iptables-ruby 0.2.4

data/test/tc_configuration.rb

@@ -0,0 +1,72 @@
+require 'common'
+
+class TestConfiguration < Test::Unit::TestCase
+  def setup
+    @test_config = IPTables::Configuration.new()
+  end
+
+  def test_initialize
+    assert_nothing_raised( RuntimeError ) { IPTables::Configuration.new() }
+  end
+
+  def test_parse_files
+    assert_raise( RuntimeError ) { IPTables::Configuration.new('foobar') }
+    # don't know how to test reading .json files
+    # without being able to test reading json, can not complete testing
+    #assert_nothing_raised( RuntimeError ) { IPTables::Configuration.new('test/test_config.json') }
+  end
+
+  def test_policy
+    assert_raise( RuntimeError ) { @test_config.policy }
+    assert_equal({}, @test_config.policy({}))
+  end
+
+  def test_policy6
+    assert_raise( RuntimeError ) { @test_config.policy6 }
+    assert_equal({}, @test_config.policy6({}))
+  end
+
+  def test_interpolations
+    assert_raise( RuntimeError ) { @test_config.interpolations }
+  end
+
+  def test_primitives
+    assert_raise( RuntimeError ) { @test_config.primitives }
+  end
+
+  def test_rules
+    assert_raise( RuntimeError ) { @test_config.rules }
+    assert_equal({}, @test_config.rules({}))
+  end
+
+  def test_services
+    assert_raise( RuntimeError ) { @test_config.services }
+  end
+
+  def test_macros
+    assert_raise( RuntimeError ) { @test_config.macros }
+  end
+
+  def test_converge_firewall
+    assert_raise( RuntimeError ) { @test_config.converge_firewall() }
+
+    test_policy = IPTables::Tables.new({
+      'table1' => {
+        'chain1' => {
+          'policy' => 'ACCEPT',
+          'rules' => [
+            '-j ACCEPT'
+          ]
+        }
+      }
+    }, @test_config)
+    @test_config.policy(test_policy)
+
+    test_rules = IPTables::Tables.new({
+      'table1' => { 'chain1' => { 'policy' => 'DROP' } }
+    }, @test_config)
+    @test_config.rules(test_policy)
+
+    assert_instance_of(IPTables::Tables, @test_config.converge_firewall)
+  end
+end

data/test/tc_expansions.rb

@@ -0,0 +1,116 @@
+require 'common'
+
+class TestMacros < Test::Unit::TestCase
+  def test_initialize
+    assert_equal({}, IPTables::Macros.new({}).named)
+    assert_instance_of(IPTables::Macro, IPTables::Macros.new({'test_macro' => {}}).named['test_macro'])
+  end
+end
+
+class TestMacro < Test::Unit::TestCase
+  def test_initialize
+    assert_raise( RuntimeError ) { IPTables::Macro.new('test_macro', 1) }
+
+    assert_equal('test_macro', IPTables::Macro.new('test_macro', {}).name)
+    assert_equal([], IPTables::Macro.new('test_macro', []).children)
+    assert_equal([{}], IPTables::Macro.new('test_macro', {}).children)
+    assert_equal([{'raw' => ''}], IPTables::Macro.new('test_macro', '').children)
+    assert_equal([{'raw' => ''}], IPTables::Macro.new('test_macro', [{'raw' => ''}]).children)
+  end
+end
+
+class TestServices < Test::Unit::TestCase
+  def test_initialize
+    assert_equal({}, IPTables::Services.new({}).named)
+    assert_instance_of(IPTables::Service, IPTables::Services.new({'test_service' => 1}).named['test_service'])
+  end
+end
+
+class TestService < Test::Unit::TestCase
+  def test_initialize
+    assert_raise( RuntimeError ) { IPTables::Service.new('test_service', 1.0) }
+    assert_raise( RuntimeError ) { IPTables::Service.new('test_service', []) }
+    assert_raise( RuntimeError ) { IPTables::Service.new('test_service', {}) }
+
+    assert_equal('test_service', IPTables::Service.new('test_service', 1).name)
+  end
+
+  def test_handle_string
+    assert_equal([{"comment"=>"_ test_service"}, {"raw"=>"-j ACCEPT"}], IPTables::Service.new('test_service', '-j ACCEPT').children)
