From: Hunter Haugen Date: Tue, 18 Feb 2014 21:13:22 +0000 (-0800) Subject: Fix various differences for rhel5 X-Git-Tag: 1.0.1~14^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=ff4bbf0df5b59ae23e2ee01c86c4ccff1aa6f042;p=puppet-modules%2Fpuppetlabs-firewall.git Fix various differences for rhel5 iptables 1.3.5 ships on rhel 5 and is really old. It doesn't support `--comment` on ip6tables, doesn't support `-m socket` or `--random`, and the format of netmasks uses subnet mask format instead of CIDR. --- diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb index cc8ad61..d531633 100644 --- a/lib/puppet/provider/firewall/ip6tables.rb +++ b/lib/puppet/provider/firewall/ip6tables.rb @@ -26,6 +26,14 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = :ip6tables_save => 'ip6tables-save', }) + def initialize(*args) + if Facter.fact('ip6tables_version').value.match /1\.3\.\d/ + raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' + else + super + end + end + def self.iptables(*args) ip6tables(*args) end diff --git a/spec/acceptance/change_source_spec.rb b/spec/acceptance/change_source_spec.rb index 4eae313..04347c1 100644 --- a/spec/acceptance/change_source_spec.rb +++ b/spec/acceptance/change_source_spec.rb 
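Review bot: The new `initialize` in ip6tables.rb calls `Facter.fact('ip6tables_version').value.match /1\.3\.\d/` with no nil handling, so when the fact is not defined (`Facter.fact` returns nil) or resolves to nil because ip6tables is absent, the guard itself fails with NoMethodError instead of the intended ArgumentError, and the provider's failure mode becomes an unrelated crash. The pattern is also unanchored, so any version string containing `1.3.<digit>` anywhere would be rejected; anchoring it to the start of the string makes the check mean what the message says. The `else super` branch can become a guard clause, which also lets the version string be checked once. The enclosing `provide` block starts and ends outside the hunk.
```ruby
def initialize(*args)
  fact = Facter.fact('ip6tables_version')
  version = fact && fact.value
  # iptables 1.3.x cannot express the --comment match the provider relies on for ip6tables
  if version && version.to_s =~ /\A1\.3\.\d/
    raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables'
  end
  super
end
```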
@@ -30,17 +30,17 @@ describe 'firewall type' do it 'adds a unmanaged rule without a comment' do shell('/sbin/iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT') - expect(shell('iptables-save').stdout).to match(/-A INPUT -s 8\.0\.0\.3\/32 -p tcp -m multiport --ports 102 -j ACCEPT/) + expect(shell('iptables-save').stdout).to match(/-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT/) end it 'contains the changable 8.0.0.1 rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.1\/32 -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/) end end it 'contains the static 8.0.0.2 rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2\/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/) end end 
@@ -65,12 +65,12 @@ describe 'firewall type' do end it 'contains the staic 8.0.0.2 rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2\/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/) end end it 'contains the changing new 8.0.0.4 rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.4\/32 -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/) end end end diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index e8bfbe6..647a66f 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb @@ -121,7 +121,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -s 192.168.2.0\/24 -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/) end end end @@ -144,7 +144,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT ! -s 192.168.2.0\/24 -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/) end end end 
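Review bot: In the rewritten expectations of firewall_spec.rb the newly added netmask alternative escapes its dots (`255\.255\.255\.0`) while the address immediately before it does not (`192.168.2.0\/`), so `.` still matches any character in the address part and the two halves of the same regex follow different conventions. Since these lines are being rewritten anyway, escaping the address too keeps the assertion strict, e.g. `192\.168\.2\.0\/(24|255\.255\.255\.0)`. The same mixed escaping appears in the other firewall_spec.rb hunks below (the `-d`, `host_to_ip`, policy and recent expectations) and in the rules_spec.rb hunks (`10.0.0.0\/(8|255\.0\.0\.0)`). The `describe 'firewall type'` block that encloses these hunks starts and ends outside them.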
@@ -163,13 +163,13 @@ describe 'firewall type' do EOS apply_manifest(pp, :expect_failures => true) do |r| - expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/24/) + expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)/) end end it 'should not contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to_not match(/-A INPUT -s 256.168.2.0\/24 -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/) + expect(r.stdout).to_not match(/-A INPUT -s 256.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - test" -j ACCEPT/) end end end @@ -244,7 +244,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -d 192.168.2.0\/24 -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/) end end end @@ -267,7 +267,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT ! -d 192.168.2.0\/24 -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/) + expect(r.stdout).to match(/-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/) end end end 
@@ -286,13 +286,13 @@ describe 'firewall type' do EOS apply_manifest(pp, :expect_failures => true) do |r| - expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/24/) + expect(r.stderr).to match(/host_to_ip failed for 256.168.2.0\/(24|255\.255\.255\.0)/) end end it 'should not contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to_not match(/-A INPUT -d 256.168.2.0\/24 -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/) + expect(r.stdout).to_not match(/-A INPUT -d 256.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 558 -m comment --comment "558 - test" -j ACCEPT/) end end end @@ -790,7 +790,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save -t nat') do |r| - expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200\/32 -p tcp -m comment --comment "569 - test" -j DNAT --to-destination 192.168.1.1/) + expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j DNAT --to-destination 192.168.1.1/) end end end 
@@ -821,28 +821,31 @@ describe 'firewall type' do end end - describe 'random' do - context '192.168.1.1' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '570 - test 2': - proto => all, - table => 'nat', - chain => 'POSTROUTING', - jump => 'MASQUERADE', - source => '172.30.0.0/16', - random => true - } - EOS + # RHEL5 does not support --random + if default['platform'] !~ /el-5/ + describe 'random' do + context '192.168.1.1' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '570 - test 2': + proto => all, + table => 'nat', + chain => 'POSTROUTING', + jump => 'MASQUERADE', + source => '172.30.0.0/16', + random => true + } + EOS - apply_manifest(pp, :catch_failures => true) - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) + end - it 'should contain the rule' do - shell('iptables-save -t nat') do |r| - expect(r.stdout).to match(/-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - test 2" -j MASQUERADE --random/) + it 'should contain the rule' do + shell('iptables-save -t nat') do |r| + expect(r.stdout).to match(/-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - test 2" -j MASQUERADE --random/) + end end end end 
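Review bot: The skip condition `if default['platform'] !~ /el-5/` gates the `random` tests on the OS platform string, while the reason given in the new comment and the commit message is the iptables 1.3.5 version; a non-el-5 host with iptables 1.3.x, or an el-5 host with a newer iptables, would be gated the wrong way. A version-based check (the provider already consults an `iptables_version`-style fact) expressed once as a helper in spec_helper_acceptance, for example `def old_iptables?`, would keep the intent in one place rather than copying the platform regex into each block. The same copied condition appears in the hop_limit, set_mark and socket hunks below and in socket_spec.rb and ip6_fragment_spec.rb. The enclosing `describe 'firewall type'` starts and ends outside the hunk.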
@@ -872,53 +875,206 @@ describe 'firewall type' do end end - describe 'hop_limit' do - context '5' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '571 - test': - ensure => present, - proto => tcp, - port => '571', - action => accept, - hop_limit => '5', - provider => 'ip6tables', - } - EOS + #iptables version 1.3.5 is not suppored by the ip6tables provider + if default['platform'] !~ /el-5/ + describe 'hop_limit' do + context '5' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '571 - test': + ensure => present, + proto => tcp, + port => '571', + action => accept, + hop_limit => '5', + provider => 'ip6tables', + } + EOS - apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq 5 -j ACCEPT/) + end + end end - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq 5 -j ACCEPT/) + context 'invalid' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '571 - test': + ensure => present, + proto => tcp, + port => '571', + action => accept, + hop_limit => 'invalid', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :expect_failures => true) do |r| + expect(r.stderr).to match(/Invalid value "invalid"./) + end + end + + it 'should not contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to_not match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT/) + end end end end - context 'invalid' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '571 - test': - ensure => present, - proto => tcp, - port => '571', - action => accept, - hop_limit => 
'invalid', - provider => 'ip6tables', - } - EOS + describe 'ishasmorefrags' do + context 'true' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '587 - test': + ensure => present, + proto => tcp, + port => '587', + action => accept, + ishasmorefrags => true, + provider => 'ip6tables', + } + EOS - apply_manifest(pp, :expect_failures => true) do |r| - expect(r.stderr).to match(/Invalid value "invalid"./) + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --ports 587 -m comment --comment "587 - test" -j ACCEPT/) + end end end - it 'should not contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to_not match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT/) + context 'false' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '588 - test': + ensure => present, + proto => tcp, + port => '588', + action => accept, + ishasmorefrags => false, + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 588 -m comment --comment "588 - test" -j ACCEPT/) + end + end + end + end + + describe 'islastfrag' do + context 'true' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '589 - test': + ensure => present, + proto => tcp, + port => '589', + action => accept, + islastfrag => true, + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --ports 589 -m comment --comment "589 - test" -j ACCEPT/) + end + end + end + + context 
'false' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '590 - test': + ensure => present, + proto => tcp, + port => '590', + action => accept, + islastfrag => false, + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 590 -m comment --comment "590 - test" -j ACCEPT/) + end + end + end + end + + describe 'isfirstfrag' do + context 'true' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '591 - test': + ensure => present, + proto => tcp, + port => '591', + action => accept, + isfirstfrag => true, + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --ports 591 -m comment --comment "591 - test" -j ACCEPT/) + end + end + end + + context 'false' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '592 - test': + ensure => present, + proto => tcp, + port => '592', + action => accept, + isfirstfrag => false, + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 592 -m comment --comment "592 - test" -j ACCEPT/) + end end end end 
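Review bot: The new comment introducing the guarded block has a typo and no space after `#`: `#iptables version 1.3.5 is not suppored by the ip6tables provider` should read `# iptables version 1.3.5 is not supported by the ip6tables provider`, matching the `# RHEL5 does not support --random` style used earlier in the file. The comment added in the set_mark hunk below (`#iptables version 1.3.5 does not support masks on MARK rules`) has the same missing space. The enclosing `describe 'firewall type'` starts and ends outside the hunk.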
@@ -1053,28 +1209,31 @@ describe 'firewall type' do end end - describe 'set_mark' do - context '0x3e8/0xffffffff' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '580 - test': - ensure => present, - chain => 'OUTPUT', - proto => tcp, - port => '580', - jump => 'MARK', - table => 'mangle', - set_mark => '0x3e8/0xffffffff', - } - EOS + #iptables version 1.3.5 does not support masks on MARK rules + if default['platform'] !~ /el-5/ + describe 'set_mark' do + context '0x3e8/0xffffffff' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '580 - test': + ensure => present, + chain => 'OUTPUT', + proto => tcp, + port => '580', + jump => 'MARK', + table => 'mangle', + set_mark => '0x3e8/0xffffffff', + } + EOS - apply_manifest(pp, :catch_failures => true) - end + apply_manifest(pp, :catch_failures => true) + end - it 'should contain the rule' do - shell('iptables-save -t mangle') do |r| - expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff/) + it 'should contain the rule' do + shell('iptables-save -t mangle') do |r| + expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff/) + end end end end 
@@ -1178,203 +1337,56 @@ describe 'firewall type' do end end - describe 'socket' do - context 'true' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '585 - test': - ensure => present, - proto => tcp, - port => '585', - action => accept, - chain => 'PREROUTING', - table => 'nat', - socket => true, - } - EOS - - apply_manifest(pp, :catch_failures => true) - end - - it 'should contain the rule' do - shell('iptables-save -t nat') do |r| - expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT/) - end - end - end - - context 'false' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '586 - test': - ensure => present, - proto => tcp, - port => '586', - action => accept, - chain => 'PREROUTING', - table => 'nat', - socket => false, - } - EOS - - apply_manifest(pp, :catch_failures => true) - end - - it 'should contain the rule' do - shell('iptables-save -t nat') do |r| - expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT/) - end - end - end - end - - describe 'ishasmorefrags' do - context 'true' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '587 - test': - ensure => present, - proto => tcp, - port => '587', - action => accept, - ishasmorefrags => true, - provider => 'ip6tables', - } - EOS - - apply_manifest(pp, :catch_failures => true) - end - - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --ports 587 -m comment --comment "587 - test" -j ACCEPT/) - end - end - end - - context 'false' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '588 - test': - ensure => present, - proto => tcp, - port => '588', - action => accept, - ishasmorefrags => false, - provider => 'ip6tables', - } - EOS - - apply_manifest(pp, :catch_failures => true) - 
end - - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 588 -m comment --comment "588 - test" -j ACCEPT/) - end - end - end - end - - describe 'islastfrag' do - context 'true' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '589 - test': - ensure => present, - proto => tcp, - port => '589', - action => accept, - islastfrag => true, - provider => 'ip6tables', - } - EOS - - apply_manifest(pp, :catch_failures => true) - end + # RHEL5 does not support -m socket + if default['platform'] !~ /el-5/ + describe 'socket' do + context 'true' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '585 - test': + ensure => present, + proto => tcp, + port => '585', + action => accept, + chain => 'PREROUTING', + table => 'nat', + socket => true, + } + EOS - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --ports 589 -m comment --comment "589 - test" -j ACCEPT/) + apply_manifest(pp, :catch_failures => true) end - end - end - context 'false' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '590 - test': - ensure => present, - proto => tcp, - port => '590', - action => accept, - islastfrag => false, - provider => 'ip6tables', - } - EOS - - apply_manifest(pp, :catch_failures => true) - end - - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 590 -m comment --comment "590 - test" -j ACCEPT/) + it 'should contain the rule' do + shell('iptables-save -t nat') do |r| + expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT/) + end end end - end - end - describe 'isfirstfrag' do - context 'true' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '591 - test': - 
ensure => present, - proto => tcp, - port => '591', - action => accept, - isfirstfrag => true, - provider => 'ip6tables', - } - EOS - - apply_manifest(pp, :catch_failures => true) - end + context 'false' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '586 - test': + ensure => present, + proto => tcp, + port => '586', + action => accept, + chain => 'PREROUTING', + table => 'nat', + socket => false, + } + EOS - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --ports 591 -m comment --comment "591 - test" -j ACCEPT/) + apply_manifest(pp, :catch_failures => true) end - end - end - context 'false' do - it 'applies' do - pp = <<-EOS - class { '::firewall': } - firewall { '592 - test': - ensure => present, - proto => tcp, - port => '592', - action => accept, - isfirstfrag => false, - provider => 'ip6tables', - } - EOS - - apply_manifest(pp, :catch_failures => true) - end - - it 'should contain the rule' do - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 592 -m comment --comment "592 - test" -j ACCEPT/) + it 'should contain the rule' do + shell('iptables-save -t nat') do |r| + expect(r.stdout).to match(/-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT/) + end end end end @@ -1403,7 +1415,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/8 -m comment --comment "593 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/) + expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "593 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/) end end end 
@@ -1430,7 +1442,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/8 -m comment --comment "594 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp-net-unreachable/) + expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "594 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp-net-unreachable/) end end end @@ -1459,7 +1471,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/8 -m comment --comment "595 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/) + expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "595 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/) end end end @@ -1486,7 +1498,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -d 20.0.0.0\/8 -m comment --comment "596 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp-net-unreachable/) + expect(r.stdout).to match(/-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "596 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp-net-unreachable/) end end end @@ -1514,7 +1526,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "597 - test" -m recent --set --name list1 --rdest/) + expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "597 - test" -m recent --set --name list1 --rdest/) end end end 
@@ -1543,7 +1555,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "598 - test" -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 --rsource/) + expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "598 - test" -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 --rsource/) end end end @@ -1567,7 +1579,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "599 - test" -m recent --update/) + expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "599 - test" -m recent --update/) end end end @@ -1591,7 +1603,7 @@ describe 'firewall type' do it 'should contain the rule' do shell('iptables-save') do |r| - expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/8 -m comment --comment "600 - test" -m recent --remove/) + expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "600 - test" -m recent --remove/) end end end diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb index 4d44451..a83c88c 100644 --- a/spec/acceptance/ip6_fragment_spec.rb +++ b/spec/acceptance/ip6_fragment_spec.rb 
@@ -1,93 +1,113 @@ require 'spec_helper_acceptance' -describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do - before :all do - ip6tables_flush_all_tables - end +if default['platform'] =~ /el-5/ + describe "firewall ip6tables doesn't work on 1.3.5 because --comment is missing" do + before :all do + ip6tables_flush_all_tables + end - shared_examples "is idempotent" do |values, line_match| - it "changes the values to #{values}" do + it "can't use ip6tables" do pp = <<-EOS - class { '::firewall': } - firewall { '599 - test': - ensure => present, - proto => 'tcp', - provider => 'ip6tables', - #{values} - } + class { '::firewall': } + firewall { '599 - test': + ensure => present, + proto => 'tcp', + provider => 'ip6tables', + } EOS - - apply_manifest(pp, :catch_failures => true) - apply_manifest(pp, :catch_changes => true) - - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/#{line_match}/) - end + expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/ip6tables provider is not supported/) end end - shared_examples "doesn't change" do |values, line_match| - it "doesn't change the values to #{values}" do - pp = <<-EOS - class { '::firewall': } - firewall { '599 - test': - ensure => present, - proto => 'tcp', - provider => 'ip6tables', - #{values} - } - EOS +else + describe 'firewall ishasmorefrags/islastfrag/isfirstfrag properties' do + before :all do + ip6tables_flush_all_tables + end - apply_manifest(pp, :catch_changes => true) + shared_examples "is idempotent" do |values, line_match| + it "changes the values to #{values}" do + pp = <<-EOS + class { '::firewall': } + firewall { '599 - test': + ensure => present, + proto => 'tcp', + provider => 'ip6tables', + #{values} + } + EOS - shell('ip6tables-save') do |r| - expect(r.stdout).to match(/#{line_match}/) - end - end - end + apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) - describe 'adding a rule' do - context 'when unset' do - before 
:all do - ip6tables_flush_all_tables + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/#{line_match}/) + end end - it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/ end - context 'when set to true' do - before :all do - ip6tables_flush_all_tables - end - it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/ - end - context 'when set to false' do - before :all do - ip6tables_flush_all_tables + shared_examples "doesn't change" do |values, line_match| + it "doesn't change the values to #{values}" do + pp = <<-EOS + class { '::firewall': } + firewall { '599 - test': + ensure => present, + proto => 'tcp', + provider => 'ip6tables', + #{values} + } + EOS + + apply_manifest(pp, :catch_changes => true) + + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/#{line_match}/) + end end - it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/ end - end - describe 'editing a rule' do - context 'when unset or false' do - before :each do - ip6tables_flush_all_tables - shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"') - end - context 'and current value is false' do - it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/ + + describe 'adding a rule' do + context 'when unset' do + before :all do + ip6tables_flush_all_tables + end + it_behaves_like 'is idempotent', '', /-A INPUT -p tcp -m comment --comment "599 - test"/ end - context 'and current value is true' do + context 'when set to true' do + before :all do + ip6tables_flush_all_tables + end it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => 
true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/ end - end - context 'when set to true' do - before :each do - ip6tables_flush_all_tables - shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"') - end - context 'and current value is false' do + context 'when set to false' do + before :all do + ip6tables_flush_all_tables + end it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/ end - context 'and current value is true' do - it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/ + end + describe 'editing a rule' do + context 'when unset or false' do + before :each do + ip6tables_flush_all_tables + shell('/sbin/ip6tables -A INPUT -p tcp -m comment --comment "599 - test"') + end + context 'and current value is false' do + it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/ + end + context 'and current value is true' do + it_behaves_like "is idempotent", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/ + end + end + context 'when set to true' do + before :each do + ip6tables_flush_all_tables + shell('/sbin/ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"') + end + context 'and current value is 
false' do + it_behaves_like "is idempotent", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', /-A INPUT -p tcp -m comment --comment "599 - test"/ + end + context 'and current value is true' do + it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', /-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"/ + end end end end diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb index 75a1505..cebe753 100644 --- a/spec/acceptance/purge_spec.rb +++ b/spec/acceptance/purge_spec.rb @@ -118,7 +118,7 @@ describe "purge tests:" do apply_manifest(pp, :catch_failures => true) - expect(shell('/sbin/iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1\/32 -p tcp\s?\n-A INPUT -s 1\.2\.1\.1\/32 -p udp/) + expect(shell('/sbin/iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/) end end end diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb index df6dc3a..b0e66ae 100644 --- a/spec/acceptance/rules_spec.rb +++ b/spec/acceptance/rules_spec.rb 
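Review bot: The el-5 branch of ip6_fragment_spec.rb asserts on the provider's error text, `expect(apply_manifest(pp, :expect_failures => true).stderr).to match(/ip6tables provider is not supported/)`, but nothing in the spec says where that message comes from, and the describe title attributes the failure to the missing `--comment` while the assertion only observes the version gate. A one-line comment above the expectation, such as `# message raised by the ip6tables provider's initialize when iptables is 1.3.x`, would tell the next maintainer which change in lib/ to update alongside this test if the wording changes.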
@@ -103,10 +103,10 @@ describe 'complex ruleset 1' do /INPUT ACCEPT/, /FORWARD ACCEPT/, /OUTPUT ACCEPT/, - /-A FORWARD -s 10.0.0.0\/8 -d 10.0.0.0\/8 -m comment --comment \"090 forward allow local\" -j ACCEPT/, - /-A FORWARD -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/, - /-A FORWARD -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/, - /-A FORWARD -s 10.0.0.0\/8 ! -d 10.0.0.0\/8 -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/ + /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/, + /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/, + /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/, + /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/ ].each do |line| expect(r.stdout).to match(line) end 
@@ -238,7 +238,7 @@ describe 'complex ruleset 2' do
 /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
 /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
 /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
- /-A INPUT -s 10.0.0.0\/8 -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
+ /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
 /-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
 /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
 /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb
index 80ceafb..2436503 100644
--- a/spec/acceptance/socket_spec.rb
+++ b/spec/acceptance/socket_spec.rb
@@ -1,95 +1,98 @@ require 'spec_helper_acceptance' -describe 'firewall socket property' do - before :all do - iptables_flush_all_tables - end +# RHEL5 does not support -m socket +if default['platform'] !~ /el-5/ + describe 'firewall socket property' do + before :all do + iptables_flush_all_tables + end - shared_examples "is idempotent" do |value, line_match| - it "changes the value to #{value}" do - pp = <<-EOS - class { '::firewall': } - firewall { '598 - test': - ensure => present, - proto => 'tcp', - chain => 'PREROUTING', - table => 'raw', - #{value} - } - EOS + shared_examples "is idempotent" do |value, line_match| + it "changes the value to #{value}" do + pp = <<-EOS + class { '::firewall': } + firewall { '598 - test': + ensure => present, + proto => 'tcp', + chain => 'PREROUTING', + table => 'raw', + #{value} + } + EOS - apply_manifest(pp, :catch_failures => true) - apply_manifest(pp, :catch_changes => true) + apply_manifest(pp, :catch_failures => true) + apply_manifest(pp, :catch_changes => true) - shell('iptables-save -t raw') do |r| - expect(r.stdout).to match(/#{line_match}/) + shell('iptables-save -t raw') do |r| + expect(r.stdout).to match(/#{line_match}/) + end end end - end - shared_examples "doesn't change" do |value, line_match| - it "doesn't change the value to #{value}" do - pp = <<-EOS - class { '::firewall': } - firewall { '598 - test': - ensure => present, - proto => 'tcp', - chain => 'PREROUTING', - table => 'raw', - #{value} - } - EOS + shared_examples "doesn't change" do |value, line_match| + it "doesn't change the value to #{value}" do + pp = <<-EOS + class { '::firewall': } + firewall { '598 - test': + ensure => present, + proto => 'tcp', + chain => 'PREROUTING', + table => 'raw', + #{value} + } + EOS - apply_manifest(pp, :catch_changes => true) + apply_manifest(pp, :catch_changes => true) - shell('iptables-save -t raw') do |r| - expect(r.stdout).to match(/#{line_match}/) + shell('iptables-save -t raw') do |r| + expect(r.stdout).to 
match(/#{line_match}/) + end end end - end - describe 'adding a rule' do - context 'when unset' do - before :all do - iptables_flush_all_tables - end - it_behaves_like 'is idempotent', '', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ - end - context 'when set to true' do - before :all do - iptables_flush_all_tables - end - it_behaves_like 'is idempotent', 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/ - end - context 'when set to false' do - before :all do - iptables_flush_all_tables - end - it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ - end - end - describe 'editing a rule' do - context 'when unset or false' do - before :each do - iptables_flush_all_tables - shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"') + describe 'adding a rule' do + context 'when unset' do + before :all do + iptables_flush_all_tables + end + it_behaves_like 'is idempotent', '', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ end - context 'and current value is false' do - it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ + context 'when set to true' do + before :all do + iptables_flush_all_tables + end + it_behaves_like 'is idempotent', 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/ end - context 'and current value is true' do - it_behaves_like "is idempotent", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/ + context 'when set to false' do + before :all do + iptables_flush_all_tables + end + it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ end end - context 'when set to true' do - before :each do - iptables_flush_all_tables - shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"') - end - context 
'and current value is false' do - it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ + describe 'editing a rule' do + context 'when unset or false' do + before :each do + iptables_flush_all_tables + shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m comment --comment "598 - test"') + end + context 'and current value is false' do + it_behaves_like "doesn't change", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ + end + context 'and current value is true' do + it_behaves_like "is idempotent", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/ + end end - context 'and current value is true' do - it_behaves_like "doesn't change", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/ + context 'when set to true' do + before :each do + iptables_flush_all_tables + shell('/sbin/iptables -t raw -A PREROUTING -p tcp -m socket -m comment --comment "598 - test"') + end + context 'and current value is false' do + it_behaves_like "is idempotent", 'socket => false,', /-A PREROUTING -p tcp -m comment --comment "598 - test"/ + end + context 'and current value is true' do + it_behaves_like "doesn't change", 'socket => true,', /-A PREROUTING -p tcp -m socket -m comment --comment "598 - test"/ + end end end end
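Review bot: Wrapping the whole file in a top-level `if default['platform'] !~ /el-5/` makes the socket coverage disappear silently on that platform: RSpec loads a file that defines no examples and the run reports nothing skipped, so a regression in platform detection would go unnoticed. RSpec's group metadata expresses the same condition without re-indenting 95 lines and shows up as a skipped group in the output: `describe 'firewall socket property', :unless => (default['platform'] =~ /el-5/) do`, with the existing `# RHEL5 does not support -m socket` comment kept above it. The hunk before purge_spec appears to use the same wrapping for the frag properties, but its start is outside this chunk so I cannot confirm it.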