From: adrianiurca
Date: Wed, 2 Sep 2020 06:51:29 +0000 (+0300)
Subject: add aceptance test for condition parameter
X-Git-Tag: v2.8.0~4^2~2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=aca038f991c2334ff182169b68b6381e478785c5;p=puppet-modules%2Fpuppetlabs-firewall.git

add aceptance test for condition parameter
---

diff --git a/README.md b/README.md
index bc583a5..500d403 100644
--- a/README.md
+++ b/README.md
@@ -474,6 +474,20 @@ To prevent this issue, do not use MCollective to kick off Puppet runs. Use any o
 * Use a cron job.
 * Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console.
 
+### condition parameter
+
+The `condition` parameter requires `xtables-addons` to be installed locally.
+For ubuntu distributions `xtables-addons-common` package can be installed by running command: `apt-get install xtables-addons-common` or
+running a manifest:
+
+```puppet
+package { 'xtables-addons-common':
+ ensure => 'latest',
+}
+```
+
+For other distributions(RedHat, Debian, Centos etc) is required a manual installation of `xtables-addons` package.
+
 #### Reporting Issues
 
 Please report any bugs in the Puppetlabs JIRA issue tracker:
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 53d161d..efab4f8 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -311,5 +311,5 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, - :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name, :notrack, :condition] + :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :condition, :name, :notrack] end diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 2963017..5624e45 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -351,7 +351,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, - :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack, :condition + :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :condition, :name, :notrack ] def insert 
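Review bot: The reordering of `:condition` ahead of `:name` and `:notrack` in the iptables.rb `@resource_list` hunk is not explained anywhere in the code, and the identical reordering is repeated by hand in ip6tables.rb, so the two lists are easy to desynchronise in a later edit. Presumably the position has to agree with the order in which iptables-save prints the matches — the acceptance test added in this commit expects `-m condition ! --condition "isblue"` to appear before `-m comment --comment` — but that requirement is only implied by the test. I would add a comment on the changed line in both providers, e.g. `# :condition must precede :name (the -m comment match): list order is the emitted argument order and has to agree with iptables-save output`. The `@resource_list` assignment begins before this hunk.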
@@ -455,6 +455,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 values = values.gsub(%r{(!\s+)?--tcp-flags (\S*) (\S*)}, '--tcp-flags "\1\2 \3"')
 # --hex-string output is in quotes, need to move ! inside quotes
 values = values.gsub(%r{(!\s+)?--hex-string "(\S*?)"}, '--hex-string "\1\2"')
+ # --condition output is in quotes, need to move ! inside quotes
+ values = values.gsub(%r{(!\s+)?--condition "(\S*?)"}, '--condition "\1\2"')
 # --match-set can have multiple values with weird iptables format
 if values =~ %r{-m set (!\s+)?--match-set}
 values = values.gsub(%r{(!\s+)?--match-set (\S*) (\S*)}, '--match-set \1\2 \3')
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 71199d1..10a61ce 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2254,7 +2254,7 @@ Puppet::Type.newtype(:firewall) do
 PUPPETCODE
 newvalues(:true, :false)
 end
-
+
 newproperty(:condition, required_features: :condition) do
 desc <<-PUPPETCODE
 Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
index 03937a7..26ba273 100644
--- a/spec/acceptance/firewall_attributes_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb
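Review bot: The new `--condition` rewrite on the added line only matches names without whitespace (`"(\S*?)"`), so a condition value containing a space or an embedded double quote is left with the `!` outside the quotes and will likely never parse back to the value the manifest set, which in this provider usually surfaces as the rule being re-applied on every run. Whether the type rejects such names is not visible here (any validation on the `condition` property is outside this diff), so either the property should constrain the name to the characters the kernel accepts, or this regex should tolerate a quoted string, e.g. `values = values.gsub(%r{(!\s+)?--condition "([^"]*)"}, '--condition "\1\2"')`. The enclosing method starts and ends outside the hunk.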
@@ -1369,4 +1369,31 @@ describe 'firewall basics', docker: true do
 expect(result.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
 end
 end
+
+ describe 'condition', ubuntu_vmpooler: false do
+ context 'is set' do
+ pp = <<-PUPPETCODE
+ if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '14.04') > 0 {
+ firewall { '010 isblue ipv4':
+ ensure => 'present',
+ condition => '! isblue',
+ chain => 'INPUT',
+ iniface => 'enp0s8',
+ proto => 'icmp',
+ action => 'drop',
+ }
+ }
+ PUPPETCODE
+ it 'applies' do
+ apply_manifest(pp)
+ end
+ if fetch_os_name == 'ubuntu' && os[:release].to_i > 14
+ it 'contains the rule' do
+ run_shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -i enp0s8 -p icmp -m condition ! --condition "isblue" -m comment --comment "010 isblue ipv4" -j DROP})
+ end
+ end
+ end
+ end
+ end
 end
diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
index 6682c44..f34e628 100644
--- a/spec/spec_helper_acceptance_local.rb
+++ b/spec/spec_helper_acceptance_local.rb
@@ -44,15 +44,15 @@ def update_profile_file
 end
 
 RSpec.configure do |c|
+ # This flag is disabling some tests on docker/vagrant containers
+ # To enable tests on abs/vmpooler machines just set to `true` this flag
+ c.filter_run_excluding ubuntu_vmpooler: false
 c.before :suite do
 if os[:family] == 'debian' && os[:release].to_i == 10
 pp = <<-PUPPETCODE
 package { 'net-tools':
 ensure => 'latest',
 }
- package { 'iptables':
- ensure => 'latest',
- }
 PUPPETCODE
 LitmusHelper.instance.apply_manifest(pp)
 LitmusHelper.instance.run_shell('update-alternatives --set iptables /usr/sbin/iptables-legacy', expect_failures: true)
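Review bot: The `applies` example in the new `condition` block passes vacuously on any host that is not Ubuntu newer than 14.04, because the manifest body is wrapped in a Puppet-side `if` and an empty catalog applies cleanly, and the block is additionally tagged `ubuntu_vmpooler: false`, which the spec helper excludes by default, so a default run never exercises the feature at all. A skip is more honest than a green result: `before { skip 'condition match needs xtables-addons on Ubuntu' unless fetch_os_name == 'ubuntu' && os[:release].to_i > 14 }` at the top of the context, which also lets the Puppet `if` and the duplicated Ruby guard go away. As written the two guards also disagree (`versioncmp(..., '14.04') > 0` versus `os[:release].to_i > 14`, e.g. on 14.10), which is harmless but should be one condition. Finally the ICMP DROP rule on INPUT for `enp0s8` is left in place after the suite; an `ensure => 'absent'` follow-up would keep the test host clean.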
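Review bot: `c.filter_run_excluding ubuntu_vmpooler: false` disables every example tagged `ubuntu_vmpooler: false` — including the new `condition` test — and the only way to enable them is to edit this file, and the comment's wording ("just set to `true` this flag") is misleading, since changing the value to `true` does not enable anything tagged `true`, it only stops excluding the `false`-tagged examples. Drive the switch from the environment so a vmpooler CI job can opt in without a source change: `c.filter_run_excluding ubuntu_vmpooler: false unless ENV['FIREWALL_RUN_VMPOOLER_TESTS']`, with a comment such as `# examples tagged ubuntu_vmpooler: false are skipped on docker/vagrant; set FIREWALL_RUN_VMPOOLER_TESTS=1 on vmpooler to run them`. The removal of `package { 'iptables' }` from the Debian 10 branch is presumably the move into the later hunk, but that later branch's condition is outside this diff, so it is worth confirming Debian 10 still gets iptables installed before the `update-alternatives` call that follows.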
@@ -62,6 +62,12 @@ RSpec.configure do |c|
 package { 'conntrack-tools':
 ensure => 'latest',
 }
+ package { 'xtables-addons-common':
+ ensure => 'latest',
+ }
+ package { 'iptables':
+ ensure => 'latest',
+ }
 PUPPETCODE
 LitmusHelper.instance.apply_manifest(pp)
 end
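Review bot: The two package resources added here hard-code the Debian/Ubuntu package names `xtables-addons-common` and `iptables`, but the condition selecting this branch is outside the hunk, so if it also runs on a RedHat-family host the `package` resource fails the whole `before :suite` rather than just the condition test; the README in this same commit says those platforms need a manual `xtables-addons` install, which suggests guarding the resource with `if $facts['os']['family'] == 'Debian' { ... }` inside the heredoc. `ensure => 'latest'` on `iptables` in a test bootstrap also means the suite may upgrade iptables between runs and change the `iptables-save` output the expectations match against; `ensure => 'installed'` is the safer choice for a fixture, although the existing `conntrack-tools` resource uses `latest` as well. The enclosing branch and `pp` heredoc begin before this hunk.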