+  end
+
+  def test_handle_array
+    assert_equal([{"comment"=>"_ test_service"}, {"raw"=>"-j ACCEPT"}], IPTables::Service.new('test_service', [{'raw' => '-j ACCEPT'}]).children)
+  end
+
+  def test_handle_hash
+    assert_equal([{"raw"=>"-j ACCEPT", "service_name"=>"test_service"}], IPTables::Service.new('test_service', {'raw' => '-j ACCEPT'}).children)
+  end
+
+  def test_handle_integer
+    assert_equal(
+      [
+        {"comment"=>"_ Port 1 - test_service"},
+        {"raw"=> "-p tcp -m tcp --sport 1024:65535 --dport 1 -m state --state NEW,ESTABLISHED -j ACCEPT"}
+      ], 
+    IPTables::Service.new('test_service', 1).children
+  )
+  end
+end
+
+class TestInterpolations < Test::Unit::TestCase
+  def setup
+    @new = IPTables::Interpolations.new({})
+  end
+
+  def test_initialize
+    assert_equal({}, @new.named)
+  end
+
+  def test_add
+    @new.add('test_interpolation')
+    assert_instance_of(IPTables::Interpolation, @new.named['test_interpolation'])
+  end
+
+  def test_children
+    @new.add('test_interpolation')
+    assert_equal([{"raw"=>"test_interpolation"}], @new.children('test_interpolation'))
+    assert_equal([{"raw"=>"test_interpolation"}], @new.children(['test_interpolation']))
+  end
+end
+
+class TestInterpolation < Test::Unit::TestCase
+  def setup
+    @config = IPTables::Configuration.new
+    @config.primitives( 
+      IPTables::Primitives.new({
+        'branch' => { 'leaf1' => 'leaf1_value' },
+        'leaf2' => 'leaf2_value',
+        'array1' => [ 'array_value1', 'array_value2' ]
+      }) 
+    )
+    @config.interpolations( 
+      IPTables::Interpolations.new( @config.primitives )
+    )
+  end
+
+  def test_add_child
+    assert_raise( RuntimeError ) { IPTables::Interpolation.new(@config.interpolations, '<% missing %>') }
+    #assert_raise( RuntimeError ) { IPTables::Interpolation.new(@config.interpolations, '<% branch %>') }
+  end
+
+  def test_children
+    assert_equal(
+      'junk leaf1_value', 
+      IPTables::Interpolation.new(@config.interpolations, 'junk <% branch.leaf1 %>').children
+    )
+    assert_equal(
+      'leaf2_value stuff', 
+      IPTables::Interpolation.new(@config.interpolations, '<% leaf2 %> stuff').children
+    )
+    assert_equal(
+      ["before array_value1 after", "before array_value2 after"], 
+      IPTables::Interpolation.new(@config.interpolations, 'before <% array1 %> after').children
+    )
+  end
+end

data/test/tc_primitives.rb

@@ -0,0 +1,35 @@
+require 'common'
+
+class TestPrimitives < Test::Unit::TestCase
+  def setup
+    test_data = {
+      'first' => {
+        'second' => 'blah'
+      }
+    }
+    @primitives = IPTables::Primitives.new(test_data)
+  end
+
+  def test_initialize
+    assert_raise( RuntimeError ) { IPTables::Primitives.new(1) }
+    assert_raise( RuntimeError ) { IPTables::Primitives.new({'test_primitive', 1}) }
+
+    assert_equal({}, IPTables::Primitives.new({}).children)
+    assert_equal({'test_primitive' => []}, IPTables::Primitives.new({'test_primitive' => []}).children)
+
+    primitives = IPTables::Primitives.new({'test_primitive' => {}})
+    assert_kind_of(IPTables::Primitives, primitives.children['test_primitive'])
+  end
+
+  def test_substitute
+    assert_raise( RuntimeError, 'a missing substitution is an error' ) { @primitives.substitute('missing') }
+    assert_raise( RuntimeError, 'a partial substitution is an error' ) { @primitives.substitute('first') }
+    assert_equal('blah', @primitives.substitute('first.second'))
+  end
+
+  def test_has_primitive
