freighthop 0.3.3 → 0.4.0
- checksums.yaml +7 -0
- data/Puppetfile +1 -1
- data/Puppetfile.lock +4 -5
- data/README.md +18 -7
- data/Vagrantfile +4 -0
- data/lib/freighthop/cli/help.rb +1 -0
- data/lib/freighthop/cli/init.rb +10 -10
- data/lib/freighthop/cli/version.rb +17 -0
- data/lib/freighthop/cli.rb +3 -1
- data/lib/freighthop/version.rb +1 -1
- data/lib/freighthop.rb +4 -0
- data/modules/apt/CHANGELOG +2 -36
- data/modules/apt/Gemfile +5 -6
- data/modules/apt/Gemfile.lock +7 -40
- data/modules/apt/Modulefile +1 -1
- data/modules/apt/README.md +1 -2
- data/modules/apt/Rakefile +0 -1
- data/modules/apt/manifests/init.pp +2 -5
- data/modules/apt/manifests/params.pp +1 -4
- data/modules/apt/manifests/pin.pp +1 -1
- data/modules/apt/manifests/ppa.pp +10 -24
- data/modules/apt/manifests/update.pp +0 -1
- data/modules/apt/metadata.json +19 -32
- data/modules/apt/spec/defines/ppa_spec.rb +2 -53
- data/modules/apt/spec/defines/source_spec.rb +2 -2
- data/modules/apt/templates/source.list.erb +2 -2
- data/modules/apt/tests/key.pp +3 -3
- data/modules/concat/CHANGELOG +73 -0
- data/modules/concat/Gemfile +20 -0
- data/modules/concat/Gemfile.lock +104 -0
- data/modules/concat/Modulefile +7 -6
- data/modules/concat/README.md +440 -0
- data/modules/concat/Rakefile +5 -1
- data/modules/concat/files/concatfragments.rb +137 -0
- data/modules/concat/files/concatfragments.sh +15 -4
- data/modules/concat/lib/facter/concat_basedir.rb +9 -3
- data/modules/concat/manifests/fragment.pp +108 -48
- data/modules/concat/manifests/init.pp +191 -210
- data/modules/concat/manifests/setup.pp +31 -31
- data/modules/concat/metadata.json +40 -21
- data/modules/{apt → concat}/spec/spec_helper_system.rb +11 -6
- data/modules/{firewall → concat}/spec/system/basic_spec.rb +1 -1
- data/modules/concat/spec/system/concat_spec.rb +154 -0
- data/modules/concat/spec/system/deprecation_warnings_spec.rb +247 -0
- data/modules/concat/spec/system/empty_spec.rb +27 -0
- data/modules/concat/spec/system/fragment_source_spec.rb +142 -0
- data/modules/concat/spec/system/replace_spec.rb +257 -0
- data/modules/concat/spec/system/symbolic_name_spec.rb +35 -0
- data/modules/concat/spec/system/warn_spec.rb +106 -0
- data/modules/concat/spec/unit/classes/concat_setup_spec.rb +42 -0
- data/modules/concat/spec/unit/defines/concat_fragment_spec.rb +267 -0
- data/modules/concat/spec/unit/defines/concat_spec.rb +380 -0
- data/modules/concat/spec/unit/facts/concat_basedir_spec.rb +18 -0
- data/modules/concat/tests/fragment.pp +19 -0
- data/modules/concat/tests/init.pp +7 -0
- data/modules/firewall/Changelog +38 -0
- data/modules/firewall/Gemfile +5 -2
- data/modules/firewall/Gemfile.lock +76 -26
- data/modules/firewall/Modulefile +1 -1
- data/modules/firewall/README.markdown +47 -15
- data/modules/firewall/Rakefile +0 -7
- data/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb +50 -7
- data/modules/firewall/lib/puppet/provider/firewall/iptables.rb +147 -31
- data/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb +19 -8
- data/modules/firewall/lib/puppet/type/firewall.rb +207 -3
- data/modules/firewall/lib/puppet/type/firewallchain.rb +73 -2
- data/modules/firewall/lib/puppet/util/firewall.rb +14 -0
- data/modules/firewall/metadata.json +181 -76
- data/modules/firewall/spec/acceptance/basic_spec.rb +8 -0
- data/modules/firewall/spec/acceptance/change_source_spec.rb +77 -0
- data/modules/firewall/spec/acceptance/class_spec.rb +27 -0
- data/modules/firewall/spec/acceptance/firewall_spec.rb +1608 -0
- data/modules/firewall/spec/acceptance/firewallchain_spec.rb +125 -0
- data/modules/firewall/spec/acceptance/ip6_fragment_spec.rb +94 -0
- data/modules/firewall/spec/acceptance/isfragment_spec.rb +92 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-fusion.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-70rc1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/fedora-18-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/sles-11sp1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/firewall/spec/{system → acceptance}/params_spec.rb +44 -52
- data/modules/firewall/spec/acceptance/purge_spec.rb +124 -0
- data/modules/firewall/spec/acceptance/resource_cmd_spec.rb +93 -0
- data/modules/firewall/spec/acceptance/rules_spec.rb +248 -0
- data/modules/firewall/spec/acceptance/socket_spec.rb +96 -0
- data/modules/firewall/spec/{system → acceptance}/standard_usage_spec.rb +6 -10
- data/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb +107 -0
- data/modules/firewall/spec/fixtures/iptables/conversion_hash.rb +56 -2
- data/modules/firewall/spec/spec_helper_acceptance.rb +38 -0
- data/modules/firewall/spec/unit/classes/firewall_spec.rb +2 -2
- data/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb +8 -5
- data/modules/firewall/spec/unit/facter/iptables_spec.rb +6 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb +14 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb +246 -5
- data/modules/firewall/spec/unit/puppet/type/firewall_spec.rb +99 -8
- data/modules/firewall/spec/unit/puppet/type/firewallchain_spec.rb +50 -6
- data/modules/firewall/spec/unit/puppet/util/firewall_spec.rb +21 -0
- data/modules/mysql/CHANGELOG +0 -30
- data/modules/mysql/Gemfile +0 -1
- data/modules/mysql/Gemfile.lock +30 -31
- data/modules/mysql/Modulefile +1 -1
- data/modules/mysql/README.md +2 -49
- data/modules/mysql/files/mysqltuner.pl +1 -1
- data/modules/mysql/lib/puppet/provider/database/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_grant/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_user/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/mysql.rb +1 -2
- data/modules/mysql/lib/puppet/provider/mysql_database/mysql.rb +13 -2
- data/modules/mysql/lib/puppet/provider/mysql_user/mysql.rb +12 -0
- data/modules/mysql/lib/puppet/type/database_user.rb +1 -1
- data/modules/mysql/lib/puppet/type/mysql_grant.rb +3 -5
- data/modules/mysql/manifests/client.pp +0 -7
- data/modules/mysql/manifests/server/root_password.pp +0 -2
- data/modules/mysql/manifests/server.pp +0 -6
- data/modules/mysql/metadata.json +79 -81
- data/modules/mysql/spec/classes/mysql_server_spec.rb +0 -74
- data/modules/mysql/spec/system/mysql_server_root_password_spec.rb +1 -7
- data/modules/mysql/spec/system/mysql_server_spec.rb +3 -6
- data/modules/mysql/spec/system/types/mysql_grant_spec.rb +0 -27
- data/modules/mysql/spec/unit/puppet/functions/mysql_deepmerge_spec.rb +1 -1
- data/modules/mysql/spec/unit/puppet/provider/database/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/database_grant/mysql_spec.rb +15 -15
- data/modules/mysql/spec/unit/puppet/provider/database_user/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/mysql_database/mysql_spec.rb +3 -3
- data/modules/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb +3 -3
- data/modules/mysql/templates/my.cnf.erb +2 -4
- data/modules/mysql/tests/mysql_grant.pp +1 -1
- data/modules/postgresql/Changelog +31 -0
- data/modules/postgresql/Gemfile +4 -2
- data/modules/postgresql/Modulefile +1 -1
- data/modules/postgresql/README.md +10 -4
- data/modules/postgresql/Rakefile +0 -1
- data/modules/postgresql/lib/puppet/provider/postgresql_psql/ruby.rb +25 -3
- data/modules/postgresql/manifests/globals.pp +2 -0
- data/modules/postgresql/manifests/params.pp +21 -0
- data/modules/postgresql/manifests/server/config.pp +0 -5
- data/modules/postgresql/manifests/server/config_entry.pp +1 -1
- data/modules/postgresql/manifests/server/database.pp +2 -1
- data/modules/postgresql/manifests/server/db.pp +2 -0
- data/modules/postgresql/manifests/server/grant.pp +20 -16
- data/modules/postgresql/manifests/server/initdb.pp +27 -3
- data/modules/postgresql/manifests/server/pg_hba_rule.pp +2 -4
- data/modules/postgresql/manifests/server/role.pp +8 -2
- data/modules/postgresql/manifests/server/service.pp +5 -0
- data/modules/postgresql/manifests/server.pp +2 -0
- data/modules/postgresql/metadata.json +88 -65
- data/modules/postgresql/spec/acceptance/client_spec.rb +18 -0
- data/modules/postgresql/spec/{system → acceptance}/common_patterns_spec.rb +8 -14
- data/modules/postgresql/spec/{system → acceptance}/contrib_spec.rb +4 -9
- data/modules/postgresql/spec/acceptance/lib/devel_spec.rb +17 -0
- data/modules/postgresql/spec/acceptance/lib/java_spec.rb +20 -0
- data/modules/postgresql/spec/acceptance/lib/python_spec.rb +19 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-510-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-73-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/postgresql/spec/{system → acceptance}/postgresql_psql_spec.rb +6 -14
- data/modules/postgresql/spec/{system → acceptance}/server/config_entry_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/db_spec.rb +47 -42
- data/modules/postgresql/spec/{system → acceptance}/server/grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/pg_hba_rule_spec.rb +10 -23
- data/modules/postgresql/spec/{system → acceptance}/server/plperl_spec.rb +6 -10
- data/modules/postgresql/spec/{system → acceptance}/server/role_spec.rb +13 -28
- data/modules/postgresql/spec/acceptance/server/table_grant_spec.rb +124 -0
- data/modules/postgresql/spec/{system → acceptance}/server/tablespace_spec.rb +8 -22
- data/modules/postgresql/spec/{system → acceptance}/server_spec.rb +38 -61
- data/modules/postgresql/spec/{system → acceptance}/validate_db_connection_spec.rb +8 -20
- data/modules/postgresql/spec/spec_helper_acceptance.rb +70 -0
- data/modules/postgresql/spec/unit/classes/globals_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/lib/devel_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/params_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/repo_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/server/initdb_spec.rb +2 -1
- data/modules/postgresql/spec/unit/classes/server/plperl_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/server_spec.rb +9 -2
- data/modules/postgresql/spec/unit/puppet/provider/postgresql_psql/ruby_spec.rb +15 -17
- data/modules/rbenv/bin/autospec +0 -0
- data/modules/rbenv/bin/facter +0 -0
- data/modules/rbenv/bin/filebucket +0 -0
- data/modules/rbenv/bin/hiera +0 -0
- data/modules/rbenv/bin/htmldiff +0 -0
- data/modules/rbenv/bin/ldiff +0 -0
- data/modules/rbenv/bin/pi +0 -0
- data/modules/rbenv/bin/puppet +0 -0
- data/modules/rbenv/bin/puppet-lint +0 -0
- data/modules/rbenv/bin/puppet-module +0 -0
- data/modules/rbenv/bin/puppetca +0 -0
- data/modules/rbenv/bin/puppetd +0 -0
- data/modules/rbenv/bin/puppetdoc +0 -0
- data/modules/rbenv/bin/puppetmasterd +0 -0
- data/modules/rbenv/bin/puppetqd +0 -0
- data/modules/rbenv/bin/puppetrun +0 -0
- data/modules/rbenv/bin/rake +0 -0
- data/modules/rbenv/bin/ralsh +0 -0
- data/modules/rbenv/bin/rspec +0 -0
- data/modules/rbenv/bin/rspec-puppet-init +0 -0
- data/modules/stdlib/spec/monkey_patches/alias_should_to_must.rb +0 -0
- data/modules/stdlib/spec/monkey_patches/publicize_methods.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/abs_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/bool2num_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/capitalize_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chomp_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chop_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_at_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/dirname_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/downcase_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/empty_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/flatten_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/grep_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_interface_with_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_address_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_network_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/max_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/min_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/reject_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/to_bytes_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/validate_slength_spec.rb +0 -0
- metadata +92 -77
- data/modules/apt/manifests/unattended_upgrades.pp +0 -68
- data/modules/apt/spec/classes/unattended_upgrades_spec.rb +0 -204
- data/modules/apt/spec/system/apt_builddep_spec.rb +0 -38
- data/modules/apt/spec/system/apt_key_spec.rb +0 -53
- data/modules/apt/spec/system/apt_ppa_spec.rb +0 -59
- data/modules/apt/spec/system/apt_source_spec.rb +0 -51
- data/modules/apt/spec/system/basic_spec.rb +0 -10
- data/modules/apt/spec/system/class_spec.rb +0 -20
- data/modules/apt/templates/10periodic.erb +0 -12
- data/modules/apt/templates/50unattended-upgrades.erb +0 -53
- data/modules/apt/tests/unattended-upgrades.pp +0 -1
- data/modules/concat/README.markdown +0 -150
- data/modules/concat/spec/defines/init_spec.rb +0 -115
- data/modules/concat/spec/fixtures/manifests/site.pp +0 -0
- data/modules/firewall/spec/spec_helper_system.rb +0 -49
- data/modules/firewall/spec/system/class_spec.rb +0 -39
- data/modules/firewall/spec/system/purge_spec.rb +0 -29
- data/modules/firewall/spec/system/resource_cmd_spec.rb +0 -53
- data/modules/mysql/manifests/server/providers.pp +0 -8
- data/modules/mysql/tests/bindings.pp +0 -3
- data/modules/postgresql/Gemfile.lock +0 -74
- data/modules/postgresql/spec/spec_helper_system.rb +0 -66
- data/modules/postgresql/spec/system/client_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/devel_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/java_spec.rb +0 -25
- data/modules/postgresql/spec/system/lib/python_spec.rb +0 -24
- data/modules/postgresql/spec/system/server/table_grant_spec.rb +0 -72
@@ -0,0 +1,107 @@
|
|
1
|
+
# These hashes allow us to iterate across a series of test data
|
2
|
+
# creating rspec examples for each parameter to ensure the input :line
|
3
|
+
# extrapolates to the desired value for the parameter in question. And
|
4
|
+
# vice-versa
|
5
|
+
|
6
|
+
# This hash is for testing a line conversion to a hash of parameters
|
7
|
+
# which will be used to create a resource.
|
8
|
+
ARGS_TO_HASH6 = {
|
9
|
+
'source_destination_ipv6_no_cidr' => {
|
10
|
+
:line => '-A INPUT -s 2001:db8:85a3::8a2e:370:7334 -d 2001:db8:85a3::8a2e:370:7334 -m comment --comment "000 source destination ipv6 no cidr"',
|
11
|
+
:table => 'filter',
|
12
|
+
:provider => 'ip6tables',
|
13
|
+
:params => {
|
14
|
+
:source => '2001:db8:85a3::8a2e:370:7334/128',
|
15
|
+
:destination => '2001:db8:85a3::8a2e:370:7334/128',
|
16
|
+
},
|
17
|
+
},
|
18
|
+
'source_destination_ipv6_netmask' => {
|
19
|
+
:line => '-A INPUT -s 2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -d 2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -m comment --comment "000 source destination ipv6 netmask"',
|
20
|
+
:table => 'filter',
|
21
|
+
:provider => 'ip6tables',
|
22
|
+
:params => {
|
23
|
+
:source => '2001:db8:1234::/48',
|
24
|
+
:destination => '2001:db8:4321::/48',
|
25
|
+
},
|
26
|
+
},
|
27
|
+
}
|
28
|
+
|
29
|
+
# This hash is for testing converting a hash to an argument line.
|
30
|
+
HASH_TO_ARGS6 = {
|
31
|
+
'zero_prefixlen_ipv6' => {
|
32
|
+
:params => {
|
33
|
+
:name => '100 zero prefix length ipv6',
|
34
|
+
:table => 'filter',
|
35
|
+
:provider => 'ip6tables',
|
36
|
+
:source => '::/0',
|
37
|
+
:destination => '::/0',
|
38
|
+
},
|
39
|
+
:args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
|
40
|
+
},
|
41
|
+
'source_destination_ipv4_no_cidr' => {
|
42
|
+
:params => {
|
43
|
+
:name => '000 source destination ipv4 no cidr',
|
44
|
+
:table => 'filter',
|
45
|
+
:provider => 'ip6tables',
|
46
|
+
:source => '1.1.1.1',
|
47
|
+
:destination => '2.2.2.2',
|
48
|
+
},
|
49
|
+
:args => ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.2.2.2/32', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv4 no cidr'],
|
50
|
+
},
|
51
|
+
'source_destination_ipv6_no_cidr' => {
|
52
|
+
:params => {
|
53
|
+
:name => '000 source destination ipv6 no cidr',
|
54
|
+
:table => 'filter',
|
55
|
+
:provider => 'ip6tables',
|
56
|
+
:source => '2001:db8:1234::',
|
57
|
+
:destination => '2001:db8:4321::',
|
58
|
+
},
|
59
|
+
:args => ['-t', :filter, '-s', '2001:db8:1234::/128', '-d', '2001:db8:4321::/128', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 no cidr'],
|
60
|
+
},
|
61
|
+
'source_destination_ipv6_netmask' => {
|
62
|
+
:params => {
|
63
|
+
:name => '000 source destination ipv6 netmask',
|
64
|
+
:table => 'filter',
|
65
|
+
:provider => 'ip6tables',
|
66
|
+
:source => '2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
|
67
|
+
:destination => '2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
|
68
|
+
},
|
69
|
+
:args => ['-t', :filter, '-s', '2001:db8:1234::/48', '-d', '2001:db8:4321::/48', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 netmask'],
|
70
|
+
},
|
71
|
+
'frag_ishasmorefrags' => {
|
72
|
+
:params => {
|
73
|
+
:name => "100 has more fragments",
|
74
|
+
:ishasmorefrags => true,
|
75
|
+
:provider => 'ip6tables',
|
76
|
+
:table => "filter",
|
77
|
+
},
|
78
|
+
:args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragmore", "-m", "comment", "--comment", "100 has more fragments"],
|
79
|
+
},
|
80
|
+
'frag_islastfrag' => {
|
81
|
+
:params => {
|
82
|
+
:name => "100 last fragment",
|
83
|
+
:islastfrag => true,
|
84
|
+
:provider => 'ip6tables',
|
85
|
+
:table => "filter",
|
86
|
+
},
|
87
|
+
:args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fraglast", "-m", "comment", "--comment", "100 last fragment"],
|
88
|
+
},
|
89
|
+
'frag_isfirstfrags' => {
|
90
|
+
:params => {
|
91
|
+
:name => "100 first fragment",
|
92
|
+
:isfirstfrag => true,
|
93
|
+
:provider => 'ip6tables',
|
94
|
+
:table => "filter",
|
95
|
+
},
|
96
|
+
:args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragfirst", "-m", "comment", "--comment", "100 first fragment"],
|
97
|
+
},
|
98
|
+
'hop_limit' => {
|
99
|
+
:params => {
|
100
|
+
:name => "100 hop limit",
|
101
|
+
:hop_limit => 255,
|
102
|
+
:provider => 'ip6tables',
|
103
|
+
:table => "filter",
|
104
|
+
},
|
105
|
+
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 hop limit", "-m", "hl", "--hl-eq", 255],
|
106
|
+
},
|
107
|
+
}
|
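Review bot: The `'source_destination_ipv4_no_cidr'` entry in HASH_TO_ARGS6 pairs `:provider => 'ip6tables'` with IPv4 addresses (`1.1.1.1`, `2.2.2.2`), so the fixture pins that the argument builder emits `-s 1.1.1.1/32 -d 2.2.2.2/32` for an ip6tables rule that the tool itself would reject at apply time. If that is intentional (documenting that address-family validation happens elsewhere, presumably in the type), say so with a comment above the entry, e.g. `# IPv4 addresses pass through unchanged; address-family validation is not this layer's job`; otherwise the key and the provider should agree. Separately, the `'hop_limit'` args end with the Integer `255` while every other value in these arrays is a String, which pins a type difference the spec's equality comparison will enforce — confirm that is what the provider actually emits.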
@@ -6,6 +6,19 @@
|
|
6
6
|
# This hash is for testing a line conversion to a hash of parameters
|
7
7
|
# which will be used to create a resource.
|
8
8
|
ARGS_TO_HASH = {
|
9
|
+
'dport_and_sport' => {
|
10
|
+
:line => '-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT',
|
11
|
+
:table => 'filter',
|
12
|
+
:params => {
|
13
|
+
:action => 'accept',
|
14
|
+
:chain => 'nova-compute-FORWARD',
|
15
|
+
:source => '0.0.0.0/32',
|
16
|
+
:destination => '255.255.255.255/32',
|
17
|
+
:sport => ['68'],
|
18
|
+
:dport => ['67'],
|
19
|
+
:proto => 'udp',
|
20
|
+
},
|
21
|
+
},
|
9
22
|
'long_rule_1' => {
|
10
23
|
:line => '-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -m comment --comment "000 allow foo" -j ACCEPT',
|
11
24
|
:table => 'filter',
|
@@ -89,6 +102,30 @@ ARGS_TO_HASH = {
|
|
89
102
|
:destination => '2001:db8:4321::/48',
|
90
103
|
},
|
91
104
|
},
|
105
|
+
'source_destination_negate_source' => {
|
106
|
+
:line => '-A INPUT ! -s 1.1.1.1 -d 2.2.2.2 -m comment --comment "000 negated source address"',
|
107
|
+
:table => 'filter',
|
108
|
+
:params => {
|
109
|
+
:source => '! 1.1.1.1/32',
|
110
|
+
:destination => '2.2.2.2/32',
|
111
|
+
},
|
112
|
+
},
|
113
|
+
'source_destination_negate_destination' => {
|
114
|
+
:line => '-A INPUT -s 1.1.1.1 ! -d 2.2.2.2 -m comment --comment "000 negated destination address"',
|
115
|
+
:table => 'filter',
|
116
|
+
:params => {
|
117
|
+
:source => '1.1.1.1/32',
|
118
|
+
:destination => '! 2.2.2.2/32',
|
119
|
+
},
|
120
|
+
},
|
121
|
+
'source_destination_negate_destination_alternative' => {
|
122
|
+
:line => '-A INPUT -s 1.1.1.1 -d ! 2.2.2.2 -m comment --comment "000 negated destination address alternative"',
|
123
|
+
:table => 'filter',
|
124
|
+
:params => {
|
125
|
+
:source => '1.1.1.1/32',
|
126
|
+
:destination => '! 2.2.2.2/32',
|
127
|
+
},
|
128
|
+
},
|
92
129
|
'dport_range_1' => {
|
93
130
|
:line => '-A INPUT -m multiport --dports 1:1024 -m comment --comment "000 allow foo"',
|
94
131
|
:table => 'filter',
|
@@ -170,6 +207,14 @@ ARGS_TO_HASH = {
|
|
170
207
|
:action => nil,
|
171
208
|
},
|
172
209
|
},
|
210
|
+
'ctstate_returns_sorted_values' => {
|
211
|
+
:line => '-A INPUT -m conntrack --ctstate INVALID,RELATED,ESTABLISHED',
|
212
|
+
:table => 'filter',
|
213
|
+
:params => {
|
214
|
+
:ctstate => ['ESTABLISHED', 'INVALID', 'RELATED'],
|
215
|
+
:action => nil,
|
216
|
+
},
|
217
|
+
},
|
173
218
|
'comment_string_character_validation' => {
|
174
219
|
:line => '-A INPUT -s 192.168.0.1/32 -m comment --comment "000 allow from 192.168.0.1, please"',
|
175
220
|
:table => 'filter',
|
@@ -539,7 +584,7 @@ HASH_TO_ARGS = {
|
|
539
584
|
:table => 'filter',
|
540
585
|
:dst_range => '10.0.0.1-10.0.0.10',
|
541
586
|
},
|
542
|
-
:args => ['-t', :filter, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-
|
587
|
+
:args => ['-t', :filter, '-p', :tcp, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-m', 'comment', '--comment', '000 dst_range'],
|
543
588
|
},
|
544
589
|
'src_range_1' => {
|
545
590
|
:params => {
|
@@ -547,7 +592,7 @@ HASH_TO_ARGS = {
|
|
547
592
|
:table => 'filter',
|
548
593
|
:dst_range => '10.0.0.1-10.0.0.10',
|
549
594
|
},
|
550
|
-
:args => ['-t', :filter, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-
|
595
|
+
:args => ['-t', :filter, '-p', :tcp, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-m', 'comment', '--comment', '000 src_range'],
|
551
596
|
},
|
552
597
|
'tcp_flags_1' => {
|
553
598
|
:params => {
|
@@ -567,6 +612,15 @@ HASH_TO_ARGS = {
|
|
567
612
|
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 states_set_from_array",
|
568
613
|
"-m", "state", "--state", "ESTABLISHED,INVALID"],
|
569
614
|
},
|
615
|
+
'ctstates_set_from_array' => {
|
616
|
+
:params => {
|
617
|
+
:name => "100 ctstates_set_from_array",
|
618
|
+
:table => "filter",
|
619
|
+
:ctstate => ['ESTABLISHED', 'INVALID']
|
620
|
+
},
|
621
|
+
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 ctstates_set_from_array",
|
622
|
+
"-m", "conntrack", "--ctstate", "ESTABLISHED,INVALID"],
|
623
|
+
},
|
570
624
|
'comment_string_character_validation' => {
|
571
625
|
:params => {
|
572
626
|
:name => "000 allow from 192.168.0.1, please",
|
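Review bot: The `'src_range_1'` fixture still uses `:dst_range => '10.0.0.1-10.0.0.10'` in its params and `'--dst-range'` in the rewritten `:args`, so it duplicates `dst_range_1` and the `--src-range` argument path stays untested; the commit edited that args line but kept the copy-paste mismatch. If the type offers a `src_range` parameter, as the key and the `'000 src_range'` comment suggest, the two lines should read `:src_range => '10.0.0.1-10.0.0.10',` and `:args => ['-t', :filter, '-p', :tcp, '-m', 'iprange', '--src-range', '10.0.0.1-10.0.0.10', '-m', 'comment', '--comment', '000 src_range'],`. The HASH_TO_ARGS definition this hunk belongs to starts and ends outside the hunk.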
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'beaker-rspec'
|
2
|
+
|
3
|
+
def iptables_flush_all_tables
|
4
|
+
['filter', 'nat', 'mangle', 'raw'].each do |t|
|
5
|
+
expect(shell("/sbin/iptables -t #{t} -F").stderr).to eq("")
|
6
|
+
end
|
7
|
+
end
|
8
|
+
|
9
|
+
def ip6tables_flush_all_tables
|
10
|
+
['filter'].each do |t|
|
11
|
+
expect(shell("/sbin/ip6tables -t #{t} -F").stderr).to eq("")
|
12
|
+
end
|
13
|
+
end
|
14
|
+
|
15
|
+
hosts.each do |host|
|
16
|
+
# Install Puppet
|
17
|
+
install_package host, 'rubygems'
|
18
|
+
on host, 'gem install puppet --no-ri --no-rdoc'
|
19
|
+
on host, "mkdir -p #{host['distmoduledir']}"
|
20
|
+
end
|
21
|
+
|
22
|
+
RSpec.configure do |c|
|
23
|
+
# Project root
|
24
|
+
proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
|
25
|
+
|
26
|
+
# Readable test descriptions
|
27
|
+
c.formatter = :documentation
|
28
|
+
|
29
|
+
# Configure all nodes in nodeset
|
30
|
+
c.before :suite do
|
31
|
+
# Install module and dependencies
|
32
|
+
puppet_module_install(:source => proj_root, :module_name => 'firewall')
|
33
|
+
hosts.each do |host|
|
34
|
+
shell('/bin/touch /etc/puppet/hiera.yaml')
|
35
|
+
shell('puppet module install puppetlabs-stdlib --version 3.2.0', { :acceptable_exit_codes => [0,1] })
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
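Review bot: Inside `c.before :suite`, the `hosts.each do |host|` block never uses `host` — `shell(...)` runs against beaker's default host, so the hiera.yaml touch and the stdlib install are repeated on one node and never run on any other host in the nodeset. Use the loop variable: `on host, '/bin/touch /etc/puppet/hiera.yaml'` and `on host, 'puppet module install puppetlabs-stdlib --version 3.2.0', :acceptable_exit_codes => [0,1]`. Also `gem install puppet --no-ri --no-rdoc` in the top-level `hosts.each` is unpinned, so the acceptance run installs whatever Puppet is current at run time and results are not reproducible; pinning with `--version`, as is already done for stdlib, would fix that.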
@@ -8,7 +8,7 @@ describe 'firewall', :type => :class do
|
|
8
8
|
|
9
9
|
context 'kernel => Windows' do
|
10
10
|
let(:facts) {{ :kernel => 'Windows' }}
|
11
|
-
it { expect { should
|
11
|
+
it { expect { should contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
|
12
12
|
end
|
13
13
|
|
14
14
|
context 'ensure => stopped' do
|
@@ -20,6 +20,6 @@ describe 'firewall', :type => :class do
|
|
20
20
|
context 'ensure => test' do
|
21
21
|
let(:facts) {{ :kernel => 'Linux' }}
|
22
22
|
let(:params) {{ :ensure => 'test' }}
|
23
|
-
it { expect { should
|
23
|
+
it { expect { should contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
|
24
24
|
end
|
25
25
|
end
|
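Review bot: `raise_error(Puppet::Error)` with no message matcher passes for any compile failure, not just the unsupported-kernel or invalid-ensure rejection these contexts are meant to check, so an unrelated manifest error would keep both examples green. Adding a message constraint, e.g. `.to raise_error(Puppet::Error, /<expected message fragment>/)`, pins the behaviour; the actual message text is not visible in this hunk, so take the fragment from the class. The same applies to the `ensure => test` context in the second hunk.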
@@ -10,8 +10,9 @@ describe "Facter::Util::Fact iptables_persistent_version" do
|
|
10
10
|
}.each do |os, ver|
|
11
11
|
describe "#{os} package installed" do
|
12
12
|
before {
|
13
|
-
Facter.fact(:operatingsystem).
|
14
|
-
Facter::Util::Resolution.
|
13
|
+
allow(Facter.fact(:operatingsystem)).to receive(:value).and_return(os)
|
14
|
+
allow(Facter::Util::Resolution).to receive(:exec).with(dpkg_cmd).
|
15
|
+
and_return(ver)
|
15
16
|
}
|
16
17
|
it { Facter.fact(:iptables_persistent_version).value.should == ver }
|
17
18
|
end
|
@@ -19,14 +20,16 @@ describe "Facter::Util::Fact iptables_persistent_version" do
|
|
19
20
|
|
20
21
|
describe 'Ubuntu package not installed' do
|
21
22
|
before {
|
22
|
-
Facter.fact(:operatingsystem).
|
23
|
-
Facter::Util::Resolution.
|
23
|
+
allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Ubuntu')
|
24
|
+
allow(Facter::Util::Resolution).to receive(:exec).with(dpkg_cmd).
|
25
|
+
and_return(nil)
|
24
26
|
}
|
25
27
|
it { Facter.fact(:iptables_persistent_version).value.should be_nil }
|
26
28
|
end
|
27
29
|
|
28
30
|
describe 'CentOS not supported' do
|
29
|
-
before { Facter.fact(:operatingsystem).
|
31
|
+
before { allow(Facter.fact(:operatingsystem)).to receive(:value).
|
32
|
+
and_return("CentOS") }
|
30
33
|
it { Facter.fact(:iptables_persistent_version).value.should be_nil }
|
31
34
|
end
|
32
35
|
end
|
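Review bot: The stubs were moved to the `allow(...).to receive` syntax, but the assertions a few lines below (`Facter.fact(:iptables_persistent_version).value.should == ver`, `.should be_nil`, and the matching `should ==` lines in the sibling facter `iptables_spec.rb` section) still use the old `should` syntax, leaving each file mixed. Converting them in the same pass, e.g. `it { expect(Facter.fact(:iptables_persistent_version).value).to eq(ver) }` and `it { expect(Facter.fact(:iptables_persistent_version).value).to be_nil }`, keeps one syntax and avoids the deprecation warnings RSpec 3 emits for `should` unless it is explicitly enabled.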
@@ -3,19 +3,21 @@ require 'spec_helper'
|
|
3
3
|
describe "Facter::Util::Fact" do
|
4
4
|
before {
|
5
5
|
Facter.clear
|
6
|
-
Facter.fact(:kernel).
|
7
|
-
Facter.fact(:kernelrelease).
|
6
|
+
allow(Facter.fact(:kernel)).to receive(:value).and_return('Linux')
|
7
|
+
allow(Facter.fact(:kernelrelease)).to receive(:value).and_return('2.6')
|
8
8
|
}
|
9
9
|
|
10
10
|
describe 'iptables_version' do
|
11
11
|
it {
|
12
|
-
Facter::Util::Resolution.
|
12
|
+
allow(Facter::Util::Resolution).to receive(:exec).with('iptables --version').
|
13
|
+
and_return('iptables v1.4.7')
|
13
14
|
Facter.fact(:iptables_version).value.should == '1.4.7'
|
14
15
|
}
|
15
16
|
end
|
16
17
|
|
17
18
|
describe 'ip6tables_version' do
|
18
|
-
before { Facter::Util::Resolution.
|
19
|
+
before { allow(Facter::Util::Resolution).to receive(:exec).
|
20
|
+
with('ip6tables --version').and_return('ip6tables v1.4.7') }
|
19
21
|
it { Facter.fact(:ip6tables_version).value.should == '1.4.7' }
|
20
22
|
end
|
21
23
|
end
|
@@ -1,12 +1,22 @@
|
|
1
1
|
#!/usr/bin/env rspec
|
2
2
|
|
3
3
|
require 'spec_helper'
|
4
|
-
|
4
|
+
if Puppet.version < '3.4.0'
|
5
|
+
require 'puppet/provider/confine/exists'
|
6
|
+
else
|
7
|
+
require 'puppet/confine/exists'
|
8
|
+
end
|
5
9
|
|
6
10
|
describe 'iptables chain provider detection' do
|
7
|
-
|
8
|
-
|
9
|
-
|
11
|
+
if Puppet.version < '3.4.0'
|
12
|
+
let(:exists) {
|
13
|
+
Puppet::Provider::Confine::Exists
|
14
|
+
}
|
15
|
+
else
|
16
|
+
let(:exists) {
|
17
|
+
Puppet::Confine::Exists
|
18
|
+
}
|
19
|
+
end
|
10
20
|
|
11
21
|
before :each do
|
12
22
|
# Reset the default provider
|
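Review bot: `if Puppet.version < '3.4.0'` (used twice in this section and again in the provider `iptables_spec.rb` section that follows) compares version strings lexicographically, so a Puppet 3.10.x or later 3.x release sorts below '3.4.0' and the pre-3.4 `puppet/provider/confine/exists` path is required by mistake. A numeric comparison avoids this: `if Gem::Version.new(Puppet.version) < Gem::Version.new('3.4.0')`. The duplicated `let(:exists)` blocks could also collapse into a single `let` that selects the constant from the same condition.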
@@ -1,12 +1,22 @@
|
|
1
1
|
#!/usr/bin/env rspec
|
2
2
|
|
3
3
|
require 'spec_helper'
|
4
|
-
|
4
|
+
if Puppet.version < '3.4.0'
|
5
|
+
require 'puppet/provider/confine/exists'
|
6
|
+
else
|
7
|
+
require 'puppet/confine/exists'
|
8
|
+
end
|
5
9
|
|
6
10
|
describe 'iptables provider detection' do
|
7
|
-
|
8
|
-
|
9
|
-
|
11
|
+
if Puppet.version < '3.4.0'
|
12
|
+
let(:exists) {
|
13
|
+
Puppet::Provider::Confine::Exists
|
14
|
+
}
|
15
|
+
else
|
16
|
+
let(:exists) {
|
17
|
+
Puppet::Confine::Exists
|
18
|
+
}
|
19
|
+
end
|
10
20
|
|
11
21
|
before :each do
|
12
22
|
# Reset the default provider
|
@@ -44,7 +54,7 @@ describe 'iptables provider' do
|
|
44
54
|
}
|
45
55
|
|
46
56
|
before :each do
|
47
|
-
Puppet::Type::Firewall.
|
57
|
+
allow(Puppet::Type::Firewall).to receive(:defaultprovider).and_return provider
|
48
58
|
allow(provider).to receive(:command).with(:iptables_save).and_return "/sbin/iptables-save"
|
49
59
|
|
50
60
|
# Stub iptables version
|
@@ -69,6 +79,126 @@ describe 'iptables provider' do
|
|
69
79
|
expect(provider.instances.length).to be_zero
|
70
80
|
end
|
71
81
|
|
82
|
+
describe '#insert_order' do
|
83
|
+
let(:iptables_save_output) { [
|
84
|
+
'-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test" -j ACCEPT',
|
85
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 200 -m comment --comment "200 test" -j ACCEPT',
|
86
|
+
'-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 300 -m comment --comment "300 test" -j ACCEPT'
|
87
|
+
] }
|
88
|
+
let(:resources) do
|
89
|
+
iptables_save_output.each_with_index.collect { |l,index| provider.rule_to_hash(l, 'filter', index) }
|
90
|
+
end
|
91
|
+
let(:providers) do
|
92
|
+
resources.collect { |r| provider.new(r) }
|
93
|
+
end
|
94
|
+
it 'understands offsets for adding rules to the beginning' do
|
95
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '001 test', })
|
96
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
97
|
+
expect(resource.provider.insert_order).to eq(1) # 1-indexed
|
98
|
+
end
|
99
|
+
it 'understands offsets for editing rules at the beginning' do
|
100
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '100 test', })
|
101
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
102
|
+
expect(resource.provider.insert_order).to eq(1)
|
103
|
+
end
|
104
|
+
it 'understands offsets for adding rules to the middle' do
|
105
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '101 test', })
|
106
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
107
|
+
expect(resource.provider.insert_order).to eq(2)
|
108
|
+
end
|
109
|
+
it 'understands offsets for editing rules at the middle' do
|
110
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '200 test', })
|
111
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
112
|
+
expect(resource.provider.insert_order).to eq(2)
|
113
|
+
end
|
114
|
+
it 'understands offsets for adding rules to the end' do
|
115
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '301 test', })
|
116
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
117
|
+
expect(resource.provider.insert_order).to eq(4)
|
118
|
+
end
|
119
|
+
it 'understands offsets for editing rules at the end' do
|
120
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '300 test', })
|
121
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
122
|
+
expect(resource.provider.insert_order).to eq(3)
|
123
|
+
end
|
124
|
+
|
125
|
+
context 'with unname rules between' do
|
126
|
+
let(:iptables_save_output) { [
|
127
|
+
'-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test" -j ACCEPT',
|
128
|
+
'-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 150 -m comment --comment "150 test" -j ACCEPT',
|
129
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 200 -j ACCEPT',
|
130
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 250 -j ACCEPT',
|
131
|
+
'-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 300 -m comment --comment "300 test" -j ACCEPT',
|
132
|
+
'-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 350 -m comment --comment "350 test" -j ACCEPT',
|
133
|
+
] }
|
134
|
+
it 'understands offsets for adding rules before unnamed rules' do
|
135
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '001 test', })
|
136
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
137
|
+
expect(resource.provider.insert_order).to eq(1)
|
138
|
+
end
|
139
|
+
it 'understands offsets for editing rules before unnamed rules' do
|
140
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '100 test', })
|
141
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
142
|
+
expect(resource.provider.insert_order).to eq(1)
|
143
|
+
end
|
144
|
+
it 'understands offsets for adding rules between managed rules' do
|
145
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '120 test', })
|
146
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
147
|
+
expect(resource.provider.insert_order).to eq(2)
|
148
|
+
end
|
149
|
+
it 'understands offsets for adding rules between unnamed rules' do
|
150
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '151 test', })
|
151
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
152
|
+
expect(resource.provider.insert_order).to eq(3)
|
153
|
+
end
|
154
|
+
it 'understands offsets for adding rules after unnamed rules' do
|
155
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '351 test', })
|
156
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
157
|
+
expect(resource.provider.insert_order).to eq(7)
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
161
|
+
context 'with unname rules before and after' do
|
162
|
+
let(:iptables_save_output) { [
|
163
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 050 -j ACCEPT',
|
164
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 090 -j ACCEPT',
|
165
|
+
'-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test" -j ACCEPT',
|
166
|
+
'-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 150 -m comment --comment "150 test" -j ACCEPT',
|
167
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 200 -j ACCEPT',
|
168
|
+
'-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 250 -j ACCEPT',
|
169
|
+
'-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 300 -m comment --comment "300 test" -j ACCEPT',
|
170
|
+
'-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 350 -m comment --comment "350 test" -j ACCEPT',
|
171
|
+
'-A INPUT -s 8.0.0.5/32 -p tcp -m multiport --ports 400 -j ACCEPT',
|
172
|
+
'-A INPUT -s 8.0.0.5/32 -p tcp -m multiport --ports 450 -j ACCEPT',
|
173
|
+
] }
|
174
|
+
it 'understands offsets for adding rules before unnamed rules' do
|
175
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '001 test', })
|
176
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
177
|
+
expect(resource.provider.insert_order).to eq(1)
|
178
|
+
end
|
179
|
+
it 'understands offsets for editing rules before unnamed rules' do
|
180
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '100 test', })
|
181
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
182
|
+
expect(resource.provider.insert_order).to eq(3)
|
183
|
+
end
|
184
|
+
it 'understands offsets for adding rules between managed rules' do
|
185
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '120 test', })
|
186
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
187
|
+
expect(resource.provider.insert_order).to eq(4)
|
188
|
+
end
|
189
|
+
it 'understands offsets for adding rules between unnamed rules' do
|
190
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '151 test', })
|
191
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
192
|
+
expect(resource.provider.insert_order).to eq(5)
|
193
|
+
end
|
194
|
+
it 'understands offsets for adding rules after unnamed rules' do
|
195
|
+
resource = Puppet::Type.type(:firewall).new({ :name => '351 test', })
|
196
|
+
allow(resource.provider.class).to receive(:instances).and_return(providers)
|
197
|
+
expect(resource.provider.insert_order).to eq(9)
|
198
|
+
end
|
199
|
+
end
|
200
|
+
end
|
201
|
+
|
72
202
|
# Load in ruby hash for test fixtures.
|
73
203
|
load 'spec/fixtures/iptables/conversion_hash.rb'
|
74
204
|
|
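Review bot: The two context names `'with unname rules between'` and `'with unname rules before and after'` misspell "unnamed", and the typo is carried into every reported example name; rename them to `context 'with unnamed rules between' do` and `context 'with unnamed rules before and after' do`. Every example also repeats `allow(resource.provider.class).to receive(:instances).and_return(providers)`; since `providers` is already a `let`, a single `before { allow(provider).to receive(:instances).and_return(providers) }` inside `describe '#insert_order'` would replace eleven copies, assuming `resource.provider.class` is the same `provider` the outer describe defines (not visible in the hunk). There is no example for the empty case, where `insert_order` for a new rule with no existing rules should presumably return 1; `let(:iptables_save_output) { [] }` plus `expect(resource.provider.insert_order).to eq(1)` would cover it. The fixture addresses `8.0.0.2`–`8.0.0.5` are routable; the RFC 5737 documentation range `192.0.2.0/24` is the conventional choice for test data. The enclosing `describe 'iptables provider'` block opens and closes outside the hunk.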
@@ -123,6 +253,37 @@ describe 'iptables provider' do
|
|
123
253
|
it 'rule name contains a MD5 sum of the line' do
|
124
254
|
expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
|
125
255
|
end
|
256
|
+
|
257
|
+
it 'parsed the rule arguments correctly' do
|
258
|
+
expect(resource[:chain]).to eq('INPUT')
|
259
|
+
expect(resource[:source]).to eq('1.1.1.1/32')
|
260
|
+
expect(resource[:destination]).to eq('1.1.1.1/32')
|
261
|
+
expect(resource[:proto]).to eq('tcp')
|
262
|
+
expect(resource[:dport]).to eq(['7061', '7062'])
|
263
|
+
expect(resource[:sport]).to eq(['7061', '7062'])
|
264
|
+
expect(resource[:action]).to eq('accept')
|
265
|
+
end
|
266
|
+
end
|
267
|
+
|
268
|
+
describe 'when converting existing rules generates by system-config-firewall-tui to resources' do
|
269
|
+
let(:sample_rule) {
|
270
|
+
# as generated by iptables-save from rules created with system-config-firewall-tui
|
271
|
+
'-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
|
272
|
+
}
|
273
|
+
let(:resource) { provider.rule_to_hash(sample_rule, 'filter', 0) }
|
274
|
+
let(:instance) { provider.new(resource) }
|
275
|
+
|
276
|
+
it 'rule name contains a MD5 sum of the line' do
|
277
|
+
expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
|
278
|
+
end
|
279
|
+
|
280
|
+
it 'parse arguments' do
|
281
|
+
expect(resource[:chain]).to eq('INPUT')
|
282
|
+
expect(resource[:proto]).to eq('tcp')
|
283
|
+
expect(resource[:dport]).to eq(['22'])
|
284
|
+
expect(resource[:state]).to eq(['NEW'])
|
285
|
+
expect(resource[:action]).to eq('accept')
|
286
|
+
end
|
126
287
|
end
|
127
288
|
|
128
289
|
describe 'when creating resources' do
|
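Review bot: The new `'rule name contains a MD5 sum of the line'` example in the system-config-firewall-tui describe derives its expected value from `resource[:line]`, i.e. from the output under test, so it cannot notice `rule_to_hash` storing a normalised or truncated line; hash the input instead, `expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(sample_rule)}")`, and add `expect(resource[:line]).to eq(sample_rule)`. The same example now exists twice in the file; a `shared_examples 'an unmanaged rule'` block would keep the two copies aligned if the naming scheme changes. The example title `'parse arguments'` does not match the third-person style used elsewhere, and `'parsed the rule arguments correctly'` itself reads better as `'parses the rule arguments correctly'`. The first describe block touched by this hunk opens above it.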
@@ -139,6 +300,10 @@ describe 'iptables provider' do
|
|
139
300
|
it 'update_args should be an array' do
|
140
301
|
expect(instance.update_args.class).to eq(Array)
|
141
302
|
end
|
303
|
+
|
304
|
+
it 'fails when modifying the chain' do
|
305
|
+
expect { instance.chain = "OUTPUT" }.to raise_error(/is not supported/)
|
306
|
+
end
|
142
307
|
end
|
143
308
|
|
144
309
|
describe 'when deleting resources' do
|
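Review bot: `raise_error(/is not supported/)` pins only the message, so any exception class whose text contains that phrase satisfies the example; pass the class as well, e.g. `raise_error(ArgumentError, /is not supported/)`, after checking the provider for the class it actually raises, which is not visible here. The literal `"OUTPUT"` uses double quotes where the surrounding examples use single quotes for fixed names. The `describe 'when creating resources'` block opens above the hunk.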
@@ -162,3 +327,79 @@ describe 'iptables provider' do
|
|
162
327
|
end
|
163
328
|
end
|
164
329
|
end
|
330
|
+
|
331
|
+
describe 'ip6tables provider' do
|
332
|
+
let(:provider6) { Puppet::Type.type(:firewall).provider(:ip6tables) }
|
333
|
+
let(:resource) {
|
334
|
+
Puppet::Type.type(:firewall).new({
|
335
|
+
:name => '000 test foo',
|
336
|
+
:action => 'accept',
|
337
|
+
:provider => "ip6tables",
|
338
|
+
})
|
339
|
+
}
|
340
|
+
|
341
|
+
before :each do
|
342
|
+
allow(Puppet::Type::Firewall).to receive(:ip6tables).and_return provider6
|
343
|
+
allow(provider6).to receive(:command).with(:ip6tables_save).and_return "/sbin/ip6tables-save"
|
344
|
+
|
345
|
+
# Stub iptables version
|
346
|
+
allow(Facter.fact(:ip6tables_version)).to receive(:value).and_return '1.4.7'
|
347
|
+
|
348
|
+
allow(Puppet::Util::Execution).to receive(:execute).and_return ''
|
349
|
+
allow(Puppet::Util).to receive(:which).with("ip6tables-save").
|
350
|
+
and_return "/sbin/ip6tables-save"
|
351
|
+
end
|
352
|
+
|
353
|
+
it 'should be able to get a list of existing rules' do
|
354
|
+
provider6.instances.each do |rule|
|
355
|
+
rule.should be_instance_of(provider6)
|
356
|
+
rule.properties[:provider6].to_s.should == provider6.name.to_s
|
357
|
+
end
|
358
|
+
end
|
359
|
+
|
360
|
+
it 'should ignore lines with fatal errors' do
|
361
|
+
allow(Puppet::Util::Execution).to receive(:execute).with(['/sbin/ip6tables-save']).
|
362
|
+
and_return("FATAL: Could not load /lib/modules/2.6.18-028stab095.1/modules.dep: No such file or directory")
|
363
|
+
provider6.instances.length.should == 0
|
364
|
+
end
|
365
|
+
|
366
|
+
# Load in ruby hash for test fixtures.
|
367
|
+
load 'spec/fixtures/ip6tables/conversion_hash.rb'
|
368
|
+
|
369
|
+
describe 'when converting rules to resources' do
|
370
|
+
ARGS_TO_HASH6.each do |test_name,data|
|
371
|
+
describe "for test data '#{test_name}'" do
|
372
|
+
let(:resource) { provider6.rule_to_hash(data[:line], data[:table], 0) }
|
373
|
+
|
374
|
+
# If this option is enabled, make sure the parameters exactly match
|
375
|
+
if data[:compare_all] then
|
376
|
+
it "the parameter hash keys should be the same as returned by rules_to_hash" do
|
377
|
+
resource.keys.should =~ data[:params].keys
|
378
|
+
end
|
379
|
+
end
|
380
|
+
|
381
|
+
# Iterate across each parameter, creating an example for comparison
|
382
|
+
data[:params].each do |param_name, param_value|
|
383
|
+
it "the parameter '#{param_name.to_s}' should match #{param_value.inspect}" do
|
384
|
+
resource[param_name].should == data[:params][param_name]
|
385
|
+
end
|
386
|
+
end
|
387
|
+
end
|
388
|
+
end
|
389
|
+
end
|
390
|
+
|
391
|
+
describe 'when working out general_args' do
|
392
|
+
HASH_TO_ARGS6.each do |test_name,data|
|
393
|
+
describe "for test data '#{test_name}'" do
|
394
|
+
let(:resource) { Puppet::Type.type(:firewall).new(data[:params]) }
|
395
|
+
let(:provider6) { Puppet::Type.type(:firewall).provider(:ip6tables) }
|
396
|
+
let(:instance) { provider6.new(resource) }
|
397
|
+
|
398
|
+
it 'general_args should be valid' do
|
399
|
+
instance.general_args.flatten.should == data[:args]
|
400
|
+
end
|
401
|
+
end
|
402
|
+
end
|
403
|
+
end
|
404
|
+
end
|
405
|
+
|
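Review bot: `rule.properties[:provider6]` in `'should be able to get a list of existing rules'` looks up a key named after the spec-local variable rather than the `:provider` property, and because `Puppet::Util::Execution.execute` is stubbed to return `''` (and the fatal-error example shows `instances` is built from that output) the `each` body never runs, so the example passes without asserting anything; change it to `rule.properties[:provider].to_s.should == provider6.name.to_s` and either feed the stub one real `ip6tables-save` line or assert `provider6.instances` is non-empty first. `allow(Puppet::Type::Firewall).to receive(:ip6tables)` does not mirror the iptables block's `:defaultprovider` stub; with `:provider => "ip6tables"` set explicitly on the resource the stub may be unnecessary, but as written it is a no-op at best and would fail under `verify_partial_doubles` if no such method exists. The block also mixes the old `should` syntax (`.should ==`, `should =~`) with the `expect` syntax used in the rest of this change; recent RSpec versions may warn on `should` unless it is explicitly enabled, so `expect(...).to eq(...)` throughout would be consistent.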