freighthop 0.3.3 → 0.4.0

data/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb

@@ -0,0 +1,107 @@
+# These hashes allow us to iterate across a series of test data
+# creating rspec examples for each parameter to ensure the input :line
+# extrapolates to the desired value for the parameter in question. And
+# vice-versa
+
+# This hash is for testing a line conversion to a hash of parameters
+# which will be used to create a resource.
+ARGS_TO_HASH6 = {
+  'source_destination_ipv6_no_cidr' => {
+    :line => '-A INPUT -s 2001:db8:85a3::8a2e:370:7334 -d 2001:db8:85a3::8a2e:370:7334 -m comment --comment "000 source destination ipv6 no cidr"',
+    :table => 'filter',
+    :provider => 'ip6tables',
+    :params => {
+      :source => '2001:db8:85a3::8a2e:370:7334/128',
+      :destination => '2001:db8:85a3::8a2e:370:7334/128',
+    },
+  },
+  'source_destination_ipv6_netmask' => {
+    :line => '-A INPUT -s 2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -d 2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -m comment --comment "000 source destination ipv6 netmask"',
+    :table => 'filter',
+    :provider => 'ip6tables',
+    :params => {
+      :source => '2001:db8:1234::/48',
+      :destination => '2001:db8:4321::/48',
+    },
+  },
+}
+
+# This hash is for testing converting a hash to an argument line.
+HASH_TO_ARGS6 = {
+  'zero_prefixlen_ipv6' => {
+    :params => {
+      :name => '100 zero prefix length ipv6',
+      :table => 'filter',
+      :provider => 'ip6tables',
+      :source => '::/0',
+      :destination => '::/0',
+    },
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
+  },
+  'source_destination_ipv4_no_cidr' => {
+    :params => {
+      :name => '000 source destination ipv4 no cidr',
+      :table => 'filter',
+      :provider => 'ip6tables',
+      :source => '1.1.1.1',
+      :destination => '2.2.2.2',
+    },
+    :args => ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.2.2.2/32', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv4 no cidr'],
+  },
+ 'source_destination_ipv6_no_cidr' => {
+    :params => {
+      :name => '000 source destination ipv6 no cidr',
+      :table => 'filter',
+      :provider => 'ip6tables',
+      :source => '2001:db8:1234::',
+      :destination => '2001:db8:4321::',
+    },
+    :args => ['-t', :filter, '-s', '2001:db8:1234::/128', '-d', '2001:db8:4321::/128', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 no cidr'],
+  },
+ 'source_destination_ipv6_netmask' => {
+    :params => {
+      :name => '000 source destination ipv6 netmask',
+      :table => 'filter',
+      :provider => 'ip6tables',
+      :source => '2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
+      :destination => '2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
+    },
+    :args => ['-t', :filter, '-s', '2001:db8:1234::/48', '-d', '2001:db8:4321::/48', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 netmask'],
+  },
+  'frag_ishasmorefrags' => {
+    :params => {
+      :name => "100 has more fragments",
+      :ishasmorefrags => true,
+      :provider => 'ip6tables',
+      :table => "filter",
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragmore", "-m", "comment", "--comment", "100 has more fragments"],
+  },
+  'frag_islastfrag' => {
+    :params => {
+      :name => "100 last fragment",
+      :islastfrag => true,
+      :provider => 'ip6tables',
+      :table => "filter",
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fraglast", "-m", "comment", "--comment", "100 last fragment"],
+  },
+  'frag_isfirstfrags' => {
+    :params => {
+      :name => "100 first fragment",
+      :isfirstfrag => true,
+      :provider => 'ip6tables',
+      :table => "filter",
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragfirst", "-m", "comment", "--comment", "100 first fragment"],
+  },
+  'hop_limit' => {
+    :params => {
+      :name => "100 hop limit",
+      :hop_limit => 255,
+      :provider => 'ip6tables',
+      :table => "filter",
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 hop limit", "-m", "hl", "--hl-eq", 255],
+  },
+}