+    assert(@primitives.has_primitive?('first.second'), 'An existing primitive should say it exists')
+    assert_equal(false, @primitives.has_primitive?('missing'), 'A missing primitive should say it does not exist')
+    assert_equal(false, @primitives.has_primitive?('first'), 'A partial primitive should say it does not exist')
+  end
+end

data/test/tc_tables.rb

@@ -0,0 +1,652 @@
+require 'common'
+
+class TestTables < Test::Unit::TestCase
+  def test_initialize
+    assert_raise( RuntimeError ) { IPTables::Tables.new(1) }
+
+    test_iptables = IPTables::Tables.new({
+      'table1' => {},
+      'table2' => nil
+    })
+    assert_kind_of(IPTables::Table, test_iptables.tables['table1'])
+    assert_nil(test_iptables.tables['table2'])
+  end
+
+  def test_null_table_as_array
+    test_iptables1 = IPTables::Tables.new( {
+      'nat' => nil,
+    })
+    assert_equal(
+      [], 
+      test_iptables1.as_array,
+      'null table should produce no policy and empty ruleset'
+    )
+  end
+
+  def test_as_array_without_comments
+    config = IPTables::Configuration.new()
+    tables = IPTables::Tables.new({
+      'filter' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT',
+          'rules' => [
+            { 'comment' => 'foobar' }
+          ]
+        }
+      }
+    }, config)
+    assert_equal(
+      [
+        "*filter",
+        ":INPUT ACCEPT",
+        "COMMIT"
+      ], 
+      tables.as_array(comments = false),
+      'if comments are excluded, they should not appear in output'
+    )
+  end
+
+  def test_ignore_comments_in_policy_fw
+    config = IPTables::Configuration.new
+    config.primitives( 
+      IPTables::Primitives.new({
+        'branch' => { 'leaf1' => 'leaf1_value' },
+        'leaf2' => 'leaf2_value',
+      }) 
+    )
+    config.interpolations( 
+      IPTables::Interpolations.new( config.primitives )
+    )
+    config.services( 
+      IPTables::Services.new({
+        'service1' => 1111,
+      }) 
+    )
+    config.macros( 
+      IPTables::Macros.new({
+        'macro1' => [
+          { 'comment' => 'A comment in a macro' }
+        ]
+      }) 
+    )
+    config.policy(
+      IPTables::Tables.new({
+        'filter' => {
+          'INPUT' => {
+            'policy' => 'ACCEPT',
+            'rules' => [
+              { 'comment' => 'foobar' },
+              '-j ACCEPT',
+              { 'node_addition_points' => [ 'INPUT' ] },
+              { 'macro' => 'macro1' },
+              { 'service' => 'service1' },
+            ]
+          }
+        }
+      }, config)
+    )
+    config.rules(
+      IPTables::Tables.new({
+        'filter' => {
+          'INPUT' => {
+            'additions' => [
+              { 'comment' => 'a comment from an addition' },
+              { 
+                'service_name' => 'a test service',
+                'service_tcp' => 2222
+              },
+            ]
+          }
+        }
+      }, config)
+    )
+    converged_fw = config.converge_firewall
+    assert_equal(
+      [
+        '*filter',
+        ':INPUT ACCEPT',
+        '-A INPUT -j ACCEPT',
+        '-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT',
+        '-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1111 -m state --state NEW,ESTABLISHED -j ACCEPT',
+        'COMMIT'
+      ],
+      converged_fw.as_array(false),
+      'when excluding comments from a converged firewall, should see no comments'
+    )
+  end
+
+  def test_two_tables_as_array
+    test_iptables1 = IPTables::Tables.new( {
+      'nat' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT'
+        }
+      },
+      'filter' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT'
