From 3cfc20581f7d441548991e681e23059c28826e2c Mon Sep 17 00:00:00 2001
From: lionce
Date: Fri, 30 Aug 2019 11:37:24 +0300
Subject: [PATCH] update port
---
 .../firewall_attributes_exceptions_spec.rb | 46 ++++++-------
 .../firewall_attributes_happy_path_spec.rb | 68 ++++++++-----------
 ...irewall_attributes_ipv6_exceptions_spec.rb | 54 +++++++--------
 ...irewall_attributes_ipv6_happy_path_spec.rb | 48 ++++++-------
 spec/acceptance/rules_spec.rb | 10 +--
 5 files changed, 109 insertions(+), 117 deletions(-)
diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb
index d0f45db..cf1bb10 100644
--- a/spec/acceptance/firewall_attributes_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -67,7 +67,7 @@ describe 'firewall basics', docker: true do
 firewall { '555 - test':
 ensure => present,
 proto => tcp,
- port => '555',
+ dport => '555',
 action => accept,
 }
 PUPPETCODE
@@ -77,7 +77,7 @@ describe 'firewall basics', docker: true do
 it 'contains the rule' do
 run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 555 -m comment --comment "555 - test" -j ACCEPT})
 end
 end
 end
@@ -88,7 +88,7 @@ describe 'firewall basics', docker: true do
 firewall { '555 - test':
 ensure => absent,
 proto => tcp,
- port => '555',
+ dport => '555',
 action => accept,
 }
 PUPPETCODE
@@ -98,7 +98,7 @@ describe 'firewall basics', docker: true do
 it 'does not contain the rule' do
 run_shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 555 -m comment --comment "555 - test" -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 555 -m comment --comment "555 - test" -j ACCEPT})
 end
 end
 end
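Review bot: The swap from `port` to `dport` in the `555 - test` resources and the matching `--ports` to `--dports` swap in the `iptables-save` expectations narrow what the rule matches (multiport `--ports` matches either the source or the destination port, `--dports` only the destination), and neither the hunks nor the commit title say that this narrowing is intended; presumably it is, if `port` is being retired in favour of `dport`/`sport`. A short comment on the first changed resource, e.g. `# dport matches destination ports only; the old port attribute matched either direction`, would make that intent visible to whoever next reads the spec. The same mechanical swap repeats in every later hunk of this file and in the happy_path, ipv6_exceptions and ipv6_happy_path spec hunks below, so this note covers all of them.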
@@ -455,13 +455,13 @@ describe 'firewall basics', docker: true do
 end
 end
- describe 'port' do
- context 'when invalid ports' do
+ describe 'dport' do
+ context 'when invalid dports' do
 pp25 = <<-PUPPETCODE
 class { '::firewall': }
 firewall { '562 - test':
 proto => tcp,
- port => '9999562-563',
+ dport => '9999562-563',
 action => accept,
 }
 PUPPETCODE
@@ -473,7 +473,7 @@ describe 'firewall basics', docker: true do
 it 'contains the rule' do
 run_shell('iptables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 9999562-563 -m comment --comment "562 - test" -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 9999562-563 -m comment --comment "562 - test" -j ACCEPT})
 end
 end
 end
@@ -642,13 +642,13 @@ describe 'firewall basics', docker: true do
 class { '::firewall': }
 firewall { '101 test source changes':
 proto => tcp,
- port => '101',
+ dport => '101',
 action => accept,
 source => '8.0.0.1',
 }
 firewall { '100 test source static':
 proto => tcp,
- port => '100',
+ dport => '100',
 action => accept,
 source => '8.0.0.2',
 }
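Review bot: In the `@@ -473,7` hunk the example is still named `it 'contains the rule' do` while its body asserts `not_to match`, so a failure report would read as the opposite of what was checked; the `ensure => absent` case earlier in this file already uses `it 'does not contain the rule' do`, and the renamed `context 'when invalid dports'` would read better paired with that wording. A negative `iptables-save` match on its own only shows that no rule was installed, not that the type rejected `9999562-563`; the assertion that the apply step fails with a validation error is presumably in the lines above this hunk and is worth keeping paired with it. The `describe`/`context` blocks start and end outside the hunk.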
@@ -658,18 +658,18 @@ describe 'firewall basics', docker: true do
 end
 it 'adds a unmanaged rule without a comment' do
- run_shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT')
- expect(run_shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT})
+ run_shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --dports 102 -j ACCEPT')
+ expect(run_shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --dports 102 -j ACCEPT})
 end
 it 'contains the changable 8.0.0.1 rule' do
 run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --dports 101 -m comment --comment "101 test source changes" -j ACCEPT})
 end
 end
 it 'contains the static 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ
 run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --dports 100 -m comment --comment "100 test source static" -j ACCEPT})
 end
 end
@@ -677,7 +677,7 @@ describe 'firewall basics', docker: true do
 class { '::firewall': }
 firewall { '101 test source changes':
 proto => tcp,
- port => '101',
+ dport => '101',
 action => accept,
 source => '8.0.0.4',
 }
@@ -694,12 +694,12 @@ describe 'firewall basics', docker: true do
 end
 it 'contains the staic 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ
 run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --dports 100 -m comment --comment "100 test source static" -j ACCEPT})
 end
 end
 it 'contains the changing new 8.0.0.4 rule' do
 run_shell('iptables-save') do |r|
- expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --dports 101 -m comment --comment "101 test source changes" -j ACCEPT})
 end
 end
 end
@@ -1077,7 +1077,7 @@ describe 'firewall basics', docker: true do
 firewall { '585 - test':
 ensure => present,
 proto => tcp,
- port => '585',
+ dport => '585',
 action => accept,
 chain => 'PREROUTING',
 table => 'nat',
@@ -1090,7 +1090,7 @@ describe 'firewall basics', docker: true do
 it 'contains the rule' do
 run_shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --ports 585 -m socket -m comment --comment "585 - test" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --dports 585 -m socket -m comment --comment "585 - test" -j ACCEPT})
 end
 end
 end
@@ -1101,7 +1101,7 @@ describe 'firewall basics', docker: true do
 firewall { '586 - test':
 ensure => present,
 proto => tcp,
- port => '586',
+ dport => '586',
 action => accept,
 chain => 'PREROUTING',
 table => 'nat',
@@ -1114,7 +1114,7 @@ describe 'firewall basics', docker: true do
 it 'contains the rule' do
 run_shell('iptables-save -t nat') do |r|
- expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --ports 586 -m comment --comment "586 - test" -j ACCEPT})
+ expect(r.stdout).to match(%r{-A PREROUTING -p tcp -m multiport --dports 586 -m comment --comment "586 - test" -j ACCEPT})
 end
 end
 end
@@ -1247,7 +1247,7 @@ describe 'firewall basics', docker: true do
 ensure => present,
 chain => 'OUTPUT',
 proto => tcp,
- port => '580',
+ dport => '580',
 jump => 'MARK',
 table => 'mangle',
 set_mark => '0x3e8/0xffffffff',
@@ -1259,7 +1259,7 @@ describe 'firewall basics', docker: true do
 it 'contains the rule' do
 run_shell('iptables-save -t mangle') do |r|
- expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff})
+ expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 580 -m comment --comment "580 - test" -j MARK --set-xmark 0x3e8\/0xffffffff})
 end
 end
 end
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index 46f3443..ee16ef9 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -32,37 +32,37 @@ describe 'firewall attribute testing, happy path' do
 }
 firewall { '550 - destination':
 proto => tcp,
- port => '550',
+ dport => '550',
 action => accept,
 destination => '192.168.2.0/24',
 }
 firewall { '551 - destination negated':
 proto => tcp,
- port => '551',
+ dport => '551',
 action => accept,
 destination => '! 192.168.2.0/24',
 }
 firewall { '556 - source':
 proto => tcp,
- port => '556',
+ dport => '556',
 action => accept,
 source => '192.168.2.0/24',
 }
 firewall { '557 - source negated':
 proto => tcp,
- port => '557',
+ dport => '557',
 action => accept,
 source => '! 192.168.2.0/24',
 }
 firewall { '558 - src_range':
 proto => tcp,
- port => '558',
+ dport => '558',
 action => accept,
 src_range => '192.168.1.1-192.168.1.10',
 }
 firewall { '559 - dst_range':
 proto => tcp,
- port => '559',
+ dport => '559',
 action => accept,
 dst_range => '192.168.1.1-192.168.1.10',
 }
@@ -76,11 +76,6 @@ describe 'firewall attribute testing, happy path' do
 dport => '561-562',
 action => accept,
 }
- firewall { '562 - port range':
- proto => tcp,
- port => '562-563',
- action => accept,
- }
 firewall { '563 - dst_type':
 proto => tcp,
 action => accept,
@@ -127,14 +122,14 @@ describe 'firewall attribute testing, happy path' do
 firewall { '572 - limit':
 ensure => present,
 proto => tcp,
- port => '572',
+ dport => '572',
 action => accept,
 limit => '500/sec',
 }
 firewall { '573 - burst':
 ensure => present,
 proto => tcp,
- port => '573',
+ dport => '573',
 action => accept,
 limit => '500/sec',
 burst => '1500',
@@ -149,14 +144,14 @@ describe 'firewall attribute testing, happy path' do
 firewall { '581 - pkttype':
 ensure => present,
 proto => tcp,
- port => '581',
+ dport => '581',
 action => accept,
 pkttype => 'multicast',
 }
 firewall { '583 - isfragment':
 ensure => present,
 proto => tcp,
- port => '583',
+ dport => '583',
 action => accept,
 isfragment => true,
 }
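Review bot: Deleting the `562 - port range` resource in the `@@ -76,11 +76,6` hunk, together with its `it 'port range is set'` expectation removed in `@@ -391,9 +386,6` further down, leaves the acceptance suite with no example that sets `port` at all. If the type still accepts `port` (even as deprecated), keeping one resource such as `port => '562-563'` with an expectation on `--ports 562:563`, or on the deprecation warning it emits, would guard that compatibility path; if `port` has been removed from the type, the deletion is right but the commit title `update port` does not say so. The enclosing manifest heredoc starts and ends outside these hunks.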
@@ -262,21 +257,21 @@ describe 'firewall attribute testing, happy path' do
 firewall { '711 - physdev_in':
 chain => 'FORWARD',
 proto => tcp,
- port => '711',
+ dport => '711',
 action => accept,
 physdev_in => 'eth0',
 }
 firewall { '712 - physdev_out':
 chain => 'FORWARD',
 proto => tcp,
- port => '712',
+ dport => '712',
 action => accept,
 physdev_out => 'eth1',
 }
 firewall { '713 - physdev_in physdev_out physdev_is_bridged':
 chain => 'FORWARD',
 proto => tcp,
- port => '713',
+ dport => '713',
 action => accept,
 physdev_in => 'eth0',
 physdev_out => 'eth1',
@@ -337,14 +332,14 @@ describe 'firewall attribute testing, happy path' do
 proto => 'tcp',
 jump => 'DSCP',
 set_dscp => '0x01',
- port => '997',
+ dport => '997',
 chain => 'OUTPUT',
 table => 'mangle',
 }
 firewall { '1001 EF - set_dscp_class':
 proto => 'tcp',
 jump => 'DSCP',
- port => '997',
+ dport => '997',
 set_dscp_class => 'EF',
 chain => 'OUTPUT',
 table => 'mangle',
@@ -368,22 +363,22 @@ describe 'firewall attribute testing, happy path' do
 expect(result.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - connmark" -j REJECT --reject-with icmp-port-unreachable})
 end
 it 'destination is set' do
- expect(result.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 550 -m comment --comment "550 - destination" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -d 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 550 -m comment --comment "550 - destination" -j ACCEPT})
 end
 it 'destination is negated' do
- expect(result.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 551 -m comment --comment "551 - destination negated" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT (! -d|-d !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 551 -m comment --comment "551 - destination negated" -j ACCEPT})
 end
 it 'source is set' do
- expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 556 -m comment --comment "556 - source" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -s 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 556 -m comment --comment "556 - source" -j ACCEPT})
 end
 it 'source is negated' do
- expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --ports 557 -m comment --comment "557 - source negated" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT (! -s|-s !) 192.168.2.0\/(24|255\.255\.255\.0) -p tcp -m multiport --dports 557 -m comment --comment "557 - source negated" -j ACCEPT})
 end
 it 'src_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --ports 558 -m comment --comment "558 - src_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 192.168.1.1-192.168.1.10 -m multiport --dports 558 -m comment --comment "558 - src_range" -j ACCEPT})
 end
 it 'dst_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --ports 559 -m comment --comment "559 - dst_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 192.168.1.1-192.168.1.10 -m multiport --dports 559 -m comment --comment "559 - dst_range" -j ACCEPT})
 end
 it 'sport range is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --sports 560:561 -m comment --comment "560 - sport range" -j ACCEPT})
@@ -391,9 +386,6 @@ describe 'firewall attribute testing, happy path' do
 it 'dport range is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 561:562 -m comment --comment "561 - dport range" -j ACCEPT})
 end
- it 'port range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 562:563 -m comment --comment "562 - port range" -j ACCEPT})
- end
 it 'dst_type is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --dst-type MULTICAST -m comment --comment "563 - dst_type" -j ACCEPT})
 end
@@ -416,16 +408,16 @@ describe 'firewall attribute testing, happy path' do
 expect(result.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "574 - toports" -j REDIRECT --to-ports 2222})
 end
 it 'limit is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
 end
 it 'burst is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - burst" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 573 -m limit --limit 500\/sec --limit-burst 1500 -m comment --comment "573 - burst" -j ACCEPT})
 end
 it 'pkttype is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 581 -m pkttype --pkt-type multicast -m comment --comment "581 - pkttype" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 581 -m pkttype --pkt-type multicast -m comment --comment "581 - pkttype" -j ACCEPT})
 end
 it 'isfragment is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --ports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --dports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
 end
 it 'ipsec_policy ipsec and dir out' do
 expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
@@ -446,13 +438,13 @@ describe 'firewall attribute testing, happy path' do
 expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
 end
 it 'set physdev_in' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})
 end
 it 'set physdev_out' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 712 -m comment --comment "712 - physdev_out" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 712 -m comment --comment "712 - physdev_out" -j ACCEPT})
 end
 it 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength
 end
 it 'gid set to root' do
 expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
@@ -467,10 +459,10 @@ describe 'firewall attribute testing, happy path' do
 expect(result.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - uid 0 negated" -j ACCEPT})
 end
 it 'set_dscp is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01})
 end
 it 'set_dscp_class is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
 end
 it 'all the modules with multiple args is set' do
 expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "807 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
index c12f76f..2297398 100644
--- a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
@@ -13,7 +13,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 class { '::firewall': }
 firewall { '602 - test':
 proto => tcp,
- port => '602',
+ dport => '602',
 action => accept,
 provider => 'ip6tables',
 dst_range => '2001::db8::1-2001:db8::ff',
@@ -113,7 +113,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 firewall { '571 - test':
 ensure => present,
 proto => tcp,
- port => '571',
+ dport => '571',
 action => accept,
 hop_limit => 'invalid',
 provider => 'ip6tables',
@@ -127,7 +127,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 it 'does not contain the rule' do
 run_shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --ports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT})
 end
 end
 end
@@ -194,7 +194,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 class { '::firewall': }
 firewall { '601 - test':
 proto => tcp,
- port => '601',
+ dport => '601',
 action => accept,
 provider => 'ip6tables',
 src_range => '2001::db8::1-2001:db8::ff',
@@ -208,7 +208,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 it 'does not contain the rule' do
 run_shell('ip6tables-save') do |r|
- expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - test" -j ACCEPT})
+ expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --dports 601 -m comment --comment "601 - test" -j ACCEPT})
 end
 end
 end
@@ -258,7 +258,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '701',
+ dport => '701',
 action => accept,
 physdev_in => 'eth0',
 }
@@ -266,7 +266,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '702',
+ dport => '702',
 action => accept,
 physdev_out => 'eth1',
 }
@@ -274,7 +274,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '703',
+ dport => '703',
 action => accept,
 physdev_in => 'eth0',
 physdev_out => 'eth1',
@@ -283,7 +283,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '704',
+ dport => '704',
 action => accept,
 physdev_is_bridged => true,
 }
@@ -291,7 +291,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '705',
+ dport => '705',
 action => accept,
 physdev_in => 'eth0',
 physdev_is_bridged => true,
@@ -300,7 +300,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '706',
+ dport => '706',
 action => accept,
 physdev_out => 'eth1',
 physdev_is_bridged => true,
@@ -309,7 +309,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '707',
+ dport => '707',
 action => accept,
 physdev_in => 'eth0',
 physdev_out => 'eth1',
@@ -319,7 +319,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '708',
+ dport => '708',
 action => accept,
 physdev_is_in => true,
 }
@@ -327,7 +327,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 provider => 'ip6tables',
 chain => 'FORWARD',
 proto => tcp,
- port => '709',
+ dport => '709',
 action => accept,
 physdev_is_out => true,
 }
@@ -335,7 +335,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 proto => 'tcp',
 jump => 'DSCP',
 set_dscp => '0x01',
- port => '997',
+ dport => '997',
 chain => 'OUTPUT',
 table => 'mangle',
 provider => 'ip6tables',
@@ -343,7 +343,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 firewall { '1003 EF - set_dscp_class':
 proto => 'tcp',
 jump => 'DSCP',
- port => '997',
+ dport => '997',
 set_dscp_class => 'EF',
 chain => 'OUTPUT',
 table => 'mangle',
@@ -393,37 +393,37 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 let(:result) { run_shell('ip6tables-save') }
 it 'physdev_in is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --ports 701 -m comment --comment "701 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 701 -m comment --comment "701 - test" -j ACCEPT})
 end
 it 'physdev_out is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --ports 702 -m comment --comment "702 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 702 -m comment --comment "702 - test" -j ACCEPT})
 end
 it 'physdev_in and physdev_out is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --ports 703 -m comment --comment "703 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --dports 703 -m comment --comment "703 - test" -j ACCEPT})
 end
 it 'physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --ports 704 -m comment --comment "704 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --dports 704 -m comment --comment "704 - test" -j ACCEPT})
 end
 it 'physdev_in and physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --ports 705 -m comment --comment "705 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --dports 705 -m comment --comment "705 - test" -j ACCEPT})
 end
 it 'physdev_out and physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --ports 706 -m comment --comment "706 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --dports 706 -m comment --comment "706 - test" -j ACCEPT})
 end
 it 'physdev_in and physdev_out and physdev_is_bridged is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --ports 707 -m comment --comment "707 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 707 -m comment --comment "707 - test" -j ACCEPT})
 end
 it 'physdev_is_in is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --ports 708 -m comment --comment "708 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --dports 708 -m comment --comment "708 - test" -j ACCEPT})
 end
 it 'physdev_is_out is set' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --ports 709 -m comment --comment "709 - test" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --dports 709 -m comment --comment "709 - test" -j ACCEPT})
 end
 it 'set_dscp is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
 end
 it 'set_dscp_class is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
 end
 it 'set_mss and mss is set' do
 expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
index 309930e..6df0a56 100644
--- a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
@@ -13,7 +13,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '571 - hop_limit':
 ensure => present,
 proto => tcp,
- port => '571',
+ dport => '571',
 action => accept,
 hop_limit => '5',
 provider => 'ip6tables',
@@ -31,7 +31,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '587 - ishasmorefrags true':
 ensure => present,
 proto => tcp,
- port => '587',
+ dport => '587',
 action => accept,
 ishasmorefrags => true,
 provider => 'ip6tables',
@@ -39,7 +39,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '588 - ishasmorefrags false':
 ensure => present,
 proto => tcp,
- port => '588',
+ dport => '588',
 action => accept,
 ishasmorefrags => false,
 provider => 'ip6tables',
@@ -47,7 +47,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '589 - islastfrag true':
 ensure => present,
 proto => tcp,
- port => '589',
+ dport => '589',
 action => accept,
 islastfrag => true,
 provider => 'ip6tables',
@@ -55,7 +55,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '590 - islastfrag false':
 ensure => present,
 proto => tcp,
- port => '590',
+ dport => '590',
 action => accept,
 islastfrag => false,
 provider => 'ip6tables',
@@ -63,7 +63,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '591 - isfirstfrag true':
 ensure => present,
 proto => tcp,
- port => '591',
+ dport => '591',
 action => accept,
 isfirstfrag => true,
 provider => 'ip6tables',
@@ -71,7 +71,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '592 - isfirstfrag false':
 ensure => present,
 proto => tcp,
- port => '592',
+ dport => '592',
 action => accept,
 isfirstfrag => false,
 provider => 'ip6tables',
@@ -84,14 +84,14 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 }
 firewall { '601 - src_range':
 proto => tcp,
- port => '601',
+ dport => '601',
 action => accept,
 src_range => '2001:db8::1-2001:db8::ff',
 provider => 'ip6tables',
 }
 firewall { '602 - dst_range':
 proto => tcp,
- port => '602',
+ dport => '602',
 action => accept,
 dst_range => '2001:db8::1-2001:db8::ff',
 provider => 'ip6tables',
@@ -106,7 +106,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '605 - socket true':
 ensure => present,
 proto => tcp,
- port => '605',
+ dport => '605',
 action => accept,
 chain => 'INPUT',
 socket => true,
@@ -115,7 +115,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 firewall { '606 - socket false':
 ensure => present,
 proto => tcp,
- port => '606',
+ dport => '606',
 action => accept,
 chain => 'INPUT',
 socket => false,
@@ -173,7 +173,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 ensure => present,
 chain => 'OUTPUT',
 proto => tcp,
- port => '611',
+ dport => '611',
 jump => 'MARK',
 table => 'mangle',
 set_mark => '0x3e8/0xffffffff',
@@ -268,46 +268,46 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 let(:result) { run_shell('ip6tables-save') }
 it 'hop_limit is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT})
 end
 it 'checksum_fill is set' do
 expect(result.stdout).to match(%r{-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - checksum_fill" -j CHECKSUM --checksum-fill})
 end
 it 'ishasmorefrags when true' do
- expect(result.stdout).to match(%r{A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --ports 587 -m comment --comment "587 - ishasmorefrags true" -j ACCEPT})
+ expect(result.stdout).to match(%r{A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --dports 587 -m comment --comment "587 - ishasmorefrags true" -j ACCEPT})
 end
 it 'ishasmorefrags when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 588 -m comment --comment "588 - ishasmorefrags false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 588 -m comment --comment "588 - ishasmorefrags false" -j ACCEPT})
 end
 it 'islastfrag when true' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --ports 589 -m comment --comment "589 - islastfrag true" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --dports 589 -m comment --comment "589 - islastfrag true" -j ACCEPT})
 end
 it 'islastfrag when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 590 -m comment --comment "590 - islastfrag false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 590 -m comment --comment "590 - islastfrag false" -j ACCEPT})
 end
 it 'isfirstfrag when true' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --ports 591 -m comment --comment "591 - isfirstfrag true" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --dports 591 -m comment --comment "591 - isfirstfrag true" -j ACCEPT})
 end
 it 'isfirstfrag when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 592 -m comment --comment "592 - isfirstfrag false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 592 -m comment --comment "592 - isfirstfrag false" -j ACCEPT})
 end
 it 'tcp_flags is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN ACK -m comment --comment "593 - tcpfrags" -j ACCEPT})
 end
 it 'src_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 2001:db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - src_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 2001:db8::1-2001:db8::ff -m multiport --dports 601 -m comment --comment "601 - src_range" -j ACCEPT})
 end
 it 'dst_range is set' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001:db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - dst_range" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001:db8::1-2001:db8::ff -m multiport --dports 602 -m comment --comment "602 - dst_range" -j ACCEPT})
 end
 it 'mac_source is set' do
 expect(result.stdout).to match(%r{-A INPUT -s 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "604 - mac_source"})
 end
 it 'socket when true' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 605 -m socket -m comment --comment "605 - socket true" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 605 -m socket -m comment --comment "605 - socket true" -j ACCEPT})
 end
 it 'socket when false' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --ports 606 -m comment --comment "606 - socket false" -j ACCEPT})
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 606 -m comment --comment "606 - socket false" -j ACCEPT})
 end
 it 'ipsec_policy when ipsec' do
 expect(result.stdout).to match(
@@ -330,7 +330,7 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 )
 end
 it 'set_mark is set' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 611 -m comment --comment "611 - set_mark" -j MARK --set-xmark 0x3e8\/0xffffffff})
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 611 -m comment --comment "611 - set_mark" -j MARK --set-xmark 0x3e8\/0xffffffff})
 end
 it 'dst_type when MULTICAST' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s--dst-type\sMULTICAST -m comment --comment "613 - dst_type MULTICAST" -j ACCEPT})
diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
index 3ee599c..ff86d11 100644
--- a/spec/acceptance/rules_spec.rb
+++ b/spec/acceptance/rules_spec.rb
@@ -29,7 +29,7 @@ describe 'rules spec' do
 destination => '!10.0.0.0/8',
 proto => 'tcp',
 ctstate => 'NEW',
- port => [80,443,21,20,22,53,123,43,873,25,465],
+ sport => [80,443,21,20,22,53,123,43,873,25,465],
 action => 'accept',
 }
 firewall { '100 forward standard allow udp':
@@ -37,7 +37,7 @@ describe 'rules spec' do
 source => '10.0.0.0/8',
 destination => '!10.0.0.0/8',
 proto => 'udp',
- port => [53,123],
+ sport => [53,123],
 action => 'accept',
 }
 firewall { '100 forward standard allow icmp':
@@ -88,7 +88,7 @@ describe 'rules spec' do
 chain => 'PREROUTING',
 iniface => 'eth0',
 proto => 'tcp',
- dport => '1',
+ sport => '1',
 toports => '22',
 jump => 'REDIRECT',
 }
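Review bot: The forward-allow fixtures in rules_spec.rb at @@ -29 and @@ -37 now match on the source port (`sport`) rather than the destination port, so the "100 forward standard allow tcp/udp" rules no longer express "traffic to these services" but "traffic whose peer happens to use these source ports", which any remote endpoint can satisfy by choosing its own source port. The other spec files in this commit convert `port` to `dport`, so the consistent change here is `dport => [80,443,21,20,22,53,123,43,873,25,465]` and `dport => [53,123]`, with the expectations at @@ -101 reading `--dports` instead of `--sports`. The @@ -88 hunk also rewrites an attribute that was already `dport` on the PREROUTING REDIRECT rule to `sport => '1'`, which looks unintended for a commit titled "update port"; presumably `dport => '1'` should stay. Each of these resource declarations starts outside its hunk.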
@@ -101,8 +101,8 @@ describe 'rules spec' do
 %r{INPUT ACCEPT}, %r{FORWARD ACCEPT}, %r{OUTPUT ACCEPT},
 %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT},
 %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT},
- %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
- %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT}
+ %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --sports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
+ %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --sports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT}
 ]
 it 'contains appropriate rules' do
 run_shell('iptables-save') do |r|
--
2.45.2