data/modules/firewall/spec/fixtures/iptables/conversion_hash.rb

@@ -6,6 +6,19 @@
 # This hash is for testing a line conversion to a hash of parameters
 # which will be used to create a resource.
 ARGS_TO_HASH = {
+  'dport_and_sport' => {
+    :line => '-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT',
+    :table => 'filter',
+    :params => {
+      :action => 'accept',
+      :chain => 'nova-compute-FORWARD',
+      :source => '0.0.0.0/32',
+      :destination => '255.255.255.255/32',
+      :sport => ['68'],
+      :dport => ['67'],
+      :proto => 'udp',
+    },
+  },
   'long_rule_1' => {
     :line => '-A INPUT -s 1.1.1.1/32 -d 1.1.1.1/32 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -m comment --comment "000 allow foo" -j ACCEPT',
     :table => 'filter',
@@ -89,6 +102,30 @@ ARGS_TO_HASH = {
       :destination => '2001:db8:4321::/48',
     },
   },
+  'source_destination_negate_source' => {
+    :line => '-A INPUT ! -s 1.1.1.1 -d 2.2.2.2 -m comment --comment "000 negated source address"',
+    :table => 'filter',
+    :params => {
+      :source => '! 1.1.1.1/32',
+      :destination => '2.2.2.2/32',
+    },
+  },
+  'source_destination_negate_destination' => {
+    :line => '-A INPUT -s 1.1.1.1 ! -d 2.2.2.2 -m comment --comment "000 negated destination address"',
+    :table => 'filter',
+    :params => {
+      :source => '1.1.1.1/32',
+      :destination => '! 2.2.2.2/32',
+    },
+  },
+  'source_destination_negate_destination_alternative' => {
+    :line => '-A INPUT -s 1.1.1.1 -d ! 2.2.2.2 -m comment --comment "000 negated destination address alternative"',
+    :table => 'filter',
+    :params => {
+      :source => '1.1.1.1/32',
+      :destination => '! 2.2.2.2/32',
+    },
+  },
   'dport_range_1' => {
     :line => '-A INPUT -m multiport --dports 1:1024 -m comment --comment "000 allow foo"',
     :table => 'filter',
@@ -170,6 +207,14 @@ ARGS_TO_HASH = {
       :action => nil,
     },
   },
+  'ctstate_returns_sorted_values' => {
+    :line => '-A INPUT -m conntrack --ctstate INVALID,RELATED,ESTABLISHED',
+    :table => 'filter',
+    :params => {
+      :ctstate => ['ESTABLISHED', 'INVALID', 'RELATED'],
+      :action => nil,
+    },
+  },
   'comment_string_character_validation' => {
     :line => '-A INPUT -s 192.168.0.1/32 -m comment --comment "000 allow from 192.168.0.1, please"',
     :table => 'filter',
@@ -539,7 +584,7 @@ HASH_TO_ARGS = {
       :table => 'filter',
       :dst_range => '10.0.0.1-10.0.0.10',
     },
-    :args => ['-t', :filter, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-p', :tcp, '-m', 'comment', '--comment', '000 dst_range'],
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-m', 'comment', '--comment', '000 dst_range'],
   },
   'src_range_1' => {
     :params => {
@@ -547,7 +592,7 @@ HASH_TO_ARGS = {
       :table => 'filter',
       :dst_range => '10.0.0.1-10.0.0.10',
     },
-    :args => ['-t', :filter, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-p', :tcp, '-m', 'comment', '--comment', '000 src_range'],
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-m', 'comment', '--comment', '000 src_range'],
   },
   'tcp_flags_1' => {
     :params => {
@@ -567,6 +612,15 @@ HASH_TO_ARGS = {
     :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 states_set_from_array",
       "-m", "state", "--state", "ESTABLISHED,INVALID"],
   },
+  'ctstates_set_from_array' => {
+    :params => {
+      :name => "100 ctstates_set_from_array",
+      :table => "filter",
+      :ctstate => ['ESTABLISHED', 'INVALID']
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 ctstates_set_from_array",
+      "-m", "conntrack", "--ctstate", "ESTABLISHED,INVALID"],
+  },
   'comment_string_character_validation' => {
     :params => {
       :name => "000 allow from 192.168.0.1, please",