+        }
+      },
+    })
+    assert_equal(
+      [
+        "*filter",
+        ":INPUT ACCEPT",
+        "COMMIT",
+        "*nat",
+        ":INPUT ACCEPT",
+        "COMMIT"
+      ], 
+      test_iptables1.as_array,
+      'two tables should produce consistent array output'
+    )
+  end
+
+  def test_table_only_with_policy_as_array
+    test_iptables1 = IPTables::Tables.new( {
+      'nat' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT'
+        }
+      },
+    })
+    assert_equal(
+      [
+        "*nat",
+        ":INPUT ACCEPT",
+        "COMMIT"
+      ], 
+      test_iptables1.as_array,
+      'null table to array should produce an empty array'
+    )
+  end
+
+  def test_merge_table_to_null_table
+    test_iptables1 = IPTables::Tables.new( {
+      'table1' => nil,
+    })
+    test_iptables2 = IPTables::Tables.new( {
+      'table1' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT'
+        }
+      },
+    })
+    test_iptables1.merge(test_iptables2)
+    assert_kind_of(IPTables::Table, test_iptables1.tables['table1'], 'after merge, table1 should be a Table')
+    assert_equal(
+      [
+        "*table1",
+        ":INPUT ACCEPT",
+        "COMMIT"
+      ], 
+      test_iptables1.as_array,
+      'after merge, table1 should include a complete ruleset'
+    )
+  end
+
+  def test_custom_service_additions
+    config = IPTables::Configuration.new()
+    policy_table = IPTables::Tables.new({
+      'filter' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT',
+          'rules' => [
+            {
+              'node_addition_points' => [ 'INPUT' ]
+            },
+          ]
+        }
+      }
+    }, config)
+    rules_table = IPTables::Tables.new({
+      'filter' => {
+        'INPUT' => {
+          'additions' => [
+            {
+              'service_name' => 'svc1',
+              'service_tcp' => 2222
+            },
+            {
+              'service_name' => 'svc2',
+              'service_udp' => 2223
+            },
+            {
+              'service_name' => 'svc3',
+              'service_tcp' => 2224,
+              'service_udp' => 2225
+            }
+          ]
+        }
+      }
+    }, config)
+    policy_table.merge(rules_table)
+    assert_equal(
+      [
+        "*filter",
+        ":INPUT ACCEPT",
+        '-A INPUT -m comment --comment "_ Port 2222 - svc1"',
+        '-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT',
+        '-A INPUT -m comment --comment "_ Port 2223 - svc2"',
+        '-A INPUT -p udp -m udp --sport 1024:65535 --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT',
+        '-A INPUT -m comment --comment "_ svc3"',
+        '-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2224 -m state --state NEW,ESTABLISHED -j ACCEPT',
+        '-A INPUT -p udp -m udp --sport 1024:65535 --dport 2225 -m state --state NEW,ESTABLISHED -j ACCEPT',
+        "COMMIT"
+      ], 
+      policy_table.as_array,
+      'adding custom services on a node_addition_point should produce known results'
+    )
+  end
+
+  def test_merge
+    test_iptables1 = IPTables::Tables.new(
+      <<-EOS.dedent
+        *table1
+        *table2
+        COMMIT
+      EOS
+    )
+    test_iptables2 = IPTables::Tables.new( {
+      'table1' => {},
+      'table2' => false,
+      'table3' => nil,
+      'table4' => {}
+    })
+    test_iptables1.merge(test_iptables2)
+    assert_kind_of(IPTables::Table, test_iptables1.tables['table1'], 'after merge, table1 should still be a Table')
+    assert_nil(test_iptables1.tables['table2'], 'after merge, should have no table2')
