From a37dcaab6b1d331314383e8799bbc1392ed19022 Mon Sep 17 00:00:00 2001
From: David Schmitt
Date: Wed, 16 Dec 2020 13:36:32 +0000
Subject: [PATCH] Add the FrozenStrings magic comment
---
 lib/facter/ip6tables_version.rb | 2 ++
 lib/facter/iptables_persistent_version.rb | 2 ++
 lib/facter/iptables_version.rb | 2 ++
 lib/puppet/provider/firewall.rb | 2 ++
 lib/puppet/provider/firewall/ip6tables.rb | 2 ++
 lib/puppet/provider/firewall/iptables.rb | 4 +++-
 .../provider/firewallchain/iptables_chain.rb | 2 ++
 lib/puppet/type/firewall.rb | 2 ++
 lib/puppet/type/firewallchain.rb | 2 ++
 lib/puppet/util/firewall.rb | 2 ++
 lib/puppet/util/ipcidr.rb | 1 +
 spec/acceptance/class_spec.rb | 2 ++
 .../firewall_attributes_exceptions_spec.rb | 6 +++--
 .../firewall_attributes_happy_path_spec.rb | 16 ++++++++------
 ...irewall_attributes_ipv6_exceptions_spec.rb | 6 +++--
 ...irewall_attributes_ipv6_happy_path_spec.rb | 12 +++++-----
 spec/acceptance/firewallchain_spec.rb | 2 ++
 spec/acceptance/resource_cmd_spec.rb | 2 ++
 spec/acceptance/rules_spec.rb | 4 +++-
 spec/acceptance/standard_usage_spec.rb | 2 ++
 spec/fixtures/iptables/conversion_hash.rb | 22 +++++++++----------
 spec/spec_helper_acceptance_local.rb | 2 ++
 spec/spec_helper_local.rb | 2 ++
 .../classes/firewall_linux_archlinux_spec.rb | 2 ++
 .../classes/firewall_linux_debian_spec.rb | 2 ++
 .../classes/firewall_linux_redhat_spec.rb | 2 ++
 spec/unit/classes/firewall_linux_spec.rb | 2 ++
 spec/unit/classes/firewall_spec.rb | 2 ++
 .../iptables_persistent_version_spec.rb | 2 ++
 spec/unit/facter/iptables_spec.rb | 2 ++
 spec/unit/puppet/provider/ip6tables_spec.rb | 1 +
 .../puppet/provider/iptables_chain_spec.rb | 1 +
 spec/unit/puppet/provider/iptables_spec.rb | 1 +
 spec/unit/puppet/type/firewall_spec.rb | 1 +
 spec/unit/puppet/type/firewallchain_spec.rb | 1 +
 spec/unit/puppet/util/firewall_spec.rb | 2 ++
 spec/unit/puppet/util/ipcidr_spec.rb | 2 ++
 37 files changed, 95 insertions(+), 29 deletions(-)
diff --git a/lib/facter/ip6tables_version.rb b/lib/facter/ip6tables_version.rb index fded4bc..964ae74 100644 --- a/lib/facter/ip6tables_version.rb +++ b/lib/facter/ip6tables_version.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Facter.add(:ip6tables_version) do confine kernel: :Linux setcode do diff --git a/lib/facter/iptables_persistent_version.rb b/lib/facter/iptables_persistent_version.rb index 7e9ffd0..98fb5b0 100644 --- a/lib/facter/iptables_persistent_version.rb +++ b/lib/facter/iptables_persistent_version.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Facter.add(:iptables_persistent_version) do confine operatingsystem: ['Debian', 'Ubuntu'] setcode do diff --git a/lib/facter/iptables_version.rb b/lib/facter/iptables_version.rb index 3253b97..873a37e 100644 --- a/lib/facter/iptables_version.rb +++ b/lib/facter/iptables_version.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Facter.add(:iptables_version) do confine kernel: :Linux setcode do diff --git a/lib/puppet/provider/firewall.rb b/lib/puppet/provider/firewall.rb index 851b4b3..f8403a8 100644 --- a/lib/puppet/provider/firewall.rb +++ b/lib/puppet/provider/firewall.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # # firewall.rb # diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb index efab4f8..b4c2b87 100644 --- a/lib/puppet/provider/firewall/ip6tables.rb +++ b/lib/puppet/provider/firewall/ip6tables.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6tables do @doc = 'Ip6tables type provider' diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index c101ddc..2031919 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'puppet/provider/firewall' require 'digest' 
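Review bot: The magic comment added at the top of the files under lib/ (the facts, `provider/firewall.rb`, `firewall/ip6tables.rb`, `firewall/iptables.rb`, and further down `firewallchain/iptables_chain.rb`, the two types, `util/firewall.rb` and `util/ipcidr.rb`) freezes every string literal in those files, so any in-place mutation of a literal (`<<`, `gsub!`, `sub!`, `strip!`) that worked before will now raise FrozenError at run time. None of those call sites fall inside these three-line hunks, so this has to be checked against the full files rather than the patch. Because these providers build and apply iptables/ip6tables rules, an exception part-way through a run could presumably leave a host with only some of its rules applied, so it is worth confirming the unit and acceptance suites exercise each provider path with the comment in place. Where a mutable buffer is genuinely needed, `String.new` or `+''` keeps the old behaviour for that one value.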
@@ -858,7 +860,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa }.transpose wrong_values = wrong_values.compact unless wrong_values.empty? - raise "All values of the '#{res}' property must be prefixed with a '!' when inverting, but '#{wrong_values.join("', '")}' #{(wrong_values.length > 1) ? 'are' : 'is'} not prefixed; aborting" # rubocop:disable Metrics/LineLength : Line length cannot be reduced + raise "All values of the '#{res}' property must be prefixed with a '!' when inverting, but '#{wrong_values.join("', '")}' #{(wrong_values.length > 1) ? 'are' : 'is'} not prefixed; aborting" # rubocop:disable Layout/LineLength : Line length cannot be reduced end args.insert(-2, '!') # rubocop:enable Metrics/BlockNesting diff --git a/lib/puppet/provider/firewallchain/iptables_chain.rb b/lib/puppet/provider/firewallchain/iptables_chain.rb index 6182283..ecd4590 100644 --- a/lib/puppet/provider/firewallchain/iptables_chain.rb +++ b/lib/puppet/provider/firewallchain/iptables_chain.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + Puppet::Type.type(:firewallchain).provide :iptables_chain do include Puppet::Util::Firewall diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 3901b3e..dbce633 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # See: #10295 for more details. # # This is a workaround for bug: #4248 whereby ruby files outside of the normal diff --git a/lib/puppet/type/firewallchain.rb b/lib/puppet/type/firewallchain.rb index 3a38b7f..4c0215a 100644 --- a/lib/puppet/type/firewallchain.rb +++ b/lib/puppet/type/firewallchain.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + # This is a workaround for bug: #4248 whereby ruby files outside of the normal # provider/type path do not load until pluginsync has occured on the puppet server # diff --git a/lib/puppet/util/firewall.rb b/lib/puppet/util/firewall.rb index add4ac0..b43f7a0 100644 
--- a/lib/puppet/util/firewall.rb +++ b/lib/puppet/util/firewall.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'socket' require 'resolv' require 'puppet/util/ipcidr' diff --git a/lib/puppet/util/ipcidr.rb b/lib/puppet/util/ipcidr.rb index d5ab06f..b44ce31 100644 --- a/lib/puppet/util/ipcidr.rb +++ b/lib/puppet/util/ipcidr.rb @@ -1,3 +1,4 @@ +# frozen_string_literal: true require 'ipaddr' diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index d030da2..9695831 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' describe 'firewall class' do diff --git a/spec/acceptance/firewall_attributes_exceptions_spec.rb b/spec/acceptance/firewall_attributes_exceptions_spec.rb index 0d9c4b1..67e59c2 100644 --- a/spec/acceptance/firewall_attributes_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_exceptions_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' describe 'firewall basics', docker: true do @@ -1039,7 +1041,7 @@ describe 'firewall basics', docker: true do it 'contains the rule' do run_shell('iptables-save') do |r| expect(r.stdout).to match( - %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Metrics/LineLength + %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Layout/LineLength ) end end 
@@ -1335,7 +1337,7 @@ describe 'firewall basics', docker: true do end end it 'hashlimit_upto is set' do - expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length + expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Layout/LineLength : Cannot reduce line to required length end end diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index 8bb3a03..fe77619 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' describe 'firewall attribute testing, happy path' do @@ -368,7 +370,7 @@ describe 'firewall attribute testing, happy path' do end # it 'contains the connlimit and connlimit_mask rule' do # expect(result.stdout).to match( - # %r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Metrics/LineLength + # %r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Layout/LineLength # ) # end it 'contains connmark' do 
@@ -432,10 +434,10 @@ describe 'firewall attribute testing, happy path' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --dports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
 end
 it 'ipsec_policy ipsec and dir out' do
- expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
+ expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Layout/LineLength
 end
 it 'ipsec_policy none and dir in' do
- expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
+ expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Layout/LineLength
 end
 it 'set_mss is set' do
 expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "604 - set_mss" -j TCPMSS --set-mss 1360})
@@ -456,7 +458,7 @@ describe 'firewall attribute testing, happy path' do
 expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 712 -m comment --comment "712 - physdev_out" -j ACCEPT})
 end
 it 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
- expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength
+ expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Layout/LineLength
 end
 it 'gid set to root' do
 expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
@@ -477,16 +479,16 @@ describe 'firewall attribute testing, happy path' do expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e}) end it 'all the modules with multiple args is set' do - expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "807 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength + expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "807 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Layout/LineLength end it 'all the modules with single args is set' do - expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "808 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength + expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "808 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Layout/LineLength end it 'recent set to set' do 
expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --set --name list1 (--mask 255.255.255.255 )?--rdest -m comment --comment "597 - recent set"}) end it 'recent set to rcheck' do - expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 (--mask 255.255.255.255 )?--rsource -m comment --comment "598 - recent rcheck"}) # rubocop:disable Metrics/LineLength + expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 (--mask 255.255.255.255 )?--rsource -m comment --comment "598 - recent rcheck"}) # rubocop:disable Layout/LineLength end it 'recent set to update' do expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --update --name DEFAULT (--mask 255.255.255.255 )?--rsource -m comment --comment "599 - recent update"}) diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb index 4dc141c..216c981 100644 --- a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb +++ b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' describe 'firewall ipv6 attribute testing, exceptions' do 
@@ -245,7 +247,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 it 'contains the rule' do
 run_shell('ip6tables-save') do |r|
 expect(r.stdout).to match(
- %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Metrics/LineLength
+ %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Layout/LineLength
 )
 end
 end
@@ -434,7 +436,7 @@ describe 'firewall ipv6 attribute testing, exceptions' do
 expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
 end
 it 'hashlimit_name set to "upto-ip6"' do
- expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Layout/LineLength : Cannot reduce line to required length
 end
 it 'match_mark is set' do
 expect(result.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})
diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb index 13d7b1e..9db540d 100644 --- a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do 
@@ -319,17 +321,17 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 end
 it 'ipsec_policy when ipsec' do
 expect(result.stdout).to match(
- %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - ipsec_policy ipsec" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Metrics/LineLength
+ %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - ipsec_policy ipsec" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
 )
 end
 it 'ipsec_policy when none' do
 expect(result.stdout).to match(
- %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - ipsec_policy none" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Metrics/LineLength
+ %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - ipsec_policy none" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
 )
 end
 it 'ipsec_dir when out' do
 expect(result.stdout).to match(
- %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - ipsec_dir out" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Metrics/LineLength
+ %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - ipsec_dir out" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
 )
 end
 it 'ipsec_dir when in' do
@@ -359,10 +361,10 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --src-type LOCAL -m addrtype ! --src-type LOCAL -m comment --comment "620 - src_type multiple values" -j ACCEPT}) end it 'all the modules with multiple args is set' do - expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength + expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength end it 'all the modules with single args is set' do - expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength + expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength end it 
'tee_gateway is set' do expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1}) diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb index 7f8e25b..facf204 100644 --- a/spec/acceptance/firewallchain_spec.rb +++ b/spec/acceptance/firewallchain_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' describe 'puppet resource firewallchain command' do diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb index 3c6137e..a8affbf 100644 --- a/spec/acceptance/resource_cmd_spec.rb +++ b/spec/acceptance/resource_cmd_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' # Here we want to test the the resource commands ability to work with different diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb index 65f2a50..5b5dfeb 100644 --- a/spec/acceptance/rules_spec.rb +++ b/spec/acceptance/rules_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' require 'spec_helper_acceptance_local' 
@@ -103,7 +105,7 @@ describe 'rules spec' do %r{INPUT ACCEPT}, %r{FORWARD ACCEPT}, %r{OUTPUT ACCEPT}, %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT}, %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT}, - %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --sports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength + %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --sports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Layout/LineLength %r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --sports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT} ] it 'contains appropriate rules' do diff --git a/spec/acceptance/standard_usage_spec.rb b/spec/acceptance/standard_usage_spec.rb index bcf8197..ccb787d 100644 --- a/spec/acceptance/standard_usage_spec.rb +++ b/spec/acceptance/standard_usage_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper_acceptance' # Some tests for the standard recommended usage diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb index 3157cc9..d593f93 100644 --- a/spec/fixtures/iptables/conversion_hash.rb +++ b/spec/fixtures/iptables/conversion_hash.rb 
@@ -595,7 +595,7 @@ ARGS_TO_HASH = {
 },
 },
 'connlimit_above' => {
- line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10"', # rubocop:disable Metrics/LineLength
+ line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10"', # rubocop:disable Layout/LineLength
 table: 'filter',
 params: {
 proto: 'tcp',
@@ -605,7 +605,7 @@ ARGS_TO_HASH = {
 },
 },
 'connlimit_above_with_connlimit_mask' => {
- line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10 with mask 24"', # rubocop:disable Metrics/LineLength,
+ line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10 with mask 24"', # rubocop:disable Layout/LineLength,
 table: 'filter',
 params: {
 proto: 'tcp',
@@ -634,7 +634,7 @@ ARGS_TO_HASH = {
 },
 },
 'drop_new_packets_without_syn' => {
- line: '-t filter ! -s 10.0.0.0/8 ! -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -m comment --comment "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset"', # rubocop:disable Metrics/LineLength
+ line: '-t filter ! -s 10.0.0.0/8 ! -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -m comment --comment "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset"', # rubocop:disable Layout/LineLength
 table: 'filter',
 params: {
 name: '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset',
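Review bot: `spec/fixtures/iptables/conversion_hash.rb` is the one Ruby file in this patch that does not receive `# frozen_string_literal: true`; its hunks (here and in the following ones down to `@@ -1432,7 +1432,7 @@`) only rename the cop in the `rubocop:disable` comments, and the diffstat shows 11 additions against 11 deletions. If the omission is deliberate, for example because specs mutate strings taken from `ARGS_TO_HASH` / `HASH_TO_ARGS`, that is not visible here and deserves a short comment at the top of the file or an explicit RuboCop exclusion, so the next sweep does not add the comment blindly. If it is an oversight, the fixture should get the same two header lines as the other files. Separately, the second hunk carries over a stray trailing comma in `# rubocop:disable Layout/LineLength,` which could be dropped while the line is being touched.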
@@ -659,7 +659,7 @@ ARGS_TO_HASH = {
 },
 },
 'match_mark' => {
- line: '-A INPUT -p tcp -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches"', # rubocop:disable Metrics/LineLength
+ line: '-A INPUT -p tcp -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches"', # rubocop:disable Layout/LineLength
 table: 'filter',
 params: {
 proto: 'tcp',
@@ -811,7 +811,7 @@ HASH_TO_ARGS = {
 sport: ['7061', '7062'],
 table: 'filter',
 },
- args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '1.1.1.1/32', '-p', :tcp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061,7062', '-j', 'ACCEPT', '-m', 'comment', '--comment', '000 allow foo'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '1.1.1.1/32', '-p', :tcp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061,7062', '-j', 'ACCEPT', '-m', 'comment', '--comment', '000 allow foo'], # rubocop:disable Layout/LineLength
 },
 'long_rule_2' => {
 params: {
@@ -826,7 +826,7 @@ HASH_TO_ARGS = {
 sport: ['7061', '7062'],
 table: 'filter',
 },
- args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.10.13.0/24', '-p', :udp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061', '-j', 'my_custom_chain', '-m', 'comment', '--comment', '700 allow bar'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.10.13.0/24', '-p', :udp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061', '-j', 'my_custom_chain', '-m', 'comment', '--comment', '700 allow bar'], # rubocop:disable Layout/LineLength
 },
 'no_action' => {
 params: {
@@ -1286,7 +1286,7 @@ HASH_TO_ARGS = {
 connlimit_mask: '24',
 action: 'reject',
 },
- args: ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '22', '-j', 'REJECT', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '24', '-m', 'comment', '--comment', '061 REJECT connlimit_above 10 with mask 24'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '22', '-j', 'REJECT', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '24', '-m', 'comment', '--comment', '061 REJECT connlimit_above 10 with mask 24'], # rubocop:disable Layout/LineLength
 },
 'connmark' => {
 params: {
@@ -1318,7 +1318,7 @@ HASH_TO_ARGS = {
 source: '! 10.0.0.0/8',
 tcp_flags: '! FIN,SYN,RST,ACK SYN',
 },
- args: ['-t', :filter, '!', '-s', '10.0.0.0/8', '!', '-p', :tcp, '-m', 'tcp', '!', '--tcp-flags', 'FIN,SYN,RST,ACK', 'SYN', '-m', 'state', '--state', 'NEW', '-j', 'DROP', '-m', 'comment', '--comment', '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '!', '-s', '10.0.0.0/8', '!', '-p', :tcp, '-m', 'tcp', '!', '--tcp-flags', 'FIN,SYN,RST,ACK', 'SYN', '-m', 'state', '--state', 'NEW', '-j', 'DROP', '-m', 'comment', '--comment', '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset'], # rubocop:disable Layout/LineLength
 },
 'negate_dport_and_sport' => {
 params: {
@@ -1332,7 +1332,7 @@ HASH_TO_ARGS = {
 dport: ['! 67', '! 66'],
 proto: 'udp',
 },
- args: ['-t', :filter, '-s', '0.0.0.0/32', '-d', '255.255.255.255/32', '-p', :udp, '-m', 'multiport', '!', '--sports', '68,69', '-m', 'multiport', '!', '--dports', '67,66', '-j', 'ACCEPT', '-m', 'comment', '--comment', '065 negate dport and sport'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '-s', '0.0.0.0/32', '-d', '255.255.255.255/32', '-p', :udp, '-m', 'multiport', '!', '--sports', '68,69', '-m', 'multiport', '!', '--dports', '67,66', '-j', 'ACCEPT', '-m', 'comment', '--comment', '065 negate dport and sport'], # rubocop:disable Layout/LineLength
 },
 'match_mark' => {
 params: {
@@ -1344,7 +1344,7 @@ HASH_TO_ARGS = {
 match_mark: '0x1',
 action: 'reject',
 },
- args: ['-t', :filter, '-p', :tcp, '-j', 'REJECT', '-m', 'mark', '--mark', '0x1', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '32', '-m', 'comment', '--comment', '066 REJECT connlimit_above 10 with mask 32 and mark matches'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '-p', :tcp, '-j', 'REJECT', '-m', 'mark', '--mark', '0x1', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '32', '-m', 'comment', '--comment', '066 REJECT connlimit_above 10 with mask 32 and mark matches'], # rubocop:disable Layout/LineLength
 },
 'clamp_mss_to_pmtu' => {
 params: {
@@ -1432,7 +1432,7 @@ HASH_TO_ARGS = {
 queue_num: '50',
 queue_bypass: true,
 },
- args: ['-t', :filter, '-s', '1.2.3.4/32', '-d', '4.3.2.1/32', '-p', :tcp, '-j', 'NFQUEUE', '--queue-num', '50', '--queue-bypass', '-m', 'comment', '--comment', '002 nfqueue specify queue_num and queue_bypass'], # rubocop:disable Metrics/LineLength
+ args: ['-t', :filter, '-s', '1.2.3.4/32', '-d', '4.3.2.1/32', '-p', :tcp, '-j', 'NFQUEUE', '--queue-num', '50', '--queue-bypass', '-m', 'comment', '--comment', '002 nfqueue specify queue_num and queue_bypass'], # rubocop:disable Layout/LineLength
 },
 'nfqueue_jump3' => {
 params: {
diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb index d620d08..461a9a8 100644 --- a/spec/spec_helper_acceptance_local.rb +++ b/spec/spec_helper_acceptance_local.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'singleton' class LitmusHelper diff --git a/spec/spec_helper_local.rb b/spec/spec_helper_local.rb index d2346d3..4cffcab 100644 --- a/spec/spec_helper_local.rb +++ b/spec/spec_helper_local.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + if ENV['COVERAGE'] == 'yes' require 'simplecov' require 'simplecov-console' diff --git a/spec/unit/classes/firewall_linux_archlinux_spec.rb b/spec/unit/classes/firewall_linux_archlinux_spec.rb index 5c69ae3..eea80e1 100644 --- a/spec/unit/classes/firewall_linux_archlinux_spec.rb +++ b/spec/unit/classes/firewall_linux_archlinux_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'firewall::linux::archlinux', type: :class do diff --git a/spec/unit/classes/firewall_linux_debian_spec.rb b/spec/unit/classes/firewall_linux_debian_spec.rb index 38fc7ed..4f74d21 100644 --- a/spec/unit/classes/firewall_linux_debian_spec.rb +++ b/spec/unit/classes/firewall_linux_debian_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'firewall::linux::debian', type: :class do diff --git a/spec/unit/classes/firewall_linux_redhat_spec.rb b/spec/unit/classes/firewall_linux_redhat_spec.rb index 3f00e7c..d9b720d 100644 --- a/spec/unit/classes/firewall_linux_redhat_spec.rb +++ b/spec/unit/classes/firewall_linux_redhat_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' RSpec.shared_examples 'ensures iptables service' do diff --git a/spec/unit/classes/firewall_linux_spec.rb b/spec/unit/classes/firewall_linux_spec.rb index c44600d..b45982e 100644 --- a/spec/unit/classes/firewall_linux_spec.rb +++ b/spec/unit/classes/firewall_linux_spec.rb 
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 describe 'firewall::linux', type: :class do
diff --git a/spec/unit/classes/firewall_spec.rb b/spec/unit/classes/firewall_spec.rb
index a26ddb5..5293613 100644
--- a/spec/unit/classes/firewall_spec.rb
+++ b/spec/unit/classes/firewall_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 describe 'firewall', type: :class do
diff --git a/spec/unit/facter/iptables_persistent_version_spec.rb b/spec/unit/facter/iptables_persistent_version_spec.rb
index 880487c..e9503a8 100644
--- a/spec/unit/facter/iptables_persistent_version_spec.rb
+++ b/spec/unit/facter/iptables_persistent_version_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 describe 'Facter::Util::Fact iptables_persistent_version' do
diff --git a/spec/unit/facter/iptables_spec.rb b/spec/unit/facter/iptables_spec.rb
index 0187540..f965002 100644
--- a/spec/unit/facter/iptables_spec.rb
+++ b/spec/unit/facter/iptables_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 describe 'Facter::Util::Fact' do
diff --git a/spec/unit/puppet/provider/ip6tables_spec.rb b/spec/unit/puppet/provider/ip6tables_spec.rb
index cf1ebfd..a991e46 100644
--- a/spec/unit/puppet/provider/ip6tables_spec.rb
+++ b/spec/unit/puppet/provider/ip6tables_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec # rubocop:disable Lint/ScriptPermission : Puppet error?
+# frozen_string_literal: true
 require 'spec_helper'
 if Puppet::Util::Package.versioncmp(Puppet.version, '3.4.0') < 0
diff --git a/spec/unit/puppet/provider/iptables_chain_spec.rb b/spec/unit/puppet/provider/iptables_chain_spec.rb
index 1aacb6b..f7ccb9f 100755
--- a/spec/unit/puppet/provider/iptables_chain_spec.rb
+++ b/spec/unit/puppet/provider/iptables_chain_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec
+# frozen_string_literal: true
 require 'spec_helper'
 if Puppet::Util::Package.versioncmp(Puppet.version, '3.4.0') < 0
diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
index e344773..5aaf9b8 100644
--- a/spec/unit/puppet/provider/iptables_spec.rb
+++ b/spec/unit/puppet/provider/iptables_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec # rubocop:disable Lint/ScriptPermission : Puppet error?
+# frozen_string_literal: true
 require 'spec_helper'
 if Puppet::Util::Package.versioncmp(Puppet.version, '3.4.0') < 0
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
index 70d026f..b35a273 100755
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec
+# frozen_string_literal: true
 require 'spec_helper'
diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb
index 4ef2743..d85332a 100755
--- a/spec/unit/puppet/type/firewallchain_spec.rb
+++ b/spec/unit/puppet/type/firewallchain_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec
+# frozen_string_literal: true
 require 'spec_helper'
diff --git a/spec/unit/puppet/util/firewall_spec.rb b/spec/unit/puppet/util/firewall_spec.rb
index dc9580f..aae3290 100644
--- a/spec/unit/puppet/util/firewall_spec.rb
+++ b/spec/unit/puppet/util/firewall_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 describe 'Puppet::Util::Firewall' do
diff --git a/spec/unit/puppet/util/ipcidr_spec.rb b/spec/unit/puppet/util/ipcidr_spec.rb
index 01f79e4..8551928 100644
--- a/spec/unit/puppet/util/ipcidr_spec.rb
+++ b/spec/unit/puppet/util/ipcidr_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 require 'puppet/util/ipcidr'
-- 
2.45.2