data/modules/firewall/spec/spec_helper_acceptance.rb

@@ -0,0 +1,38 @@
+require 'beaker-rspec'
+
+def iptables_flush_all_tables
+  ['filter', 'nat', 'mangle', 'raw'].each do |t|
+    expect(shell("/sbin/iptables -t #{t} -F").stderr).to eq("")
+  end
+end
+
+def ip6tables_flush_all_tables
+  ['filter'].each do |t|
+    expect(shell("/sbin/ip6tables -t #{t} -F").stderr).to eq("")
+  end
+end
+
+hosts.each do |host|
+  # Install Puppet
+  install_package host, 'rubygems'
+  on host, 'gem install puppet --no-ri --no-rdoc'
+  on host, "mkdir -p #{host['distmoduledir']}"
+end
+
+RSpec.configure do |c|
+  # Project root
+  proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+  # Readable test descriptions
+  c.formatter = :documentation
+
+  # Configure all nodes in nodeset
+  c.before :suite do
+    # Install module and dependencies
+    puppet_module_install(:source => proj_root, :module_name => 'firewall')
+    hosts.each do |host|
+      shell('/bin/touch /etc/puppet/hiera.yaml')
+      shell('puppet module install puppetlabs-stdlib --version 3.2.0', { :acceptable_exit_codes => [0,1] })
+    end
+  end
+end

data/modules/firewall/spec/unit/classes/firewall_spec.rb

@@ -8,7 +8,7 @@ describe 'firewall', :type => :class do
 
   context 'kernel => Windows' do
     let(:facts) {{ :kernel => 'Windows' }}
-    it { expect { should include_class('firewall::linux') }.to raise_error(Puppet::Error) }
+    it { expect { should contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
   end
 
   context 'ensure => stopped' do
@@ -20,6 +20,6 @@ describe 'firewall', :type => :class do
   context 'ensure => test' do
     let(:facts) {{ :kernel => 'Linux' }}
     let(:params) {{ :ensure => 'test' }}
-    it { expect { should include_class('firewall::linux') }.to raise_error(Puppet::Error) }
+    it { expect { should contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
   end
 end

data/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb

@@ -10,8 +10,9 @@ describe "Facter::Util::Fact iptables_persistent_version" do
   }.each do |os, ver|
     describe "#{os} package installed" do
       before {
-        Facter.fact(:operatingsystem).stubs(:value).returns(os)
-        Facter::Util::Resolution.stubs(:exec).with(dpkg_cmd).returns(ver)
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return(os)
+        allow(Facter::Util::Resolution).to receive(:exec).with(dpkg_cmd).
+          and_return(ver)
       }
       it { Facter.fact(:iptables_persistent_version).value.should == ver }
     end
@@ -19,14 +20,16 @@ describe "Facter::Util::Fact iptables_persistent_version" do
 
   describe 'Ubuntu package not installed' do
     before {
-      Facter.fact(:operatingsystem).stubs(:value).returns("Ubuntu")
-      Facter::Util::Resolution.stubs(:exec).with(dpkg_cmd).returns(nil)
+      allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Ubuntu')
+      allow(Facter::Util::Resolution).to receive(:exec).with(dpkg_cmd).
+        and_return(nil)
     }
     it { Facter.fact(:iptables_persistent_version).value.should be_nil }
   end
 
   describe 'CentOS not supported' do
-    before { Facter.fact(:operatingsystem).stubs(:value).returns("CentOS") }
+    before { allow(Facter.fact(:operatingsystem)).to receive(:value).
+               and_return("CentOS") }
     it { Facter.fact(:iptables_persistent_version).value.should be_nil }
   end
 end

data/modules/firewall/spec/unit/facter/iptables_spec.rb

@@ -3,19 +3,21 @@ require 'spec_helper'
 describe "Facter::Util::Fact" do
   before {
     Facter.clear
-    Facter.fact(:kernel).stubs(:value).returns("Linux")
-    Facter.fact(:kernelrelease).stubs(:value).returns("2.6")
+    allow(Facter.fact(:kernel)).to receive(:value).and_return('Linux')
+    allow(Facter.fact(:kernelrelease)).to receive(:value).and_return('2.6')
   }
 
