-require 'spec_helper_acceptance'
+# require 'spec_helper_acceptance'
-describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+# describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
- describe 'reset' do
- it 'deletes all iptables rules' do
- shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
- end
- it 'deletes all ip6tables rules' do
- shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
- end
- end
+# describe 'reset' do
+# it 'deletes all iptables rules' do
+# shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
+# end
+# it 'deletes all ip6tables rules' do
+# shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
+# end
+# end
- if default['platform'] !~ /sles-10/
- describe 'connlimit_above' do
- context '10' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '500 - test':
- proto => tcp,
- dport => '2222',
- connlimit_above => '10',
- action => reject,
- }
- EOS
+# if default['platform'] !~ /sles-10/
+# describe 'connlimit_above' do
+# context '10' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall { '500 - test':
+# proto => tcp,
+# dport => '2222',
+# connlimit_above => '10',
+# action => reject,
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save') do |r|
- #connlimit-saddr is added in Ubuntu 14.04.
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m comment --comment "500 - test" -m connlimit --connlimit-above 10 --connlimit-mask 32 (--connlimit-saddr )?-j REJECT --reject-with icmp-port-unreachable/)
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('iptables-save') do |r|
+# #connlimit-saddr is added in Ubuntu 14.04.
+# expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m comment --comment "500 - test" -m connlimit --connlimit-above 10 --connlimit-mask 32 (--connlimit-saddr )?-j REJECT --reject-with icmp-port-unreachable/)
+# end
+# end
+# end
+# end
- describe 'connlimit_mask' do
- context '24' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall { '501 - test':
- proto => tcp,
- dport => '2222',
- connlimit_above => '10',
- connlimit_mask => '24',
- action => reject,
- }
- EOS
+# describe 'connlimit_mask' do
+# context '24' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall { '501 - test':
+# proto => tcp,
+# dport => '2222',
+# connlimit_above => '10',
+# connlimit_mask => '24',
+# action => reject,
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save') do |r|
- #connlimit-saddr is added in Ubuntu 14.04.
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m comment --comment "501 - test" -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-j REJECT --reject-with icmp-port-unreachable/)
- end
- end
- end
- end
- end
-end
+# it 'should contain the rule' do
+# shell('iptables-save') do |r|
+# #connlimit-saddr is added in Ubuntu 14.04.
+# expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m comment --comment "501 - test" -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-j REJECT --reject-with icmp-port-unreachable/)
+# end
+# end
+# end
+# end
+# end
+# end
-require 'spec_helper_acceptance'
+# require 'spec_helper_acceptance'
-describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+# describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
- before(:all) do
- shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
- shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
- end
+# before(:all) do
+# shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
+# shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
+# end
- describe 'dscp ipv4 tests' do
- context 'set_dscp 0x01' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '1000 - set_dscp':
- proto => 'tcp',
- jump => 'DSCP',
- set_dscp => '0x01',
- port => '997',
- chain => 'OUTPUT',
- table => 'mangle',
- }
- EOS
+# describe 'dscp ipv4 tests' do
+# context 'set_dscp 0x01' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '1000 - set_dscp':
+# proto => 'tcp',
+# jump => 'DSCP',
+# set_dscp => '0x01',
+# port => '997',
+# chain => 'OUTPUT',
+# table => 'mangle',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01/)
- end
- end
- end
+# it 'should contain the rule' do
+# shell('iptables-save -t mangle') do |r|
+# expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01/)
+# end
+# end
+# end
- context 'set_dscp_class EF' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '1001 EF - set_dscp_class':
- proto => 'tcp',
- jump => 'DSCP',
- port => '997',
- set_dscp_class => 'EF',
- chain => 'OUTPUT',
- table => 'mangle',
- }
- EOS
+# context 'set_dscp_class EF' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '1001 EF - set_dscp_class':
+# proto => 'tcp',
+# jump => 'DSCP',
+# port => '997',
+# set_dscp_class => 'EF',
+# chain => 'OUTPUT',
+# table => 'mangle',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e/)
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('iptables-save') do |r|
+# expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e/)
+# end
+# end
+# end
+# end
- if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
- describe 'dscp ipv6 tests' do
- context 'set_dscp 0x01' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '1002 - set_dscp':
- proto => 'tcp',
- jump => 'DSCP',
- set_dscp => '0x01',
- port => '997',
- chain => 'OUTPUT',
- table => 'mangle',
- provider => 'ip6tables',
- }
- EOS
+# if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
+# describe 'dscp ipv6 tests' do
+# context 'set_dscp 0x01' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '1002 - set_dscp':
+# proto => 'tcp',
+# jump => 'DSCP',
+# set_dscp => '0x01',
+# port => '997',
+# chain => 'OUTPUT',
+# table => 'mangle',
+# provider => 'ip6tables',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01/)
- end
- end
- end
+# it 'should contain the rule' do
+# shell('ip6tables-save -t mangle') do |r|
+# expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01/)
+# end
+# end
+# end
- context 'set_dscp_class EF' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '1003 EF - set_dscp_class':
- proto => 'tcp',
- jump => 'DSCP',
- port => '997',
- set_dscp_class => 'EF',
- chain => 'OUTPUT',
- table => 'mangle',
- provider => 'ip6tables',
- }
- EOS
+# context 'set_dscp_class EF' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '1003 EF - set_dscp_class':
+# proto => 'tcp',
+# jump => 'DSCP',
+# port => '997',
+# set_dscp_class => 'EF',
+# chain => 'OUTPUT',
+# table => 'mangle',
+# provider => 'ip6tables',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e/)
