
Inspec iptables should have_rule tests not working #420

Closed
richardlock opened this issue Feb 5, 2016 · 8 comments
Labels
Type: Bug Feature not working as expected

Comments

@richardlock

chefdk (0.10.0)
inspec (0.9.11)
kitchen-inspec (0.10.1)

When using verifier: name: inspec in .kitchen.yml instead of serverspec, none of the iptables tests work. E.g.

describe iptables do
  it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
end

kitchen verify web
-----> Starting Kitchen (v1.4.2)
C:/tools/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.6.0.1/lib/httpclient/webagent-cookie.rb:458: warning: already initialized constant HTTPClient::CookieManager
C:/tools/chefdk/embedded/lib/ruby/gems/2.1.0/gems/httpclient-2.6.0.1/lib/httpclient/cookie.rb:8: warning: previous definition of CookieManager was here
-----> Verifying <web-centos-67>...
........F

Failures:

  1) Iptables should have rule "-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment \"derby-cognos-web\" -j ACCEPT"
     Failure/Error: it { should have_rule('-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT') }
       expected Iptables to have rule "-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment \"derby-cognos-web\" -j ACCEPT"
     # ./test/integration/web/web_spec.rb:31:in `block (2 levels) in load'
     # C:/Users/782088/AppData/Local/chefdk/gem/ruby/2.1.0/gems/inspec-0.9.11/lib/inspec/runner_rspec.rb:55:in `run'
     # C:/Users/782088/AppData/Local/chefdk/gem/ruby/2.1.0/gems/inspec-0.9.11/lib/inspec/runner.rb:110:in `run'
     # C:/Users/782088/AppData/Local/chefdk/gem/ruby/2.1.0/gems/kitchen-inspec-0.10.1/lib/kitchen/verifier/inspec.rb:43:in `call'

Finished in 0.26005 seconds (files took 1.59 seconds to load)
9 examples, 1 failure

Failed examples:

rspec  # Iptables should have rule "-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment \"derby-cognos-web\" -j ACCEPT"

>>>>>> Verify failed on instance <web-centos-67>.
>>>>>> Please see .kitchen/logs/web-centos-67.log for more details
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: Inspec Runner returns 1
>>>>>> ----------------------
zlib(finalizer): the stream was freed prematurely.
@chris-rock
Contributor

Thanks for reporting @richardlock. Could you share the result of iptables -S?

@richardlock
Author

Thanks.

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N derby-base
-N derby-cognos-web
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "established" -j ACCEPT
-A INPUT -p icmp -m comment --comment "icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
-A INPUT -j derby-base
-A INPUT -j derby-cognos-web
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "ssh" -j ACCEPT
-A INPUT -m comment --comment "reject" -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m comment --comment "reject" -j REJECT --reject-with icmp-host-prohibited
-A derby-base -p tcp -m tcp --dport 6123 -m comment --comment "catalogic-dpx" -j ACCEPT
-A derby-base -p udp -m udp --dport 161 -m comment --comment "snmp" -j ACCEPT
-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT

@chris-rock chris-rock added the Type: Bug Feature not working as expected label Feb 8, 2016
@srenatus srenatus self-assigned this Feb 9, 2016
@srenatus
Contributor

srenatus commented Feb 9, 2016

Hi @richardlock!

I've looked into this and it turns out that the output of iptables -S on Ubuntu 14.04 does not seem to include those quotes around one-word comments.

What platform are you working on?

@richardlock
Author

This is RHEL 6.x. Thanks.

@srenatus
Contributor

srenatus commented Feb 9, 2016

Thanks for the quick feedback. Ok, I can verify that CentOS 6.7 has those quotes, too...

@srenatus
Contributor

srenatus commented Feb 9, 2016

Yup, integration tests fail on centos6. Will dig deeper tomorrow. I bet it's the comments ;)

srenatus added a commit that referenced this issue Feb 9, 2016
As it turns out, some of the lines on CentOS 6 had a trailing space in them.

Fixes #420.
@srenatus
Contributor

srenatus commented Feb 9, 2016

The bug is fixed in #442:

Turns out separate lines of the iptables -S output on CentOS 6 may or may not have an extra trailing space. 👎

@richardlock please let me know if this fix works for you :)
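The failure mode described in this thread, as an added example that is not InSpec's own code: a minimal stand-in for the iptables resource's rule lookup, run against a constructed `iptables -S` sample in which one line carries the trailing space seen on CentOS 6. The naive line-by-line comparison misses the rule; stripping each line before the exact match (the approach the fix takes) finds it. The function and constant names are assumptions for this illustration.

```ruby
# Added example (not InSpec's own code). Shows why a trailing space in
# `iptables -S` output makes an exact-match `have_rule` check fail, and
# how normalizing whitespace per line fixes it.

# Constructed sample of `iptables -S` output, modelled on the CentOS 6
# listing in this issue. Note the trailing space at the end of the last
# line: that is the defect the fix in #442 accounts for.
SAMPLE_IPTABLES_S = [
  "-P INPUT ACCEPT",
  "-N derby-cognos-web",
  "-A INPUT -j derby-cognos-web",
  '-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT ',
].join("\n") + "\n"

# The rule the kitchen test in this issue expects to find.
EXPECTED_RULE = '-A derby-cognos-web -p tcp -m tcp --dport 80 -m comment --comment "derby-cognos-web" -j ACCEPT'

# Naive parsing: split on newlines and keep each line verbatim, so a
# stray trailing space survives into the rule list.
def parse_rules_naive(output)
  output.lines.map(&:chomp)
end

# Normalized parsing: strip leading/trailing whitespace on every line and
# drop empty lines, so platform quirks in the listing cannot break an
# exact match against the rule the test asks for.
def parse_rules_normalized(output)
  output.lines.map(&:strip).reject(&:empty?)
end

# Exact-match lookup, mirroring what `it { should have_rule(...) }` does.
# The requested rule is stripped too, so whitespace on either side of the
# comparison is treated the same way.
def has_rule?(rules, rule)
  rules.include?(rule.strip)
end

if __FILE__ == $PROGRAM_NAME
  naive = has_rule?(parse_rules_naive(SAMPLE_IPTABLES_S), EXPECTED_RULE)
  fixed = has_rule?(parse_rules_normalized(SAMPLE_IPTABLES_S), EXPECTED_RULE)
  puts "naive lookup finds rule:      #{naive}"   # false
  puts "normalized lookup finds rule: #{fixed}"   # true
end
```

The same normalization is worth applying to any resource that compares shell output line-by-line: trimming before comparison costs nothing, while a verbatim match silently turns a formatting difference between distributions into a false "rule missing" finding.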

srenatus added a commit that referenced this issue Feb 10, 2016
As it turns out, some of the lines on CentOS 6 had a trailing space in them.

Fixes #420.
@richardlock
Author

Thanks for fixing this Stephan and Dominik. I'm having trouble running bundler with chefdk on Windows so can't test building from source. I'll wait for the next inspec release to test.