   describe 'iptables_version' do
     it {
-      Facter::Util::Resolution.stubs(:exec).with('iptables --version').returns('iptables v1.4.7')
+      allow(Facter::Util::Resolution).to receive(:exec).with('iptables --version').
+      and_return('iptables v1.4.7')
       Facter.fact(:iptables_version).value.should == '1.4.7'
     }
   end
 
   describe 'ip6tables_version' do
-    before { Facter::Util::Resolution.stubs(:exec).with('ip6tables --version').returns('ip6tables v1.4.7') }
+    before { allow(Facter::Util::Resolution).to receive(:exec).
+             with('ip6tables --version').and_return('ip6tables v1.4.7') }
     it { Facter.fact(:ip6tables_version).value.should == '1.4.7' }
   end
 end

data/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb

@@ -1,12 +1,22 @@
 #!/usr/bin/env rspec
 
 require 'spec_helper'
-require 'puppet'
+if Puppet.version < '3.4.0'
+  require 'puppet/provider/confine/exists'
+else
+  require 'puppet/confine/exists'
+end
 
 describe 'iptables chain provider detection' do
-  let(:exists) {
-    Puppet::Provider::Confine::Exists
-  }
+  if Puppet.version < '3.4.0'
+    let(:exists) {
+      Puppet::Provider::Confine::Exists
+    }
+  else
+    let(:exists) {
+      Puppet::Confine::Exists
+    }
+  end
 
   before :each do
     # Reset the default provider

data/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb

@@ -1,12 +1,22 @@
 #!/usr/bin/env rspec
 
 require 'spec_helper'
-require 'puppet/provider/confine/exists'
+if Puppet.version < '3.4.0'
+  require 'puppet/provider/confine/exists'
+else
+  require 'puppet/confine/exists'
+end
 
 describe 'iptables provider detection' do
-  let(:exists) {
-    Puppet::Provider::Confine::Exists
-  }
+  if Puppet.version < '3.4.0'
+    let(:exists) {
+      Puppet::Provider::Confine::Exists
+    }
+  else
+    let(:exists) {
+      Puppet::Confine::Exists
+    }
+  end
 
   before :each do
     # Reset the default provider
@@ -44,7 +54,7 @@ describe 'iptables provider' do
   }
 
   before :each do
-    Puppet::Type::Firewall.stubs(:defaultprovider).returns provider
+    allow(Puppet::Type::Firewall).to receive(:defaultprovider).and_return provider
     allow(provider).to receive(:command).with(:iptables_save).and_return "/sbin/iptables-save"
 
     # Stub iptables version
@@ -69,6 +79,126 @@ describe 'iptables provider' do
     expect(provider.instances.length).to be_zero
   end
 