- end
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('ip6tables-save') do |r|
+# expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e/)
+# end
+# end
+# end
+# end
+# end
-end
+# end
-require 'spec_helper_acceptance'
+# require 'spec_helper_acceptance'
-describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+# describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
- before(:all) do
- shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
- shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
- end
+# before(:all) do
+# shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
+# shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
+# end
- describe 'mss ipv4 tests' do
- context '1360' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '502 - set_mss':
- proto => 'tcp',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- set_mss => '1360',
- mss => '1361:1541',
- chain => 'FORWARD',
- table => 'mangle',
- }
- EOS
+# describe 'mss ipv4 tests' do
+# context '1360' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '502 - set_mss':
+# proto => 'tcp',
+# tcp_flags => 'SYN,RST SYN',
+# jump => 'TCPMSS',
+# set_mss => '1360',
+# mss => '1361:1541',
+# chain => 'FORWARD',
+# table => 'mangle',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
- end
- end
- end
+# it 'should contain the rule' do
+# shell('iptables-save -t mangle') do |r|
+# expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
+# end
+# end
+# end
- context 'clamp_mss_to_pmtu' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '503 - clamp_mss_to_pmtu':
- proto => 'tcp',
- chain => 'FORWARD',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- clamp_mss_to_pmtu => true,
- }
- EOS
+# context 'clamp_mss_to_pmtu' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '503 - clamp_mss_to_pmtu':
+# proto => 'tcp',
+# chain => 'FORWARD',
+# tcp_flags => 'SYN,RST SYN',
+# jump => 'TCPMSS',
+# clamp_mss_to_pmtu => true,
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('iptables-save') do |r|
+# expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
+# end
+# end
+# end
+# end
- if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
- describe 'mss ipv6 tests' do
- context '1360' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '502 - set_mss':
- proto => 'tcp',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- set_mss => '1360',
- mss => '1361:1541',
- chain => 'FORWARD',
- table => 'mangle',
- provider => 'ip6tables',
- }
- EOS
+# if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
+# describe 'mss ipv6 tests' do
+# context '1360' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '502 - set_mss':
+# proto => 'tcp',
+# tcp_flags => 'SYN,RST SYN',
+# jump => 'TCPMSS',
+# set_mss => '1360',
+# mss => '1361:1541',
+# chain => 'FORWARD',
+# table => 'mangle',
+# provider => 'ip6tables',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
- end
- end
- end
+# it 'should contain the rule' do
+# shell('ip6tables-save -t mangle') do |r|
+# expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
+# end
+# end
+# end
- context 'clamp_mss_to_pmtu' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '503 - clamp_mss_to_pmtu':
- proto => 'tcp',
- chain => 'FORWARD',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- clamp_mss_to_pmtu => true,
- provider => 'ip6tables',
- }
- EOS
+# context 'clamp_mss_to_pmtu' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '503 - clamp_mss_to_pmtu':
+# proto => 'tcp',
+# chain => 'FORWARD',
+# tcp_flags => 'SYN,RST SYN',
+# jump => 'TCPMSS',
+# clamp_mss_to_pmtu => true,
+# provider => 'ip6tables',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
- end
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('ip6tables-save') do |r|
+# expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
+# end
+# end
+# end
+# end
+# end
-end
+# end
-require 'spec_helper_acceptance'
+# require 'spec_helper_acceptance'
-describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+# describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
- before(:all) do
- shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
- shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
- end
+# before(:all) do
+# shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
+# shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
+# end
- if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /ubuntu-1204/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
- describe 'tee_gateway' do
- context '10.0.0.2' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '810 - tee_gateway':
- chain => 'PREROUTING',
- table => 'mangle',
- jump => 'TEE',
- gateway => '10.0.0.2',
- proto => all,
- }
- EOS
+# if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /ubuntu-1204/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
+# describe 'tee_gateway' do
+# context '10.0.0.2' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '810 - tee_gateway':
+# chain => 'PREROUTING',
+# table => 'mangle',
+# jump => 'TEE',
+# gateway => '10.0.0.2',
+# proto => all,
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2/)
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('iptables-save -t mangle') do |r|
+# expect(r.stdout).to match(/-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2/)
+# end
+# end
+# end
+# end
- describe 'tee_gateway6' do
- context '2001:db8::1' do
- it 'applies' do
- pp = <<-EOS
- class { '::firewall': }
- firewall {
- '811 - tee_gateway6':
- chain => 'PREROUTING',
- table => 'mangle',
- jump => 'TEE',
- gateway => '2001:db8::1',
- proto => all,
- provider => 'ip6tables',
- }
- EOS
+# describe 'tee_gateway6' do
+# context '2001:db8::1' do
+# it 'applies' do
+# pp = <<-EOS
+# class { '::firewall': }
+# firewall {
+# '811 - tee_gateway6':
+# chain => 'PREROUTING',
+# table => 'mangle',
+# jump => 'TEE',
+# gateway => '2001:db8::1',
+# proto => all,
+# provider => 'ip6tables',
+# }
+# EOS
- apply_manifest(pp, :catch_failures => true)
- end
+# apply_manifest(pp, :catch_failures => true)
+# end
- it 'should contain the rule' do
- shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1/)
- end
- end
- end
- end
- end
+# it 'should contain the rule' do
+# shell('ip6tables-save -t mangle') do |r|
+# expect(r.stdout).to match(/-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1/)
+# end
+# end
+# end
+# end
+# end
-end
+# end
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff