Ken Barber [Fri, 12 Apr 2013 12:48:56 +0000 (13:48 +0100)]
Merge branch '20125'
* 20125:
(#20125) Add persistence support for Archlinux platform
(#20125) Use PATH to find (ip|ip6|eb)tables for chain provider
(#20125) Use PATH to find (ip|ip6)tables for (ip|ip6)tables provider
(#20125) Add archlinux firewall class and unit test
Ken Barber [Wed, 10 Apr 2013 12:44:38 +0000 (13:44 +0100)]
Get rid of examples it isn't being maintained and it belongs in docs
I think the expectation that people should drop to looking at code for examples
is wrong anyway, we should express examples through documentation if we can.
Dan Carley [Mon, 4 Mar 2013 08:08:51 +0000 (08:08 +0000)]
(GH-139) Throw away STDERR from dpkg-query in Fact
Newer versions of dpkg-query, as of Ubuntu 12.10, will make noise on STDERR
if the queried package isn't currently installed. Facter's `exec()` outputs
this without giving us a chance to catch it.
Pipe STDERR to `/dev/null` so that it's not seen by the end-user. STDOUT
will still be `nil` if the package isn't installed. It doesn't seem
reasonable to spec test for this without reaching deep into Facter, so I'm
not going to.
Dan Carley [Sun, 3 Mar 2013 14:32:38 +0000 (14:32 +0000)]
(GH-129) Replace errant return in autoreq block
It's not valid to use `return` within a block. We could use `next []`,
however it's probably better form to just always return the array, whether
it's populated or not. This will stop the error:
    err: Got an uncaught exception of type LocalJumpError: unexpected return
When one of the listed providers isn't selected. Which is suitable, because
this autorequire won't be suitable to any other future providers anyway.
Dan Carley [Sat, 2 Mar 2013 18:30:12 +0000 (18:30 +0000)]
Tests for #persist_iptables
Basic coverage of protocol and OS detection. Including older and newer
Debian versions. Nearly all based on expectations since there aren't any
return values.
Dan Carley [Sat, 2 Mar 2013 17:44:34 +0000 (17:44 +0000)]
Typo in #persist_iptables OS normalisation
Debian is upstream of Ubuntu. Not the other way around. Would have affected
users of Facter <1.6.2 which doesn't have osfamily. Discovered while writing
tests, yey tests.
Dan Carley [Fri, 1 Mar 2013 18:55:32 +0000 (18:55 +0000)]
(GH-134) Autorequire iptables related packages
autorequires from firewall and firewallchain resources to iptables and
iptables-persistent packages, when the appropriate provider is selected and
the packages are managed in the catalog. This will prevent failed rule
creation and persistence on fresh nodes where the packages may not be
pre-installed.
- Persistence may fail on the first run if Firewall resources are actioned
before the Package resource.
- Older iptables-persistent doesn't support the restoration of ip6tables.
- ebtables cannot be restored.
Ken Barber [Thu, 28 Feb 2013 21:15:02 +0000 (21:15 +0000)]
(GH-128) Change method_missing to define_method
Previously method_missing was enough to create dynamic methods but Puppet 3.0
broke that functionality. So here we used 'define_method' instead to work
around that.
Dan Carley [Sat, 23 Feb 2013 14:36:17 +0000 (14:36 +0000)]
Mock Resolv.getaddress in #host_to_ip
Add an expect for Resolv.getaddress in Puppet::Util::Firewall#host_to_ip so
that the test can be run when disconnected from the net. Also isolates it
should puppetlabs.com move to a different address.
Changes in 3e13bf3 broke tests for Ruby 1.9.3 which doesn't support
Enumerable on Strings. Work around this by casting everything as an array and
flattening to prevent existing arrays from being encapsulated.
Ken Barber [Fri, 22 Feb 2013 16:55:37 +0000 (16:55 +0000)]
Add support for single --sport and --dport parsing
Previously if someone already had a rule with a single --sport or --dport we
would fail the parse. This now accepts parsing in the single variant, while
still supporting the multiport variant.
Ken Barber [Sun, 3 Feb 2013 02:10:35 +0000 (03:10 +0100)]
Merge branch 'standardize_travis'
* standardize_travis:
Fix require of precise puppet library
Update travis and gemfile to be like stdlib travis files
Remove gemfile.lock and add to gitignore
Ken Barber [Mon, 14 Jan 2013 03:22:29 +0000 (03:22 +0000)]
Update test framework to the modern age
* Install puppetlabs_spec_helper and removed the stuff we were using previously
* Get tests running on 3.0.x
* Update gemspecs to more recent revisions of test tooling
Sharif Nassar [Tue, 27 Nov 2012 22:32:46 +0000 (14:32 -0800)]
(#14463) Fix to pass unit tests
* Add default protocol to fix the test for converting a string 'ssh' to a port
number was failing like so:
    1) Puppet::Type::Firewall dport should convert a port name for dport to its number
       Failure/Error: @resource[port] = 'ssh'
       Puppet::Error:
         Parameter dport failed: Munging failed for value "ssh" in class dport: no such service ssh/proto
       # ./lib/puppet/type/../../puppet/util/firewall.rb:84:in `getservbyname'
       # ./lib/puppet/type/../../puppet/util/firewall.rb:84:in `string_to_port'
       # ./lib/puppet/type/firewall.rb:164:in `unsafe_munge'
       # ./spec/unit/puppet/type/firewall_spec.rb:161
sfozz [Fri, 24 Aug 2012 11:30:39 +0000 (12:30 +0100)]
Add missing class declaration
README.markdown was missing details about declaring 'my_fw::pre'
and 'my_fw::post' which caused folks following the example to see
the following error:
    Could not find dependency Class[My_w::Pre] for Firewall[BLAH]
Ken Barber [Tue, 24 Jul 2012 19:29:54 +0000 (20:29 +0100)]
(#10322) Insert order hash included chains from different tables
This fix corrects the insert_order handling to make sure that not only are
rules from the same chain evaluated, but we also check that the table
matches as well.
Dan Carley [Fri, 6 Jul 2012 07:22:32 +0000 (08:22 +0100)]
(#15556) Support for ICMP6 type code resolutions
Add support for IPv6 ICMP code types as strings, which differ in mapping
from IPv4. A subset of the currently supported strings for IPv4 are
supported where applicable to the IPv6 specification.
Currently the only way of determining the protocol family is by whether the
provider is :iptables or :ip6tables. This can be changed within the type in
the future.
Ken Barber [Wed, 20 Jun 2012 17:26:05 +0000 (18:26 +0100)]
(#14755) Stub iptables_version for now so tests run on non-Linux hosts
Without a stub some tests fail on non-Linux hosts. This is because they are
expecting a particular version of iptables to exist which isn't always true.
The right answer for the provider is to actually allow the fact to be set
per test, but for now we are doing a global override just to make tests pass.
Dan Carley [Thu, 24 May 2012 18:02:06 +0000 (19:02 +0100)]
(#9364 #10085) Normalise iptables-save to CIDR
Normalise all source and destination addresses to CIDR notation as they are
reverse-parsed from iptables-save. This ensures that they match how
addresses are forward-parsed by the type with Util::Firewall.host_to_ip.
Fixes two issues which both principally affect EL5 and may affect other
providers in the future.
Issue #9364:
Single IP addresses not representing a range should be qualified in CIDR
notation with /32 for IPv4 and /128 for IPv6.
Issue #10085:
Addresses with a dotted quad netmask representing a range should be
qualified in CIDR notation instead.
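
The CIDR normalisation described in the (#9364 #10085) commit above, as an added example that is not the module's own code: it uses Ruby's standard `IPAddr` class, the function names `netmask_to_prefix`, `normalise_to_cidr` and `normalise_rule` are hypothetical, and the rule lines are constructed samples. Non-contiguous netmasks are rejected rather than guessed at, so a malformed saved rule cannot be silently matched against a declared one.

```ruby
require 'ipaddr'

# Convert a dotted-quad (or IPv6) netmask to a prefix length, rejecting
# masks whose set bits are not contiguous from the most significant bit.
def netmask_to_prefix(mask, width)
  m = IPAddr.new(mask)
  raise ArgumentError, "netmask family mismatch: #{mask}" unless m.ipv4? == (width == 32)
  ones = m.to_i.to_s(2).count('1')
  expected = ((1 << ones) - 1) << (width - ones)
  raise ArgumentError, "non-contiguous netmask: #{mask}" unless m.to_i == expected
  ones
end

# Normalise "addr", "addr/prefix" or "addr/netmask" to "addr/prefix":
# a bare address gets /32 (IPv4) or /128 (IPv6), a netmask becomes a prefix.
def normalise_to_cidr(value)
  addr, mask = value.strip.split('/', 2)
  ip = IPAddr.new(addr) # raises IPAddr::InvalidAddressError on junk input
  width = ip.ipv4? ? 32 : 128
  prefix = if mask.nil? then width
           elsif mask =~ /\A\d+\z/ then Integer(mask, 10)
           else netmask_to_prefix(mask, width)
           end
  raise ArgumentError, "prefix out of range: #{value}" unless (0..width).cover?(prefix)
  "#{ip}/#{prefix}"
end

# Rewrite the -s / -d arguments of one iptables-save style rule line.
def normalise_rule(line)
  line.gsub(/(?<!\S)(-[sd]) (\S+)/) { "#{$1} #{normalise_to_cidr($2)}" }
end

# Constructed sample lines using documentation address ranges.
SAMPLE_RULES = [
  '-A INPUT -s 192.0.2.10 -p tcp -m tcp --dport 22 -j ACCEPT',
  '-A INPUT -s 198.51.100.0/255.255.255.0 -d 192.0.2.1 -j DROP'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RULES.each { |rule| puts normalise_rule(rule) }
end
```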