From: Jonathan Tripathy Date: Thu, 23 Jul 2015 10:37:27 +0000 (+0100) Subject: Further test exclusions for SLES 10 X-Git-Tag: 1.7.0~3^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=6d2716eebb4baf93ffd183a26c0d3145f6be7ce8;p=puppet-modules%2Fpuppetlabs-firewall.git Further test exclusions for SLES 10
---
diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb
index be0c5db..259a472 100644
--- a/spec/acceptance/firewall_iptmodules_spec.rb
+++ b/spec/acceptance/firewall_iptmodules_spec.rb
@@ -140,7 +140,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 # Older OSes don't have addrtype so we leave those properties out.
 # el-5 doesn't support ipv6 by default
- elsif default['platform'] !~ /el-5/
+ elsif default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
 describe 'ip6tables ipt_modules tests' do
 context 'all the modules with multiple args' do
 it 'applies' do
diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb
index 167c958..4a2125b 100644
--- a/spec/acceptance/firewall_mss_spec.rb
+++ b/spec/acceptance/firewall_mss_spec.rb
@@ -59,7 +59,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 end
- if default['platform'] !~ /el-5/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
 describe 'mss ipv6 tests' do
 context '1360' do
 it 'applies' do
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 8ae9b12..4ce7bb4 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -903,7 +903,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 # RHEL5 does not support --random
- if default['platform'] !~ /el-5/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
 describe 'random' do
 context '192.168.1.1' do
 it 'applies' do
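Review bot: The comments above the widened guards in firewall_iptmodules_spec.rb (`# el-5 doesn't support ipv6 by default`) and firewall_spec.rb at -903 (`# RHEL5 does not support --random`) still name only el-5, so the reason SLES 10 is skipped is undocumented; each should gain a line such as `# SLES 10 ships the same old iptables, so it is skipped too` once the reason is confirmed. The two-regex condition is also repeated in the same form in the mss, match_mark, purge and resource_cmd hunks; a single alternation, `default['platform'] !~ /el-5|sles-10/`, is equivalent and removes the and/or choice that this commit had to correct at -1801. The guarded `describe` blocks continue outside these hunks.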
@@ -1801,7 +1801,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 #iptables version 1.3.5 does not support masks on MARK rules
- if default['platform'] !~ /el-5/ or default['platform'] !~ /sles-10/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
 describe 'set_mark' do
 context '0x3e8/0xffffffff' do
 it 'applies' do
@@ -2217,7 +2217,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5')
+ if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') or (fact('osfamily') == 'SLES' and fact('operatingsystemmajrelease') == '10')
 expect(r.stdout).to match(/-A INPUT -s 10.1.5.28 -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
 else
 expect(r.stdout).to match(/-A INPUT -s 10.1.5.28\/(32|255\.255\.255\.255) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb
index f8ce25e..1c5790b 100644
--- a/spec/acceptance/invert_spec.rb
+++ b/spec/acceptance/invert_spec.rb
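Review bot: In the hunk at -2217 the added clause `fact('osfamily') == 'SLES'` is unlikely ever to be true, because Facter normally reports SLES hosts with osfamily `Suse` and operatingsystem `SLES`. On SLES 10 the test would then still take the `else` branch and expect the masked `10.1.5.28/32` form. The platform check used everywhere else in this commit would be safer here: `if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') or default['platform'] =~ /sles-10/`. The same clause is added in invert_spec.rb at -30 and needs the same change. Both `it` blocks continue outside their hunks.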
@@ -30,7 +30,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 it 'should contain the rules' do
 shell('iptables-save') do |r|
- if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5')
+ if (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') or (fact('osfamily') == 'SLES' and fact('operatingsystemmajrelease') == '10')
 expect(r.stdout).to match(/-A INPUT -p ! esp -m comment --comment "601 disallow esp protocol" -j ACCEPT/)
 expect(r.stdout).to match(/-A INPUT -s ! 10\.0\.0\.0\/255\.0\.0\.0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --sports ! 80,443 -m comment --comment "602 drop NEW external website packets with FIN\/RST\/ACK set and SYN unset" -m state --state NEW -j DROP/)
 else
diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb
index 86c2858..5a34ebf 100644
--- a/spec/acceptance/ip6_fragment_spec.rb
+++ b/spec/acceptance/ip6_fragment_spec.rb
@@ -1,6 +1,6 @@
 require 'spec_helper_acceptance'
-if default['platform'] =~ /el-5/
+if default['platform'] =~ /el-5/ and default['platform'] =~ /sles-10/
 describe "firewall ip6tables doesn't work on 1.3.5 because --comment is missing", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
 before :all do
 ip6tables_flush_all_tables
diff --git a/spec/acceptance/match_mark_spec.rb b/spec/acceptance/match_mark_spec.rb
index a2fff49..cf5858d 100644
--- a/spec/acceptance/match_mark_spec.rb
+++ b/spec/acceptance/match_mark_spec.rb
@@ -7,7 +7,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
 end
- if default['platform'] !~ /el-5/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
 describe 'match_mark' do
 context '0x1' do
 it 'applies' do
diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
index 2d87220..e191c12 100644
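Review bot: The new condition in ip6_fragment_spec.rb, `if default['platform'] =~ /el-5/ and default['platform'] =~ /sles-10/`, needs one platform string to match both patterns. The describe block will therefore presumably never run, including on the el-5 hosts that ran it before this commit. The negated guards elsewhere correctly use `and`, but this positive guard needs `or`: `if default['platform'] =~ /el-5/ or default['platform'] =~ /sles-10/`, or equivalently `=~ /el-5|sles-10/`. As written, the spec that records the ip6tables 1.3.5 failure drops out of the run without any visible skip. The describe block continues past the end of the hunk.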
--- a/spec/acceptance/purge_spec.rb
+++ b/spec/acceptance/purge_spec.rb
@@ -124,104 +124,107 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/) end end - context 'ipv6 chain purge', :unless => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') do - after(:all) do - ip6tables_flush_all_tables - end - before(:each) do - ip6tables_flush_all_tables - - shell('ip6tables -A INPUT -p tcp -s 1::42') - shell('ip6tables -A INPUT -p udp -s 1::42') - shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"') - end - - it 'purges only the specified chain' do - pp = <<-EOS - class { 'firewall': } - firewallchain { 'INPUT:filter:IPv6': - purge => true, - } - EOS - - apply_manifest(pp, :expect_changes => true) - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/010 output-1::50/) - expect(r.stdout).to_not match(/1::42/) - expect(r.stderr).to eq("") + if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/ + context 'ipv6 chain purge' do + after(:all) do + ip6tables_flush_all_tables end - end - - it 'ignores managed rules' do - pp = <<-EOS - class { 'firewall': } - firewallchain { 'OUTPUT:filter:IPv6': - purge => true, - } - firewall { '010 output-1::50': - chain => 'OUTPUT', - proto => 'all', - source => '1::50', - provider => 'ip6tables', - } - EOS + before(:each) do + ip6tables_flush_all_tables - apply_manifest(pp, :catch_changes => do_catch_changes) - end - - it 'ignores specified rules' do - pp = <<-EOS - class { 'firewall': } - firewallchain { 'INPUT:filter:IPv6': - purge => true, - ignore => [ - '-s 1::42', - ], - } - EOS + shell('ip6tables -A INPUT -p tcp -s 1::42') + shell('ip6tables -A INPUT -p udp -s 1::42') + shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"') + end - apply_manifest(pp, :catch_changes => do_catch_changes) - end + it 'purges only the specified chain' do + pp = <<-EOS + class 
{ 'firewall': } + firewallchain { 'INPUT:filter:IPv6': + purge => true, + } + EOS + + apply_manifest(pp, :expect_changes => true) + + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/010 output-1::50/) + expect(r.stdout).to_not match(/1::42/) + expect(r.stderr).to eq("") + end + end - it 'adds managed rules with ignored rules' do - pp = <<-EOS - class { 'firewall': } - firewallchain { 'INPUT:filter:IPv6': - purge => true, - ignore => [ - '-s 1::42', - ], - } - firewall { '014 input-1::46': - chain => 'INPUT', - proto => 'all', - source => '1::46', - provider => 'ip6tables', - } - -> firewall { '013 input-1::45': - chain => 'INPUT', - proto => 'all', - source => '1::45', - provider => 'ip6tables', - } - -> firewall { '012 input-1::44': - chain => 'INPUT', - proto => 'all', - source => '1::44', - provider => 'ip6tables', - } - -> firewall { '011 input-1::43': - chain => 'INPUT', - proto => 'all', - source => '1::43', - provider => 'ip6tables', - } - EOS + it 'ignores managed rules' do + pp = <<-EOS + class { 'firewall': } + firewallchain { 'OUTPUT:filter:IPv6': + purge => true, + } + firewall { '010 output-1::50': + chain => 'OUTPUT', + proto => 'all', + source => '1::50', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_changes => do_catch_changes) + end - apply_manifest(pp, :catch_failures => true) + it 'ignores specified rules' do + pp = <<-EOS + class { 'firewall': } + firewallchain { 'INPUT:filter:IPv6': + purge => true, + ignore => [ + '-s 1::42', + ], + } + EOS + + apply_manifest(pp, :catch_changes => do_catch_changes) + end - expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? 
-p udp/) + it 'adds managed rules with ignored rules' do + pp = <<-EOS + class { 'firewall': } + firewallchain { 'INPUT:filter:IPv6': + purge => true, + ignore => [ + '-s 1::42', + ], + } + firewall { '014 input-1::46': + chain => 'INPUT', + proto => 'all', + source => '1::46', + provider => 'ip6tables', + } + -> firewall { '013 input-1::45': + chain => 'INPUT', + proto => 'all', + source => '1::45', + provider => 'ip6tables', + } + -> firewall { '012 input-1::44': + chain => 'INPUT', + proto => 'all', + source => '1::44', + provider => 'ip6tables', + } + -> firewall { '011 input-1::43': + chain => 'INPUT', + proto => 'all', + source => '1::43', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + + expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/) + end end end end diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb index f2b0141..76a106e 100644 --- a/spec/acceptance/resource_cmd_spec.rb +++ b/spec/acceptance/resource_cmd_spec.rb 
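Review bot: The purge_spec.rb exclusion for 'ipv6 chain purge' moves from a fact check (`osfamily` RedHat with major release 5) to a match on the nodeset name, which may not cover the same hosts. An EL5-family node whose platform string does not contain `el-5` (a `centos-5-…` name, for example, if the nodesets use one) would now run these ip6tables tests. Keeping the metadata form would avoid that and also avoid re-indenting about a hundred lines: `context 'ipv6 chain purge', :unless => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') || default['platform'] =~ /sles-10/ do`. Which platform names the nodesets actually use is not visible in this diff.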
@@ -96,20 +96,22 @@ describe 'puppet resource firewall command:', :unless => UNSUPPORTED_PLATFORMS.i
 end
 end
- context 'accepts rules utilizing the statistic module' do
- before :all do
- iptables_flush_all_tables
- # This command doesn't work with all versions/oses, so let it fail
- shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', :acceptable_exit_codes => [0,1,2] )
- shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6')
- shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7')
- end
+ if default['platform'] !~ /sles-10/
+ context 'accepts rules utilizing the statistic module' do
+ before :all do
+ iptables_flush_all_tables
+ # This command doesn't work with all versions/oses, so let it fail
+ shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 2 -j SNAT --to-source 2.3.4.5', :acceptable_exit_codes => [0,1,2] )
+ shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode nth --every 1 --packet 0 -j SNAT --to-source 2.3.4.6')
+ shell('iptables -t nat -A POSTROUTING -d 1.2.3.4/32 -o eth0 -m statistic --mode random --probability 0.99 -j SNAT --to-source 2.3.4.7')
+ end
- it do
- shell('puppet resource firewall') do |r|
- r.exit_code.should be_zero
- # don't check stdout, testing preexisting rules, output is normal
- r.stderr.should be_empty
+ it do
+ shell('puppet resource firewall') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
+ end
 end
 end
 end
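Review bot: The new `if default['platform'] !~ /sles-10/` guard around the statistic-module context has no comment saying why SLES 10 is skipped, unlike the other exclusions in this commit, which sit under a note naming the iptables limitation. Only the first `shell` call tolerates failure via `:acceptable_exit_codes`, so the second and third calls are presumably what fail there, though the diff does not show it. A line above the guard such as `# iptables on SLES 10 does not support -m statistic` would record the reason once it is confirmed.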
@@ -150,7 +152,7 @@ describe 'puppet resource firewall command:', :unless => UNSUPPORTED_PLATFORMS.i
 # version of iptables that ships with el5 doesn't work with the
 # ip6tables provider
- if default['platform'] !~ /el-5/
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
 context 'dport/sport with ip6tables' do
 before :all do
 if fact('osfamily') == 'Debian'