+  describe '#insert_order' do
+    let(:iptables_save_output) { [
+      '-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test" -j ACCEPT',
+      '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 200 -m comment --comment "200 test" -j ACCEPT',
+      '-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 300 -m comment --comment "300 test" -j ACCEPT'
+    ] }
+    let(:resources) do
+      iptables_save_output.each_with_index.collect { |l,index| provider.rule_to_hash(l, 'filter', index) }
+    end
+    let(:providers) do
+      resources.collect { |r| provider.new(r) }
+    end
+    it 'understands offsets for adding rules to the beginning' do
+      resource = Puppet::Type.type(:firewall).new({ :name => '001 test', })
+      allow(resource.provider.class).to receive(:instances).and_return(providers)
+      expect(resource.provider.insert_order).to eq(1) # 1-indexed
+    end
+    it 'understands offsets for editing rules at the beginning' do
+      resource = Puppet::Type.type(:firewall).new({ :name => '100 test', })
+      allow(resource.provider.class).to receive(:instances).and_return(providers)
+      expect(resource.provider.insert_order).to eq(1)
+    end
+    it 'understands offsets for adding rules to the middle' do
+      resource = Puppet::Type.type(:firewall).new({ :name => '101 test', })
+      allow(resource.provider.class).to receive(:instances).and_return(providers)
+      expect(resource.provider.insert_order).to eq(2)
+    end
+    it 'understands offsets for editing rules at the middle' do
+      resource = Puppet::Type.type(:firewall).new({ :name => '200 test', })
+      allow(resource.provider.class).to receive(:instances).and_return(providers)
+      expect(resource.provider.insert_order).to eq(2)
+    end
+    it 'understands offsets for adding rules to the end' do
+      resource = Puppet::Type.type(:firewall).new({ :name => '301 test', })
+      allow(resource.provider.class).to receive(:instances).and_return(providers)
+      expect(resource.provider.insert_order).to eq(4)
+    end
+    it 'understands offsets for editing rules at the end' do
+      resource = Puppet::Type.type(:firewall).new({ :name => '300 test', })
+      allow(resource.provider.class).to receive(:instances).and_return(providers)
+      expect(resource.provider.insert_order).to eq(3)
+    end
+
+    context 'with unname rules between' do
+      let(:iptables_save_output) { [
+        '-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 150 -m comment --comment "150 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 200 -j ACCEPT',
+        '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 250 -j ACCEPT',
+        '-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 300 -m comment --comment "300 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 350 -m comment --comment "350 test" -j ACCEPT',
+      ] }
+      it 'understands offsets for adding rules before unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '001 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(1)
+      end
+      it 'understands offsets for editing rules before unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '100 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(1)
+      end
+      it 'understands offsets for adding rules between managed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '120 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(2)
+      end
+      it 'understands offsets for adding rules between unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '151 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(3)
+      end
+      it 'understands offsets for adding rules after unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '351 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(7)
+      end
+    end
+
+    context 'with unname rules before and after' do
+      let(:iptables_save_output) { [
+        '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 050 -j ACCEPT',
+        '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 090 -j ACCEPT',
+        '-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 100 -m comment --comment "100 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.2/32 -p tcp -m multiport --ports 150 -m comment --comment "150 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 200 -j ACCEPT',
+        '-A INPUT -s 8.0.0.3/32 -p tcp -m multiport --ports 250 -j ACCEPT',
+        '-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 300 -m comment --comment "300 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.4/32 -p tcp -m multiport --ports 350 -m comment --comment "350 test" -j ACCEPT',
+        '-A INPUT -s 8.0.0.5/32 -p tcp -m multiport --ports 400 -j ACCEPT',
+        '-A INPUT -s 8.0.0.5/32 -p tcp -m multiport --ports 450 -j ACCEPT',
+      ] }
+      it 'understands offsets for adding rules before unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '001 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(1)
+      end
+      it 'understands offsets for editing rules before unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '100 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(3)
+      end
+      it 'understands offsets for adding rules between managed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '120 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(4)
+      end
+      it 'understands offsets for adding rules between unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '151 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(5)
+      end
+      it 'understands offsets for adding rules after unnamed rules' do
+        resource = Puppet::Type.type(:firewall).new({ :name => '351 test', })
+        allow(resource.provider.class).to receive(:instances).and_return(providers)
+        expect(resource.provider.insert_order).to eq(9)
+      end
+    end
+  end
+
   # Load in ruby hash for test fixtures.
   load 'spec/fixtures/iptables/conversion_hash.rb'
 
@@ -123,6 +253,37 @@ describe 'iptables provider' do
     it 'rule name contains a MD5 sum of the line' do
       expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
     end
+
+    it 'parsed the rule arguments correctly' do
+      expect(resource[:chain]).to eq('INPUT')
+      expect(resource[:source]).to eq('1.1.1.1/32')
+      expect(resource[:destination]).to eq('1.1.1.1/32')
+      expect(resource[:proto]).to eq('tcp')
+      expect(resource[:dport]).to eq(['7061', '7062'])
+      expect(resource[:sport]).to eq(['7061', '7062'])
+      expect(resource[:action]).to eq('accept')
+    end
+  end
+
+  describe 'when converting existing rules generates by system-config-firewall-tui to resources' do
+    let(:sample_rule) {
+      # as generated by iptables-save from rules created with system-config-firewall-tui
+      '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
+    }
+    let(:resource) { provider.rule_to_hash(sample_rule, 'filter', 0) }
+    let(:instance) { provider.new(resource) }
+
+    it 'rule name contains a MD5 sum of the line' do
+      expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
+    end
+
+    it 'parse arguments' do
+      expect(resource[:chain]).to eq('INPUT')
+      expect(resource[:proto]).to eq('tcp')
+      expect(resource[:dport]).to eq(['22'])
+      expect(resource[:state]).to eq(['NEW'])
+      expect(resource[:action]).to eq('accept')
+    end
   end
 
