Add a check to see if running Fedora 15 in order to use init scripts
provided by systemd. This adds compatibility for systemd on Fedora,
which currently returns an incorrect failure message when persisting
rules.
Dan Carley [Mon, 4 Mar 2013 08:08:51 +0000 (08:08 +0000)]
(GH-139) Throw away STDERR from dpkg-query in Fact
Newer versions of dpkg-query, as of Ubuntu 12.10, will make noise on STDERR
if the queried package isn't currently installed. Facter's `exec()` outputs
this without giving us a chance to catch it.
Pipe STDERR to `/dev/null` so that it's not seen by the end-user. STDOUT
will still be `nil` if the package isn't installed. It doesn't seem
reasonable to spec test for this without reaching deep into Facter, so I'm
not going to.
Dan Carley [Sun, 3 Mar 2013 14:32:38 +0000 (14:32 +0000)]
(GH-129) Replace errant return in autoreq block
It's not valid to use `return` within a block. We could use `next []`,
however it's probably better form to just always return the array, whether
it's populated or not. This will stop the error:
err: Got an uncaught exception of type LocalJumpError: unexpected return
when one of the listed providers isn't selected, which is suitable because
this autorequire won't be suitable to any other future providers anyway.
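The failure mode described in this commit, as an added illustration that is not the module's own code: a Puppet-style autorequire block is stored when the type is defined and only called later, after the defining method has returned, so a `return` inside it has nowhere to jump to. `FakeType`, `BrokenChain` and `FixedChain` are hypothetical names.

```ruby
# Minimal stand-in for Puppet's Type.autorequire: blocks are stored at
# definition time and evaluated later (hypothetical class, not Puppet's).
class FakeType
  def self.autorequire(name, &block)
    (@autorequires ||= {})[name] = block
  end

  def self.autorequires
    @autorequires || {}
  end

  # Evaluate a stored block for a given provider, as Puppet would at compile time.
  def self.resolve(name, provider)
    autorequires[name].call(provider)
  end
end

# The errant form: `return` inside a proc whose home method (define) has
# already returned raises LocalJumpError: unexpected return when it fires.
class BrokenChain < FakeType
  def self.define
    autorequire(:package) do |provider|
      return [] unless provider == :iptables
      ['iptables', 'iptables-persistent']
    end
  end
end

# The fixed form: always return the array, populated or not.
class FixedChain < FakeType
  def self.define
    autorequire(:package) do |provider|
      reqs = []
      reqs += ['iptables', 'iptables-persistent'] if provider == :iptables
      reqs
    end
  end
end

BrokenChain.define
FixedChain.define

# Returns the autorequire result, or the exception class name if it blew up.
def broken_result(provider)
  BrokenChain.resolve(:package, provider)
rescue LocalJumpError => e
  e.class.name
end
```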
Dan Carley [Sat, 2 Mar 2013 18:30:12 +0000 (18:30 +0000)]
Tests for #persist_iptables
Basic coverage of protocol and OS detection. Including older and newer
Debian versions. Nearly all based on expectations since there aren't any
return values.
Dan Carley [Sat, 2 Mar 2013 17:44:34 +0000 (17:44 +0000)]
Typo in #persist_iptables OS normalisation
Debian is upstream of Ubuntu. Not the other way around. Would have affected
users of Facter <1.6.2 which doesn't have osfamily. Discovered while writing
tests, yey tests.
Dan Carley [Fri, 1 Mar 2013 18:55:32 +0000 (18:55 +0000)]
(GH-134) Autorequire iptables related packages
autorequires from firewall and firewallchain resources to iptables and
iptables-persistent packages, when the appropriate provider is selected and
the packages are managed in the catalog. This will prevent failed rule
creation and persistence on fresh nodes where the packages may not be
pre-installed.
- Persistence may fail on the first run if Firewall resources are actioned
before the Package resource.
- Older iptables-persistent doesn't support the restoration of ip6tables.
- ebtables cannot be restored.
Ken Barber [Thu, 28 Feb 2013 21:15:02 +0000 (21:15 +0000)]
(GH-128) Change method_missing to define_method
Previously method_missing was enough to create dynamic methods but Puppet 3.0
broke that functionality. So here we used 'define_method' instead to work
around that.
Dan Carley [Sat, 23 Feb 2013 14:36:17 +0000 (14:36 +0000)]
Mock Resolv.getaddress in #host_to_ip
Add an expect for Resolv.getaddress in Puppet::Util::Firewall#host_to_ip so
that the test can be run when disconnected from the net. Also isolates it
should puppetlabs.com move to a different address.
Changes in 3e13bf3 broke tests for Ruby 1.9.3 which doesn't support
Enumerable on Strings. Work around this by casting everything as an array and
flattening to prevent existing arrays from being encapsulated.
Ken Barber [Fri, 22 Feb 2013 16:55:37 +0000 (16:55 +0000)]
Add support for single --sport and --dport parsing
Previously if someone already had a rule with a single --sport or --dport we
would fail the parse. This now accepts parsing in the single variant, while
still supporting the multiport variant.
Ken Barber [Sun, 3 Feb 2013 02:10:35 +0000 (03:10 +0100)]
Merge branch 'standardize_travis'
* standardize_travis:
Fix require of precise puppet library
Update travis and gemfile to be like stdlib travis files
Remove gemfile.lock and add to gitignore
Ken Barber [Mon, 14 Jan 2013 03:22:29 +0000 (03:22 +0000)]
Update test framework to the modern age
* Install puppetlabs_spec_helper and removed the stuff we were using previously
* Get tests running on 3.0.x
* Update gemspecs to more recent revisions of test tooling
Sharif Nassar [Tue, 27 Nov 2012 22:32:46 +0000 (14:32 -0800)]
(#14463) Fix to pass unit tests
* Add default protocol to fix the test for converting a string 'ssh' to a port
number, which was failing like so:
1) Puppet::Type::Firewall dport should convert a port name for dport to its number
Failure/Error: @resource[port] = 'ssh'
Puppet::Error:
Parameter dport failed: Munging failed for value "ssh" in class dport: no such service ssh/proto
# ./lib/puppet/type/../../puppet/util/firewall.rb:84:in `getservbyname'
# ./lib/puppet/type/../../puppet/util/firewall.rb:84:in `string_to_port'
# ./lib/puppet/type/firewall.rb:164:in `unsafe_munge'
# ./spec/unit/puppet/type/firewall_spec.rb:161
sfozz [Fri, 24 Aug 2012 11:30:39 +0000 (12:30 +0100)]
Add missing class declaration
README.markdown was missing details about declaring 'my_fw::pre'
and 'my_fw::post' which caused folks following the example to see
the following error:
Could not find dependency Class[My_w::Pre] for Firewall[BLAH]
Ken Barber [Tue, 24 Jul 2012 19:29:54 +0000 (20:29 +0100)]
(#10322) Insert order hash included chains from different tables
This fix corrects the insert_order handling to make sure that not only are
rules from the same chain evaluated, but we also check that the table
matches as well.
Dan Carley [Fri, 6 Jul 2012 07:22:32 +0000 (08:22 +0100)]
(#15556) Support for ICMP6 type code resolutions
Add support for IPv6 ICMP code types as strings, which differ in mapping
from IPv4. A subset of the currently supported strings for IPv4 are
supported where applicable to the IPv6 specification.
Currently the only way of determining the protocol family is by whether the
provider is :iptables or :ip6tables. This can be changed within the type in
the future.
Ken Barber [Wed, 20 Jun 2012 17:26:05 +0000 (18:26 +0100)]
(#14755) Stub iptables_version for now so tests run on non-Linux hosts
Without a stub some tests fail on non-Linux hosts. This is because they are
expecting a particular version of iptables to exist which isn't always true.
The right answer for the provider is to actually allow the fact to be set
per test, but for now we are doing a global override just to make tests pass.
Dan Carley [Thu, 24 May 2012 18:02:06 +0000 (19:02 +0100)]
(#9364 #10085) Normalise iptables-save to CIDR
Normalise all source and destination addresses to CIDR notation as they are
reverse-parsed from iptables-save. This ensures that they match how
addresses are forward-parsed by the type with Util::Firewall.host_to_ip.
Fixes two issues which both principally affect EL5 and may affect other
providers in the future.
Issue #9364:
Single IP addresses not representing a range should be qualified in CIDR
notation with /32 for IPv4 and /128 for IPv6.
Issue #10085:
Addresses with a dotted quad netmask representing a range should be
qualified in CIDR notation instead.
Dan Carley [Thu, 24 May 2012 17:57:46 +0000 (18:57 +0100)]
(#9364 #10085) Convert an existing test to CIDR
Modify an existing test which has a source IP address without CIDR notation.
This will break after normalisation because [:params][:source] is expected
to be CIDR. Updating -s within [:line] too, since we aren't explicitly testing
that behaviour with this fixture.
Dan Carley [Fri, 25 May 2012 06:41:36 +0000 (07:41 +0100)]
(#10274) Nullify addresses with zero prefixlen
Modify the behaviour of Util::Firewall.host_to_ip, as used by the type to
parse source and destination addresses, to return nil if the resulting CIDR
represented address has a prefix length of zero. Includes type and provider
tests for IPv4 and IPv6.
IPtables silently omits rules with source and destination addresses that
have a prefix length of zero (eg. 0.0.0.0/0) because they are functionally
equivalent to not specifying any address. This was causing rules to be
unnecessarily reloaded.
The behaviour of Util::IPcidr remains the same. Now includes some additional
tests for its identification of zero prefixlen IPv4 and IPv6 addresses.
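The CIDR normalisation from the #9364/#10085 commit and the zero-prefixlen nullification from #10274, as one added example that is not the module's Util::Firewall code (`normalize_cidr` is a hypothetical helper). It takes an address as iptables-save prints it and returns the CIDR form, or nil when the prefix length is zero.

```ruby
require 'ipaddr'

# Normalise a source/destination address reverse-parsed from iptables-save.
# Hypothetical helper, not the module's own; uses only the ipaddr stdlib.
#   '10.0.0.1'                 -> '10.0.0.1/32'   (bare host, #9364)
#   '::1'                      -> '::1/128'       (bare host, #9364)
#   '10.0.0.0/255.255.255.0'   -> '10.0.0.0/24'   (dotted-quad netmask, #10085)
#   '0.0.0.0/0', '::/0'        -> nil             (matches everything, #10274)
def normalize_cidr(addr)
  return nil if addr.nil? || addr.empty?
  ip, mask = addr.split('/', 2)
  base = IPAddr.new(ip)
  prefix =
    if mask.nil?
      base.ipv4? ? 32 : 128          # single address: /32 for IPv4, /128 for IPv6
    elsif mask.include?('.')
      # Dotted-quad netmask: count the set bits to get the prefix length.
      # Assumes a contiguous mask, which is all iptables will accept.
      IPAddr.new(mask).to_i.to_s(2).count('1')
    else
      mask.to_i
    end
  # A zero prefix length is equivalent to no address at all; iptables drops it
  # silently, so returning nil avoids a spurious change on every run.
  return nil if prefix.zero?
  "#{base.mask(prefix)}/#{prefix}"
end
```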