+    assert_nil(test_iptables1.tables['table3'], 'after merge, should still have no table3')
+    assert_kind_of(IPTables::Table, test_iptables1.tables['table4'], 'after merge, table4 should be a new Table')
+
+    # a huge merge test, because I am lazy
+    config = IPTables::Configuration.new()
+    policy_table = IPTables::Tables.new({
+      'filter' => {
+        'INPUT' => {
+          'policy' => 'ACCEPT',
+          'rules' => [
+            '-J INPUT_rule1',
+            {
+              'node_addition_points' => [ 'INPUT', 'chain_INOUT' ]
+            },
+            '-J INPUT_rule3'
+          ]
+        },
+        'OUTPUT' => {
+          'policy' => 'ACCEPT',
+          'rules' => [
+            '-J OUTPUT_rule1',
+            {
+              'node_addition_points' => [ 'OUTPUT', 'chain_INOUT' ]
+            },
+            '-J OUTPUT_rule3'
+          ]
+        }
+      }
+    }, config)
+    rules_table = IPTables::Tables.new({
+      'filter' => {
+        'INPUT' => {
+          'policy' => 'DROP',
+          'additions' => [
+            '-J INPUT_addition'
+          ]
+        },
+        'FORWARD' => {
+          'policy' => 'REJECT',
+          'rules' => [
+            '-J FORWARD_rule1'
+          ]
+        },
+        'chain_INOUT' => {
+          'additions' => [
+            '-J chain_INOUT_addition'
+          ]
+        },
+        'nonexistent' => {
+          'additions' => [
+            '-J nonexistent_addition'
+          ]
+        }
+      }
+    }, config)
+    policy_table.merge(rules_table)
+    assert_equal(
+      [
+        "*filter",
+        ":INPUT DROP",
+        ":FORWARD REJECT",
+        ":OUTPUT ACCEPT",
+        "-A INPUT -J INPUT_rule1",
+        "-A INPUT -J INPUT_addition",
+        "-A INPUT -J chain_INOUT_addition",
+        "-A INPUT -J INPUT_rule3",
+        "-A FORWARD -J FORWARD_rule1",
+        "-A OUTPUT -J OUTPUT_rule1",
+        "-A OUTPUT -J chain_INOUT_addition",
+        "-A OUTPUT -J OUTPUT_rule3",
+        "COMMIT"
+      ], 
+      policy_table.as_array
+    )
+  end
+
+  def test_get_node_additions
+    # not testing this directly here?
+  end
+
+  def test_parse
+    assert_raise( RuntimeError ) { IPTables::Tables.new('garbage') }
+    assert_raise( RuntimeError, 'should not allow empty iptables parsed rules' ) { IPTables::Tables.new('') }
+  end
+end
+
+class TestTable < Test::Unit::TestCase
+  def test_initialize
+    test_iptables = IPTables::Tables.new({
+      'table1' => {
+        'INPUT' => {
+          'rules' => [
+            '-j ACCEPT'
+          ]
+        }
+      }
+    })
+    table1 = test_iptables.tables['table1']
+    assert_kind_of(IPTables::Tables, table1.my_iptables)
+    assert_kind_of(IPTables::Chain, table1.chains['INPUT'])
+    assert_equal('table1', table1.name)
+
+    assert_raise( RuntimeError ) {
+      IPTables::Tables.new({
+        'table1' => {
+          'INPUT' => 1
+        }
+      })
+    }
+  end
+
+  def test_path
+    test_iptables = IPTables::Tables.new({
+      'table1' => {
+        'INPUT' => {
+          'rules' => [
+            '-j ACCEPT'
+          ]
+        }
+      }
+    })
+    table1 = test_iptables.tables['table1']
+    assert_equal('table1', table1.path)
+  end
+
+  def test_merge
+    test_iptables1 = IPTables::Tables.new(
+      <<-EOS.dedent
+        *table1
+        :chain1 ACCEPT [0:0]
+        :chain2 ACCEPT [0:0]
+        -A chain1 -j ACCEPT
+        -A chain2 -j ACCEPT
+        COMMIT
+      EOS
+    )
+    table1 = test_iptables1.tables['table1']
+
+    test_iptables2 = IPTables::Tables.new({
+      'table1' => {
+        'chain1' => {},
+        'chain2' => false,
