:ip6tables_save => 'ip6tables-save',
})
+ def initialize(*args)
+ if Facter.fact('ip6tables_version').value.match /1\.3\.\d/
+ raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables'
+ else
+ super
+ end
+ end
+
def self.iptables(*args)
ip6tables(*args)
end
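Review bot: `Facter.fact('ip6tables_version')` on the added `initialize` returns nil when the fact cannot be resolved (ip6tables not installed, or the fact not loaded in this process), so `.value` raises NoMethodError before the intended ArgumentError is reached; use `Facter.value('ip6tables_version')` and guard for nil. The pattern `/1\.3\.\d/` is also unanchored, so a version string such as `11.3.0` would be rejected as well, and `match /.../` without parentheses triggers Ruby's ambiguous-first-argument warning. Suggested: `version = Facter.value('ip6tables_version')` followed by `if version && version.match(/\A1\.3\./)`. The enclosing provider class starts and ends outside this hunk.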
it 'adds a unmanaged rule without a comment' do
shell('/sbin/iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT')
- expect(shell('iptables-save').stdout).to match(/-A INPUT -s 8\.0\.0\.3\/32 -p tcp -m multiport --ports 102 -j ACCEPT/)
+ expect(shell('iptables-save').stdout).to match(/-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT/)
end
it 'contains the changable 8.0.0.1 rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.1\/32 -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/)
end
end
it 'contains the static 8.0.0.2 rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2\/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/)
end
end
end
it 'contains the staic 8.0.0.2 rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2\/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/)
end
end
it 'contains the changing new 8.0.0.4 rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.4\/32 -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -s 192.168.2.0\/24 -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/)
end
end
end
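Review bot: The dots in `192.168.2.0` on the rewritten expectation are unescaped, so each one matches any character and the assertion is looser than it reads — the mask alternative was escaped but the address was not. Escape them to match the style of the other expectations in this series: `192\.168\.2\.0\/(24|255\.255\.255\.0)`. The same unescaped addresses appear in the sibling expectations for 256.168.2.0, 20.0.0.0 and 30.0.0.0, and in the negative `to_not match` cases an over-permissive pattern is what hides a regression. The enclosing example group starts outside the hunk.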
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT ! -s 192.168.2.0\/24 -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/)
end
end
end
EOS
apply_manifest(pp, :expect_failures => true) do |r|
- expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/24/)
+ expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)/)
end
end
it 'should not contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to_not match(/-A INPUT -s 256.168.2.0\/24 -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/)
+ expect(r.stdout).to_not match(/-A INPUT -s 256.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 192.168.2.0\/24 -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT ! -d 192.168.2.0\/24 -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/)
end
end
end
EOS
apply_manifest(pp, :expect_failures => true) do |r|
- expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/24/)
+ expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)/)
end
end
it 'should not contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to_not match(/-A INPUT -d 256.168.2.0\/24 -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/)
+ expect(r.stdout).to_not match(/-A INPUT -d 256.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/)
end
end
end
it 'should contain the rule' do
shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200\/32 -p tcp -m comment --comment "569 - test" -j DNAT --to-destination 192.168.1.1/)
+ expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j DNAT --to-destination 192.168.1.1/)
end
end
end
end
end
- describe 'random' do
- context '192.168.1.1' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '570 - test 2':
- proto => all,
- table => 'nat',
- chain => 'POSTROUTING',
- jump => 'MASQUERADE',
- source => '172.30.0.0/16',
- random => true
- }
- EOS
+ # RHEL5 does not support --random
+ if default['platform'] !~ /el-5/
+ describe 'random' do
+ context '192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '570 - test 2':
+ proto => all,
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ source => '172.30.0.0/16',
+ random => true
+ }
+ EOS
- apply_manifest(pp, :catch_failures => true)
- apply_manifest(pp, :catch_changes => true)
- end
+ apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_changes => true)
+ end
- it 'should contain the rule' do
- shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(/-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - test 2" -j MASQUERADE --random/)
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - test 2" -j MASQUERADE --random/)
+ end
end
end
end
end
end
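Review bot: The guard `if default['platform'] !~ /el-5/` keys on the platform string while the comment gives the real reason (an iptables build without `--random`), so the skip neither follows the tool version onto other old distributions nor lifts on an el-5 host that carries a newer iptables. If the harness can read the version (for example `shell('iptables --version').stdout`), prefer deciding on that; otherwise extend the comment to say the platform is a proxy for iptables 1.3.x, `# RHEL5 ships iptables 1.3.5, which does not support --random`. The enclosing describe begins before this hunk.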
- describe 'hop_limit' do
- context '5' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '571 - test':
- ensure => present,
- proto => tcp,
- port => '571',
- action => accept,
- hop_limit => '5',
- provider => 'ip6tables',
- }
- EOS
+ #iptables version 1.3.5 is not suppored by the ip6tables provider
+ if default['platform'] !~ /el-5/
+ describe 'hop_limit' do
+ context '5' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '571 - test':
+ ensure => present,
+ proto => tcp,
+ port => '571',
+ action => accept,
+ hop_limit => '5',
+ provider => 'ip6tables',
+ }
+ EOS
- apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq 5 -j ACCEPT/)
+ end
+ end
end
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq 5 -j ACCEPT/)
+ context 'invalid' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '571 - test':
+ ensure => present,
+ proto => tcp,
+ port => '571',
+ action => accept,
+ hop_limit => 'invalid',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :expect_failures => true) do |r|
+ expect(r.stderr).to match(/Invalid value "invalid"./)
+ end
+ end
+
+ it 'should not contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to_not match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT/)
+ end
end
end
end
- context 'invalid' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '571 - test':
- ensure => present,
- proto => tcp,
- port => '571',
- action => accept,
- hop_limit => 'invalid',
- provider => 'ip6tables',
- }
- EOS
+ describe 'ishasmorefrags' do
+ context 'true' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '587 - test':
+ ensure => present,
+ proto => tcp,
+ port => '587',
+ action => accept,
+ ishasmorefrags => true,
+ provider => 'ip6tables',
+ }
+ EOS
- apply_manifest(pp, :expect_failures => true) do |r|
- expect(r.stderr).to match(/Invalid value "invalid"./)
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --ports 587 -m comment --comment "587 - test" -j ACCEPT/)
+ end
end
end
- it 'should not contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to_not match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT/)
+ context 'false' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '588 - test':
+ ensure => present,
+ proto => tcp,
+ port => '588',
+ action => accept,
+ ishasmorefrags => false,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 588 -m comment --comment "588 - test" -j ACCEPT/)
+ end
+ end
+ end
+ end
+
+ describe 'islastfrag' do
+ context 'true' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '589 - test':
+ ensure => present,
+ proto => tcp,
+ port => '589',
+ action => accept,
+ islastfrag => true,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --ports 589 -m comment --comment "589 - test" -j ACCEPT/)
+ end
+ end
+ end
+
+ context 'false' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '590 - test':
+ ensure => present,
+ proto => tcp,
+ port => '590',
+ action => accept,
+ islastfrag => false,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 590 -m comment --comment "590 - test" -j ACCEPT/)
+ end
+ end
+ end
+ end
+
+ describe 'isfirstfrag' do
+ context 'true' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '591 - test':
+ ensure => present,
+ proto => tcp,
+ port => '591',
+ action => accept,
+ isfirstfrag => true,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --ports 591 -m comment --comment "591 - test" -j ACCEPT/)
+ end
+ end
+ end
+
+ context 'false' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '592 - test':
+ ensure => present,
+ proto => tcp,
+ port => '592',
+ action => accept,
+ isfirstfrag => false,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 592 -m comment --comment "592 - test" -j ACCEPT/)
+ end
end
end
end
end
end
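Review bot: The ishasmorefrags 'true' expectation in this hunk matches `A INPUT -p tcp -m frag ...` without the leading `-`, unlike every sibling regex here; it still passes because `A INPUT` is a substring of `-A INPUT`, but restore `-A INPUT` so the anchor is the rule prefix rather than an arbitrary fragment. The comment introducing the guard reads `#iptables version 1.3.5 is not suppored by the ip6tables provider` — `supported`, with a space after `#`. The `invalid` hop_limit case asserts only `/Invalid value "invalid"./`, which is fine, but note the trailing `.` is an unescaped wildcard rather than a literal full stop. The enclosing describe starts before the hunk.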
- describe 'set_mark' do
- context '0x3e8/0xffffffff' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '580 - test':
- ensure => present,
- chain => 'OUTPUT',
- proto => tcp,
- port => '580',
- jump => 'MARK',
- table => 'mangle',
- set_mark => '0x3e8/0xffffffff',
- }
- EOS
+ #iptables version 1.3.5 does not support masks on MARK rules
+ if default['platform'] !~ /el-5/
+ describe 'set_mark' do
+ context '0x3e8/0xffffffff' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '580 - test':
+ ensure => present,
+ chain => 'OUTPUT',
+ proto => tcp,
+ port => '580',
+ jump => 'MARK',
+ table => 'mangle',
+ set_mark => '0x3e8/0xffffffff',
+ }
+ EOS
- apply_manifest(pp, :catch_failures => true)
- end
+ apply_manifest(pp, :catch_failures => true)
+ end
- it 'should contain the rule' do
- shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff/)
+ it 'should contain the rule' do
+ shell('iptables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff/)
+ end
end
end
end
end
end
- describe 'socket' do
- context 'true' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '585 - test':
- ensure => present,
- proto => tcp,
- port => '585',
- action => accept,
- chain => 'PREROUTING',
- table => 'nat',
- socket => true,
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
-
- it 'should contain the rule' do
- shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT/)
- end
- end
- end
-
- context 'false' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '586 - test':
- ensure => present,
- proto => tcp,
- port => '586',
- action => accept,
- chain => 'PREROUTING',
- table => 'nat',
- socket => false,
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
-
- it 'should contain the rule' do
- shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT/)
- end
- end
- end
- end
-
- describe 'ishasmorefrags' do
- context 'true' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '587 - test':
- ensure => present,
- proto => tcp,
- port => '587',
- action => accept,
- ishasmorefrags => true,
- provider => 'ip6tables',
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
-
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --ports 587 -m comment --comment "587 - test" -j ACCEPT/)
- end
- end
- end
-
- context 'false' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '588 - test':
- ensure => present,
- proto => tcp,
- port => '588',
- action => accept,
- ishasmorefrags => false,
- provider => 'ip6tables',
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
-
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 588 -m comment --comment "588 - test" -j ACCEPT/)
- end
- end
- end
- end
-
- describe 'islastfrag' do
- context 'true' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '589 - test':
- ensure => present,
- proto => tcp,
- port => '589',
- action => accept,
- islastfrag => true,
- provider => 'ip6tables',
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
+ # RHEL5 does not support -m socket
+ if default['platform'] !~ /el-5/
+ describe 'socket' do
+ context 'true' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '585 - test':
+ ensure => present,
+ proto => tcp,
+ port => '585',
+ action => accept,
+ chain => 'PREROUTING',
+ table => 'nat',
+ socket => true,
+ }
+ EOS
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --ports 589 -m comment --comment "589 - test" -j ACCEPT/)
+ apply_manifest(pp, :catch_failures => true)
end
- end
- end
- context 'false' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '590 - test':
- ensure => present,
- proto => tcp,
- port => '590',
- action => accept,
- islastfrag => false,
- provider => 'ip6tables',
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
-
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 590 -m comment --comment "590 - test" -j ACCEPT/)
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT/)
+ end
end
end
- end
- end
- describe 'isfirstfrag' do
- context 'true' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '591 - test':
- ensure => present,
- proto => tcp,
- port => '591',
- action => accept,
- isfirstfrag => true,
- provider => 'ip6tables',
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
+ context 'false' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '586 - test':
+ ensure => present,
+ proto => tcp,
+ port => '586',
+ action => accept,
+ chain => 'PREROUTING',
+ table => 'nat',
+ socket => false,
+ }
+ EOS
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --ports 591 -m comment --comment "591 - test" -j ACCEPT/)
+ apply_manifest(pp, :catch_failures => true)
end
- end
- end
- context 'false' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '592 - test':
- ensure => present,
- proto => tcp,
- port => '592',
- action => accept,
- isfirstfrag => false,
- provider => 'ip6tables',
- }
- EOS
-
- apply_manifest(pp, :catch_failures => true)
- end
-
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 592 -m comment --comment "592 - test" -j ACCEPT/)
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT/)
+ end
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/8 -m comment --comment "593 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "593 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/8 -m comment --comment "594 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "594 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp-net-unreachable/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/8 -m comment --comment "595 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "595 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 20.0.0.0\/8 -m comment --comment "596 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "596 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp-net-unreachable/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "597 - test" -m recent --set --name list1 --rdest/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "597 - test" -m recent --set --name list1 --rdest/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "598 - test" -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 --rsource/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "598 - test" -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 --rsource/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "599 - test" -m recent --update/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "599 - test" -m recent --update/)
end
end
end
it 'should contain the rule' do
shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "600 - test" -m recent --remove/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "600 - test" -m recent --remove/)
end
end
end
require 'spec_helper_acceptance'
-describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do
- before :all do
- ip6tables_flush_all_tables
- end
+if default['platform'] =~ /el-5/
+ describe "firewall ip6tables doesn't work on 1.3.5 because --comment is missing" do
+ before :all do
+ ip6tables_flush_all_tables
+ end
- shared_examples "is idempotent" do |values, line_match|
- it "changes the values to #{values}" do
+ it "can't use ip6tables" do
pp = <<-EOS
- class { '::firewall': }
- firewall { '599 - test':
- ensure => present,
- proto => 'tcp',
- provider => 'ip6tables',
- #{values}
- }
+ class { '::firewall': }
+ firewall { '599 - test':
+ ensure => present,
+ proto => 'tcp',
+ provider => 'ip6tables',
+ }
EOS
-
- apply_manifest(pp, :catch_failures => true)
- apply_manifest(pp, :catch_changes => true)
-
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/#{line_match}/)
- end
+ expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/ip6tables provider is not supported/)
end
end
- shared_examples "doesn't change" do |values, line_match|
- it "doesn't change the values to #{values}" do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '599 - test':
- ensure => present,
- proto => 'tcp',
- provider => 'ip6tables',
- #{values}
- }
- EOS
+else
+ describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do
+ before :all do
+ ip6tables_flush_all_tables
+ end
- apply_manifest(pp, :catch_changes => true)
+ shared_examples "is idempotent" do |values, line_match|
+ it "changes the values to #{values}" do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '599 - test':
+ ensure => present,
+ proto => 'tcp',
+ provider => 'ip6tables',
+ #{values}
+ }
+ EOS
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/#{line_match}/)
- end
- end
- end
+ apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_changes => true)
- describe 'adding a rule' do
- context 'when unset' do
- before :all do
- ip6tables_flush_all_tables
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/#{line_match}/)
+ end
end
- it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/
end
- context 'when set to true' do
- before :all do
- ip6tables_flush_all_tables
- end
- it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
- end
- context 'when set to false' do
- before :all do
- ip6tables_flush_all_tables
+ shared_examples "doesn't change" do |values, line_match|
+ it "doesn't change the values to #{values}" do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '599 - test':
+ ensure => present,
+ proto => 'tcp',
+ provider => 'ip6tables',
+ #{values}
+ }
+ EOS
+
+ apply_manifest(pp, :catch_changes => true)
+
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/#{line_match}/)
+ end
end
- it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
end
- end
- describe 'editing a rule' do
- context 'when unset or false' do
- before :each do
- ip6tables_flush_all_tables
- shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
- end
- context 'and current value is false' do
- it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
+
+ describe 'adding a rule' do
+ context 'when unset' do
+ before :all do
+ ip6tables_flush_all_tables
+ end
+ it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/
end
- context 'and current value is true' do
+ context 'when set to true' do
+ before :all do
+ ip6tables_flush_all_tables
+ end
it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
end
- end
- context 'when set to true' do
- before :each do
- ip6tables_flush_all_tables
- shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
- end
- context 'and current value is false' do
+ context 'when set to false' do
+ before :all do
+ ip6tables_flush_all_tables
+ end
it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
end
- context 'and current value is true' do
- it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
+ end
+ describe 'editing a rule' do
+ context 'when unset or false' do
+ before :each do
+ ip6tables_flush_all_tables
+ shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
+ end
+ context 'and current value is false' do
+ it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
+ end
+ context 'and current value is true' do
+ it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
+ end
+ end
+ context 'when set to true' do
+ before :each do
+ ip6tables_flush_all_tables
+ shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
+ end
+ context 'and current value is false' do
+ it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/
+ end
+ context 'and current value is true' do
+ it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/
+ end
end
end
end
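Review bot: The el-5 example title says ip6tables fails `because --comment is missing`, but the provider change in this series rejects version 1.3 outright with `The ip6tables provider is not supported on version 1.3 of iptables`, and the expectation asserts only the substring `ip6tables provider is not supported`; align the title with the actual gate, or record the `--comment` limitation as a comment above the describe rather than in the example name. Pinning the assertion to the full message, `to match(/ip6tables provider is not supported on version 1\.3/)`, also makes a later wording change visible. The `before :all` still calls `ip6tables_flush_all_tables` on el-5, which is fine only if that helper shells out to the binary rather than going through the provider — worth confirming.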
apply_manifest(pp, :catch_failures => true)
- expect(shell('/sbin/iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1\/32 -p tcp\s?\n-A INPUT -s 1\.2\.1\.1\/32 -p udp/)
+ expect(shell('/sbin/iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
end
end
end
/INPUT ACCEPT/,
/FORWARD ACCEPT/,
/OUTPUT ACCEPT/,
- /-A FORWARD -s 10.0.0.0\/8 -d 10.0.0.0\/8 -m comment --comment \"090 forward allow local\" -j ACCEPT/,
- /-A FORWARD -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,
- /-A FORWARD -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,
- /-A FORWARD -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/
+ /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/,
+ /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,
+ /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,
+ /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/
].each do |line|
expect(r.stdout).to match(line)
end
/-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
/-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
/-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
- /-A INPUT -s 10.0.0.0\/8 -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
+ /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
/-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
/-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
/-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
require 'spec_helper_acceptance'
-describe 'firewall socket property' do
- before :all do
- iptables_flush_all_tables
- end
+# RHEL5 does not support -m socket
+if default['platform'] !~ /el-5/
+ describe 'firewall socket property' do
+ before :all do
+ iptables_flush_all_tables
+ end
- shared_examples "is idempotent" do |value, line_match|
- it "changes the value to #{value}" do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '598 - test':
- ensure => present,
- proto => 'tcp',
- chain => 'PREROUTING',
- table => 'raw',
- #{value}
- }
- EOS
+ shared_examples "is idempotent" do |value, line_match|
+ it "changes the value to #{value}" do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '598 - test':
+ ensure => present,
+ proto => 'tcp',
+ chain => 'PREROUTING',
+ table => 'raw',
+ #{value}
+ }
+ EOS
- apply_manifest(pp, :catch_failures => true)
- apply_manifest(pp, :catch_changes => true)
+ apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_changes => true)
- shell('iptables-save -t raw') do |r|
- expect(r.stdout).to match(/#{line_match}/)
+ shell('iptables-save -t raw') do |r|
+ expect(r.stdout).to match(/#{line_match}/)
+ end
end
end
- end
- shared_examples "doesn't change" do |value, line_match|
- it "doesn't change the value to #{value}" do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '598 - test':
- ensure => present,
- proto => 'tcp',
- chain => 'PREROUTING',
- table => 'raw',
- #{value}
- }
- EOS
+ shared_examples "doesn't change" do |value, line_match|
+ it "doesn't change the value to #{value}" do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '598 - test':
+ ensure => present,
+ proto => 'tcp',
+ chain => 'PREROUTING',
+ table => 'raw',
+ #{value}
+ }
+ EOS
- apply_manifest(pp, :catch_changes => true)
+ apply_manifest(pp, :catch_changes => true)
- shell('iptables-save -t raw') do |r|
- expect(r.stdout).to match(/#{line_match}/)
+ shell('iptables-save -t raw') do |r|
+ expect(r.stdout).to match(/#{line_match}/)
+ end
end
end
- end
- describe 'adding a rule' do
- context 'when unset' do
- before :all do
- iptables_flush_all_tables
- end
- it_behaves_like 'is idempotent', '', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
- end
- context 'when set to true' do
- before :all do
- iptables_flush_all_tables
- end
- it_behaves_like 'is idempotent', 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
- end
- context 'when set to false' do
- before :all do
- iptables_flush_all_tables
- end
- it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
- end
- end
- describe 'editing a rule' do
- context 'when unset or false' do
- before :each do
- iptables_flush_all_tables
- shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
+ describe 'adding a rule' do
+ context 'when unset' do
+ before :all do
+ iptables_flush_all_tables
+ end
+ it_behaves_like 'is idempotent', '', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
end
- context 'and current value is false' do
- it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+ context 'when set to true' do
+ before :all do
+ iptables_flush_all_tables
+ end
+ it_behaves_like 'is idempotent', 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
end
- context 'and current value is true' do
- it_behaves_like "is idempotent", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+ context 'when set to false' do
+ before :all do
+ iptables_flush_all_tables
+ end
+ it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
end
end
- context 'when set to true' do
- before :each do
- iptables_flush_all_tables
- shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
- end
- context 'and current value is false' do
- it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+ describe 'editing a rule' do
+ context 'when unset or false' do
+ before :each do
+ iptables_flush_all_tables
+ shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"')
+ end
+ context 'and current value is false' do
+ it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+ end
+ context 'and current value is true' do
+ it_behaves_like "is idempotent", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+ end
end
- context 'and current value is true' do
- it_behaves_like "doesn't change", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+ context 'when set to true' do
+ before :each do
+ iptables_flush_all_tables
+ shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"')
+ end
+ context 'and current value is false' do
+ it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/
+ end
+ context 'and current value is true' do
+ it_behaves_like "doesn't change", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/
+ end
end
end
end
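Review bot: Wrapping the entire spec in `if default['platform'] !~ /el-5/` means an el-5 run loads this file and yields zero examples, so the missing coverage is invisible in the report, and a typo in the platform regex would silently disable the suite everywhere. RSpec metadata keeps the examples visible as skipped: `describe 'firewall socket property', :if => default['platform'] !~ /el-5/ do`, which also removes one indentation level for the whole file. Keep the reason comment (`# RHEL5 does not support -m socket`) directly above the describe so the skip condition is explained where it is read.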