From 8f2bb2567c25f9308ed3956ebd9986f79f39be38 Mon Sep 17 00:00:00 2001
From: adrianiurca <adrian.iurca@gmail.com>
Date: Thu, 16 Jul 2020 19:10:31 +0300
Subject: [PATCH] Add acceptance and unit test for notrack parameter

---
 lib/puppet/provider/firewall/iptables.rb          |  3 +--
 .../firewall_attributes_happy_path_spec.rb        | 15 +++++++++++++++
 spec/fixtures/iptables/conversion_hash.rb         | 11 +++++++++++
 spec/spec_helper_acceptance_local.rb              | 13 +++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 90e0910..ee5daae 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -348,8 +348,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name, :notrack,
+    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack
   ]
 
   def insert
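Review bot: The commit subject says "Add acceptance and unit test for notrack parameter", but this hunk also repairs the resource map in the provider: the two removed lines were near-duplicates that only differed in their tail (`:cgroup,` versus `:rpfilter, :name, :notrack,`), which looks like a mis-resolved merge, and the new line merges them into one. That is a behaviour-affecting fix, not a test change, so it deserves a sentence in the commit description or its own commit so `git blame` explains why `:cgroup` and `:notrack` now coexist on one line. While here, the merged line runs well past 120 columns; wrapping it after `:helper,` as the surrounding lines do would keep RuboCop quiet.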
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index cccc3e3..8bb3a03 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -11,6 +11,9 @@ describe 'firewall attribute testing, happy path' do
 
   describe 'attributes test' do
     before(:all) do
+      notrack_manifest = "jump => 'CT', notrack => true"
+      notrack_manifest = "jump => 'NOTRACK'" if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)
+
       pp = <<-PUPPETCODE
           class { '::firewall': }
           firewall { '004 - log_level and log_prefix':
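Review bot: The fallback to `jump => 'NOTRACK'` on the second added line carries no explanation of why RHEL 5/6 get a different target; a short comment would save the next reader a trip through iptables history, e.g. `# RHEL 5/6 ship an iptables without the CT target, so use the legacy NOTRACK target there` (that is my reading of the intent; confirm it is the actual reason). The same `os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)` expression is repeated verbatim in the assertion further down this file, so defining it once as a small predicate near the top of the `describe`, e.g. `legacy_notrack = os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)`, would keep the manifest and the expectation from drifting apart. The `before(:all)` block these lines open continues past the end of the hunk.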
@@ -347,6 +350,13 @@ describe 'firewall attribute testing, happy path' do
             chain          => 'OUTPUT',
             table          => 'mangle',
           }
+          firewall { '004 do not track UDP connections to port 53':
+            chain => 'PREROUTING',
+            table => 'raw',
+            proto  => 'udp',
+            dport => 53,
+            #{notrack_manifest}
+          }
       PUPPETCODE
       idempotent_apply(pp)
     end
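Review bot: The new resource's attribute arrows are not aligned: `proto  => 'udp'` has two spaces while `chain`, `table` and `dport` have one, whereas the neighbouring resource in this heredoc pads every arrow into a single column (`chain          => 'OUTPUT'`), so puppet-lint's arrow_alignment check will most likely flag the added lines. Aligning the five attributes as `chain => 'PREROUTING'`, `table => 'raw'`, `proto => 'udp'`, `dport => 53` with one space each resolves it. The title reuses the `004` prefix already used by `'004 - log_level and log_prefix'`; the titles are distinct strings so Puppet accepts both, but if this module orders rules by that numeric prefix (I have not verified that here) a unique number would avoid ambiguity. The `before(:all)` block starts outside this hunk.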
@@ -487,5 +497,10 @@ describe 'firewall attribute testing, happy path' do
     it 'jump is set' do
       expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
     end
+    it 'notrack is set' do
+      notrack_rule = '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j CT --notrack'
+      notrack_rule = '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j NOTRACK' if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)
+      expect(result.stdout).to match(%r{#{notrack_rule}})
+    end
   end
 end
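Review bot: `expect(result.stdout).to match(%r{#{notrack_rule}})` interpolates a plain string into a regex without escaping, so any metacharacter that later creeps into the rule text (a `.` in an address, `(`/`)` in a comment) silently changes what is matched; since the string is meant literally, `expect(result.stdout).to include(notrack_rule)` states the intent exactly and needs no escaping. The `os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)` condition is copied from the `before(:all)` block earlier in the file; if the two ever disagree the manifest would apply one target and the assertion look for another, so a shared predicate defined once would be safer. The `jump is set` example immediately above uses the same `match(%r{...})` pattern, so switching only the new example is a judgement call, but new code should not extend the habit.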
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index a3cfb87..89ba685 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -778,6 +778,17 @@ ARGS_TO_HASH = {
       cgroup: '0x100001',
     },
   },
+  'notrack' => {
+    line: '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j CT --notrack',
+    table: 'raw',
+    params: {
+      chain: 'PREROUTING',
+      proto: 'udp',
+      dport: ['53'],
+      jump: 'CT',
+      notrack: true
+    }
+  },
 }.freeze
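Review bot: The new `'notrack'` entry omits the trailing commas that every neighbouring entry carries (`cgroup: '0x100001',`, `},`, `},` just above), so RuboCop's Style/TrailingCommaInHashLiteral will flag `notrack: true` and the closing `}` of `params`; add `,` after both. The comment on the line after this hunk says the next hash tests converting a hash back to an argument line, yet the patch only adds the parse direction to `ARGS_TO_HASH`, so `notrack: true` being serialised back to `-j CT --notrack` is not exercised by the unit suite — a matching entry in that second hash would close the round trip. Whether the legacy `-j NOTRACK` form needs a fixture depends on whether the provider treats it as a plain `jump`, which this hunk does not show.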
 
 # This hash is for testing converting a hash to an argument line.
diff --git a/spec/spec_helper_acceptance_local.rb b/spec/spec_helper_acceptance_local.rb
index 4add45d..8e7ee52 100644
--- a/spec/spec_helper_acceptance_local.rb
+++ b/spec/spec_helper_acceptance_local.rb
@@ -49,10 +49,23 @@ RSpec.configure do |c|
         package { 'iptables':
           ensure   => 'latest',
         }
+<<<<<<< HEAD
         PUPPETCODE
+=======
+      PUPPETCODE
+>>>>>>> 7163c3a... Add acceptance and unit test for notrack parameter
       LitmusHelper.instance.apply_manifest(pp)
       LitmusHelper.instance.run_shell('update-alternatives --set iptables /usr/sbin/iptables-legacy', expect_failures: true)
       LitmusHelper.instance.run_shell('update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy', expect_failures: true)
     end
+<<<<<<< HEAD
+=======
+    pp = <<-PUPPETCODE
+      package { 'conntrack-tools':
+        ensure => 'latest',
+      }
+    PUPPETCODE
+    LitmusHelper.instance.apply_manifest(pp)
+>>>>>>> 7163c3a... Add acceptance and unit test for notrack parameter
   end
 end
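Review bot: This hunk adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 7163c3a...`) to spec_helper_acceptance_local.rb, so the file will not parse and every acceptance run will fail before a single example executes. Both sides of the first conflict are the same `PUPPETCODE` terminator at different indentation, which is immaterial for a `<<-` heredoc, and the HEAD side of the second conflict is empty, so the intended resolution is just the new-side lines as shown below. Separately, `conntrack-tools` is the RHEL/Fedora package name; on Debian-family hosts the equivalent package is, to my knowledge, `conntrack`, so an unconditional `ensure => 'latest'` may fail there — confirm against the platforms this suite targets, and note that `latest` also makes the test host drift with each run. The block these lines sit in starts outside the hunk.
```ruby
        # … unchanged: iptables package resource …
      PUPPETCODE
      LitmusHelper.instance.apply_manifest(pp)
      # … unchanged: update-alternatives calls …
    end
    pp = <<-PUPPETCODE
      package { 'conntrack-tools':
        ensure => 'latest',
      }
    PUPPETCODE
    LitmusHelper.instance.apply_manifest(pp)
```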
-- 
2.45.2