   describe 'when creating resources' do
@@ -139,6 +300,10 @@ describe 'iptables provider' do
     it 'update_args should be an array' do
       expect(instance.update_args.class).to eq(Array)
     end
+
+    it 'fails when modifying the chain' do
+      expect { instance.chain = "OUTPUT" }.to raise_error(/is not supported/)
+    end
   end
 
   describe 'when deleting resources' do
@@ -162,3 +327,79 @@ describe 'iptables provider' do
     end
   end
 end
+
+describe 'ip6tables provider' do
+  let(:provider6) { Puppet::Type.type(:firewall).provider(:ip6tables) }
+  let(:resource) {
+    Puppet::Type.type(:firewall).new({
+      :name  => '000 test foo',
+      :action  => 'accept',
+      :provider => "ip6tables",
+    })
+  }
+
+  before :each do
+    allow(Puppet::Type::Firewall).to receive(:ip6tables).and_return provider6
+    allow(provider6).to receive(:command).with(:ip6tables_save).and_return "/sbin/ip6tables-save"
+
+    # Stub iptables version
+    allow(Facter.fact(:ip6tables_version)).to receive(:value).and_return '1.4.7'
+
+    allow(Puppet::Util::Execution).to receive(:execute).and_return ''
+    allow(Puppet::Util).to receive(:which).with("ip6tables-save").
+      and_return "/sbin/ip6tables-save"
+  end
+
+  it 'should be able to get a list of existing rules' do
+    provider6.instances.each do |rule|
+      rule.should be_instance_of(provider6)
+      rule.properties[:provider6].to_s.should == provider6.name.to_s
+    end
+  end
+
+  it 'should ignore lines with fatal errors' do
+    allow(Puppet::Util::Execution).to receive(:execute).with(['/sbin/ip6tables-save']).
+      and_return("FATAL: Could not load /lib/modules/2.6.18-028stab095.1/modules.dep: No such file or directory")
+    provider6.instances.length.should == 0
+  end
+
+  # Load in ruby hash for test fixtures.
+  load 'spec/fixtures/ip6tables/conversion_hash.rb'
+
+  describe 'when converting rules to resources' do
+    ARGS_TO_HASH6.each do |test_name,data|
+      describe "for test data '#{test_name}'" do
+        let(:resource) { provider6.rule_to_hash(data[:line], data[:table], 0) }
+
+        # If this option is enabled, make sure the parameters exactly match
+        if data[:compare_all] then
+          it "the parameter hash keys should be the same as returned by rules_to_hash" do
+            resource.keys.should =~ data[:params].keys
+          end
+        end
+
+        # Iterate across each parameter, creating an example for comparison
+        data[:params].each do |param_name, param_value|
+          it "the parameter '#{param_name.to_s}' should match #{param_value.inspect}" do
+            resource[param_name].should == data[:params][param_name]
+          end
+        end
+      end
+    end
+  end
+
+  describe 'when working out general_args' do
+    HASH_TO_ARGS6.each do |test_name,data|
+      describe "for test data '#{test_name}'" do
+        let(:resource) { Puppet::Type.type(:firewall).new(data[:params]) }
+        let(:provider6) { Puppet::Type.type(:firewall).provider(:ip6tables) }
+        let(:instance) { provider6.new(resource) }
+
+        it 'general_args should be valid' do
+          instance.general_args.flatten.should == data[:args]
+        end
+      end
+    end
+  end
+end
+