From: tphoney
Date: Thu, 21 Feb 2019 17:18:57 +0000 (+0000)
Subject: clean tests for log mss
X-Git-Tag: 1.15.2~8^2~1
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=31a60eb4cbeedbc43fadbca29e4d2c321d4e5d77;p=puppet-modules%2Fpuppetlabs-firewall.git
clean tests for log mss
---
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index a95b5f8..89b8760 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -10,6 +10,15 @@ describe 'firewall attribute testing, happy path' do
 before(:all) do
 pp = <<-PUPPETCODE
 class { '::firewall': }
+ firewall { '004 - log_level and log_prefix':
+ chain => 'INPUT',
+ proto => 'all',
+ ctstate => 'INVALID',
+ jump => 'LOG',
+ log_level => '3',
+ log_prefix => 'IPTABLES dropped invalid: ',
+ }
+
 firewall { '501 - connlimit':
 proto => tcp,
 dport => '2222',
@@ -166,6 +175,24 @@ describe 'firewall attribute testing, happy path' do
 reject => 'icmp-net-unreachable',
 table => 'filter',
 }
+ firewall {
+ '600 - set_mss':
+ proto => 'tcp',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ set_mss => '1360',
+ mss => '1361:1541',
+ chain => 'FORWARD',
+ table => 'mangle',
+ }
+ firewall {
+ '601 - clamp_mss_to_pmtu':
+ proto => 'tcp',
+ chain => 'FORWARD',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ clamp_mss_to_pmtu => true,
+ }
 firewall { '700 - blah-A Test Rule':
 jump => 'LOG',
 log_prefix => 'FW-A-INPUT: ',
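Review bot: The two resources added in the `@@ -166` hunk split their titles onto a second line (`firewall {` then `'600 - set_mss':`), while every other resource in this heredoc — `'004 - log_level and log_prefix'` from the first hunk, `'501 - connlimit'`, `'700 - blah-A Test Rule'` — keeps the title on the `firewall {` line; write them as `firewall { '600 - set_mss':` and `firewall { '601 - clamp_mss_to_pmtu':` to match. Rule `601` also names no `table` while `600` pins `mangle`, so a one-line comment such as `# 601 deliberately left in the default table` above it would record that the difference is intentional, if it is. The `before(:all)` heredoc this hunk edits begins and ends outside it.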
@@ -228,6 +255,9 @@ describe 'firewall attribute testing, happy path' do
 end
 let(:result) { shell('iptables-save') }
+ it 'log_level and log_prefix' do
+ expect(result.stdout).to match(%r{A INPUT -m conntrack --ctstate INVALID -m comment --comment "004 - log_level and log_prefix" -j LOG --log-prefix "IPTABLES dropped invalid: " --log-level 3})
+ end
 it 'contains the connlimit and connlimit_mask rule' do
 expect(result.stdout).to match(
 %r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Metrics/LineLength
@@ -302,6 +332,12 @@ describe 'firewall attribute testing, happy path' do
 it 'ipsec_policy none and dir in' do
 expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
 end
+ it 'set_mss is set' do
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "600 - set_mss" -j TCPMSS --set-mss 1360})
+ end
+ it 'clamp_mss_to_pmtu is set' do
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "601 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
+ end
 it 'comment containing "-A "' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
 end
diff --git a/spec/acceptance/firewall_log_spec.rb b/spec/acceptance/firewall_log_spec.rb
deleted file mode 100644
index 4693221..0000000
--- a/spec/acceptance/firewall_log_spec.rb
+++ /dev/null
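Review bot: The pattern added for rule 004, `%r{A INPUT -m conntrack --ctstate INVALID ...}`, drops the leading `-` that every neighbouring expectation anchors on (`%r{-A INPUT ...}`), so as printed it no longer requires the `-A` append marker; change it to `%r{-A INPUT -m conntrack --ctstate INVALID -m comment --comment "004 - log_level and log_prefix" -j LOG --log-prefix "IPTABLES dropped invalid: " --log-level 3}`. The example name `it 'log_level and log_prefix' do` also differs from the `it 'contains the ...'` phrasing used two lines below; `it 'contains the log_level and log_prefix rule' do` would read consistently. Separately, the deleted `spec/acceptance/firewall_log_spec.rb` also asserted idempotence of the log rule (exit code 2 then 0 on repeated `apply_manifest`) and purge of a renamed rule, which a single `iptables-save` match does not cover; unless the shared `before(:all)` manifest is applied twice elsewhere in this file (not visible in the hunk), that coverage is lost. The enclosing describe block starts and ends outside the hunk.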
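Review bot: The `set_mss` expectation no longer verifies the table the rule landed in: the removed `spec/acceptance/firewall_mss_spec.rb` read `iptables-save -t mangle` for the equivalent `'502 - set_mss'` rule, whereas `let(:result)` in this file is a plain `iptables-save` dump and the new `%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss ...}` carries no table marker, so the same rule written to the filter table would still pass. Adding `let(:mangle_result) { shell('iptables-save -t mangle') }` next to the existing `let(:result)` and matching `expect(mangle_result.stdout).to match(...)` in `it 'set_mss is set'` restores that check. The `'601 - clamp_mss_to_pmtu'` expectation can stay on `result` since that rule sets no `table`. The enclosing describe block continues outside the hunk.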
@@ -1,75 +0,0 @@
-require 'spec_helper_acceptance'
-
-describe 'log based tests' do
- before :all do
- iptables_flush_all_tables
- ip6tables_flush_all_tables
- end
-
- ppm2 = <<-PUPPETCODE
- firewall { '998 log all':
- proto => 'all',
- jump => 'LOG',
- log_level => 'debug',
- }
- PUPPETCODE
- values = [2, 0]
- it 'test log rule' do
- iptables_flush_all_tables
-
- values.each do |value|
- expect(apply_manifest(ppm2, catch_failures: true).exit_code).to eq(value)
- end
- end
-
- ppm3 = <<-PUPPETCODE
- firewall { '004 log all INVALID packets':
- chain => 'INPUT',
- proto => 'all',
- ctstate => 'INVALID',
- jump => 'LOG',
- log_level => '3',
- log_prefix => 'IPTABLES dropped invalid: ',
- }
- PUPPETCODE
- ppm4 = <<-PUPPETCODE
- firewall { '003 log all INVALID packets':
- chain => 'INPUT',
- proto => 'all',
- ctstate => 'INVALID',
- jump => 'LOG',
- log_level => '3',
- log_prefix => 'IPTABLES dropped invalid: ',
- }
- PUPPETCODE
- ppm5 = <<-PUPPETCODE + "\n" + ppm4
- resources { 'firewall':
- purge => true,
- }
- PUPPETCODE
- it 'test log rule - changing names' do
- iptables_flush_all_tables
-
- expect(apply_manifest(ppm3, catch_failures: true).exit_code).to eq(2)
- expect(apply_manifest(ppm5, catch_failures: true).exit_code).to eq(2)
- end
-
- ppm9 = <<-PUPPETCODE
- firewall { '004 log all INVALID packets':
- chain => 'INPUT',
- proto => 'all',
- ctstate => 'INVALID',
- jump => 'LOG',
- log_level => '3',
- log_prefix => 'IPTABLES dropped invalid: ',
- }
- PUPPETCODE
- values = [2, 0]
- it 'test log rule - idempotent' do
- iptables_flush_all_tables
-
- values.each do |value|
- expect(apply_manifest(ppm9, catch_failures: true).exit_code).to eq(value)
- end
- end
-end
diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb
index 2648fe5..d389b17 100644
--- a/spec/acceptance/firewall_mss_spec.rb
+++ b/spec/acceptance/firewall_mss_spec.rb
@@ -6,56 +6,6 @@ describe 'firewall MSS' do
 ip6tables_flush_all_tables
 end
- describe 'mss ipv4 tests' do
- context 'when 1360' do
- pp1 = <<-PUPPETCODE
- class { '::firewall': }
- firewall {
- '502 - set_mss':
- proto => 'tcp',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- set_mss => '1360',
- mss => '1361:1541',
- chain => 'FORWARD',
- table => 'mangle',
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp1, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
- end
- end
- end
-
- context 'when clamp_mss_to_pmtu' do
- pp2 = <<-PUPPETCODE
- class { '::firewall': }
- firewall {
- '503 - clamp_mss_to_pmtu':
- proto => 'tcp',
- chain => 'FORWARD',
- tcp_flags => 'SYN,RST SYN',
- jump => 'TCPMSS',
- clamp_mss_to_pmtu => true,
- }
- PUPPETCODE
- it 'applies' do
- apply_manifest(pp2, catch_failures: true)
- end
-
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
- end
- end
- end
- end
-
 if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
 describe 'mss ipv6 tests' do
 context 'when 1360' do