptables_flush_all_tables
ip6tables_flush_all_tables
end
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- describe 'match_mark' do
- context 'when 0x1' do
- pp1 = <<-PUPPETCODE
+ describe 'match_mark' do
+ context 'when 0x1' do
+ pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '503 match_mark - test':
proto => 'all',
action => reject,
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp1, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp1, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable})
- end
+ it 'contains the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable})
end
end
end
+ end
- describe 'match_mark_ip6' do
- context 'when 0x1' do
- pp2 = <<-PUPPETCODE
+ describe 'match_mark_ip6' do
+ context 'when 0x1' do
+ pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '503 match_mark ip6tables - test':
proto => 'all',
provider => 'ip6tables',
}
PUPPETCODE
- it 'applies' do
- apply_manifest(pp2, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp2, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})
end
end
end
end
end
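Review bot: The `unless:` metadata on the top-level `describe 'firewall match marks'` now skips the IPv4 `match_mark` describe (the `iptables-save` check) on EL5 as well, although the limitation recorded elsewhere in this change set is with the ip6tables provider on EL5's iptables. Moving the guard down to `describe 'match_mark_ip6', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do` and leaving `describe 'match_mark'` unguarded keeps the IPv4 mark-matching coverage on that platform. If the removed `unless` block also wrapped both describes, this is not a regression, but the skip is still broader than its stated reason and worth a one-line comment saying why both are skipped if that is intended.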
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- context 'when ipv6 chain purge' do
- after(:all) do
- ip6tables_flush_all_tables
- end
- before(:each) do
- ip6tables_flush_all_tables
+ context 'when ipv6 chain purge', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+ after(:all) do
+ ip6tables_flush_all_tables
+ end
+ before(:each) do
+ ip6tables_flush_all_tables
- shell('ip6tables -A INPUT -p tcp -s 1::42')
- shell('ip6tables -A INPUT -p udp -s 1::42')
- shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
- end
+ shell('ip6tables -A INPUT -p tcp -s 1::42')
+ shell('ip6tables -A INPUT -p udp -s 1::42')
+ shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+ end
- pp6 = <<-PUPPETCODE
+ pp6 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
}
PUPPETCODE
- it 'purges only the specified chain' do
- apply_manifest(pp6, expect_changes: true)
-
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{010 output-1::50})
- expect(r.stdout).not_to match(%r{1::42})
- expect(r.stderr).to eq('')
- end
+ it 'purges only the specified chain' do
+ apply_manifest(pp6, expect_changes: true)
+
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{010 output-1::50})
+ expect(r.stdout).not_to match(%r{1::42})
+ expect(r.stderr).to eq('')
end
- # rubocop:enable RSpec/ExampleLength
+ end
+ # rubocop:enable RSpec/ExampleLength
- pp7 = <<-PUPPETCODE
+ pp7 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'OUTPUT:filter:IPv6':
purge => true,
provider => 'ip6tables',
}
PUPPETCODE
- it 'ignores managed rules' do
- apply_manifest(pp7, catch_changes: do_catch_changes)
- end
+ it 'ignores managed rules' do
+ apply_manifest(pp7, catch_changes: do_catch_changes)
+ end
- pp8 = <<-PUPPETCODE
+ pp8 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
],
}
PUPPETCODE
- it 'ignores specified rules' do
- apply_manifest(pp8, catch_changes: do_catch_changes)
- end
+ it 'ignores specified rules' do
+ apply_manifest(pp8, catch_changes: do_catch_changes)
+ end
- pp9 = <<-PUPPETCODE
+ pp9 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
provider => 'ip6tables',
}
PUPPETCODE
- it 'adds managed rules with ignored rules' do
- apply_manifest(pp9, catch_failures: true)
+ it 'adds managed rules with ignored rules' do
+ apply_manifest(pp9, catch_failures: true)
- expect(shell('ip6tables-save').stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp})
- end
+ expect(shell('ip6tables-save').stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp})
end
end
end
# version of iptables that ships with el5 doesn't work with the
# ip6tables provider
# TODO: Test below fails if this file is run seperately. i.e. bundle exec rspec spec/acceptance/resource_cmd_spec.rb
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- context 'when dport/sport with ip6tables' do
- before :all do
- if os['family'] == 'debian'
- shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
- shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections')
- shell('apt-get install iptables-persistent -y')
- end
- ip6tables_flush_all_tables
- shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar')
+ context 'when dport/sport with ip6tables', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+ before :all do
+ if os['family'] == 'debian'
+ shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
+ shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections')
+ shell('apt-get install iptables-persistent -y')
end
- it do
- shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
- r.exit_code.should be_zero
- # don't check stdout, testing preexisting rules, output is normal
- r.stderr.should be_empty
- end
+ ip6tables_flush_all_tables
+ shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar')
+ end
+ it do
+ shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
end
end
end
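Review bot: The Debian branch in `before :all` tests `os['family'] == 'debian'` with a string key, while the guard on the same context uses `os[:family]`; if `os` is the symbol-keyed hash the rest of the file assumes, the string lookup is nil, the debconf preseed and `apt-get install iptables-persistent -y` never run, and the test silently exercises a different setup on Debian. Change it to `if os[:family] == 'debian'`. The example itself only asserts `exit_code` zero and empty stderr and explicitly leaves stdout unchecked, so it would also pass if `puppet resource` printed nothing or an absent resource for '000-foobar'; since the point of the test is that dport/sport parse with ip6tables, add `expect(r.stdout).to match(%r{dport\s*=>\s*'546'})` and the matching `sport` check. Whether `puppet resource` exits zero for an unknown instance is inferred, not visible here.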