Changes in 3e13bf3 broke tests for Ruby 1.9.3 which doesn't support
Enumerable on Strings. Work around this by casting everything as an array and
flattening to prevent existing arrays from being encapsulated.
Ken Barber [Fri, 22 Feb 2013 16:55:37 +0000 (16:55 +0000)]
Add support for single --sport and --dport parsing
Previously if someone already had a rule with a single --sport or --dport we
would fail the parse. This now accepts parsing in the single variant, while
still supporting the multiport variant.
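The two fixes above, the `[x].flatten` portability trick and accepting both the single and the multiport port options, shown together in an added Ruby example. This is not the module's own provider code; the option names are iptables' own, everything else (function names, the returned hash shape) is an assumption for illustration.

```ruby
# Added example, not the puppetlabs-firewall provider code: port option
# parsing for one iptables-save rule line. Single "--dport 22" and multiport
# "-m multiport --dports 22,80" are both accepted and both end up as an array.
#
# [value].flatten is the portability trick from the commit above: "22".to_a
# fails on Ruby 1.9.3 (String is not Enumerable there), while [value].flatten
# gives ["22"] for a String and leaves an Array as it is instead of nesting it.
def ports_to_array(value)
  [value].flatten.map(&:to_s)
end

# Returns { :sport => [...], :dport => [...] } for the rule line. A range such
# as "1024:65535" stays one element, as in iptables' own syntax.
def parse_ports(line)
  args = line.split(/\s+/)
  result = { :sport => [], :dport => [] }
  args.each_with_index do |arg, i|
    value = args[i + 1]
    next if value.nil?
    case arg
    when '--sport'  then result[:sport] = ports_to_array(value)            # String in
    when '--dport'  then result[:dport] = ports_to_array(value)
    when '--sports' then result[:sport] = ports_to_array(value.split(','))  # Array in
    when '--dports' then result[:dport] = ports_to_array(value.split(','))
    end
  end
  result
end

# The other direction: emit the single form when there is one port and the
# multiport form otherwise, so a rule written back still round-trips.
def port_args(option, ports)
  ports = ports_to_array(ports)
  return [] if ports.empty?
  if ports.length == 1
    ["--#{option}", ports.first]
  else
    ['-m', 'multiport', "--#{option}s", ports.join(',')]
  end
end
```

`ports_to_array` is the only place that needs to care whether it was handed a String or an Array, which is what keeps the single and multiport branches free of version-specific code.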
Ken Barber [Sun, 3 Feb 2013 02:10:35 +0000 (03:10 +0100)]
Merge branch 'standardize_travis'
* standardize_travis:
Fix require of precise puppet library
Update travis and gemfile to be like stdlib travis files
Remove gemfile.lock and add to gitignore
Ken Barber [Mon, 14 Jan 2013 03:22:29 +0000 (03:22 +0000)]
Update test framework to the modern age
* Install puppetlabs_spec_helper and removed the stuff we were using previously
* Get tests running on 3.0.x
* Update gemspecs to more recent revisions of test tooling
Sharif Nassar [Tue, 27 Nov 2012 22:32:46 +0000 (14:32 -0800)]
(#14463) Fix to pass unit tests
* Add a default protocol to fix the test for converting the string 'ssh' to a
port number, which was failing like so:
1) Puppet::Type::Firewall dport should convert a port name for dport to its number
Failure/Error: @resource[port] = 'ssh'
Puppet::Error:
Parameter dport failed: Munging failed for value "ssh" in class dport: no such service ssh/proto
# ./lib/puppet/type/../../puppet/util/firewall.rb:84:in `getservbyname'
# ./lib/puppet/type/../../puppet/util/firewall.rb:84:in `string_to_port'
# ./lib/puppet/type/firewall.rb:164:in `unsafe_munge'
# ./spec/unit/puppet/type/firewall_spec.rb:161
sfozz [Fri, 24 Aug 2012 11:30:39 +0000 (12:30 +0100)]
Add missing class declaration
README.markdown was missing details about declaring 'my_fw::pre'
and 'my_fw::post' which caused folks following the example to see
the following error:
Could not find dependency Class[My_w::Pre] for Firewall[BLAH]
Ken Barber [Tue, 24 Jul 2012 19:29:54 +0000 (20:29 +0100)]
(#10322) Insert order hash included chains from different tables
This fix corrects the insert_order handling to make sure that not only are
rules from the same chain evaluated, but we also check that the table
matches as well.
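An added Ruby example of the position calculation this commit corrects. It is not the module's own insert_order code; the `Rule` struct, function names and the sample rule names are assumptions made for illustration, and the ordering-by-name convention is the module's usual "000 ..." numeric prefix.

```ruby
# Added example, not the puppetlabs-firewall insert_order code: compute the
# 1-based position handed to `iptables -t <table> -I <chain> <pos>` for a new
# managed rule. Rules are ordered by name, so the new rule goes after every
# existing rule in the SAME table and chain whose name sorts before it.
Rule = Struct.new(:table, :chain, :name)

def insert_order(existing, new_rule)
  siblings = existing.select do |r|
    r.table == new_rule.table && r.chain == new_rule.chain
  end
  siblings.count { |r| r.name < new_rule.name } + 1
end

# The chain-only matching described as the pre-fix behaviour, kept for
# comparison: a rule in another table's chain of the same name (nat:INPUT
# next to filter:INPUT) can be counted too, pushing the new rule down a slot.
def insert_order_chain_only(existing, new_rule)
  siblings = existing.select { |r| r.chain == new_rule.chain }
  siblings.count { |r| r.name < new_rule.name } + 1
end
```

With a rule named "000 ..." sitting in nat:INPUT, the chain-only version inserts a new filter:INPUT rule one position too far down, which is exactly the symptom of ignoring the table.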
Dan Carley [Fri, 6 Jul 2012 07:22:32 +0000 (08:22 +0100)]
(#15556) Support for ICMP6 type code resolutions
Add support for IPv6 ICMP code types as strings, which differ in mapping
from IPv4. A subset of the currently supported strings for IPv4 are
supported where applicable to the IPv6 specification.
Currently the only way of determining the protocol family is by whether the
provider is :iptables or :ip6tables. This can be changed within the type in
the future.
Ken Barber [Wed, 20 Jun 2012 17:26:05 +0000 (18:26 +0100)]
(#14755) Stub iptables_version for now so tests run on non-Linux hosts
Without a stub some tests fail on non-Linux hosts. This is because they are
expecting a particular version of iptables to exist which isn't always true.
The right answer for the provider is to actually allow the fact to be set
per test, but for now we are doing a global override just to make tests pass.
Dan Carley [Thu, 24 May 2012 18:02:06 +0000 (19:02 +0100)]
(#9364 #10085) Normalise iptables-save to CIDR
Normalise all source and destination addresses to CIDR notation as they are
reverse-parsed from iptables-save. This ensures that they match how
addresses are forward-parsed by the type with Util::Firewall.host_to_ip.
Fixes two issues which both principally affect EL5 and may affect other
providers in the future.
Issue #9364:
Single IP addresses not representing a range should be qualified in CIDR
notation with /32 for IPv4 and /128 for IPv6.
Issue #10085:
Addresses with a dotted quad netmask representing a range should be
qualified in CIDR notation instead.
Dan Carley [Thu, 24 May 2012 17:57:46 +0000 (18:57 +0100)]
(#9364 #10085) Convert an existing test to CIDR
Modify an existing test which has a source IP address without CIDR notation.
This will break after normalisation because [:params][:source] is expected
to be CIDR. Updating -s within [:line] too, since we aren't explicitly testing
that behaviour with this fixture.
Dan Carley [Fri, 25 May 2012 06:41:36 +0000 (07:41 +0100)]
(#10274) Nullify addresses with zero prefixlen
Modify the behaviour of Util::Firewall.host_to_ip, as used by the type to
parse source and destination addresses, to return nil if the resulting CIDR
represented address has a prefix length of zero. Includes type and provider
tests for IPv4 and IPv6.
IPtables silently omits rules with source and destination addresses that
have a prefix length of zero (eg. 0.0.0.0/0) because they are functionally
equivialent to not specifying any address. This was causing rules to be
unecessarily reloaded.
The behaviour of Util::IPcidr remains the same. Now includes some additional
tests for its identification of zero prefixlen IPv4 and IPv6 addresses.
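The CIDR normalisation from the two #9364/#10085 commits and the zero-prefixlen rule from #10274, as one added Ruby example built on the standard `ipaddr` library. This is not the module's Util::Firewall.host_to_ip or Util::IPcidr; hostname resolution is deliberately left out, and the function names are assumptions.

```ruby
require 'ipaddr'

# Added example, not the puppetlabs-firewall Util::Firewall.host_to_ip code:
# normalise an address from a manifest or from iptables-save to CIDR, the
# form in which both parsing directions are compared. Only literal IPv4/IPv6
# addresses are handled here.
#   "10.0.0.1"               -> "10.0.0.1/32"
#   "10.1.2.0/255.255.255.0" -> "10.1.2.0/24"
#   "2001:db8::1"            -> "2001:db8::1/128"
#   "0.0.0.0/0" or "::/0"    -> nil
def host_to_cidr(value)
  ip = IPAddr.new(value.to_s.strip)   # accepts /prefixlen and dotted-quad masks
  prefix = ip.prefix
  # A zero prefix length matches every address, which is the same as giving
  # no address at all. iptables-save omits it, so returning nil keeps the
  # resource from being seen as changed on every run.
  return nil if prefix.zero?
  "#{ip}/#{prefix}"
rescue IPAddr::InvalidAddressError
  raise ArgumentError, "not an IP address or network: #{value.inspect}"
end

# Separate predicate for the zero-prefixlen check, for IPv4 and IPv6 alike.
def zero_prefixlen?(value)
  IPAddr.new(value.to_s.strip).prefix.zero?
end
```

Because `IPAddr` applies the mask to the address, a host address given with a network mask ("10.1.2.3/255.255.255.0") comes back as the network ("10.1.2.0/24"), which is also what iptables-save prints for it.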
Sharif Nassar [Sat, 21 Jan 2012 01:22:16 +0000 (17:22 -0800)]
(#14590) Fix for when iptables-save spews out "FATAL" errors.
On some broken Virtuozzo containers, /lib/modules/$(uname -r)/modules.dep is
absent. This causes iptables-save to give some "FATAL" errors. This patch
fixes the parser to ignore them instead of generating garbage rules that make
for errors in the puppet agent run.
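An added Ruby example of the kind of defensive iptables-save parsing this commit describes: everything that is not a table header, a rule or a COMMIT line is dropped instead of becoming a rule. It is not the module's own provider parser; the sample output below is constructed (the kernel version in the FATAL line is made up) and the returned hash shape is an assumption.

```ruby
# Added example, not the puppetlabs-firewall provider code: walk iptables-save
# output and return only real rules, tagged with their table. "FATAL: ..."
# diagnostics, "# ..." comments and ":CHAIN POLICY [p:b]" lines are ignored
# rather than turned into garbage rules.
def parse_iptables_save(output)
  table = nil
  rules = []
  output.each_line do |raw|
    line = raw.strip
    if line =~ /\A\*(\S+)\z/                 # "*filter": start of a table
      table = $1
    elsif line == 'COMMIT'                   # end of the current table
      table = nil
    elsif line =~ /\A-A\s+(\S+)\s+(.*)\z/    # a rule appended to a chain
      rules << { :table => table, :chain => $1, :args => $2 } unless table.nil?
    end
    # Anything else is noise for our purposes and is deliberately skipped.
  end
  rules
end

# Constructed sample, modelled on the broken-container case: the modules.dep
# error text is what modprobe prints, the kernel version is invented.
SAMPLE_SAVE = <<~SAVE
  # Generated by iptables-save v1.4.7
  FATAL: Could not load /lib/modules/2.6.32/modules.dep: No such file or directory
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -m comment --comment "000 accept all icmp" -p icmp -j ACCEPT
  FATAL: Could not load /lib/modules/2.6.32/modules.dep: No such file or directory
  -A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
  COMMIT
SAVE
```

Requiring a current table for every `-A` line is the second guard: a rule line that somehow appears outside a `*table ... COMMIT` block is discarded too, since the provider could not know which table to delete or insert it in.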
Ken Barber [Sun, 13 May 2012 21:52:58 +0000 (22:52 +0100)]
Merge branch 'ticket/master/14455'
* ticket/master/14455:
(#14455) Add tests for interface names containing a "+". Add a few missing tests for VLAN support.
(#14455) Support interface names containing "+"
Dan Carley [Mon, 26 Mar 2012 08:44:38 +0000 (01:44 -0700)]
Merge pull request #69 from kbarber/ticket/10619-Unable_to_purge_rules
* (#10619) Add the table when deleting rules
* (#10619) Fix tests since we are now prefixing -t <table> during delete
* Fix extraneous trailing whitespace
Ken Barber [Mon, 19 Mar 2012 17:44:48 +0000 (17:44 +0000)]
(#13216) Fix README so setup instructions actually work
The old setup instructions were vague, and incorrect. This fixes those
instructions so they actually work, and breaks them out into their own
section.
Dan Carley [Sat, 17 Mar 2012 11:00:56 +0000 (11:00 +0000)]
(#13201) Firewall autorequire Firewallchains
Autorequire Firewallchain resources for Firewall resources that have jump or
chain parameters. Remove require params from README examples now that
they're not essential.
Only deals with iptables and ip6tables providers, which have support for
chains. Doesn't attempt to weed out chains that might be builtin. Just let
Puppet determine which of the resources are really managed.
Ken Barber [Mon, 12 Mar 2012 04:16:33 +0000 (21:16 -0700)]
(#10162) Various fixes for firewallchain resource
* Convert commands to optional_commands to avoid iptables installation chicken
& egg scenarios.
* Downcase tables to match the table names in xtables
* Force fully qualifying the name as <table>:<chain>:<protocol>, we can add
meaningful defaults later.
* puppet resource <name> command wasn't working as expected, but stripping out
some of the meaningful defaults I was able to get this to work.
* Reformat some of the code to avoid overrunning 80 chars where possible
* Remove trailing whitespace
* Add flush to provider so that resource modifications immediately update the
resource in reports and when using puppet resource.
* Removed any commented out code
* Improved documentation
* Change policy so it's undefined when not set, instead of being :empty
* Fix test mocking so they will run on a Mac
Daniel Black [Thu, 1 Mar 2012 01:46:02 +0000 (12:46 +1100)]
(#10162) add firewallchain type and iptables_chain provider
Add firewallchain type and iptables_chain provider. This is required
to support the firewall class and it is envisaged that an autorequire
will be used to automatically require the user chain. This type can also set
policies on inbuilt chains.
Dan Carley [Fri, 9 Mar 2012 09:13:33 +0000 (09:13 +0000)]
(#10164) Reject and document icmp => "any"
iptables accepts the string "any" as an ICMP type and stores it behind the
scenes as the fake (IANA reserved) numeric 255. This is functionally
equivalent to not specifying an `--icmp-type` argument.
ip6tables didn't carry this "feature" over. Like many other providers, the
matching of any ICMP packet type is only achieved by omitting the
`--icmpv6-type` argument.
For the purpose of simpler logic and future provider compatibility we
prevent people from using the value "any" and advise them to omit/undefine
the param instead.
Include a test that somewhat duplicates the prevention of invalid strings
but would preserve this behaviour should icmp_name_to_number() ever change.