From: tphoney
Date: Tue, 5 Mar 2019 09:24:29 +0000 (+0000)
Subject: simplify ipv6 test logic and remove default calls
X-Git-Tag: 1.15.2~7^2~1
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=feb491bab500f61bad1d48d0097b42776b317d64;p=puppet-modules%2Fpuppetlabs-firewall.git
simplify ipv6 test logic and remove default calls
---
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
index 7ce6ede..a2956b2 100644
--- a/spec/acceptance/firewall_attributes_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -405,7 +405,7 @@ describe 'firewall basics', docker: true do
 # iptables version 1.3.5 is not suppored by the ip6tables provider
 # iptables version 1.4.7 fails for multiple hl entries
- if default['platform'] !~ %r{(el-5|el-6|sles-11)}
+ describe 'testing ipv6', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) || (os[:family] == 'sles') do
 describe 'hop_limit' do
 context 'when 5' do
 pp42 = <<-PUPPETCODE
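Review bot: The new `unless:` guard on `describe 'testing ipv6'` tests the first character of the release with `['5', '6'].include?(os[:release][0])`, while the guards this same commit adds to firewall_bridging_spec.rb, firewall_dscp_spec.rb and firewall_mss_spec.rb use `os[:release].start_with?('5')`; both forms select the same hosts here, but `os[:release].start_with?('5', '6')` keeps one idiom across the suite. The replaced regex only excluded `sles-11`, whereas `os[:family] == 'sles'` now skips every SLES release, and the two comment lines above the describe say nothing about SLES, so I would add a line there stating why SLES as a whole is skipped (the reason is not visible in this diff). The same expression is duplicated verbatim in firewall_iptmodules_spec.rb in this commit; a single predicate in spec_helper_acceptance, which these files already require, would keep the two from drifting. The describe body and its closing `end` run past this hunk.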
@@ -947,69 +947,65 @@ describe 'firewall basics', docker: true do end end - # ip6tables only supports ipset, addrtype, and mask on a limited set of platforms - if default['platform'] =~ %r{el-7} || default['platform'] =~ %r{ubuntu-14\.04} - # ipset is really difficult to test, just testing on one platform - if default['platform'] =~ %r{ubuntu-14\.04} - describe 'ipset' do - pp63 = <<-PUPPETCODE - exec { 'hackery pt 1': - command => 'service iptables-persistent flush', - path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - } - package { 'ipset': - ensure => present, - require => Exec['hackery pt 1'], - } - exec { 'hackery pt 2': - command => 'service iptables-persistent start', - path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - require => Package['ipset'], - } - class { '::firewall': } - exec { 'create ipset blacklist': - command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120', - path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - require => Package['ipset'], - } - -> exec { 'create ipset honeypot': - command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120', - path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - } - -> exec { 'add blacklist': - command => 'ipset add blacklist 2001:db8::1,80', - path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - } - -> exec { 'add honeypot': - command => 'ipset add honeypot 2001:db8::5', - path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', - } - firewall { '612 - test': - ensure => present, - chain => 'INPUT', - proto => tcp, - action => drop, - ipset => ['blacklist src,dst', '! 
honeypot dst'], - provider => 'ip6tables', - require => Exec['add honeypot'], - } - PUPPETCODE - it 'applies' do - apply_manifest(pp63, catch_failures: true) - end + # ipset is hard to test, only testing on ubuntu 14 + describe 'ipset', if: (host_inventory['facter']['os']['name'] == 'ubuntu' && os[:release].start_with?('14')) do + pp63 = <<-PUPPETCODE + exec { 'hackery pt 1': + command => 'service iptables-persistent flush', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + package { 'ipset': + ensure => present, + require => Exec['hackery pt 1'], + } + exec { 'hackery pt 2': + command => 'service iptables-persistent start', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + require => Package['ipset'], + } + class { '::firewall': } + exec { 'create ipset blacklist': + command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + require => Package['ipset'], + } + -> exec { 'create ipset honeypot': + command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + -> exec { 'add blacklist': + command => 'ipset add blacklist 2001:db8::1,80', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + -> exec { 'add honeypot': + command => 'ipset add honeypot 2001:db8::5', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + firewall { '612 - test': + ensure => present, + chain => 'INPUT', + proto => tcp, + action => drop, + ipset => ['blacklist src,dst', '! 
honeypot dst'], + provider => 'ip6tables', + require => Exec['add honeypot'], + } + PUPPETCODE + it 'applies' do + apply_manifest(pp63, catch_failures: true) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP}) - end - end + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP}) end end + end - ['dst_type', 'src_type'].each do |type| - describe type.to_s do - context 'when MULTICAST' do - pp65 = <<-PUPPETCODE + ['dst_type', 'src_type'].each do |type| + describe type.to_s do + context 'when MULTICAST' do + pp65 = <<-PUPPETCODE class { '::firewall': } firewall { '603 - test': proto => tcp, @@ -1018,20 +1014,20 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', } PUPPETCODE - it 'applies' do - apply_manifest(pp65, catch_failures: true) - apply_manifest(pp65, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp65, catch_failures: true) + apply_manifest(pp65, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT}) - end + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT}) end end + end - context 'when ! MULTICAST' do - pp66 = <<-PUPPETCODE + context 'when ! MULTICAST' do + pp66 = <<-PUPPETCODE class { '::firewall': } firewall { '603 - test inversion': proto => tcp, 
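Review bot: The new `if:` guard on `describe 'ipset'` compares `host_inventory['facter']['os']['name']` against the lowercase string `'ubuntu'`; Facter normally reports `os.name` as `Ubuntu`, so if that is what the inventory carries, the comparison never matches and the only ipset coverage in the suite is filtered out silently on every host. Every other guard in this commit uses the serverspec `os` helper, so `if: (os[:family] == 'ubuntu' && os[:release].start_with?('14'))` would both match and stay consistent; it is worth confirming on an ubuntu 14.04 run that the 'applies' example is actually executed rather than skipped. Dropping the `el-7 || ubuntu-14.04` wrapper also widens the `dst_type`/`src_type` contexts below to every platform the enclosing describe allows, and the removed comment said ip6tables only supports addrtype on a limited set, so if that still holds for any CI image those examples will fail there instead of being skipped. The `['dst_type', 'src_type'].each` block continues past this hunk.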
@@ -1040,20 +1036,20 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', } PUPPETCODE - it 'applies' do - apply_manifest(pp66, catch_failures: true) - apply_manifest(pp66, catch_changes: do_catch_changes) - end + it 'applies' do + apply_manifest(pp66, catch_failures: true) + apply_manifest(pp66, catch_changes: do_catch_changes) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT}) - end + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT}) end end + end - context 'when BROKEN' do - pp67 = <<-PUPPETCODE + context 'when BROKEN' do + pp67 = <<-PUPPETCODE class { '::firewall': } firewall { '603 - test': proto => tcp, 
@@ -1062,22 +1058,22 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', } PUPPETCODE - it 'fails' do - apply_manifest(pp67, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Invalid value "BROKEN".}) - end + it 'fails' do + apply_manifest(pp67, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Invalid value "BROKEN".}) end + end - it 'does not contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT}) - end + it 'does not contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT}) end end + end - context 'when LOCAL --limit-iface-in', unless: (os[:family] == 'redhat' && os[:release].start_with?('5') - ) do - pp102 = <<-PUPPETCODE + context 'when LOCAL --limit-iface-in', unless: (os[:family] == 'redhat' && os[:release].start_with?('5') + ) do + pp102 = <<-PUPPETCODE class { '::firewall': } firewall { '617 - test': proto => tcp, 
@@ -1085,20 +1081,20 @@ describe 'firewall basics', docker: true do #{type} => 'LOCAL --limit-iface-in', } PUPPETCODE - it 'applies' do - apply_manifest(pp102, catch_failures: true) - end + it 'applies' do + apply_manifest(pp102, catch_failures: true) + end - it 'contains the rule' do - shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "617 - test" -j ACCEPT}) - end + it 'contains the rule' do + shell('iptables-save') do |r| + expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "617 - test" -j ACCEPT}) end end + end - context 'when LOCAL --limit-iface-in fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5') - ) do - pp103 = <<-PUPPETCODE + context 'when LOCAL --limit-iface-in fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5') + ) do + pp103 = <<-PUPPETCODE class { '::firewall': } firewall { '618 - test': proto => tcp, 
@@ -1106,22 +1102,22 @@ describe 'firewall basics', docker: true do #{type} => 'LOCAL --limit-iface-in', } PUPPETCODE - it 'fails' do - apply_manifest(pp103, expect_failures: true) do |r| - expect(r.stderr).to match(%r{--limit-iface-in and --limit-iface-out are available from iptables version}) - end + it 'fails' do + apply_manifest(pp103, expect_failures: true) do |r| + expect(r.stderr).to match(%r{--limit-iface-in and --limit-iface-out are available from iptables version}) end + end - it 'does not contain the rule' do - shell('iptables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "618 - test" -j ACCEPT}) - end + it 'does not contain the rule' do + shell('iptables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL --limit-iface-in -m comment --comment "618 - test" -j ACCEPT}) end end + end - context 'when duplicated LOCAL', unless: (os[:family] == 'redhat' && os[:release].start_with?('5') - ) do - pp104 = <<-PUPPETCODE + context 'when duplicated LOCAL', unless: (os[:family] == 'redhat' && os[:release].start_with?('5') + ) do + pp104 = <<-PUPPETCODE class { '::firewall': } firewall { '619 - test': proto => tcp, 
@@ -1130,22 +1126,21 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', } PUPPETCODE - it 'fails' do - apply_manifest(pp104, expect_failures: true) do |r| - expect(r.stderr).to match(%r{#{type} elements must be unique}) - end + it 'fails' do + apply_manifest(pp104, expect_failures: true) do |r| + expect(r.stderr).to match(%r{#{type} elements must be unique}) end + end - it 'does not contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT}) - end + it 'does not contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT}) end end + end - context 'when multiple addrtype', unless: (os[:family] == 'redhat' && os[:release].start_with?('5') - ) do - pp105 = <<-PUPPETCODE + context 'when multiple addrtype', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) do + pp105 = <<-PUPPETCODE class { '::firewall': } firewall { '620 - test': proto => tcp, 
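Review bot: The changed `unless:` on `context 'when multiple addrtype'` (`['5', '6'].include?(os[:release][0])`) is, as far as this commit shows, already implied by the enclosing `describe 'testing ipv6'`, which skips redhat 5 and 6 entirely, so the extra guard never changes which hosts run the example, and the redhat-5 `unless:` guards on the neighbouring contexts are redundant for the same reason. Conversely the `if: (os[:family] == 'redhat' && os[:release].start_with?('5'))` contexts ('when LOCAL --limit-iface-in fail' and 'when multiple addrtype fail') can no longer be selected at all, because their only matching hosts are filtered out one level up, so their version-error expectations are dead code. Either remove the redundant guards and the unreachable contexts, or move the fail contexts outside the ipv6 describe if that error message is still worth asserting. The enclosing `each` block and describe start before this hunk.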
@@ -1154,20 +1149,20 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', } PUPPETCODE - it 'applies' do - apply_manifest(pp105, catch_failures: true) - end + it 'applies' do + apply_manifest(pp105, catch_failures: true) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "620 - test" -j ACCEPT}) - end + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "620 - test" -j ACCEPT}) end end + end - context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5') - ) do - pp106 = <<-PUPPETCODE + context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5') + ) do + pp106 = <<-PUPPETCODE class { '::firewall': } firewall { '616 - test': proto => tcp, 
@@ -1176,22 +1171,20 @@ describe 'firewall basics', docker: true do provider => 'ip6tables', } PUPPETCODE - it 'fails' do - apply_manifest(pp106, expect_failures: true) do |r| - expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version}) - end + it 'fails' do + apply_manifest(pp106, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version}) end + end - it 'does not contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) - end + it 'does not contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! --#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) end end end end end - end # iptables version 1.3.5 does not support masks on MARK rules diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb index 590e96d..5d6625e 100644 --- a/spec/acceptance/firewall_bridging_spec.rb +++ b/spec/acceptance/firewall_bridging_spec.rb 
@@ -1,16 +1,14 @@ require 'spec_helper_acceptance' -describe 'firewall bridging' do +# iptables version 1.3.5 is not suppored by the ip6tables provider +describe 'firewall bridging', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do before :all do iptables_flush_all_tables ip6tables_flush_all_tables end - describe 'iptables physdev tests' do - # iptables version 1.3.5 is not suppored by the ip6tables provider - unless os[:family] == 'redhat' && os[:release].start_with?('5') - describe 'ip6tables physdev tests' do - context 'when physdev_in eth0' do - pp8 = <<-PUPPETCODE + describe 'ip6tables physdev tests' do + context 'when physdev_in eth0' do + pp8 = <<-PUPPETCODE class { '::firewall': } firewall { '701 - test': provider => 'ip6tables', @@ -21,20 +19,20 @@ describe 'firewall bridging' do physdev_in => 'eth0', } PUPPETCODE - it 'applies' do - apply_manifest(pp8, catch_failures: true) - apply_manifest(pp8, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp8, catch_failures: true) + apply_manifest(pp8, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT}) end + end + end - context 'when physdev_out eth1' do - pp9 = <<-PUPPETCODE + context 'when physdev_out eth1' do + pp9 = <<-PUPPETCODE class { '::firewall': } firewall { '702 - test': provider => 'ip6tables', 
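Review bot: The added comment line `# iptables version 1.3.5 is not suppored by the ip6tables provider` carries a typo into a new line; it should read `# iptables version 1.3.5 is not supported by the ip6tables provider`. The same misspelling survives as a context line in firewall_attributes_exceptions_spec.rb, which this commit does not touch, so fixing it here at least stops it spreading.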
@@ -45,20 +43,20 @@ describe 'firewall bridging' do physdev_out => 'eth1', } PUPPETCODE - it 'applies' do - apply_manifest(pp9, catch_failures: true) - apply_manifest(pp9, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp9, catch_failures: true) + apply_manifest(pp9, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT}) end + end + end - context 'when physdev_in eth0 and physdev_out eth1' do - pp10 = <<-PUPPETCODE + context 'when physdev_in eth0 and physdev_out eth1' do + pp10 = <<-PUPPETCODE class { '::firewall': } firewall { '703 - test': provider => 'ip6tables', 
@@ -70,20 +68,20 @@ describe 'firewall bridging' do physdev_out => 'eth1', } PUPPETCODE - it 'applies' do - apply_manifest(pp10, catch_failures: true) - apply_manifest(pp10, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp10, catch_failures: true) + apply_manifest(pp10, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT}) end + end + end - context 'when physdev_is_bridged' do - pp11 = <<-PUPPETCODE + context 'when physdev_is_bridged' do + pp11 = <<-PUPPETCODE class { '::firewall': } firewall { '704 - test': provider => 'ip6tables', 
@@ -94,20 +92,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp11, catch_failures: true) - apply_manifest(pp11, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp11, catch_failures: true) + apply_manifest(pp11, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT}) end + end + end - context 'when physdev_in eth0 and physdev_is_bridged' do - pp12 = <<-PUPPETCODE + context 'when physdev_in eth0 and physdev_is_bridged' do + pp12 = <<-PUPPETCODE class { '::firewall': } firewall { '705 - test': provider => 'ip6tables', 
@@ -119,20 +117,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp12, catch_failures: true) - apply_manifest(pp12, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp12, catch_failures: true) + apply_manifest(pp12, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT}) end + end + end - context 'when physdev_out eth1 and physdev_is_bridged' do - pp13 = <<-PUPPETCODE + context 'when physdev_out eth1 and physdev_is_bridged' do + pp13 = <<-PUPPETCODE class { '::firewall': } firewall { '706 - test': provider => 'ip6tables', 
@@ -144,20 +142,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp13, catch_failures: true) - apply_manifest(pp13, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp13, catch_failures: true) + apply_manifest(pp13, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT}) end + end + end - context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do - pp14 = <<-PUPPETCODE + context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do + pp14 = <<-PUPPETCODE class { '::firewall': } firewall { '707 - test': provider => 'ip6tables', 
@@ -170,20 +168,20 @@ describe 'firewall bridging' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp14, catch_failures: true) - apply_manifest(pp14, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT}) # rubocop:disable Metrics/LineLength - end - end + it 'applies' do + apply_manifest(pp14, catch_failures: true) + apply_manifest(pp14, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT}) end + end + end - context 'when physdev_is_in' do - pp15 = <<-PUPPETCODE + context 'when physdev_is_in' do + pp15 = <<-PUPPETCODE class { '::firewall': } firewall { '708 - test': provider => 'ip6tables', 
@@ -194,20 +192,20 @@ describe 'firewall bridging' do physdev_is_in => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp15, catch_failures: true) - apply_manifest(pp15, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp15, catch_failures: true) + apply_manifest(pp15, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT}) end + end + end - context 'when physdev_is_out' do - pp16 = <<-PUPPETCODE + context 'when physdev_is_out' do + pp16 = <<-PUPPETCODE class { '::firewall': } firewall { '709 - test': provider => 'ip6tables', @@ -218,16 +216,14 @@ describe 'firewall bridging' do physdev_is_out => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp16, catch_failures: true) - apply_manifest(pp16, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT}) - end - end + it 'applies' do + apply_manifest(pp16, catch_failures: true) + apply_manifest(pp16, catch_changes: do_catch_changes) + end + + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT}) end end end diff --git a/spec/acceptance/firewall_dscp_spec.rb b/spec/acceptance/firewall_dscp_spec.rb index 4552f76..7501991 100644 --- a/spec/acceptance/firewall_dscp_spec.rb +++ b/spec/acceptance/firewall_dscp_spec.rb 
@@ -56,10 +56,9 @@ describe 'firewall DSCP' do end end - unless os[:family] == 'redhat' && os[:release].start_with?('5') - describe 'dscp ipv6 tests' do - context 'when set_dscp 0x01' do - pp3 = <<-PUPPETCODE + describe 'dscp ipv6 tests', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do + context 'when set_dscp 0x01' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '1002 - set_dscp': @@ -72,19 +71,19 @@ describe 'firewall DSCP' do provider => 'ip6tables', } PUPPETCODE - it 'applies' do - apply_manifest(pp3, catch_failures: true) - end + it 'applies' do + apply_manifest(pp3, catch_failures: true) + end - it 'contains the rule' do - shell('ip6tables-save -t mangle') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01}) - end + it 'contains the rule' do + shell('ip6tables-save -t mangle') do |r| + expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01}) end end + end - context 'when set_dscp_class EF' do - pp4 = <<-PUPPETCODE + context 'when set_dscp_class EF' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '1003 EF - set_dscp_class': @@ -97,14 +96,13 @@ describe 'firewall DSCP' do provider => 'ip6tables', } PUPPETCODE - it 'applies' do - apply_manifest(pp4, catch_failures: true) - end + it 'applies' do + apply_manifest(pp4, catch_failures: true) + end - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e}) - end + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e}) end end end 
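Review bot: The `unless:` expression on `describe 'dscp ipv6 tests'` is written without parentheses, while the equivalent guards added to firewall_bridging_spec.rb and firewall_attributes_exceptions_spec.rb in this commit wrap theirs; Ruby attaches the `do` block to `describe` either way, but a bare `&& os[:release].start_with?('5') do` reads as if the block might belong to `start_with?`, so `unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do` is easier to scan and matches the rest of the change. The new top-level describe in firewall_mss_spec.rb has the same shape.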
diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb
index 92464cb..6cea073 100644
--- a/spec/acceptance/firewall_iptmodules_spec.rb
+++ b/spec/acceptance/firewall_iptmodules_spec.rb
@@ -33,7 +33,7 @@ describe 'firewall iptmodules' do
 it 'contains the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
 end
 end
 end
@@ -60,17 +60,15 @@ describe 'firewall iptmodules' do it 'contains the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size + expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength end end end end - # iptables version 1.3.5 is not suppored by the ip6tables provider - if default['platform'] =~ %r{ubuntu-14\.04} - describe 'ip6tables ipt_modules tests' do - context 'when all the modules with multiple args' do - pp3 = <<-PUPPETCODE + describe 'ip6tables ipt_modules tests', unless: (os[:family] == 'redhat' && ['5', '6'].include?(os[:release][0])) || (os[:family] == 'sles') do + context 'when all the modules with multiple args' do + pp3 = <<-PUPPETCODE class { '::firewall': } firewall { '801 - ipt_modules tests': proto => tcp, 
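Review bot: Replacing `if default['platform'] =~ %r{ubuntu-14\.04}` with `unless: (redhat 5/6) || sles` widens `describe 'ip6tables ipt_modules tests'` from one platform to every other host, and the following hunk deletes the `elsif` fallback that applied the same manifests without `src_type`/`dst_type` (its comment said older OSes lack addrtype). If any remaining CI image still lacks ip6tables addrtype support, the `-m addrtype --src-type LOCAL --dst-type UNICAST` expectation in 'contains the rule' will now fail there instead of being skipped, so the platform matrix is worth checking before merging, or the addrtype properties need their own guard. The guard expression is identical to the one added in firewall_attributes_exceptions_spec.rb; a shared predicate in spec_helper_acceptance would keep them in step. The describe body continues past this hunk.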
@@ -89,82 +87,20 @@ describe 'firewall iptmodules' do physdev_is_bridged => true, } PUPPETCODE - it 'applies' do - apply_manifest(pp3, catch_failures: true) - apply_manifest(pp3, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size - end - end + it 'applies' do + apply_manifest(pp3, catch_failures: true) + apply_manifest(pp3, catch_changes: do_catch_changes) end - context 'when all the modules with single args' do - pp4 = <<-PUPPETCODE - class { '::firewall': } - firewall { '802 - ipt_modules tests': - proto => tcp, - dport => '8080', - action => reject, - chain => 'OUTPUT', - provider => 'ip6tables', - gid => 404, - dst_range => "2003::-2004::", - dst_type => 'UNICAST', - physdev_out => "eth1", - physdev_is_bridged => true, - } - PUPPETCODE - it 'applies' do - apply_manifest(pp4, catch_failures: true) - apply_manifest(pp4, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size - end + it 'contains the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m 
physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength end end end - # Older OSes don't have addrtype so we leave those properties out. - # el-5 doesn't support ipv6 by default - elsif default['platform'] !~ %r{el-5} - describe 'ip6tables ipt_modules tests' do - context 'when all the modules with multiple args' do - pp5 = <<-PUPPETCODE - class { '::firewall': } - firewall { '801 - ipt_modules tests': - proto => tcp, - dport => '8080', - action => reject, - chain => 'OUTPUT', - provider => 'ip6tables', - uid => 0, - gid => 404, - src_range => "2001::-2002::", - dst_range => "2003::-2004::", - physdev_in => "eth0", - physdev_out => "eth1", - physdev_is_bridged => true, - } - PUPPETCODE - it 'applies' do - apply_manifest(pp5, catch_failures: true) - apply_manifest(pp5, catch_changes: do_catch_changes) - end - - it 'contains the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size - end - end - end - context 'when all the modules with single args' do - pp6 = <<-PUPPETCODE + context 'when all the modules with single args' do + pp4 = <<-PUPPETCODE class { '::firewall': } firewall { '802 - ipt_modules tests': proto => tcp, 
@@ -174,19 +110,19 @@ describe 'firewall iptmodules' do
 provider => 'ip6tables',
 gid => 404,
 dst_range => "2003::-2004::",
+ dst_type => 'UNICAST',
 physdev_out => "eth1",
 physdev_is_bridged => true,
 }
 PUPPETCODE
- it 'applies' do
- apply_manifest(pp6, catch_failures: true)
- apply_manifest(pp6, catch_changes: do_catch_changes)
- end
+ it 'applies' do
+ apply_manifest(pp4, catch_failures: true)
+ apply_manifest(pp4, catch_changes: do_catch_changes)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength
 end
 end
 end
diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb
index d1b438e..cd91c96 100644
--- a/spec/acceptance/firewall_mss_spec.rb
+++ b/spec/acceptance/firewall_mss_spec.rb
@@ -1,15 +1,14 @@
 require 'spec_helper_acceptance'
-describe 'firewall MSS' do
+describe 'firewall MSS', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
 before :all do
 iptables_flush_all_tables
 ip6tables_flush_all_tables
 end
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- describe 'mss ipv6 tests' do
- context 'when 1360' do
- pp3 = <<-PUPPETCODE
+ describe 'mss ipv6 tests' do
+ context 'when 1360' do
+ pp3 = <<-PUPPETCODE
 class { '::firewall': }
 firewall { '502 - set_mss':
@@ -23,19 +22,19 @@ describe 'firewall MSS' do
 provider => 'ip6tables',
 }
 PUPPETCODE
- it 'applies' do
- apply_manifest(pp3, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp3, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
 end
 end
+ end
- context 'when clamp_mss_to_pmtu' do
- pp4 = <<-PUPPETCODE
+ context 'when clamp_mss_to_pmtu' do
+ pp4 = <<-PUPPETCODE
 class { '::firewall': }
 firewall { '503 - clamp_mss_to_pmtu':
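Review bot: The skip predicate `os[:family] == 'redhat' && os[:release].start_with?('5')` is inlined as `unless:` metadata on the new `describe` line here and repeated verbatim in match_mark_spec, purge_spec and resource_cmd_spec in this same diff, so a future change to which releases lack ip6tables support has to be made in four places. Each of these files begins with `require 'spec_helper_acceptance'`, and this `describe` line already calls `os` at file-load time, so one predicate defined in that helper — e.g. `def ipv6_unsupported?; os[:family] == 'redhat' && os[:release].start_with?('5'); end` — used as `unless: ipv6_unsupported?` would keep the four specs in step. The commit message says the condition is the same everywhere, which is only as true as the next copy-edit.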
@@ -47,14 +46,13 @@ describe 'firewall MSS' do
 provider => 'ip6tables',
 }
 PUPPETCODE
- it 'applies' do
- apply_manifest(pp4, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp4, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
 end
 end
 end
diff --git a/spec/acceptance/match_mark_spec.rb b/spec/acceptance/match_mark_spec.rb
index b903d6d..25e00a5 100644
--- a/spec/acceptance/match_mark_spec.rb
+++ b/spec/acceptance/match_mark_spec.rb
@@ -1,15 +1,14 @@
 require 'spec_helper_acceptance'
-describe 'firewall match marks' do
+describe 'firewall match marks', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
 before :all do
 iptables_flush_all_tables
 ip6tables_flush_all_tables
 end
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- describe 'match_mark' do
- context 'when 0x1' do
- pp1 = <<-PUPPETCODE
+ describe 'match_mark' do
+ context 'when 0x1' do
+ pp1 = <<-PUPPETCODE
 class { '::firewall': }
 firewall { '503 match_mark - test':
 proto => 'all',
@@ -17,21 +16,21 @@ describe 'firewall match marks' do
 action => reject,
 }
 PUPPETCODE
- it 'applies' do
- apply_manifest(pp1, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp1, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable})
- end
+ it 'contains the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable})
 end
 end
 end
+ end
- describe 'match_mark_ip6' do
- context 'when 0x1' do
- pp2 = <<-PUPPETCODE
+ describe 'match_mark_ip6' do
+ context 'when 0x1' do
+ pp2 = <<-PUPPETCODE
 class { '::firewall': }
 firewall { '503 match_mark ip6tables - test':
 proto => 'all',
@@ -40,14 +39,13 @@ describe 'firewall match marks' do
 provider => 'ip6tables',
 }
 PUPPETCODE
- it 'applies' do
- apply_manifest(pp2, catch_failures: true)
- end
+ it 'applies' do
+ apply_manifest(pp2, catch_failures: true)
+ end
- it 'contains the rule' do
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})
- end
+ it 'contains the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})
 end
 end
 end
diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
index bd17b7d..084d203 100644
--- a/spec/acceptance/purge_spec.rb
+++ b/spec/acceptance/purge_spec.rb
@@ -125,37 +125,36 @@ describe 'purge tests' do
 end
 end
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- context 'when ipv6 chain purge' do
- after(:all) do
- ip6tables_flush_all_tables
- end
- before(:each) do
- ip6tables_flush_all_tables
+ context 'when ipv6 chain purge', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+ after(:all) do
+ ip6tables_flush_all_tables
+ end
+ before(:each) do
+ ip6tables_flush_all_tables
- shell('ip6tables -A INPUT -p tcp -s 1::42')
- shell('ip6tables -A INPUT -p udp -s 1::42')
- shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
- end
+ shell('ip6tables -A INPUT -p tcp -s 1::42')
+ shell('ip6tables -A INPUT -p udp -s 1::42')
+ shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+ end
- pp6 = <<-PUPPETCODE
+ pp6 = <<-PUPPETCODE
 class { 'firewall': }
 firewallchain { 'INPUT:filter:IPv6':
 purge => true,
 }
 PUPPETCODE
- it 'purges only the specified chain' do
- apply_manifest(pp6, expect_changes: true)
-
- shell('ip6tables-save') do |r|
- expect(r.stdout).to match(%r{010 output-1::50})
- expect(r.stdout).not_to match(%r{1::42})
- expect(r.stderr).to eq('')
- end
+ it 'purges only the specified chain' do
+ apply_manifest(pp6, expect_changes: true)
+
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(%r{010 output-1::50})
+ expect(r.stdout).not_to match(%r{1::42})
+ expect(r.stderr).to eq('')
 end
- # rubocop:enable RSpec/ExampleLength
+ end
+ # rubocop:enable RSpec/ExampleLength
- pp7 = <<-PUPPETCODE
+ pp7 = <<-PUPPETCODE
 class { 'firewall': }
 firewallchain { 'OUTPUT:filter:IPv6':
 purge => true,
@@ -167,11 +166,11 @@ describe 'purge tests' do
 provider => 'ip6tables',
 }
 PUPPETCODE
- it 'ignores managed rules' do
- apply_manifest(pp7, catch_changes: do_catch_changes)
- end
+ it 'ignores managed rules' do
+ apply_manifest(pp7, catch_changes: do_catch_changes)
+ end
- pp8 = <<-PUPPETCODE
+ pp8 = <<-PUPPETCODE
 class { 'firewall': }
 firewallchain { 'INPUT:filter:IPv6':
 purge => true,
@@ -180,11 +179,11 @@ describe 'purge tests' do
 ],
 }
 PUPPETCODE
- it 'ignores specified rules' do
- apply_manifest(pp8, catch_changes: do_catch_changes)
- end
+ it 'ignores specified rules' do
+ apply_manifest(pp8, catch_changes: do_catch_changes)
+ end
- pp9 = <<-PUPPETCODE
+ pp9 = <<-PUPPETCODE
 class { 'firewall': }
 firewallchain { 'INPUT:filter:IPv6':
 purge => true,
@@ -217,11 +216,10 @@ describe 'purge tests' do
 provider => 'ip6tables',
 }
 PUPPETCODE
- it 'adds managed rules with ignored rules' do
- apply_manifest(pp9, catch_failures: true)
+ it 'adds managed rules with ignored rules' do
+ apply_manifest(pp9, catch_failures: true)
- expect(shell('ip6tables-save').stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp})
- end
+ expect(shell('ip6tables-save').stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp})
 end
 end
 end
diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
index a06e10d..12a6845 100644
--- a/spec/acceptance/resource_cmd_spec.rb
+++ b/spec/acceptance/resource_cmd_spec.rb
@@ -181,23 +181,21 @@ describe 'puppet resource firewall command' do
 # version of iptables that ships with el5 doesn't work with the
 # ip6tables provider
 # TODO: Test below fails if this file is run seperately. i.e. bundle exec rspec spec/acceptance/resource_cmd_spec.rb
- unless os[:family] == 'redhat' && os[:release].start_with?('5')
- context 'when dport/sport with ip6tables' do
- before :all do
- if os['family'] == 'debian'
- shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
- shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections')
- shell('apt-get install iptables-persistent -y')
- end
- ip6tables_flush_all_tables
- shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar')
+ context 'when dport/sport with ip6tables', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+ before :all do
+ if os['family'] == 'debian'
+ shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
+ shell('echo "iptables-persistent iptables-persistent/autosave_v6 boolean false" | debconf-set-selections')
+ shell('apt-get install iptables-persistent -y')
 end
- it do
- shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
- r.exit_code.should be_zero
- # don't check stdout, testing preexisting rules, output is normal
- r.stderr.should be_empty
- end
+ ip6tables_flush_all_tables
+ shell('ip6tables -A INPUT -d fe80::/64 -p tcp -m tcp --dport 546 --sport 547 -j ACCEPT -m comment --comment 000-foobar')
+ end
+ it do
+ shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
+ r.exit_code.should be_zero
+ # don't check stdout, testing preexisting rules, output is normal
+ r.stderr.should be_empty
 end
 end
 end
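Review bot: The new `context` line looks up `os[:family]` with a symbol key while the `before :all` block two lines below still uses `os['family'] == 'debian'` with a string key; unless `os` accepts both key types, one of the two lookups is always nil, and even if it does, the two forms side by side make a reader stop to check. Suggest `if os[:family] == 'debian'` so the whole block uses one key style. The moved example also keeps the legacy `should` syntax (`r.exit_code.should be_zero`, `r.stderr.should be_empty`) while every other example in this diff uses `expect(...)`; `expect(r.exit_code).to be_zero` and `expect(r.stderr).to be_empty` would align it while the block is already being touched.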