+        'chain3' => nil,
+        'chain4' => {},
+      }
+    })
+    table2 = test_iptables2.tables['table1']
+
+    table1.merge(table2)
+    assert_kind_of(IPTables::Chain, table1.chains['chain1'])
+    assert_nil(table1.chains['chain2'], 'after merge, should have no chain2')
+    assert_nil(table1.chains['chain3'], 'after merge, should have no chain3')
+    assert_kind_of(IPTables::Chain, table1.chains['chain4'])
+  end
+end
+
+class TestChain < Test::Unit::TestCase
+  def setup
+    @test_iptables = IPTables::Tables.new(
+      <<-EOS.dedent
+        *table1
+        :chain1 ACCEPT [0:0]
+        -A chain1 -m comment --comment "BEGIN: in-bound traffic"
+        -A chain1 -j ACCEPT
+        COMMIT
+      EOS
+    )
+    @chain1 = @test_iptables.tables['table1'].chains['chain1']
+  end
+
+  def test_output_policy
+    assert_equal('ACCEPT', @chain1.output_policy)
+  end
+
+  def test_as_array
+    assert_equal(
+      [
+        '-A chain1 -m comment --comment "BEGIN: in-bound traffic"',
+        '-A chain1 -j ACCEPT'
+      ], 
+      @chain1.as_array,
+      'chain as array should produce known output'
+    )
+  end
+
+  def test_all_as_array
+    assert_equal(
+      [
+        ':chain1 ACCEPT',
+        '-A chain1 -m comment --comment "BEGIN: in-bound traffic"',
+        '-A chain1 -j ACCEPT'
+      ], 
+      @chain1.all_as_array,
+      'chain as array including its policy should produce known output'
+    )
+  end
+
+  def test_as_array_without_comments
+    assert_equal(
+      @chain1.rules[0].type,
+      'comment',
+      'a chain rule that is known to be a comment should have type comment'
+    )
+    assert_equal(
+      [ '-A chain1 -j ACCEPT' ], 
+      @chain1.as_array(comments = false),
+      'chain as array without comments should produce known output'
+    )
+  end
+
+  def test_path
+    assert_equal('table1.chain1', @chain1.path)
+  end
+
+  def test_complete?
+    assert(
+      IPTables::Chain.new(
+        'test_chain',
+        { 'rules' => [ '-j ACCEPT' ] }, 
+        @test_iptables
+      ).complete?,
+      'chain with rules should say it is complete'
+    )
+    assert(
+      IPTables::Chain.new( 'test_chain', {}, @test_iptables).complete?,
+      'chain without any rules or additions should say it is complete'
+    )
+    assert_equal(
+      false,
+      IPTables::Chain.new( 'test_chain', { 'additions' => [] }, @test_iptables).complete?,
+      'chain with only additions should not say it is complete'
+    )
+  end
+end
+
+class TestRule < Test::Unit::TestCase
+  def setup
+    config = IPTables::Configuration.new
+    config.primitives( 
+      IPTables::Primitives.new({
+        'branch' => { 'leaf1' => 'leaf1_value' },
+        'leaf2' => 'leaf2_value',
+      }) 
+    )
+    config.interpolations( 
+      IPTables::Interpolations.new( config.primitives )
+    )
+    config.services( 
+      IPTables::Services.new({
+        'service1' => 1111,
+      }) 
+    )
+    config.macros( 
+      IPTables::Macros.new({
+        'macro1' => '-j macro1',
+      }) 
+    )
+    @test_iptables = IPTables::Tables.new({
+      'table1' => {
+        'chain1' => {
+          'policy' => 'ACCEPT',
+          'rules' => [
+            '-j ACCEPT'
+          ]
+        }
+      }
+    }, config)
+    @chain1 = @test_iptables.tables['table1'].chains['chain1']
+  end
+
+  def test_initialize
+    assert_raise( RuntimeError ) { IPTables::Rule.new( 1, @chain1 ) }
+    assert_equal(0, @chain1.rules[0].position)
+    assert_equal(
+      ["-A chain1 -j ACCEPT"], 
+      IPTables::Rule.new( {'raw' => '-j ACCEPT'}, @chain1 ).as_array
+    )
+    assert_equal(
+      [
