From 0c3d94b6c282766138f33768b0d3ee91e0b1a35a Mon Sep 17 00:00:00 2001
From: Philipp Frik
Date: Wed, 3 May 2017 10:41:59 +0200
Subject: [PATCH] fix MODULES-1988
---
 lib/puppet/provider/firewall/ip6tables.rb | 4 +-
 lib/puppet/provider/firewall/iptables.rb | 4 +-
 spec/acceptance/connlimit_spec.rb | 4 +-
 spec/acceptance/connmark_spec.rb | 2 +-
 spec/acceptance/firewall_mss_spec.rb | 4 +-
 spec/acceptance/firewall_spec.rb | 34 ++---
 spec/acceptance/firewall_time_spec.rb | 4 +-
 spec/acceptance/invert_spec.rb | 2 +-
 spec/acceptance/match_mark_spec.rb | 4 +-
 spec/acceptance/rules_spec.rb | 28 ++--
 spec/fixtures/ip6tables/conversion_hash.rb | 2 +-
 spec/fixtures/iptables/conversion_hash.rb | 160 ++++++++++-----------
 12 files changed, 125 insertions(+), 127 deletions(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index c6757c2..c8b3f64 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -240,12 +240,12 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out, :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
- :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
+ :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state,
 :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest, :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
- :src_cc, :dst_cc]
+ :src_cc, :dst_cc, :name]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 09e5e08..b05ba43 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
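Review bot: `:name` is moved from the middle of the list to its very end without any comment saying why, and the commit message is only the ticket number, so the next contributor who tidies or alphabetises this list can silently undo the fix. A one-liner above the closing element, e.g. `# :name stays last so -m comment is emitted after every other match (MODULES-1988)`, would record the constraint. Note that `:jump` and the target options now precede `:name`, so the generated command carries `-m comment --comment` after `-j` and its arguments; ip6tables presumably accepts that order, but it deserves a sentence in the comment or commit message. The enclosing definition starts above the hunk, and both iptables.rb hunks make the same move and would take the same comment.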
@@ -282,7 +282,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :physdev_in, :physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out, :proto, :isfragment, :stat_mode, :stat_every, :stat_packet, :stat_probability, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
- :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
+ :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy,
 :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
@@ -291,7 +291,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
- :src_cc, :dst_cc ]
+ :src_cc, :dst_cc, :name]
 def insert
 debug 'Inserting rule %s' % resource[:name]
diff --git a/spec/acceptance/connlimit_spec.rb b/spec/acceptance/connlimit_spec.rb
index 9ec4615..6464900 100644
--- a/spec/acceptance/connlimit_spec.rb
+++ b/spec/acceptance/connlimit_spec.rb
@@ -27,7 +27,7 @@ describe 'connlimit property' do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
 #connlimit-saddr is added in Ubuntu 14.04.
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m comment --comment "500 - test" -m connlimit --connlimit-above 10 --connlimit-mask 32 (--connlimit-saddr )?-j REJECT --reject-with icmp-port-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 32 (--connlimit-saddr)? -m comment --comment "500 - test" -j REJECT --reject-with icmp-port-unreachable/)
 end
 end
 end
@@ -54,7 +54,7 @@ describe 'connlimit property' do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
 #connlimit-saddr is added in Ubuntu 14.04.
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m comment --comment "501 - test" -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-j REJECT --reject-with icmp-port-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr)? -m comment --comment "501 - test" -j REJECT --reject-with icmp-port-unreachable/)
 end
 end
 end
diff --git a/spec/acceptance/connmark_spec.rb b/spec/acceptance/connmark_spec.rb
index ab3b764..6de9414 100644
--- a/spec/acceptance/connmark_spec.rb
+++ b/spec/acceptance/connmark_spec.rb
@@ -19,7 +19,7 @@ describe 'connmark property' do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -m comment --comment "502 - test" -m connmark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - test" -j REJECT --reject-with icmp-port-unreachable/)
 end
 end
 end
diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb
index 06390fb..0a01bde 100644
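Review bot: The optional group in the new pattern leaves a double space when the option is absent: `--connlimit-mask 32 (--connlimit-saddr)? -m comment` only matches `32 --connlimit-saddr -m comment`, never `32 -m comment`, so on the pre-14.04 systems the comment line above describes the expectation now fails. Keep the trailing space inside the group as the old pattern did, `--connlimit-mask 32 (--connlimit-saddr )?-m comment`. The second connlimit hunk (`@@ -54`) has the same gap, as do the `(--mask 255.255.255.255)? --rdest` and `(--mask 255.255.255.255)? --rsource` groups in firewall_spec.rb at `@@ -2121`, `@@ -2150`, `@@ -2174` and `@@ -2198`; the `# Mask added as of Ubuntu 14.04.` comment there says the absent case is expected.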
--- a/spec/acceptance/firewall_mss_spec.rb
+++ b/spec/acceptance/firewall_mss_spec.rb
@@ -28,7 +28,7 @@ describe 'firewall MSS' do
 it 'should contain the rule' do
 shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360/)
 end
 end
 end
@@ -82,7 +82,7 @@ describe 'firewall MSS' do
 it 'should contain the rule' do
 shell('ip6tables-save -t mangle') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360/)
 end
 end
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index ef54ee8..a5b21a4 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -976,7 +976,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq 5 -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 571 -m hl --hl-eq 5 -m comment --comment "571 - test" -j ACCEPT/)
 end
 end
 end
@@ -1390,7 +1390,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "607 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp6-adm-prohibited/)
+ expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - test" -j REJECT --reject-with icmp6-adm-prohibited/)
 end
 end
 end
@@ -1418,7 +1418,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "608 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp6-adm-prohibited/)
+ expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - test" -j REJECT --reject-with icmp6-adm-prohibited/)
 end
 end
 end
@@ -1448,7 +1448,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "609 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp6-adm-prohibited/)
+ expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - test" -j REJECT --reject-with icmp6-adm-prohibited/)
 end
 end
 end
@@ -1476,7 +1476,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "610 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp6-adm-prohibited/)
+ expect(r.stdout).to match(/-A INPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir in --pol none -m comment --comment "610 - test" -j REJECT --reject-with icmp6-adm-prohibited/)
 end
 end
 end
@@ -1564,7 +1564,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m comment --comment "612 - test" -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -j DROP/)
+ expect(r.stdout).to match(/-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP/)
 end
 end
 end
@@ -1593,7 +1593,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A FORWARD -p tcp -m comment --comment "613 - test" -m recent --update --seconds 60 --name test --mask ffff:: --rsource -j DROP/)
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m recent --update --seconds 60 --name test --mask ffff:: --rsource -m comment --comment "613 - test" -j DROP/)
 end
 end
 end
@@ -1695,7 +1695,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 572 -m comment --comment "572 - test" -m limit --limit 500\/sec -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 572 -m limit --limit 500\/sec -m comment --comment "572 - test" -j ACCEPT/)
 end
 end
 end
@@ -1721,7 +1721,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 573 -m comment --comment "573 - test" -m limit --limit 500\/sec --limit-burst 1500 -j ACCEPT/)
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - test" -j ACCEPT/)
 end
 end
 end
@@ -2009,7 +2009,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "593 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "593 - test" -j REJECT --reject-with icmp-net-unreachable/)
 end
 end
 end
@@ -2036,7 +2036,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "594 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol none -m comment --comment "594 - test" -j REJECT --reject-with icmp-net-unreachable/)
 end
 end
 end
@@ -2065,7 +2065,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "595 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - test" -j REJECT --reject-with icmp-net-unreachable/)
 end
 end
 end
@@ -2092,7 +2092,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "596 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp-net-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - test" -j REJECT --reject-with icmp-net-unreachable/)
 end
 end
 end
@@ -2121,7 +2121,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
 # Mask added as of Ubuntu 14.04.
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "597 - test" -m recent --set --name list1 (--mask 255.255.255.255 )?--rdest/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --set --name list1 (--mask 255.255.255.255)? --rdest -m comment --comment "597 - test"/)
 end
 end
 end
@@ -2150,7 +2150,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "598 - test" -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 (--mask 255.255.255.255 )?--rsource/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 (--mask 255.255.255.255)? --rsource -m comment --comment "598 - test"/)
 end
 end
 end
@@ -2174,7 +2174,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "599 - test" -m recent --update/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --update --name DEFAULT (--mask 255.255.255.255)? --rsource -m comment --comment "599 - test"/)
 end
 end
 end
@@ -2198,7 +2198,7 @@ describe 'firewall basics', docker: true do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m comment --comment "600 - test" -m recent --remove/)
+ expect(r.stdout).to match(/-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --remove --name DEFAULT (--mask 255.255.255.255)? --rsource -m comment --comment "600 - test"/)
 end
 end
 end
diff --git a/spec/acceptance/firewall_time_spec.rb b/spec/acceptance/firewall_time_spec.rb
index 2569770..5b2ed37 100644
--- a/spec/acceptance/firewall_time_spec.rb
+++ b/spec/acceptance/firewall_time_spec.rb
@@ -33,7 +33,7 @@ describe 'firewall time' do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m comment --comment "805 - test" -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -j ACCEPT/)
+ expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/)
 end
 end
 end
@@ -66,7 +66,7 @@ describe 'firewall time' do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m comment --comment "805 - test" -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -j ACCEPT/)
+ expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/)
 end
 end
 end
diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb
index 5eba941..0924b95 100644
--- a/spec/acceptance/invert_spec.rb
+++ b/spec/acceptance/invert_spec.rb
@@ -36,7 +36,7 @@ describe 'firewall inverting' do
 expect(r.stdout).to match(/-A INPUT -s ! 10\.0\.0\.0\/255\.0\.0\.0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --sports ! 80,443 -m comment --comment "602 drop NEW external website packets with FIN\/RST\/ACK set and SYN unset" -m state --state NEW -j DROP/)
 else
 expect(r.stdout).to match(/-A INPUT ! -p esp -m comment --comment "601 disallow esp protocol" -j ACCEPT/)
- expect(r.stdout).to match(/-A INPUT ! -s 10\.0\.0\.0\/8 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m multiport ! --sports 80,443 -m comment --comment "602 drop NEW external website packets with FIN\/RST\/ACK set and SYN unset" -m state --state NEW -j DROP/)
+ expect(r.stdout).to match(/-A INPUT ! -s 10\.0\.0\.0\/8 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m multiport ! --sports 80,443 -m state --state NEW -m comment --comment "602 drop NEW external website packets with FIN\/RST\/ACK set and SYN unset" -j DROP/)
 end
 end
 end
diff --git a/spec/acceptance/match_mark_spec.rb b/spec/acceptance/match_mark_spec.rb
index 17b80b4..22abfea 100644
--- a/spec/acceptance/match_mark_spec.rb
+++ b/spec/acceptance/match_mark_spec.rb
@@ -24,7 +24,7 @@ describe 'firewall match marks' do
 it 'should contain the rule' do
 shell('iptables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -m comment --comment "503 match_mark - test" -m mark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable/)
 end
 end
 end
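Review bot: Only the `else` branch's expectation is updated; the first context line, the older-syntax branch, still expects `-m comment --comment "602 ..." -m state --state NEW -j DROP`, i.e. the old match order. If that branch still runs on any tested platform and its `-save` prints matches in emission order as the updated branch assumes, that regex now fails for the same reason this one had to change; either move `-m state --state NEW` before `-m comment` there too, or add a comment explaining why the older syntax keeps the old order. The `if` condition that selects the branch is above the hunk, so which platforms reach it is not visible here.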
@@ -48,7 +48,7 @@ describe 'firewall match marks' do
 it 'should contain the rule' do
 shell('ip6tables-save') do |r|
- expect(r.stdout).to match(/-A INPUT -m comment --comment "503 match_mark ip6tables - test" -m mark --mark 0x1 -j REJECT --reject-with icmp6-port-unreachable/)
+ expect(r.stdout).to match(/-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable/)
 end
 end
 end
diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
index 3b27bd5..af144ae 100644
--- a/spec/acceptance/rules_spec.rb
+++ b/spec/acceptance/rules_spec.rb
@@ -106,7 +106,7 @@ describe 'complex ruleset 1' do
 /OUTPUT ACCEPT/,
 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/,
 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,
- /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,
+ /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m state --state NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT/,
 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/
 ].each do |line|
 expect(r.stdout).to match(line)
@@ -259,19 +259,19 @@ describe 'complex ruleset 2' do
 /OUTPUT ACCEPT/,
 /LOCAL_INPUT/,
 /LOCAL_INPUT_PRE/,
- /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,
- /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
- /-A INPUT -d 127.0.0.0\/(8|255\.0\.0\.0) (! -i|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/,
- /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
- /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
- /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
- /-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
- /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
- /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"001 ssh needed for beaker testing\" -j ACCEPT/,
- /-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m comment --comment \"025 smtp\" -m state --state NEW -j ACCEPT/,
- /-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m comment --comment \"443 ssl on aliased interface\" -m state --state NEW -j ACCEPT/,
- /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
- /-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/
+ /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,
+ /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"001 ssh needed for beaker testing\" -j ACCEPT/,
+ /-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment \"010 INPUT allow established and related\" -j ACCEPT/,
+ /-A INPUT -d 127.0.0.0\/(8|255\.0\.0\.0) (! -i|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/,
+ /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
+ /-A INPUT -p icmp -m icmp --icmp-type 3 -m comment --comment \"013 icmp destination-unreachable\" -j ACCEPT/,
+ /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m icmp --icmp-type 8 -m comment --comment \"013 icmp echo-request\" -j ACCEPT/,
+ /-A INPUT -p icmp -m icmp --icmp-type 11 -m comment --comment \"013 icmp time-exceeded\" -j ACCEPT/,
+ /-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment \"020 ssh\" -j ACCEPT/,
+ /-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m state --state NEW -m comment --comment \"443 ssl on aliased interface\" -j ACCEPT/,
+ /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
+ /-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment \"010 allow established and related\" -j ACCEPT/,
+ /-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m state --state NEW -m comment --comment \"025 smtp\" -j ACCEPT/
 ].each do |line|
 expect(r.stdout).to match(line)
 end
diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
index d752378..8174875 100644
--- a/spec/fixtures/ip6tables/conversion_hash.rb
+++ b/spec/fixtures/ip6tables/conversion_hash.rb
@@ -112,6 +112,6 @@ HASH_TO_ARGS6 = {
 :provider => 'ip6tables',
 :table => "filter",
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 hop limit", "-m", "hl", "--hl-eq", 255],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "hl", "--hl-eq", 255, "-m", "comment", "--comment", "100 hop limit"],
 },
 }
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 164f67d..78dfee9 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
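Review bot: The replacement block also reorders the expectations — `001 ssh needed for beaker testing` moves up to second place and `025 smtp` moves to the end — inside the same hunk that edits their contents. Each pattern is checked on its own by `expect(r.stdout).to match(line)`, so the order carries no meaning, and the reorder hides which regexes actually changed (only the `010`, `013`, `020`, `443`, `025` and FORWARD `010` entries gained a new `-m state`/`-m icmp` position; `001`, `011`, `012` and `900` are byte-identical). Keeping the original order would shrink this hunk to the lines whose pattern really moved. The array and the enclosing `shell` block start above the hunk.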
@@ -29,7 +29,7 @@ ARGS_TO_HASH = {
 },
 },
 'long_rule_1' => {
- :line => '-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -m comment --comment "000 allow foo" -j ACCEPT',
+ :line => '-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -j ACCEPT -m comment --comment "000 allow foo"',
 :table => 'filter',
 :compare_all => true,
 :params => {
@@ -38,7 +38,7 @@ ARGS_TO_HASH = {
 :destination => "1.1.1.1/32",
 :dport => ["7061","7062"],
 :ensure => :present,
- :line => '-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -m comment --comment "000 allow foo" -j ACCEPT',
+ :line => '-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -j ACCEPT -m comment --comment "000 allow foo"',
 :name => "000 allow foo",
 :proto => "tcp",
 :provider => "iptables",
@@ -48,7 +48,7 @@ ARGS_TO_HASH = {
 },
 },
 'action_drop_1' => {
- :line => '-A INPUT -m comment --comment "000 allow foo" -j DROP',
+ :line => '-A INPUT -j DROP -m comment --comment "000 allow foo"',
 :table => 'filter',
 :params => {
 :jump => nil,
@@ -56,7 +56,7 @@ ARGS_TO_HASH = {
 },
 },
 'action_reject_1' => {
- :line => '-A INPUT -m comment --comment "000 allow foo" -j REJECT',
+ :line => '-A INPUT -j REJECT -m comment --comment "000 allow foo"',
 :table => 'filter',
 :params => {
 :jump => nil,
@@ -72,7 +72,7 @@ ARGS_TO_HASH = {
 },
 },
 'jump_custom_chain_1' => {
- :line => '-A INPUT -m comment --comment "000 allow foo" -j custom_chain',
+ :line => '-A INPUT -j custom_chain -m comment --comment "000 allow foo"',
 :table => 'filter',
 :params => {
 :jump => "custom_chain",
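Review bot: The rewritten `:line` inputs place `-j ACCEPT`/`-j DROP` before `-m comment --comment "..."`, an order that no `-save` expectation elsewhere in this commit shows — every acceptance regex keeps `-m comment` before `-j`. If `rule_to_hash` consumes these lines positionally in the provider's resource-list order (the fixture rewrite suggests it does, but the parser is outside this patch), the unit fixtures now exercise only the synthetic order and no longer the order the provider reads back from iptables-save, so a parse regression on real output would not be caught here. Keeping at least the `compare_all` case in save-output order next to the new one, e.g. `-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -m comment --comment "000 allow foo" -j ACCEPT`, would pin both shapes. The same applies to every `:line` hunk in this file through `nfqueue_jump3`.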
@@ -248,7 +248,7 @@ ARGS_TO_HASH = {
 },
 },
 'log_level_debug' => {
- :line => '-A INPUT -m comment --comment "956 INPUT log-level" -m state --state NEW -j LOG --log-level 7',
+ :line => '-A INPUT -m state --state NEW -j LOG --log-level 7 -m comment --comment "956 INPUT log-level"',
 :table => 'filter',
 :params => {
 :state => ['NEW'],
@@ -257,7 +257,7 @@ ARGS_TO_HASH = {
 },
 },
 'log_level_warn' => {
- :line => '-A INPUT -m comment --comment "956 INPUT log-level" -m state --state NEW -j LOG',
+ :line => '-A INPUT -m state --state NEW -j LOG -m comment --comment "956 INPUT log-level"',
 :table => 'filter',
 :params => {
 :state => ['NEW'],
@@ -266,7 +266,7 @@ ARGS_TO_HASH = {
 },
 },
 'load_limit_module_and_implicit_burst' => {
- :line => '-A INPUT -m multiport --dports 123 -m comment --comment "057 INPUT limit NTP" -m limit --limit 15/hour',
+ :line => '-A INPUT -m multiport --dports 123 -m limit --limit 15/hour -m comment --comment "057 INPUT limit NTP"',
 :table => 'filter',
 :params => {
 :dport => ['123'],
@@ -275,7 +275,7 @@ ARGS_TO_HASH = {
 },
 },
 'limit_with_explicit_burst' => {
- :line => '-A INPUT -m multiport --dports 123 -m comment --comment "057 INPUT limit NTP" -m limit --limit 30/hour --limit-burst 10',
+ :line => '-A INPUT -m multiport --dports 123 -m limit --limit 30/hour --limit-burst 10 -m comment --comment "057 INPUT limit NTP"',
 :table => 'filter',
 :params => {
 :dport => ['123'],
@@ -291,7 +291,7 @@ ARGS_TO_HASH = {
 }
 },
 'load_uid_owner_filter_module' => {
- :line => '-A OUTPUT -m owner --uid-owner root -m comment --comment "057 OUTPUT uid root only" -j ACCEPT',
+ :line => '-A OUTPUT -m owner --uid-owner root -j ACCEPT -m comment --comment "057 OUTPUT uid root only"',
 :table => 'filter',
 :params => {
 :action => 'accept',
@@ -300,7 +300,7 @@ ARGS_TO_HASH = {
 },
 },
 'load_uid_owner_postrouting_module' => {
- :line => '-t mangle -A POSTROUTING -m owner --uid-owner root -m comment --comment "057 POSTROUTING uid root only" -j ACCEPT',
+ :line => '-t mangle -A POSTROUTING -m owner --uid-owner root -j ACCEPT -m comment --comment "057 POSTROUTING uid root only"',
 :table => 'mangle',
 :params => {
 :action => 'accept',
@@ -309,7 +309,7 @@ ARGS_TO_HASH = {
 },
 },
 'load_gid_owner_filter_module' => {
- :line => '-A OUTPUT -m owner --gid-owner root -m comment --comment "057 OUTPUT gid root only" -j ACCEPT',
+ :line => '-A OUTPUT -m owner --gid-owner root -j ACCEPT -m comment --comment "057 OUTPUT gid root only"',
 :table => 'filter',
 :params => {
 :action => 'accept',
@@ -318,7 +318,7 @@ ARGS_TO_HASH = {
 },
 },
 'load_gid_owner_postrouting_module' => {
- :line => '-t mangle -A POSTROUTING -m owner --gid-owner root -m comment --comment "057 POSTROUTING gid root only" -j ACCEPT',
+ :line => '-t mangle -A POSTROUTING -m owner --gid-owner root -j ACCEPT -m comment --comment "057 POSTROUTING gid root only"',
 :table => 'mangle',
 :params => {
 :action => 'accept',
@@ -336,7 +336,7 @@ ARGS_TO_HASH = {
 }
 },
 'iniface_1' => {
- :line => '-A INPUT -i eth0 -m comment --comment "060 iniface" -j DROP',
+ :line => '-A INPUT -i eth0 -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -345,7 +345,7 @@ ARGS_TO_HASH = {
 },
 },
 'iniface_1_negated' => {
- :line => '-A INPUT ! -i eth0 -m comment --comment "060 iniface" -j DROP',
+ :line => '-A INPUT ! -i eth0 -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -354,7 +354,7 @@ ARGS_TO_HASH = {
 },
 },
 'iniface_1_aliased' => {
- :line => '-A INPUT -i eth0:1 -m comment --comment "060 iniface" -j DROP',
+ :line => '-A INPUT -i eth0:1 -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -363,7 +363,7 @@ ARGS_TO_HASH = {
 },
 },
 'iniface_with_vlans_1' => {
- :line => '-A INPUT -i eth0.234 -m comment --comment "060 iniface" -j DROP',
+ :line => '-A INPUT -i eth0.234 -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -372,7 +372,7 @@ ARGS_TO_HASH = {
 },
 },
 'iniface_with_plus_1' => {
- :line => '-A INPUT -i eth+ -m comment --comment "060 iniface" -j DROP',
+ :line => '-A INPUT -i eth+ -j DROP -m comment --comment "060 iniface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -381,7 +381,7 @@ ARGS_TO_HASH = {
 },
 },
 'outiface_1' => {
- :line => '-A OUTPUT -o eth0 -m comment --comment "060 outiface" -j DROP',
+ :line => '-A OUTPUT -o eth0 -j DROP -m comment --comment "060 outiface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -390,7 +390,7 @@ ARGS_TO_HASH = {
 },
 },
 'outiface_1_negated' => {
- :line => '-A OUTPUT ! -o eth0 -m comment --comment "060 outiface" -j DROP',
+ :line => '-A OUTPUT ! -o eth0 -j DROP -m comment --comment "060 outiface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -399,7 +399,7 @@ ARGS_TO_HASH = {
 },
 },
 'outiface_1_aliased' => {
- :line => '-A OUTPUT -o eth0:2 -m comment --comment "060 outiface" -j DROP',
+ :line => '-A OUTPUT -o eth0:2 -j DROP -m comment --comment "060 outiface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -408,7 +408,7 @@ ARGS_TO_HASH = {
 },
 },
 'outiface_with_vlans_1' => {
- :line => '-A OUTPUT -o eth0.234 -m comment --comment "060 outiface" -j DROP',
+ :line => '-A OUTPUT -o eth0.234 -j DROP -m comment --comment "060 outiface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -417,7 +417,7 @@ ARGS_TO_HASH = {
 },
 },
 'outiface_with_plus_1' => {
- :line => '-A OUTPUT -o eth+ -m comment --comment "060 outiface" -j DROP',
+ :line => '-A OUTPUT -o eth+ -j DROP -m comment --comment "060 outiface"',
 :table => 'filter',
 :params => {
 :action => 'drop',
@@ -443,7 +443,7 @@ ARGS_TO_HASH = {
 },
 },
 'isfragment_option' => {
- :line => '-A INPUT -f -m comment --comment "010 a-f comment with dashf" -j ACCEPT',
+ :line => '-A INPUT -f -j ACCEPT -m comment --comment "010 a-f comment with dashf"',
 :table => 'filter',
 :params => {
 :name => '010 a-f comment with dashf',
@@ -496,7 +496,7 @@ ARGS_TO_HASH = {
 },
 },
 'connlimit_above' => {
- :line => '-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "061 REJECT connlimit_above 10" -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable',
+ :line => '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10"',
 :table => 'filter',
 :params => {
 :proto => 'tcp',
@@ -506,7 +506,7 @@ ARGS_TO_HASH = {
 },
 },
 'connlimit_above_with_connlimit_mask' => {
- :line => '-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "061 REJECT connlimit_above 10 with mask 24" -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable',
+ :line => '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10 with mask 24"',
 :table => 'filter',
 :params => {
 :proto => 'tcp',
@@ -517,7 +517,7 @@ ARGS_TO_HASH = {
 },
 },
 'connmark' => {
- :line => '-A INPUT -m comment --comment "062 REJECT connmark" -m connmark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable',
+ :line => '-A INPUT -m connmark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "062 REJECT connmark"',
 :table => 'filter',
 :params => {
 :proto => 'all',
@@ -526,7 +526,7 @@ ARGS_TO_HASH = {
 },
 },
 'disallow_esp_protocol' => {
- :line => '-t filter ! -p esp -m comment --comment "063 disallow esp protocol" -j ACCEPT',
+ :line => '-t filter ! -p esp -j ACCEPT -m comment --comment "063 disallow esp protocol"',
 :table => 'filter',
 :params => {
 :name => '063 disallow esp protocol',
@@ -535,7 +535,7 @@ ARGS_TO_HASH = {
 },
 },
 'drop_new_packets_without_syn' => {
- :line => '-t filter ! -s 10.0.0.0/8 ! -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset" -m state --state NEW -j DROP',
+ :line => '-t filter ! -s 10.0.0.0/8 ! -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -m comment --comment "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset"',
 :table => 'filter',
 :params => {
 :name => '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset',
@@ -560,7 +560,7 @@ ARGS_TO_HASH = {
 },
 },
 'match_mark' => {
- :line => '-A INPUT -p tcp -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches" -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable',
+ :line => '-A INPUT -p tcp -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches"',
 :table => 'filter',
 :params => {
 :proto => 'tcp',
@@ -571,7 +571,7 @@ ARGS_TO_HASH = {
 },
 },
 'clamp_mss_to_pmtu' => {
- :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "067 change max segment size" -j TCPMSS --clamp-mss-to-pmtu',
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -m comment --comment "067 change max segment size"',
 :table => 'filter',
 :params => {
 :name => '067 change max segment size',
@@ -583,7 +583,7 @@ ARGS_TO_HASH = {
 },
 },
 'mangled_chain_name_with_-f' => {
- :line => '-A foo-filter -p tcp -m comment --comment "068 chain name containing -f" -j ACCEPT',
+ :line => '-A foo-filter -p tcp -j ACCEPT -m comment --comment "068 chain name containing -f"',
 :params => {
 :name => '068 chain name containing -f',
 :action => 'accept',
@@ -628,7 +628,7 @@ ARGS_TO_HASH = {
 },
 },
 'nfqueue_jump1' => {
- :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "000 nfqueue specify queue_num" -j NFQUEUE --queue-num 50',
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE --queue-num 50 -m comment --comment "000 nfqueue specify queue_num"',
 :table => 'filter',
 :params => {
 :name => "000 nfqueue specify queue_num",
@@ -640,7 +640,7 @@ ARGS_TO_HASH = {
 },
 },
 'nfqueue_jump2' => {
- :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "002 nfqueue specify queue_num and queue_bypass" -j NFQUEUE --queue-num 50 --queue-bypass',
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE --queue-num 50 --queue-bypass -m comment --comment "002 nfqueue specify queue_num and queue_bypass"',
 :table => "filter",
 :params => {
 :name => "002 nfqueue specify queue_num and queue_bypass",
@@ -653,7 +653,7 @@ ARGS_TO_HASH = {
 },
 },
 'nfqueue_jump3' => {
- :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "003 nfqueue dont specify queue_num or queue_bypass" -j NFQUEUE',
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE -m comment --comment "003 nfqueue dont specify queue_num or queue_bypass"',
 :table => "filter",
 :params => {
 :name => "003 nfqueue dont specify queue_num or queue_bypass",
@@ -680,7 +680,7 @@ HASH_TO_ARGS = {
 :sport => ["7061","7062"],
 :table => "filter",
 },
- :args => ["-t", :filter, "-s", "1.1.1.1/32", "-d", "1.1.1.1/32", "-p", :tcp, "-m", "multiport", "--sports", "7061,7062", "-m", "multiport", "--dports", "7061,7062", "-m", "comment", "--comment", "000 allow foo", "-j", "ACCEPT"],
+ :args => ["-t", :filter, "-s", "1.1.1.1/32", "-d", "1.1.1.1/32", "-p", :tcp, "-m", "multiport", "--sports", "7061,7062", "-m", "multiport", "--dports", "7061,7062", "-j", "ACCEPT", "-m", "comment", "--comment", "000 allow foo"],
 },
 'long_rule_2' => {
 :params => {
@@ -695,7 +695,7 @@ HASH_TO_ARGS = {
 :sport => ["7061","7062"],
 :table => "filter",
 },
- :args => ["-t", :filter, "-s", "1.1.1.1/32", "-d", "2.10.13.0/24", "-p", :udp, "-m", "multiport", "--sports", "7061,7062", "-m", "multiport", "--dports", "7061", "-m", "comment", "--comment", "700 allow bar", "-j", "my_custom_chain"],
+ :args => ["-t", :filter, "-s", "1.1.1.1/32", "-d", "2.10.13.0/24", "-p", :udp, "-m", "multiport", "--sports", "7061,7062", "-m", "multiport", "--dports", "7061", "-j", "my_custom_chain", "-m", "comment", "--comment", "700 allow bar"],
 },
 'no_action' => {
 :params => {
@@ -838,8 +838,7 @@ HASH_TO_ARGS = {
 :table => "filter",
 :state => ['ESTABLISHED', 'INVALID']
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 states_set_from_array",
- "-m", "state", "--state", "ESTABLISHED,INVALID"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "state", "--state", "ESTABLISHED,INVALID", "-m", "comment", "--comment", "100 states_set_from_array"],
 },
 'ctstates_set_from_array' => {
 :params => {
@@ -847,8 +846,7 @@ HASH_TO_ARGS = {
 :table => "filter",
 :ctstate => ['ESTABLISHED', 'INVALID']
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 ctstates_set_from_array",
- "-m", "conntrack", "--ctstate", "ESTABLISHED,INVALID"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "conntrack", "--ctstate", "ESTABLISHED,INVALID", "-m", "comment", "--comment", "100 ctstates_set_from_array"],
 },
 'comment_string_character_validation' => {
 :params => {
@@ -873,7 +871,7 @@ HASH_TO_ARGS = {
 :jump => 'LOG',
 :log_level => 'debug'
 },
- :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '956 INPUT log-level', '-m', 'state', '--state', 'NEW', '-j', 'LOG', '--log-level', '7'],
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'state', '--state', 'NEW', '-j', 'LOG', '--log-level', '7', '-m', 'comment', '--comment', '956 INPUT log-level'],
 },
 'log_level_warn' => {
 :params => {
@@ -883,7 +881,7 @@ HASH_TO_ARGS = {
 :jump => 'LOG',
 :log_level => 'warn'
 },
- :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '956 INPUT log-level', '-m', 'state', '--state', 'NEW', '-j', 'LOG', '--log-level', '4'],
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'state', '--state', 'NEW', '-j', 'LOG', '--log-level', '4', '-m', 'comment', '--comment', '956 INPUT log-level'],
 },
 'load_limit_module_and_implicit_burst' => {
 :params => {
@@ -892,7 +890,7 @@ HASH_TO_ARGS = {
 :dport => '123',
 :limit => '15/hour'
 },
- :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'comment', '--comment', '057 INPUT limit NTP', '-m', 'limit', '--limit', '15/hour'],
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'limit', '--limit', '15/hour', '-m', 'comment', '--comment', '057 INPUT limit NTP'],
 },
 'limit_with_explicit_burst' => {
 :params => {
@@ -902,7 +900,7 @@ HASH_TO_ARGS = {
 :limit => '30/hour',
 :burst => '10'
 },
- :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'comment', '--comment', '057 INPUT limit NTP', '-m', 'limit', '--limit', '30/hour', '--limit-burst', '10'],
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'limit', '--limit', '30/hour', '--limit-burst', '10', '-m', 'comment', '--comment', '057 INPUT limit NTP'],
 },
 'proto_ipencap' => {
 :params => {
@@ -921,7 +919,7 @@ HASH_TO_ARGS = {
 :chain => 'OUTPUT',
 :proto => 'all',
 },
- :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-m', 'comment', '--comment', '057 OUTPUT uid root only', '-j', 'ACCEPT'],
+ :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-j', 'ACCEPT', '-m', 'comment', '--comment', '057 OUTPUT uid root only'],
 },
 'load_uid_owner_postrouting_module' => {
 :params => {
@@ -932,7 +930,7 @@ HASH_TO_ARGS = {
 :chain => 'POSTROUTING',
 :proto => 'all',
 },
- :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING uid root only', '-j', 'ACCEPT'],
+ :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-j', 'ACCEPT', '-m', 'comment', '--comment', '057 POSTROUTING uid root only'],
 },
 'load_gid_owner_filter_module' => {
 :params => {
@@ -943,7 +941,7 @@ HASH_TO_ARGS = {
 :action => 'accept',
 :proto => 'all',
 },
- :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 OUTPUT gid root only', '-j', 'ACCEPT'],
+ :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-j', 'ACCEPT', '-m', 'comment', '--comment', '057 OUTPUT gid root only'],
 },
 'load_gid_owner_postrouting_module' => {
 :params => {
@@ -954,7 +952,7 @@ HASH_TO_ARGS = {
 :chain => 'POSTROUTING',
 :proto => 'all',
 },
- :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING gid root only', '-j', 'ACCEPT'],
+ :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-j', 'ACCEPT', '-m', 'comment', '--comment', '057 POSTROUTING gid root only'],
 },
 'mark_set-mark_int' => {
 :params => {
@@ -964,7 +962,7 @@ HASH_TO_ARGS = {
 :chain => 'PREROUTING',
 :set_mark => '1000',
 },
- :args => ['-t', :mangle, '-p', :tcp, '-m', 'comment', '--comment', '058 set-mark 1000', '-j', 'MARK', '--set-xmark', '0x3e8/0xffffffff'],
+ :args => ['-t', :mangle, '-p', :tcp, '-j', 'MARK', '--set-xmark', '0x3e8/0xffffffff', '-m', 'comment', '--comment', '058 set-mark 1000'],
 },
 'mark_set-mark_hex' => {
 :params => {
@@ -974,7 +972,7 @@ HASH_TO_ARGS = {
 :chain => 'PREROUTING',
 :set_mark => '0x32',
 },
- :args => ['-t', :mangle, '-p', :tcp, '-m', 'comment', '--comment', '058 set-mark 0x32', '-j', 'MARK', '--set-xmark', '0x32/0xffffffff'],
+ :args => ['-t', :mangle, '-p', :tcp, '-j', 'MARK', '--set-xmark', '0x32/0xffffffff', '-m', 'comment', '--comment', '058 set-mark 0x32'],
 },
 'mark_set-mark_hex_with_hex_mask' => {
 :params => {
@@ -984,7 +982,7 @@ HASH_TO_ARGS = {
 :chain => 'PREROUTING',
 :set_mark => '0x32/0xffffffff',
 },
- :args => ['-t', :mangle, '-p', :tcp, '-m', 'comment', '--comment', '058 set-mark 0x32/0xffffffff', '-j', 'MARK', '--set-xmark', '0x32/0xffffffff'],
+ :args => ['-t', :mangle, '-p', :tcp, '-j', 'MARK', '--set-xmark', '0x32/0xffffffff', '-m', 'comment', '--comment', '058 set-mark 0x32/0xffffffff'],
 },
 'mark_set-mark_hex_with_mask' => {
 :params => {
@@ -994,7 +992,7 @@ HASH_TO_ARGS = {
 :chain => 'PREROUTING',
 :set_mark => '0x32/4',
 },
- :args => ['-t', :mangle, '-p', :tcp, '-m', 'comment', '--comment', '058 set-mark 0x32/4', '-j', 'MARK', '--set-xmark', '0x32/0x4'],
+ :args => ['-t', :mangle, '-p', :tcp, '-j', 'MARK', '--set-xmark', '0x32/0x4', '-m', 'comment', '--comment', '058 set-mark 0x32/4'],
 },
 'iniface_1' => {
 :params => {
@@ -1004,7 +1002,7 @@ HASH_TO_ARGS = {
 :chain => 'INPUT',
 :iniface => 'eth0',
 },
- :args => ["-t", :filter, "-i", "eth0", "-p", :tcp, "-m", "comment", "--comment", "060 iniface", "-j", "DROP"],
+ :args => ["-t", :filter, "-i", "eth0", "-p", :tcp, "-j", "DROP", "-m", "comment", "--comment", "060 iniface"],
 },
 'iniface_with_vlans_1' => {
 :params => {
@@ -1014,7 +1012,7 @@ HASH_TO_ARGS = {
 :chain => 'INPUT',
 :iniface => 'eth0.234',
 },
- :args => ["-t", :filter, "-i", "eth0.234", "-p", :tcp, "-m", "comment", "--comment", "060 iniface", "-j", "DROP"],
+ :args => ["-t", :filter, "-i", "eth0.234", "-p", :tcp, "-j", "DROP", "-m", "comment", "--comment", "060 iniface"],
 },
 'iniface_with_plus_1' => {
 :params => {
@@ -1024,7 +1022,7 @@ HASH_TO_ARGS = {
 :chain => 'INPUT',
 :iniface => 'eth+',
 },
- :args => ["-t", :filter, "-i", "eth+", "-p", :tcp, "-m", "comment", "--comment", "060 iniface", "-j", "DROP"],
+ :args => ["-t", :filter, "-i", "eth+", "-p", :tcp, "-j", "DROP", "-m", "comment", "--comment", "060 iniface"],
 },
 'outiface_1' => {
 :params => {
@@ -1034,7 +1032,7 @@ HASH_TO_ARGS = {
 :chain => 'OUTPUT',
 :outiface => 'eth0',
 },
- :args => ["-t", :filter, "-o", "eth0", "-p", :tcp, "-m", "comment", "--comment", "060 outiface", "-j", "DROP"],
+ :args => ["-t", :filter, "-o", "eth0", "-p", :tcp, "-j", "DROP", "-m", "comment", "--comment", "060 outiface"],
 },
 'outiface_with_vlans_1' => {
 :params => {
@@ -1044,7 +1042,7 @@ HASH_TO_ARGS = {
 :chain => 'OUTPUT',
 :outiface => 'eth0.234',
 },
- :args => ["-t", :filter, "-o", "eth0.234", "-p", :tcp, "-m", "comment", "--comment", "060 outiface", "-j", "DROP"],
+ :args => ["-t", :filter, "-o", "eth0.234", "-p", :tcp, "-j", "DROP", "-m", "comment", "--comment", "060 outiface"],
 },
 'outiface_with_plus_1' => {
 :params => {
@@ -1054,7 +1052,7 @@ HASH_TO_ARGS = {
 :chain => 'OUTPUT',
 :outiface => 'eth+',
 },
- :args => ["-t", :filter, "-o", "eth+", "-p", :tcp, "-m", "comment", "--comment", "060 outiface", "-j", "DROP"],
+ :args => ["-t", :filter, "-o", "eth+", "-p", :tcp, "-j", "DROP", "-m", "comment", "--comment", "060 outiface"],
 },
 'pkttype multicast' => {
 :params => {
@@ -1065,7 +1063,7 @@ HASH_TO_ARGS = {
 :iniface => 'eth0',
 :pkttype => 'multicast',
 },
- :args => ["-t", :filter, "-i", "eth0", "-p", :tcp, "-m", "pkttype", "--pkt-type", :multicast, "-m", "comment", "--comment", "062 pkttype multicast", "-j", "ACCEPT"],
+ :args => ["-t", :filter, "-i", "eth0", "-p", :tcp, "-m", "pkttype", "--pkt-type", :multicast, "-j", "ACCEPT", "-m", "comment", "--comment", "062 pkttype multicast"],
 },
 'socket_option' => {
 :params => {
@@ -1075,7 +1073,7 @@ HASH_TO_ARGS = {
 :chain => 'PREROUTING',
 :socket => true,
 },
- :args => ['-t', :mangle, '-p', :tcp, '-m', 'socket', '-m', 'comment', '--comment', '050 socket option', '-j', 'ACCEPT'],
+ :args => ['-t', :mangle, '-p', :tcp, '-m', 'socket', '-j', 'ACCEPT', '-m', 'comment', '--comment', '050 socket option'],
 },
 'isfragment_option' => {
 :params => {
@@ -1085,7 +1083,7 @@ HASH_TO_ARGS = {
 :action => 'accept',
 :isfragment => true,
 },
- :args => ['-t', :filter, '-p', :all, '-f', '-m', 'comment', '--comment', '050 isfragment option', '-j', 'ACCEPT'],
+ :args => ['-t', :filter, '-p', :all, '-f', '-j', 'ACCEPT', '-m', 'comment', '--comment', '050 isfragment option'],
 },
 'isfragment_option not changing -f in comment' => {
 :params => {
@@ -1094,7 +1092,7 @@ HASH_TO_ARGS = {
 :proto => :all,
 :action => 'accept',
 },
- :args => ['-t', :filter, '-p', :all, '-m', 'comment', '--comment', '050 testcomment-with-fdashf', '-j', 'ACCEPT'],
+ :args => ['-t', :filter, '-p', :all, '-j', 'ACCEPT', '-m', 'comment', '--comment', '050 testcomment-with-fdashf'],
 },
 'connlimit_above' => {
 :params => {
@@ -1105,7 +1103,7 @@ HASH_TO_ARGS = {
 :connlimit_above => '10',
 :action => 'reject',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "22", "-m", "comment", "--comment", "061 REJECT connlimit_above 10", "-j", "REJECT", "-m", "connlimit", "--connlimit-above", "10"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "22", "-j", "REJECT", "-m", "connlimit", "--connlimit-above", "10", "-m", "comment", "--comment", "061 REJECT connlimit_above 10"],
 },
 'connlimit_above_with_connlimit_mask' => {
 :params => {
@@ -1117,7 +1115,7 @@ HASH_TO_ARGS = {
 :connlimit_mask => '24',
 :action => 'reject',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "22", "-m", "comment", "--comment", "061 REJECT connlimit_above 10 with mask 24", "-j", "REJECT", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "24"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "22", "-j", "REJECT", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "24", "-m", "comment", "--comment", "061 REJECT connlimit_above 10 with mask 24"],
 },
 'connmark' => {
 :params => {
@@ -1127,7 +1125,7 @@ HASH_TO_ARGS = {
 :connmark => '0x1',
 :action => 'reject',
 },
- :args => ["-t", :filter, "-p", :all, "-m", "comment", "--comment", "062 REJECT connmark", "-j", "REJECT", "-m", "connmark", "--mark", "0x1"],
+ :args => ["-t", :filter, "-p", :all, "-j", "REJECT", "-m", "connmark", "--mark", "0x1", "-m", "comment", "--comment", "062 REJECT connmark"],
 },
 'disallow_esp_protocol' => {
 :params => {
@@ -1136,7 +1134,7 @@ HASH_TO_ARGS = {
 :action => 'accept',
 :proto => '! esp',
 },
- :args => ["-t", :filter, "!", "-p", :esp, "-m", "comment", "--comment", "063 disallow esp protocol", "-j", "ACCEPT"],
+ :args => ["-t", :filter, "!", "-p", :esp, "-j", "ACCEPT", "-m", "comment", "--comment", "063 disallow esp protocol"],
 },
 'drop_new_packets_without_syn' => {
 :params => {
@@ -1149,7 +1147,7 @@ HASH_TO_ARGS = {
 :source => '! 10.0.0.0/8',
 :tcp_flags => '! FIN,SYN,RST,ACK SYN',
 },
- :args => ["-t", :filter, "!", "-s", "10.0.0.0/8", "!", "-p", :tcp, "-m", "tcp", "!", "--tcp-flags", "FIN,SYN,RST,ACK", "SYN", "-m", "comment", "--comment", "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset", "-m", "state", "--state", "NEW", "-j", "DROP"]
+ :args => ["-t", :filter, "!", "-s", "10.0.0.0/8", "!", "-p", :tcp, "-m", "tcp", "!", "--tcp-flags", "FIN,SYN,RST,ACK", "SYN", "-m", "state", "--state", "NEW", "-j", "DROP", "-m", "comment", "--comment", "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset"]
 },
 'negate_dport_and_sport' => {
 :params => {
@@ -1163,7 +1161,7 @@ HASH_TO_ARGS = {
 :dport => ['! 67','! 66'],
 :proto => 'udp',
 },
- :args => ["-t", :filter, "-s", "0.0.0.0/32", "-d", "255.255.255.255/32", "-p", :udp, "-m", "multiport", "!", "--sports", "68,69", "-m", "multiport", "!", "--dports", "67,66", "-m", "comment", "--comment", "065 negate dport and sport", "-j", "ACCEPT"],
+ :args => ["-t", :filter, "-s", "0.0.0.0/32", "-d", "255.255.255.255/32", "-p", :udp, "-m", "multiport", "!", "--sports", "68,69", "-m", "multiport", "!", "--dports", "67,66", "-j", "ACCEPT", "-m", "comment", "--comment", "065 negate dport and sport"],
 },
 'match_mark' => {
 :params => {
@@ -1175,7 +1173,7 @@ HASH_TO_ARGS = {
 :match_mark => '0x1',
 :action => 'reject',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "066 REJECT connlimit_above 10 with mask 32 and mark matches", "-j", "REJECT", "-m", "mark", "--mark", "0x1", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "32"],
+ :args => ["-t", :filter, "-p", :tcp, "-j", "REJECT", "-m", "mark", "--mark", "0x1", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "32", "-m", "comment", "--comment", "066 REJECT connlimit_above 10 with mask 32 and mark matches"],
 },
 'clamp_mss_to_pmtu' => {
 :params => {
@@ -1186,7 +1184,7 @@ HASH_TO_ARGS = {
 :jump => 'TCPMSS',
 :clamp_mss_to_pmtu => true,
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-m", "comment", "--comment", "067 change max segment size", "-j", "TCPMSS", "--clamp-mss-to-pmtu"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu", "-m", "comment", "--comment", "067 change max segment size"],
 },
 'set_dscp_class' => {
 :params => {
@@ -1197,7 +1195,7 @@ HASH_TO_ARGS = {
 :jump => 'DSCP',
 :set_dscp_class => 'ef',
 },
- :args => ["-t", :mangle, "-p", :tcp, "-m", "multiport", '--ports', '997', "-m", "comment", "--comment", "068 set dscp class to EF", "-j", "DSCP", "--set-dscp-class", "ef"],
+ :args => ["-t", :mangle, "-p", :tcp, "-m", "multiport", '--ports', '997', "-j", "DSCP", "--set-dscp-class", "ef", "-m", "comment", "--comment", "068 set dscp class to EF"],
 },
 'length_1' => {
 :params => {
@@ -1205,7 +1203,7 @@ HASH_TO_ARGS = {
 :table => 'filter',
 :length => '42000',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 length", "-m", "length", "--length", "42000"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "length", "--length", "42000", "-m", "comment", "--comment", "000 length"],
 },
 'length_2' => {
 :params => {
@@ -1213,7 +1211,7 @@ HASH_TO_ARGS = {
 :table => 'filter',
 :length => '1492-65535',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 length", "-m", "length", "--length", "1492:65535"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "length", "--length", "1492:65535", "-m", "comment", "--comment", "000 length"],
 },
 'string_matching_1' => {
 :params => {
@@ -1221,7 +1219,7 @@ HASH_TO_ARGS = {
 :table => 'filter',
 :string => 'GET /index.html',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 string_matching", "-m", "string", "--string", "'GET /index.html'"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "string", "--string", "'GET /index.html'", "-m", "comment", "--comment", "000 string_matching"],
 },
 'string_matching_2' => {
 :params => {
@@ -1230,7 +1228,7 @@ HASH_TO_ARGS = {
 :string => 'GET /index.html',
 :string_algo => 'bm',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 string_matching", "-m", "string", "--string", "'GET /index.html'", "--algo", :bm],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "string", "--string", "'GET /index.html'", "--algo", :bm, "-m", "comment", "--comment", "000 string_matching"],
 },
 'string_matching_3' => {
 :params => {
@@ -1240,7 +1238,7 @@ HASH_TO_ARGS = {
 :string_from => '1',
 :string_to => '65535',
 },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 string_matching", "-m", "string", "--string", "'GET /index.html'", "--from", "1", "--to", "65535"],
+ :args => ["-t", :filter, "-p", :tcp, "-m", "string", "--string", "'GET /index.html'", "--from", "1", "--to", "65535", "-m", "comment", "--comment", "000 string_matching"],
 },
 'nfqueue_jump1' => {
 :params => {
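Review bot: The expected `--string` value in the three `string_matching` entries carries literal single quotes, `"'GET /index.html'"`, while every other space-containing value in the same arrays, such as `"000 string_matching"`, is expected unquoted, which suggests these args reach iptables as an argv array rather than through a shell. If that is how the provider executes them, the quote characters become part of the pattern and a rule written to match `GET /index.html` never fires, so a payload-based DROP or LOG rule would be a silent no-op; this expectation predates the commit but the new side re-asserts it. Worth confirming against the provider's `:string` handling and, if the quotes are not deliberately added for iptables-save round-tripping, changing the expectation to `"--string", "GET /index.html"` together with the provider fix, or adding a comment on these entries explaining why the quotes are intended.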
@@ -1251,7 +1249,7 @@ HASH_TO_ARGS = {
 :destination => "4.3.2.1/32",
 :queue_num => "50",
 },
- :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "000 nfqueue specify queue_num", "-j", "NFQUEUE", "--queue-num", "50"]
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-j", "NFQUEUE", "--queue-num", "50", "-m", "comment", "--comment", "000 nfqueue specify queue_num"]
 },
 'nfqueue_jump2' => {
 :params => {
@@ -1263,7 +1261,7 @@ HASH_TO_ARGS = {
 :queue_num => "50",
 :queue_bypass => true,
 },
- :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "002 nfqueue specify queue_num and queue_bypass", "-j", "NFQUEUE", "--queue-num", "50", "--queue-bypass"]
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-j", "NFQUEUE", "--queue-num", "50", "--queue-bypass", "-m", "comment", "--comment", "002 nfqueue specify queue_num and queue_bypass"]
 },
 'nfqueue_jump3' => {
 :params => {
@@ -1273,6 +1271,6 @@ HASH_TO_ARGS = {
 :source => '1.2.3.4/32',
 :destination => '4.3.2.1/32',
 },
- :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "003 nfqueue dont specify queue_num or queue_bypass", "-j", "NFQUEUE"]
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-j", "NFQUEUE", "-m", "comment", "--comment", "003 nfqueue dont specify queue_num or queue_bypass"]
 }
-}
\ No newline at end of file
+}
--
2.45.2