+        "-A chain1 -m comment --comment \"_ Port 1337 - foo\"",
+         "-A chain1 -p tcp -m tcp --sport 1024:65535 --dport 1337 -m state --state NEW,ESTABLISHED -j ACCEPT"
+      ],
+      IPTables::Rule.new( {'service_name' => 'foo', 'service_tcp' => 1337}, @chain1 ).as_array
+    )
+    assert_equal(
+      [
+        "-A chain1 -m comment --comment \"_ Port 1337 - foo\"",
+         "-A chain1 -p tcp -m tcp --sport 1024:65535 --dport 1337 -m state --state NEW,ESTABLISHED -j ACCEPT",
+        "-A chain1 -p udp -m udp --sport 1024:65535 --dport 1337 -m state --state NEW,ESTABLISHED -j ACCEPT"
+      ],
+      IPTables::Rule.new( {'service_name' => 'foo', 'service_tcp' => 1337, 'service_udp' => 1337}, @chain1 ).as_array
+    )
+    assert_raise( RuntimeError ) { 
+      IPTables::Rule.new( {'service_name' => 'foo', 'service_tcp' => 1337, 'service_udp' => 1337, 'fake' => 1}, @chain1 ).as_array
+    }
+    assert_raise( RuntimeError ) { IPTables::Rule.new( {'bad' => 1}, @chain1 ) }
+  end
+
+  def test_handle_comment
+    rule = IPTables::Rule.new( {'comment' => 'a comment'}, @chain1 )
+    assert_equal( 
+      {'comment' => 'a comment'}, 
+      rule.rule_hash,
+      'comment attributes should be handled as comments'
+    )
+    assert_equal( 
+      rule.type,
+      'comment',
+      'comment attributes should have their type set as "comment"'
+    )
+  end
+
+  def test_parse_comment
+    rule = IPTables::Rule.new( '-m comment --comment "BEGIN: in-bound traffic"', @chain1 )
+    assert_equal( 
+      {'comment' => 'BEGIN: in-bound traffic'}, 
+      rule.rule_hash,
+      'parsed comments should have their rule_hash set properly'
+    )
+    assert_equal( 
+      rule.type,
+      'comment',
+      'parsed comments should have their type set as "comment"'
+    )
+    assert_equal( 
+      [], 
+      rule.as_array(comments = false),
+      'parsed comments should not display when displayed with comments turned off'
+    )
+  end
+
+  def test_handle_node_addition_points
+    rule = IPTables::Rule.new( {'node_addition_points' => ['chain1']}, @chain1 )
+    assert_equal( [], rule.as_array )
+  end
+
+  def test_handle_interpolated
+    assert_equal( 
+      ["-A chain1 -j leaf1_value"], 
+      IPTables::Rule.new( {'interpolated' => '-j <% branch.leaf1 %>'}, @chain1 ).as_array 
+    )
+  end
+
+  def test_handle_macro
+    assert_equal( 
+      ["-A chain1 -j macro1"], 
+      IPTables::Rule.new( {'macro' => 'macro1'}, @chain1 ).as_array 
+    )
+  end
+
+  def test_handle_service
+    assert_equal( 
+      [
+        "-A chain1 -m comment --comment \"_ Port 1111 - service1\"",
+        "-A chain1 -p tcp -m tcp --sport 1024:65535 --dport 1111 -m state --state NEW,ESTABLISHED -j ACCEPT"
+      ], 
+      IPTables::Rule.new( {'service' => 'service1'}, @chain1 ).as_array 
+    )
+  end
+
+  def test_handle_requires_primitive
+    assert_equal( 
+      [], 
+      IPTables::Rule.new( 
+        {
+          'raw' => '-j ACCEPT', 
+          'requires_primitive' => 'nonexistent'
+        }, 
+        @chain1 
+      ).as_array 
+    )
+    assert_equal( 
+      ['-A chain1 -j ACCEPT'], 
+      IPTables::Rule.new( 
+        {
+          'raw' => '-j ACCEPT', 
+          'requires_primitive' => 'leaf2'
+        }, 
+        @chain1 
+      ).as_array 
+    )
+  end
+
+  def test_as_array
+    assert_equal(
+      ["-A chain1 -p tcp -m limit --limit 1/sec --limit-burst 2 -j ULOG --ulog-prefix \"chain1:\""],
+      IPTables::Rule.new( {'ulog' => '-p tcp'}, @chain1 ).as_array
+    )
+  end
+
+  def test_path
+    assert_equal('table1.chain1.0', @chain1.rules[0].path)
+  end
+end