diff --git a/lib/puppet/provider/firewall/firewall.rb b/lib/puppet/provider/firewall/firewall.rb
index 189e0daca..be6e3e9c2 100644
--- a/lib/puppet/provider/firewall/firewall.rb
+++ b/lib/puppet/provider/firewall/firewall.rb
@@ -687,6 +687,20 @@ def self.validate_input(is, should)
     end
     # Log prefix size is limited
     raise 'Parameter `nflog_prefix`` must be less than 64 characters' if should[:nflog_prefix] && should[:nflog_prefix].length > 64
+
+    [:dst_range, :src_range].each do |key|
+      next unless should[key]
+      matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(should[key])
+      raise(ArgumentError, "The IP range must be in 'IP1-IP2' format.") unless matches
+
+      [matches[1], matches[2]].each do |addr|
+        begin # rubocop:disable Style/RedundantBegin
+          PuppetX::Firewall::Utility.host_to_ip(addr)
+        rescue StandardError
+          raise("Invalid IP address \"#{addr}\" in range \"#{should[key]}\"")
+        end
+      end
+    end
   end
 
   # Certain attributes need processed in ways that can vary between IPv4 and IPv6
@@ -917,7 +931,7 @@ def insync?(context, _name, property_name, is_hash, should_hash)
       is = is_hash[property_name]
       should = should_hash[property_name]
 
-      should = 'IPv4' if should == 'iptables'
+      is = 'IPv4' if is == 'iptables'
       should = 'IPv6' if should == 'ip6tables'
 
       is == should
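Review bot: The range pattern in the new `[:dst_range, :src_range].each` loop anchors with `^`/`$`, which in Ruby match at line boundaries, so a value like `"10.0.0.1-10.0.0.2\nX"` passes the format check while the raw value (with its trailing text) is what later builds the iptables arguments; since the type side now accepts any `String[1]`, this check is the only gate left. The negation form the type documents (`'! 192.168.1.1-192.168.1.10'`) is also not handled here: the `! ` lands inside `matches[1]` and is handed to `host_to_ip`, which presumably rejects it (confirm against that helper). Anchoring the whole string and allowing the optional prefix covers both: `matches = %r{\A(?:!\s+)?([^\-\/\s]+)-([^\-\/\s]+)\z}.match(should[key])`. The two failure paths also raise different classes (`ArgumentError` versus a bare `raise`, i.e. `RuntimeError`); the inner one could be `raise(ArgumentError, "Invalid IP address \"#{addr}\" in range \"#{should[key]}\"")` for consistency. validate_input's body starts before this hunk.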
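Review bot: The normalisation in the protocol comparison is now asymmetric: `is` is mapped from `iptables` to `IPv4` but `should` no longer is, while `should` is mapped from `ip6tables` to `IPv6` and `is` is not. If a manifest still passes `protocol => 'iptables'`, or the provider ever reports `ip6tables`, the two sides can never compare equal and the resource is reported out of sync on every run. Mapping both sides through one table removes the dependency on which side carries the legacy name: `aliases = { 'iptables' => 'IPv4', 'ip6tables' => 'IPv6' }` / `is = aliases.fetch(is, is)` / `should = aliases.fetch(should, should)`. The `case` this branch belongs to starts before the hunk.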
@@ -1015,6 +1029,12 @@ def insync?(context, _name, property_name, is_hash, should_hash) # Range can be passed as `-` but will always be set/returned as `:` is_hash[property_name] == should_hash[property_name].gsub(%r{-}, ':') if should_hash[property_name].is_a?(String) is_hash[property_name] == should_hash[property_name].map { |port| port.to_s.gsub(%r{-}, ':') } if should_hash[property_name].is_a?(Array) + when :string_hex + # Compare the values with any whitespace removed + is = is_hash[property_name].to_s.gsub(%r{\s+}, '') + should = should_hash[property_name].to_s.gsub(%r{\s+}, '') + + is == should else # Ensure that if both values are arrays, that they are sorted prior to comparison return nil unless is_hash[property_name].is_a?(Array) && should_hash[property_name].is_a?(Array) diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index f9a30647a..90eb701f1 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -341,21 +341,21 @@ DESC }, src_range: { - type: 'Optional[Pattern[/^(?:!\s)?\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d++$/]]', + type: 'Optional[String[1]]', desc: <<-DESC The source IP range. For example: src_range => '192.168.1.1-192.168.1.10' - You can also negate the range by putting ! in front. For example: + You can also negate the range by apending a `!`` to the front. For example: - ! src_range => '192.168.1.1-192.168.1.10' + src_range => '! 192.168.1.1-192.168.1.10' The source IP range must be in 'IP1-IP2' format. DESC }, dst_range: { - type: 'Optional[Pattern[/^(?:!\s)?\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+$/]]', + type: 'Optional[String[1]]', desc: <<-DESC The destination IP range. For example: @@ -1189,7 +1189,7 @@ DESC }, to: { - type: 'Optional[Pattern[/^\d+\.\d+\.\d+\.\d+(?:\/\d+)?$/]]', + type: 'Optional[String[1]]', desc: <<-DESC For NETMAP this will replace the destination IP DESC 
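Review bot: The new `when :string_hex` branch strips whitespace but does not normalise case, so if these values are hex strings as the case name suggests, `0x1A` in a manifest and `0x1a` as reported back differ only in case and would be flagged as a change on every run (confirm how the provider renders these). Folding case alongside the whitespace strip is a two-line change: `is = is_hash[property_name].to_s.gsub(%r{\s+}, '').downcase` and `should = should_hash[property_name].to_s.gsub(%r{\s+}, '').downcase`. The comment could also say why whitespace is ignored, e.g. `# Hex values may be written with or without separating spaces; compare them as one token`.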
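Review bot: The rewritten `src_range` description has a misspelling and a stray backtick (`apending a `!``), and it does not say that the format is now checked only at apply time by the provider rather than by the catalog type, which is the practical effect of changing the type to `String[1]`. Suggested wording: `You can also negate the range by prepending a `!` followed by a space. For example:` and, after the format sentence, `Both addresses are validated when the resource is applied; IPv6 ranges are accepted for the ip6tables protocol` (the last clause only if that is what validate_input's host_to_ip check accepts). The `dst_range` description is cut off at the end of the hunk; if it carries the same negation text it needs the same fix.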
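Review bot: The `to` parameter loses its only format check here: the old `Pattern` accepted an IPv4 address with an optional prefix length, the new type is `String[1]`, and unlike `src_range`/`dst_range` nothing in this commit adds a replacement check in validate_input, so any string is now passed through to the NETMAP target. If the intent is to admit IPv6 as well, a pattern still gives compile-time rejection of junk: `type: 'Optional[Pattern[/\A(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)(?:\/\d{1,3})?\z/]]'`; otherwise validate_input should split on `/` and run the address part through `PuppetX::Firewall::Utility.host_to_ip` the way the range check does. Either way the description should state the accepted form, e.g. `An IP address, optionally followed by a /prefix length`.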
diff --git a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
index edfc34f4c..3b5854f60 100644
--- a/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
+++ b/spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
@@ -1,541 +1,541 @@ -# # frozen_string_literal: true - -# require 'spec_helper_acceptance' - -# describe 'firewall ipv6 attribute testing, exceptions' do -# before(:all) do -# iptables_flush_all_tables -# ip6tables_flush_all_tables -# if os[:family] == 'debian' && os[:release] == '10' -# # in order to avoid this stderr: Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them\n" -# run_shell('update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy') -# end -# end - -# describe 'standard attributes', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do -# describe 'dst_range' do -# context 'when 2001::db8::1-2001:db8::ff' do -# pp = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '602 - test': -# proto => tcp, -# dport => '602', -# action => accept, -# provider => 'ip6tables', -# dst_range => '2001::db8::1-2001:db8::ff', -# } -# PUPPETCODE -# it 'applies' do -# apply_manifest(pp, expect_failures: true) do |r| -# expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"}) -# end -# end - -# it 'does not contain the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001::db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - test" -j ACCEPT}) -# end -# end -# end -# end - -# ['dst_type', 'src_type'].each do |type| -# describe type.to_s do -# context 'when BROKEN' do -# pp = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '603 - test': -# proto => tcp, -# action => accept, -# #{type} => 'BROKEN', -# provider => 'ip6tables', -# } -# PUPPETCODE -# it 'fails' do -# apply_manifest(pp, expect_failures: true) do |r| -# expect(r.stderr).to match(%r{Invalid value "BROKEN".}) -# end -# end - -# it 'does not contain the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment 
--comment "603 - test" -j ACCEPT}) -# end -# end -# end - -# context 'when duplicated LOCAL' do -# pp = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '619 - test': -# proto => tcp, -# action => accept, -# #{type} => ['LOCAL', 'LOCAL'], -# provider => 'ip6tables', -# } -# PUPPETCODE -# it 'fails' do -# apply_manifest(pp, expect_failures: true) do |r| -# expect(r.stderr).to match(%r{#{type} elements must be unique}) -# end -# end - -# it 'does not contain the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT}) -# end -# end -# end - -# context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')) do -# pp = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '616 - test': -# proto => tcp, -# action => accept, -# #{type} => ['LOCAL', '! LOCAL'], -# provider => 'ip6tables', -# } -# PUPPETCODE -# it 'fails' do -# apply_manifest(pp, expect_failures: true) do |r| -# expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version}) -# end -# end - -# it 'does not contain the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! 
--#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) -# end -# end -# end -# end -# end - -# describe 'hop_limit' do -# context 'when invalid' do -# pp = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '571 - test': -# ensure => present, -# proto => tcp, -# dport => '571', -# action => accept, -# hop_limit => 'invalid', -# provider => 'ip6tables', -# } -# PUPPETCODE -# it 'applies' do -# apply_manifest(pp, expect_failures: true) do |r| -# expect(r.stderr).to match(%r{Invalid value "invalid".}) -# end -# end - -# it 'does not contain the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m multiport --dports 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT}) -# end -# end -# end -# end - -# # ipset is hard to test, only testing on ubuntu 14 -# describe 'ipset', if: (os[:family] == 'redhat' && os[:release].start_with?('14')) do -# before(:all) do -# pp = <<-PUPPETCODE -# exec { 'hackery pt 1': -# command => 'service iptables-persistent flush', -# path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', -# } -# package { 'ipset': -# ensure => present, -# require => Exec['hackery pt 1'], -# } -# exec { 'hackery pt 2': -# command => 'service iptables-persistent start', -# path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', -# require => Package['ipset'], -# } -# class { '::firewall': } -# exec { 'create ipset blacklist': -# command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120', -# path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', -# require => Package['ipset'], -# } -# -> exec { 'create ipset honeypot': -# command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120', -# path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', -# } -# -> exec { 'add blacklist': -# command => 'ipset add blacklist 2001:db8::1,80', -# path 
=> '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', -# } -# -> exec { 'add honeypot': -# command => 'ipset add honeypot 2001:db8::5', -# path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', -# } -# firewall { '612 - test': -# ensure => present, -# chain => 'INPUT', -# proto => tcp, -# action => drop, -# ipset => ['blacklist src,dst', '! honeypot dst'], -# provider => 'ip6tables', -# require => Exec['add honeypot'], -# } -# PUPPETCODE -# apply_manifest(pp, catch_failures: true) -# end - -# it 'contains the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).to match(%r{-A INPUT -p tcp -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP}) -# end -# end -# end - -# describe 'src_range' do -# context 'when 2001::db8::1-2001:db8::ff' do -# pp = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '601 - test': -# proto => tcp, -# dport => '601', -# action => accept, -# provider => 'ip6tables', -# src_range => '2001::db8::1-2001:db8::ff', -# } -# PUPPETCODE -# it 'applies' do -# apply_manifest(pp, expect_failures: true) do |r| -# expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"}) -# end -# end - -# it 'does not contain the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).not_to match(%r{-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --dports 601 -m comment --comment "601 - test" -j ACCEPT}) -# end -# end -# end -# end - -# unless os[:family] == 'redhat' && os[:release].start_with?('8', '9') -# describe 'time tests' do -# context 'when set all time parameters' do -# pp1 = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '805 - time': -# proto => tcp, -# dport => '8080', -# action => accept, -# chain => 'OUTPUT', -# date_start => '2016-01-19T04:17:07', -# date_stop => '2038-01-19T04:17:07', -# time_start => '6:00', -# time_stop => '17:00:00', -# month_days => 
'7', -# week_days => 'Tue', -# kernel_timezone => true, -# provider => 'ip6tables', -# } -# PUPPETCODE -# it 'applies' do -# idempotent_apply(pp1) -# end - -# it 'contains the rule' do -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).to match( -# %r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Layout/LineLength -# ) -# end -# end -# end -# end -# end -# end - -# describe 'unless redhat 5 happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5')) do -# before(:all) do -# pp = <<-PUPPETCODE -# firewall { '701 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '701', -# action => accept, -# physdev_in => 'eth0', -# } -# firewall { '702 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '702', -# action => accept, -# physdev_out => 'eth1', -# } -# firewall { '703 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '703', -# action => accept, -# physdev_in => 'eth0', -# physdev_out => 'eth1', -# } -# firewall { '704 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '704', -# action => accept, -# physdev_is_bridged => true, -# } -# firewall { '705 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '705', -# action => accept, -# physdev_in => 'eth0', -# physdev_is_bridged => true, -# } -# firewall { '706 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '706', -# action => accept, -# physdev_out => 'eth1', -# physdev_is_bridged => true, -# } -# firewall { '707 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '707', -# action => accept, -# physdev_in => 'eth0', -# 
physdev_out => 'eth1', -# physdev_is_bridged => true, -# } -# firewall { '708 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '708', -# action => accept, -# physdev_is_in => true, -# } -# firewall { '709 - test': -# provider => 'ip6tables', -# chain => 'FORWARD', -# proto => tcp, -# dport => '709', -# action => accept, -# physdev_is_out => true, -# } -# firewall { '1002 - set_dscp': -# proto => 'tcp', -# jump => 'DSCP', -# set_dscp => '0x01', -# dport => '997', -# chain => 'OUTPUT', -# table => 'mangle', -# provider => 'ip6tables', -# } -# firewall { '1003 EF - set_dscp_class': -# proto => 'tcp', -# jump => 'DSCP', -# dport => '997', -# set_dscp_class => 'EF', -# chain => 'OUTPUT', -# table => 'mangle', -# provider => 'ip6tables', -# } -# firewall { '502 - set_mss': -# proto => 'tcp', -# tcp_flags => 'SYN,RST SYN', -# jump => 'TCPMSS', -# set_mss => '1360', -# mss => '1361:1541', -# chain => 'FORWARD', -# table => 'mangle', -# provider => 'ip6tables', -# } -# firewall { '503 - clamp_mss_to_pmtu': -# proto => 'tcp', -# chain => 'FORWARD', -# tcp_flags => 'SYN,RST SYN', -# jump => 'TCPMSS', -# clamp_mss_to_pmtu => true, -# provider => 'ip6tables', -# } -# firewall { '803 - hashlimit_upto test ip6': -# chain => 'INPUT', -# provider => 'ip6tables', -# hashlimit_name => 'upto-ip6', -# hashlimit_upto => '16/sec', -# hashlimit_burst => '640', -# hashlimit_htable_size => '1000000', -# hashlimit_htable_max => '320000', -# hashlimit_htable_expire => '36000000', -# action => accept, -# } -# firewall { '503 match_mark ip6tables - test': -# proto => 'all', -# match_mark => '0x1', -# action => reject, -# provider => 'ip6tables', -# } - -# PUPPETCODE -# idempotent_apply(pp) -# end - -# let(:result) { run_shell('ip6tables-save') } - -# it 'physdev_in is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 701 -m comment --comment "701 - test" -j ACCEPT}) -# end -# it 
'physdev_out is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 702 -m comment --comment "702 - test" -j ACCEPT}) -# end -# it 'physdev_in and physdev_out is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m multiport --dports 703 -m comment --comment "703 - test" -j ACCEPT}) -# end -# it 'physdev_is_bridged is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-bridged -m multiport --dports 704 -m comment --comment "704 - test" -j ACCEPT}) -# end -# it 'physdev_in and physdev_is_bridged is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m multiport --dports 705 -m comment --comment "705 - test" -j ACCEPT}) -# end -# it 'physdev_out and physdev_is_bridged is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m multiport --dports 706 -m comment --comment "706 - test" -j ACCEPT}) -# end -# it 'physdev_in and physdev_out and physdev_is_bridged is set' do -# expect(result.stdout).to match( -# %r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 707 -m comment --comment "707 - test" -j ACCEPT} -# ) -# end -# it 'physdev_is_in is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-in -m multiport --dports 708 -m comment --comment "708 - test" -j ACCEPT}) -# end -# it 'physdev_is_out is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-is-out -m multiport --dports 709 -m comment --comment "709 - test" -j ACCEPT}) -# end -# it 'set_dscp is set' do -# expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01}) -# end -# it 'set_dscp_class is set' do -# 
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e}) -# end -# it 'set_mss and mss is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360}) -# end -# it 'clamp_mss_to_pmtu is set' do -# expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu}) -# end -# it 'hashlimit_name set to "upto-ip6"' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Layout/LineLength : Cannot reduce line to required length -# end -# it 'match_mark is set' do -# expect(result.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable}) -# end -# end - -# describe 'ishasmorefrags/islastfrag/isfirstfrag', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do -# shared_examples 'is idempotent' do |values, line_match| -# pp2 = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '599 - test': -# ensure => present, -# proto => 'tcp', -# provider => 'ip6tables', -# #{values} -# } -# PUPPETCODE -# it "changes the values to #{values}" do -# idempotent_apply(pp2) - -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).to match(%r{#{line_match}}) -# end -# end -# end -# shared_examples "doesn't change" do |values, line_match| -# pp3 = <<-PUPPETCODE -# class { '::firewall': } -# firewall { '599 - test': -# ensure => present, -# proto => 'tcp', -# provider => 
'ip6tables', -# #{values} -# } -# PUPPETCODE -# it "doesn't change the values to #{values}" do -# apply_manifest(pp3, catch_changes: true) - -# run_shell('ip6tables-save') do |r| -# expect(r.stdout).to match(%r{#{line_match}}) -# end -# end -# end - -# describe 'adding a rule' do -# context 'when unset' do -# before :all do -# ip6tables_flush_all_tables -# end -# it_behaves_like 'is idempotent', '', %r{-A INPUT -p tcp -m comment --comment "599 - test"} -# end -# context 'when set to true' do -# before :all do -# ip6tables_flush_all_tables -# end -# it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', -# %r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"} -# end -# context 'when set to false' do -# before :all do -# ip6tables_flush_all_tables -# end -# it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} -# end -# end -# describe 'editing a rule' do -# context 'when unset or false' do -# before :each do -# ip6tables_flush_all_tables -# run_shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"') -# end -# context 'when current value is false' do -# it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} -# end -# context 'when current value is true' do -# it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', -# %r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"} -# end -# end -# context 'when set to true' do -# before :each do -# ip6tables_flush_all_tables -# run_shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 
--fragfirst -m comment --comment "599 - test"') -# end -# context 'when current value is false' do -# it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"} -# end -# context 'when current value is true' do -# it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true', -# %r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"} -# end -# end -# end -# end +# frozen_string_literal: true + +require 'spec_helper_acceptance' + +describe 'firewall ipv6 attribute testing, exceptions' do + before(:all) do + iptables_flush_all_tables + ip6tables_flush_all_tables + if os[:family] == 'debian' && os[:release] == '10' + # in order to avoid this stderr: Warning: ip6tables-legacy tables present, use ip6tables-legacy-save to see them\n" + run_shell('update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy') + end + end + + describe 'standard attributes', unless: os[:family] == 'sles' do + describe 'dst_range' do + context 'when 2001::db8::1-2001:db8::ff' do + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '602 - test': + proto => tcp, + dport => '602', + jump => accept, + protocol => 'ip6tables', + dst_range => '2001::db8::1-2001:db8::ff', + } + PUPPETCODE + it 'applies' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"}) + end + end + + it 'does not contain the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6) -m iprange --dst-range 2001::db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - test" -j ACCEPT}) + end + end + end + end + + ['dst_type', 'src_type'].each do |type| + describe type.to_s do + context 'when BROKEN' do + pp = <<-PUPPETCODE + class { 
'::firewall': } + firewall { '603 - test': + proto => tcp, + jump => accept, + #{type} => 'BROKEN', + protocol => 'ip6tables', + } + PUPPETCODE + it 'fails' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Error: Parameter #{type} failed}) + end + end + + it 'does not contain the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6) -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT}) + end + end + end + + context 'when duplicated LOCAL' do + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '619 - test': + proto => tcp, + jump => accept, + #{type} => ['LOCAL', 'LOCAL'], + protocol => 'ip6tables', + } + PUPPETCODE + it 'fails' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{#{type} elements must be unique}) + end + end + + it 'does not contain the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6) -m addrtype\s.*\sLOCAL -m addrtype\s.*\sLOCAL -m comment --comment "619 - test" -j ACCEPT}) + end + end + end + + context 'when multiple addrtype fail', if: (os[:family] == 'redhat' && os[:release].start_with?('5')) do + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '616 - test': + proto => tcp, + jump => accept, + #{type} => ['LOCAL', '! LOCAL'], + protocol => 'ip6tables', + } + PUPPETCODE + it 'fails' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Multiple #{type} elements are available from iptables version}) + end + end + + it 'does not contain the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6) -m addrtype --#{type.tr('_', '-')} LOCAL -m addrtype ! 
--#{type.tr('_', '-')} LOCAL -m comment --comment "616 - test" -j ACCEPT}) + end + end + end + end + end + + describe 'hop_limit' do + context 'when invalid' do + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '571 - test': + ensure => present, + proto => tcp, + dport => '571', + jump => accept, + hop_limit => 'invalid', + protocol => 'ip6tables', + } + PUPPETCODE + it 'applies' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Error: Parameter hop_limit failed}) + end + end + + it 'does not contain the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6)-m tcp --dport 571 -m comment --comment "571 - test" -m hl --hl-eq invalid -j ACCEPT}) + end + end + end + end + + # ipset is hard to test, only testing on ubuntu 14 + describe 'ipset', if: (os[:family] == 'redhat' && os[:release].start_with?('14')) do + before(:all) do + pp = <<-PUPPETCODE + exec { 'hackery pt 1': + command => 'service iptables-persistent flush', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + package { 'ipset': + ensure => present, + require => Exec['hackery pt 1'], + } + exec { 'hackery pt 2': + command => 'service iptables-persistent start', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + require => Package['ipset'], + } + class { '::firewall': } + exec { 'create ipset blacklist': + command => 'ipset create blacklist hash:ip,port family inet6 maxelem 1024 hashsize 65535 timeout 120', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + require => Package['ipset'], + } + -> exec { 'create ipset honeypot': + command => 'ipset create honeypot hash:ip family inet6 maxelem 1024 hashsize 65535 timeout 120', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + -> exec { 'add blacklist': + command => 'ipset add blacklist 2001:db8::1,80', + path => 
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + -> exec { 'add honeypot': + command => 'ipset add honeypot 2001:db8::5', + path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', + } + firewall { '612 - test': + ensure => present, + chain => 'INPUT', + proto => tcp, + jump => drop, + ipset => ['blacklist src,dst', '! honeypot dst'], + protocol => 'ip6tables', + require => Exec['add honeypot'], + } + PUPPETCODE + apply_manifest(pp, catch_failures: true) + end + + it 'contains the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{-A INPUT -p (tcp|6) -m set --match-set blacklist src,dst -m set ! --match-set honeypot dst -m comment --comment "612 - test" -j DROP}) + end + end + end + + describe 'src_range' do + context 'when 2001::db8::1-2001:db8::ff' do + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '601 - test': + proto => tcp, + dport => '601', + jump => accept, + protocol => 'ip6tables', + src_range => '2001::db8::1-2001:db8::ff', + } + PUPPETCODE + it 'applies' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Invalid IP address "2001::db8::1" in range "2001::db8::1-2001:db8::ff"}) + end + end + + it 'does not contain the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).not_to match(%r{-A INPUT -p (tcp|6) -m iprange --src-range 2001::db8::1-2001:db8::ff-m tcp --dport 601 -m comment --comment "601 - test" -j ACCEPT}) + end + end + end + end + + unless os[:family] == 'redhat' && os[:release].start_with?('8', '9') + describe 'time tests' do + context 'when set all time parameters' do + pp1 = <<-PUPPETCODE + class { '::firewall': } + firewall { '805 - time': + proto => tcp, + dport => '8080', + jump => accept, + chain => 'OUTPUT', + date_start => '2016-01-19T04:17:07', + date_stop => '2038-01-19T04:17:07', + time_start => '6:00', + time_stop => '17:00:00', + month_days => 7, + week_days => 'Tue', + kernel_timezone => true, + protocol => 
'ip6tables', + } + PUPPETCODE + it 'applies' do + idempotent_apply(pp1) + end + + it 'contains the rule' do + run_shell('ip6tables-save') do |r| + expect(r.stdout).to match( + %r{-A OUTPUT -p (tcp|6) -m tcp --dport 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Layout/LineLength + ) + end + end + end + end + end + end + + describe 'happy path' do + before(:all) do + pp = <<-PUPPETCODE + firewall { '701 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '701', + jump => accept, + physdev_in => 'eth0', + } + firewall { '702 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '702', + jump => accept, + physdev_out => 'eth1', + } + firewall { '703 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '703', + jump => accept, + physdev_in => 'eth0', + physdev_out => 'eth1', + } + firewall { '704 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '704', + jump => accept, + physdev_is_bridged => true, + } + firewall { '705 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '705', + jump => accept, + physdev_in => 'eth0', + physdev_is_bridged => true, + } + firewall { '706 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '706', + jump => accept, + physdev_out => 'eth1', + physdev_is_bridged => true, + } + firewall { '707 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '707', + jump => accept, + physdev_in => 'eth0', + physdev_out => 'eth1', + physdev_is_bridged => true, + } + firewall { '708 - test': + protocol => 'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '708', + jump => accept, + physdev_is_in => true, + } + firewall { '709 - test': + protocol => 
'ip6tables', + chain => 'FORWARD', + proto => tcp, + dport => '709', + jump => accept, + physdev_is_out => true, + } + firewall { '1002 - set_dscp': + proto => 'tcp', + jump => 'DSCP', + set_dscp => '0x01', + dport => '997', + chain => 'OUTPUT', + table => 'mangle', + protocol => 'ip6tables', + } + firewall { '1003 EF - set_dscp_class': + proto => 'tcp', + jump => 'DSCP', + dport => '997', + set_dscp_class => 'ef', + chain => 'OUTPUT', + table => 'mangle', + protocol => 'ip6tables', + } + firewall { '502 - set_mss': + proto => 'tcp', + tcp_flags => 'SYN,RST SYN', + jump => 'TCPMSS', + set_mss => 1360, + mss => '1361:1541', + chain => 'FORWARD', + table => 'mangle', + protocol => 'ip6tables', + } + firewall { '503 - clamp_mss_to_pmtu': + proto => 'tcp', + chain => 'FORWARD', + tcp_flags => 'SYN,RST SYN', + jump => 'TCPMSS', + clamp_mss_to_pmtu => true, + protocol => 'ip6tables', + } + firewall { '803 - hashlimit_upto test ip6': + chain => 'INPUT', + protocol => 'ip6tables', + hashlimit_name => 'upto-ip6', + hashlimit_upto => '16/sec', + hashlimit_burst => 640, + hashlimit_htable_size => 1000000, + hashlimit_htable_max => 320000, + hashlimit_htable_expire => 36000000, + jump => accept, + } + firewall { '503 match_mark ip6tables - test': + proto => 'all', + match_mark => '0x1', + jump => reject, + protocol => 'ip6tables', + } + + PUPPETCODE + idempotent_apply(pp) + end + + let(:result) { run_shell('ip6tables-save') } + + it 'physdev_in is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-in eth0 -m tcp --dport 701 -m comment --comment "701 - test" -j ACCEPT}) + end + it 'physdev_out is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-out eth1 -m tcp --dport 702 -m comment --comment "702 - test" -j ACCEPT}) + end + it 'physdev_in and physdev_out is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-in eth0 --physdev-out eth1 -m tcp --dport 703 -m comment 
--comment "703 - test" -j ACCEPT}) + end + it 'physdev_is_bridged is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-is-bridged -m tcp --dport 704 -m comment --comment "704 - test" -j ACCEPT}) + end + it 'physdev_in and physdev_is_bridged is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-in eth0 --physdev-is-bridged -m tcp --dport 705 -m comment --comment "705 - test" -j ACCEPT}) + end + it 'physdev_out and physdev_is_bridged is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m tcp --dport 706 -m comment --comment "706 - test" -j ACCEPT}) + end + it 'physdev_in and physdev_out and physdev_is_bridged is set' do + expect(result.stdout).to match( + %r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m tcp --dport 707 -m comment --comment "707 - test" -j ACCEPT} + ) + end + it 'physdev_is_in is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-is-in -m tcp --dport 708 -m comment --comment "708 - test" -j ACCEPT}) + end + it 'physdev_is_out is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m physdev\s+--physdev-is-out -m tcp --dport 709 -m comment --comment "709 - test" -j ACCEPT}) + end + it 'set_dscp is set' do + expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m tcp --dport 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01}) + end + it 'set_dscp_class is set' do + expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m tcp --dport 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e}) + end + it 'set_mss and mss is set' do + expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360}) + end + it 'clamp_mss_to_pmtu is set' do + expect(result.stdout).to 
match(%r{-A FORWARD -p (tcp|6) -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu}) + end + it 'hashlimit_name set to "upto-ip6"' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Layout/LineLength : Cannot reduce line to required length + end + it 'match_mark is set' do + expect(result.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable}) + end + end + + describe 'ishasmorefrags/islastfrag/isfirstfrag', unless: os[:family] == 'sles' do + shared_examples 'is idempotent' do |values, line_match| + pp2 = <<-PUPPETCODE + class { '::firewall': } + firewall { '599 - test': + ensure => present, + proto => 'tcp', + protocol => 'ip6tables', + #{values} + } + PUPPETCODE + it "changes the values to #{values}" do + idempotent_apply(pp2) + + run_shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{#{line_match}}) + end + end + end + shared_examples "doesn't change" do |values, line_match| + pp3 = <<-PUPPETCODE + class { '::firewall': } + firewall { '599 - test': + ensure => present, + proto => 'tcp', + protocol => 'ip6tables', + #{values} + } + PUPPETCODE + it "doesn't change the values to #{values}" do + apply_manifest(pp3, catch_changes: true) + + run_shell('ip6tables-save') do |r| + expect(r.stdout).to match(%r{#{line_match}}) + end + end + end + + describe 'adding a rule' do + context 'when unset' do + before :all do + ip6tables_flush_all_tables + end + it_behaves_like 'is idempotent', '', %r{-A INPUT -p (tcp|6) -m comment --comment "599 - test"} + end + context 'when set to true' do + before :all do + ip6tables_flush_all_tables + end + 
it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
+ %r{-A INPUT -p (tcp|6) -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
+ end
+ context 'when set to false' do
+ before :all do
+ ip6tables_flush_all_tables
+ end
+ it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"}
+ end
+ end
+ describe 'editing a rule' do
+ context 'when unset or false' do
+ before :each do
+ ip6tables_flush_all_tables
+ run_shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
+ end
+ context 'when current value is false' do
+ it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p (tcp|6) -m comment --comment "599 - test"}
+ end
+ context 'when current value is true' do
+ it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
+ %r{-A INPUT -p (tcp|6) -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
+ end
+ end
+ context 'when set to true' do
+ before :each do
+ ip6tables_flush_all_tables
+ run_shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
+ end
+ context 'when current value is false' do
+ it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p (tcp|6) -m comment --comment "599 - test"}
+ end
+ context 'when current value is true' do
+ it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
+ %r{-A INPUT -p (tcp|6) -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
+ end
+ end
+
end
+ end
 # describe 'purge' do
-# context 'when ipv6 chain purge', unless: os[:family] == 'redhat' && os[:release].start_with?('5') do
+# context 'when ipv6 chain purge', do
 # after(:all) do
 # ip6tables_flush_all_tables
 # end
@@ -572,7 +572,7 @@
 # chain => 'OUTPUT',
 # proto => 'all',
 # source => '1::50',
-# provider => 'ip6tables',
+# protocol => 'ip6tables',
 # }
 # PUPPETCODE
 # it 'ignores managed rules' do
@@ -604,32 +604,32 @@
 # chain => 'INPUT',
 # proto => 'all',
 # source => '1::46',
-# provider => 'ip6tables',
+# protocol => 'ip6tables',
 # }
 # -> firewall { '013 input-1::45':
 # chain => 'INPUT',
 # proto => 'all',
 # source => '1::45',
-# provider => 'ip6tables',
+# protocol => 'ip6tables',
 # }
 # -> firewall { '012 input-1::44':
 # chain => 'INPUT',
 # proto => 'all',
 # source => '1::44',
-# provider => 'ip6tables',
+# protocol => 'ip6tables',
 # }
 # -> firewall { '011 input-1::43':
 # chain => 'INPUT',
 # proto => 'all',
 # source => '1::43',
-# provider => 'ip6tables',
+# protocol => 'ip6tables',
 # }
 # PUPPETCODE
 # it 'adds managed rules with ignored rules' do
 # apply_manifest(pp4, catch_failures: true)
-# expect(result.stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp})
+# expect(result.stdout).to match(%r{-A INPUT -s 1::42(\/128)? -p (tcp|6)\s?\n-A INPUT -s 1::42(\/128)? -p (udp|17)})
 # end
 # end
 # end
-# end
+end
diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
index 8b79ba30c..586a5b6aa 100644
--- a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
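Review bot: The `-# end` / `+end` pair at the bottom of the `@@ -604,32 +604,32 @@` hunk turns only the closing `end` of the disabled purge section into live code while every line above it stays commented out, so that live `end` presumably now closes the outer `describe` (whose header is outside this hunk); a one-line marker would stop someone re-enabling the purge tests from adding a second one: `end # closes the outer describe; the 'purge' block above is still disabled`. The `provider` → `protocol` renames and the `-p (tcp|6)` / `-p (udp|17)` widening in this hunk, like the same rename in the `@@ -572,7 +572,7 @@` hunk, only touch commented-out lines, so none of it is exercised by the suite. If the purge tests are meant to stay off, a `# TODO:` next to `# describe 'purge' do` saying why would tell the next reader whether these edits are expected to be re-enabled.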
@@ -1,404 +1,404 @@
-# # frozen_string_literal: true
+# frozen_string_literal: true
-# require 'spec_helper_acceptance'
+require 'spec_helper_acceptance'
-# describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do
-# before :all do
-# iptables_flush_all_tables
-# ip6tables_flush_all_tables
-# end
+describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do
+ before :all do
+ iptables_flush_all_tables
+ ip6tables_flush_all_tables
+ end
-# describe 'attributes test' do
-# before(:all) do
-# # On RHEL 9 this must be lower case, on all others it must be upper case
-# mac_source = if os[:family] == 'redhat' && os[:release].start_with?('9')
-# '0a:1b:3c:4d:5e:6f'
-# else
-# '0A:1B:3C:4D:5E:6F'
-# end
+ describe 'attributes test' do
+ before(:all) do
+ # On RHEL 9 this must be lower case, on all others it must be upper case
+ mac_source = if os[:family] == 'redhat' && os[:release].start_with?('9')
+ '0a:1b:3c:4d:5e:6f'
+ else
+ '0A:1B:3C:4D:5E:6F'
+ end
-# pp = <<-PUPPETCODE
-# class { '::firewall': }
-# firewall { '571 - hop_limit':
-# ensure => present,
-# proto => tcp,
-# dport => '571',
-# action => accept,
-# hop_limit => '5',
-# provider => 'ip6tables',
-# }
-# firewall { '576 - checksum_fill':
-# proto => udp,
-# table => 'mangle',
-# outiface => 'virbr0',
-# chain => 'POSTROUTING',
-# dport => '68',
-# jump => 'CHECKSUM',
-# checksum_fill => true,
-# provider => ip6tables,
-# }
-# firewall { '587 - ishasmorefrags true':
-# ensure => present,
-# proto => tcp,
-# dport => '587',
-# action => accept,
-# ishasmorefrags => true,
-# provider => 'ip6tables',
-# }
-# firewall { '588 - ishasmorefrags false':
-# ensure => present,
-# proto => tcp,
-# dport => '588',
-# action => accept,
-# ishasmorefrags => false,
-# provider => 'ip6tables',
-# }
-# firewall { '589 - islastfrag true':
-#
ensure => present, -# proto => tcp, -# dport => '589', -# action => accept, -# islastfrag => true, -# provider => 'ip6tables', -# } -# firewall { '590 - islastfrag false': -# ensure => present, -# proto => tcp, -# dport => '590', -# action => accept, -# islastfrag => false, -# provider => 'ip6tables', -# } -# firewall { '591 - isfirstfrag true': -# ensure => present, -# proto => tcp, -# dport => '591', -# action => accept, -# isfirstfrag => true, -# provider => 'ip6tables', -# } -# firewall { '592 - isfirstfrag false': -# ensure => present, -# proto => tcp, -# dport => '592', -# action => accept, -# isfirstfrag => false, -# provider => 'ip6tables', -# } -# firewall { '593 - tcpfrags': -# proto => tcp, -# action => accept, -# tcp_flags => 'FIN,SYN ACK', -# provider => 'ip6tables', -# } -# firewall { '601 - src_range': -# proto => tcp, -# dport => '601', -# action => accept, -# src_range => '2001:db8::1-2001:db8::ff', -# provider => 'ip6tables', -# } -# firewall { '602 - dst_range': -# proto => tcp, -# dport => '602', -# action => accept, -# dst_range => '2001:db8::1-2001:db8::ff', -# provider => 'ip6tables', -# } -# firewall { '604 - mac_source': -# ensure => present, -# source => '2001:db8::1/128', -# mac_source => '#{mac_source}', -# chain => 'INPUT', -# provider => 'ip6tables', -# } -# firewall { '605 - socket true': -# ensure => present, -# proto => tcp, -# dport => '605', -# action => accept, -# chain => 'INPUT', -# socket => true, -# provider => 'ip6tables', -# } -# firewall { '606 - socket false': -# ensure => present, -# proto => tcp, -# dport => '606', -# action => accept, -# chain => 'INPUT', -# socket => false, -# provider => 'ip6tables', -# } -# firewall { '607 - ipsec_policy ipsec': -# ensure => 'present', -# action => 'reject', -# chain => 'OUTPUT', -# destination => '2001:db8::1/128', -# ipsec_dir => 'out', -# ipsec_policy => 'ipsec', -# proto => 'all', -# reject => 'icmp6-adm-prohibited', -# table => 'filter', -# provider => 'ip6tables', -# } -# 
firewall { '608 - ipsec_policy none': -# ensure => 'present', -# action => 'reject', -# chain => 'OUTPUT', -# destination => '2001:db8::1/128', -# ipsec_dir => 'out', -# ipsec_policy => 'none', -# proto => 'all', -# reject => 'icmp6-adm-prohibited', -# table => 'filter', -# provider => 'ip6tables', -# } -# firewall { '609 - ipsec_dir out': -# ensure => 'present', -# action => 'reject', -# chain => 'OUTPUT', -# destination => '2001:db8::1/128', -# ipsec_dir => 'out', -# ipsec_policy => 'ipsec', -# proto => 'all', -# reject => 'icmp6-adm-prohibited', -# table => 'filter', -# provider => 'ip6tables', -# } -# firewall { '610 - ipsec_dir in': -# ensure => 'present', -# action => 'reject', -# chain => 'INPUT', -# destination => '2001:db8::1/128', -# ipsec_dir => 'in', -# ipsec_policy => 'none', -# proto => 'all', -# reject => 'icmp6-adm-prohibited', -# table => 'filter', -# provider => 'ip6tables', -# } -# firewall { '611 - set_mark': -# ensure => present, -# chain => 'OUTPUT', -# proto => tcp, -# dport => '611', -# jump => 'MARK', -# table => 'mangle', -# set_mark => '0x3e8/0xffffffff', -# provider => 'ip6tables', -# } -# firewall { '613 - dst_type MULTICAST': -# proto => tcp, -# action => accept, -# dst_type => 'MULTICAST', -# provider => 'ip6tables', -# } -# firewall { '614 - src_type MULTICAST': -# proto => tcp, -# action => accept, -# src_type => 'MULTICAST', -# provider => 'ip6tables', -# } -# firewall { '615 - dst_type ! MULTICAST': -# proto => tcp, -# action => accept, -# dst_type => '! MULTICAST', -# provider => 'ip6tables', -# } -# firewall { '616 - src_type ! MULTICAST': -# proto => tcp, -# action => accept, -# src_type => '! MULTICAST', -# provider => 'ip6tables', -# } -# firewall { '619 - dst_type multiple values': -# proto => tcp, -# action => accept, -# dst_type => ['LOCAL', '! LOCAL'], -# provider => 'ip6tables', -# } -# firewall { '620 - src_type multiple values': -# proto => tcp, -# action => accept, -# src_type => ['LOCAL', '! 
LOCAL'], -# provider => 'ip6tables', -# } -# firewall { '801 - ipt_modules tests': -# proto => tcp, -# dport => '8080', -# action => reject, -# chain => 'OUTPUT', -# provider => 'ip6tables', -# uid => 0, -# gid => 404, -# src_range => "2001::-2002::", -# dst_range => "2003::-2004::", -# src_type => 'LOCAL', -# dst_type => 'UNICAST', -# physdev_in => "eth0", -# physdev_out => "eth1", -# physdev_is_bridged => true, -# } -# firewall { '802 - ipt_modules tests': -# proto => tcp, -# dport => '8080', -# action => reject, -# chain => 'OUTPUT', -# provider => 'ip6tables', -# gid => 404, -# dst_range => "2003::-2004::", -# dst_type => 'UNICAST', -# physdev_out => "eth1", -# physdev_is_bridged => true, -# } -# firewall { '806 - hashlimit_above test ipv6': -# chain => 'INPUT', -# provider => 'ip6tables', -# proto => 'tcp', -# hashlimit_name => 'above-ip6', -# hashlimit_above => '526/sec', -# hashlimit_htable_gcinterval => '10', -# hashlimit_mode => 'srcip,dstip', -# action => accept, -# } -# firewall { '811 - tee_gateway6': -# chain => 'PREROUTING', -# table => 'mangle', -# jump => 'TEE', -# gateway => '2001:db8::1', -# proto => all, -# provider => 'ip6tables', -# } -# firewall { '812 - hex_string': -# chain => 'INPUT', -# proto => 'tcp', -# string_hex => '|f4 6d 04 25 b2 02 00 0a|', -# string_algo => 'kmp', -# string_to => '65535', -# action => accept, -# provider => 'ip6tables', -# } -# firewall { '500 allow v6 non-any queries': -# chain => 'OUTPUT', -# proto => 'udp', -# dport => '53', -# string_hex => '! 
|0000ff0001|', -# string_algo => 'bm', -# to => '65535', -# action => 'accept', -# provider => 'ip6tables', -# } -# PUPPETCODE -# idempotent_apply(pp) -# end -# let(:result) { run_shell('ip6tables-save') } + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '571 - hop_limit': + ensure => present, + proto => tcp, + dport => '571', + jump => accept, + hop_limit => '5', + protocol => 'ip6tables', + } + firewall { '576 - checksum_fill': + proto => udp, + table => 'mangle', + outiface => 'virbr0', + chain => 'POSTROUTING', + dport => '68', + jump => 'CHECKSUM', + checksum_fill => true, + protocol => ip6tables, + } + firewall { '587 - ishasmorefrags true': + ensure => present, + proto => tcp, + dport => '587', + jump => accept, + ishasmorefrags => true, + protocol => 'ip6tables', + } + firewall { '588 - ishasmorefrags false': + ensure => present, + proto => tcp, + dport => '588', + jump => accept, + ishasmorefrags => false, + protocol => 'ip6tables', + } + firewall { '589 - islastfrag true': + ensure => present, + proto => tcp, + dport => '589', + jump => accept, + islastfrag => true, + protocol => 'ip6tables', + } + firewall { '590 - islastfrag false': + ensure => present, + proto => tcp, + dport => '590', + jump => accept, + islastfrag => false, + protocol => 'ip6tables', + } + firewall { '591 - isfirstfrag true': + ensure => present, + proto => tcp, + dport => '591', + jump => accept, + isfirstfrag => true, + protocol => 'ip6tables', + } + firewall { '592 - isfirstfrag false': + ensure => present, + proto => tcp, + dport => '592', + jump => accept, + isfirstfrag => false, + protocol => 'ip6tables', + } + firewall { '593 - tcpfrags': + proto => tcp, + jump => accept, + tcp_flags => 'FIN,SYN ACK', + protocol => 'ip6tables', + } + firewall { '601 - src_range': + proto => tcp, + dport => '601', + jump => accept, + src_range => '2001:db8::1-2001:db8::ff', + protocol => 'ip6tables', + } + firewall { '602 - dst_range': + proto => tcp, + dport => '602', + jump => 
accept, + dst_range => '2001:db8::1-2001:db8::ff', + protocol => 'ip6tables', + } + firewall { '604 - mac_source': + ensure => present, + source => '2001:db8::1/128', + mac_source => '#{mac_source}', + chain => 'INPUT', + protocol => 'ip6tables', + } + firewall { '605 - socket true': + ensure => present, + proto => tcp, + dport => '605', + jump => accept, + chain => 'INPUT', + socket => true, + protocol => 'ip6tables', + } + firewall { '606 - socket false': + ensure => present, + proto => tcp, + dport => '606', + jump => accept, + chain => 'INPUT', + socket => false, + protocol => 'ip6tables', + } + firewall { '607 - ipsec_policy ipsec': + ensure => 'present', + jump => 'reject', + chain => 'OUTPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'out', + ipsec_policy => 'ipsec', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + protocol => 'ip6tables', + } + firewall { '608 - ipsec_policy none': + ensure => 'present', + jump => 'reject', + chain => 'OUTPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'out', + ipsec_policy => 'none', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + protocol => 'ip6tables', + } + firewall { '609 - ipsec_dir out': + ensure => 'present', + jump => 'reject', + chain => 'OUTPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'out', + ipsec_policy => 'ipsec', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + protocol => 'ip6tables', + } + firewall { '610 - ipsec_dir in': + ensure => 'present', + jump => 'reject', + chain => 'INPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'in', + ipsec_policy => 'none', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + protocol => 'ip6tables', + } + firewall { '611 - set_mark': + ensure => present, + chain => 'OUTPUT', + proto => tcp, + dport => '611', + jump => 'MARK', + table => 'mangle', + set_mark => '0x3e8/0xffffffff', + protocol => 'ip6tables', + } + firewall { 
'613 - dst_type MULTICAST': + proto => tcp, + jump => accept, + dst_type => 'MULTICAST', + protocol => 'ip6tables', + } + firewall { '614 - src_type MULTICAST': + proto => tcp, + jump => accept, + src_type => 'MULTICAST', + protocol => 'ip6tables', + } + firewall { '615 - dst_type ! MULTICAST': + proto => tcp, + jump => accept, + dst_type => '! MULTICAST', + protocol => 'ip6tables', + } + firewall { '616 - src_type ! MULTICAST': + proto => tcp, + jump => accept, + src_type => '! MULTICAST', + protocol => 'ip6tables', + } + firewall { '619 - dst_type multiple values': + proto => tcp, + jump => accept, + dst_type => ['LOCAL', '! LOCAL'], + protocol => 'ip6tables', + } + firewall { '620 - src_type multiple values': + proto => tcp, + jump => accept, + src_type => ['LOCAL', '! LOCAL'], + protocol => 'ip6tables', + } + firewall { '801 - ipt_modules tests': + proto => tcp, + dport => '8080', + jump => reject, + chain => 'OUTPUT', + protocol => 'ip6tables', + uid => 0, + gid => 404, + src_range => "2001::-2002::", + dst_range => "2003::-2004::", + src_type => 'LOCAL', + dst_type => 'UNICAST', + physdev_in => "eth0", + physdev_out => "eth1", + physdev_is_bridged => true, + } + firewall { '802 - ipt_modules tests': + proto => tcp, + dport => '8080', + jump => reject, + chain => 'OUTPUT', + protocol => 'ip6tables', + gid => 404, + dst_range => "2003::-2004::", + dst_type => 'UNICAST', + physdev_out => "eth1", + physdev_is_bridged => true, + } + firewall { '806 - hashlimit_above test ipv6': + chain => 'INPUT', + protocol => 'ip6tables', + proto => 'tcp', + hashlimit_name => 'above-ip6', + hashlimit_above => '526/sec', + hashlimit_htable_gcinterval => 10, + hashlimit_mode => 'srcip,dstip', + jump => accept, + } + firewall { '811 - tee_gateway6': + chain => 'PREROUTING', + table => 'mangle', + jump => 'TEE', + gateway => '2001:db8::1', + proto => all, + protocol => 'ip6tables', + } + firewall { '812 - hex_string': + chain => 'INPUT', + proto => 'tcp', + string_hex => '|f4 6d 04 
25 b2 02 00 0a|', + string_algo => 'kmp', + string_to => 65535, + jump => accept, + protocol => 'ip6tables', + } + firewall { '500 allow v6 non-any queries': + chain => 'OUTPUT', + proto => 'udp', + dport => '53', + string_hex => '! |0000ff0001|', + string_algo => 'bm', + string_to => 65535, + jump => 'accept', + protocol => 'ip6tables', + } + PUPPETCODE + idempotent_apply(pp) + end + let(:result) { run_shell('ip6tables-save') } -# it 'hop_limit is set' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT}) -# end -# it 'checksum_fill is set' do -# expect(result.stdout).to match(%r{-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - checksum_fill" -j CHECKSUM --checksum-fill}) -# end -# it 'ishasmorefrags when true' do -# expect(result.stdout).to match(%r{A INPUT -p tcp -m frag --fragid 0 --fragmore -m multiport --dports 587 -m comment --comment "587 - ishasmorefrags true" -j ACCEPT}) -# end -# it 'ishasmorefrags when false' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 588 -m comment --comment "588 - ishasmorefrags false" -j ACCEPT}) -# end -# it 'islastfrag when true' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fraglast -m multiport --dports 589 -m comment --comment "589 - islastfrag true" -j ACCEPT}) -# end -# it 'islastfrag when false' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 590 -m comment --comment "590 - islastfrag false" -j ACCEPT}) -# end -# it 'isfirstfrag when true' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m frag --fragid 0 --fragfirst -m multiport --dports 591 -m comment --comment "591 - isfirstfrag true" -j ACCEPT}) -# end -# it 'isfirstfrag when false' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 592 -m comment --comment "592 - isfirstfrag false" -j ACCEPT}) -# end -# it 
'tcp_flags is set' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN ACK -m comment --comment "593 - tcpfrags" -j ACCEPT}) -# end -# it 'src_range is set' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --src-range 2001:db8::1-2001:db8::ff -m multiport --dports 601 -m comment --comment "601 - src_range" -j ACCEPT}) -# end -# it 'dst_range is set' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m iprange --dst-range 2001:db8::1-2001:db8::ff -m multiport --dports 602 -m comment --comment "602 - dst_range" -j ACCEPT}) -# end -# it 'mac_source is set' do -# expect(result.stdout).to match(%r{-A INPUT -s 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -p tcp -m mac --mac-source 0(a|A):1(b|B):3(c|C):4(d|D):5(e|E):6(f|F) -m comment --comment "604 - mac_source"}) # rubocop:disable Layout/LineLength -# end -# it 'socket when true' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 605 -m socket -m comment --comment "605 - socket true" -j ACCEPT}) -# end -# it 'socket when false' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 606 -m comment --comment "606 - socket false" -j ACCEPT}) -# end -# it 'ipsec_policy when ipsec' do -# expect(result.stdout).to match( -# %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - ipsec_policy ipsec" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength -# ) -# end -# it 'ipsec_policy when none' do -# expect(result.stdout).to match( -# %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - ipsec_policy none" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength -# ) -# end -# it 'ipsec_dir when out' do -# expect(result.stdout).to match( -# %r{-A OUTPUT -d 
2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - ipsec_dir out" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength -# ) -# end -# it 'ipsec_dir when in' do -# expect(result.stdout).to match( -# %r{-A INPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir in --pol none -m comment --comment "610 - ipsec_dir in" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength -# ) -# end -# it 'set_mark is set' do -# expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 611 -m comment --comment "611 - set_mark" -j MARK --set-xmark 0x3e8\/0xffffffff}) -# end -# it 'dst_type when MULTICAST' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s--dst-type\sMULTICAST -m comment --comment "613 - dst_type MULTICAST" -j ACCEPT}) -# end -# it 'src_type when MULTICAST' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype\s--src-type\sMULTICAST -m comment --comment "614 - src_type MULTICAST" -j ACCEPT}) -# end -# it 'dst_type when ! MULTICAST' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s--dst-type\sMULTICAST|\s--dst-type\s! MULTICAST) -m comment --comment "615 - dst_type ! MULTICAST" -j ACCEPT}) -# end -# it 'src_type when ! MULTICAST' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype( !\s--src-type\sMULTICAST|\s--src-type\s! MULTICAST) -m comment --comment "616 - src_type ! MULTICAST" -j ACCEPT}) -# end -# it 'dst_type when multiple values' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --dst-type LOCAL -m addrtype ! --dst-type LOCAL -m comment --comment "619 - dst_type multiple values" -j ACCEPT}) -# end -# it 'src_type when multiple values' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --src-type LOCAL -m addrtype ! 
--src-type LOCAL -m comment --comment "620 - src_type multiple values" -j ACCEPT}) -# end -# it 'all the modules with multiple args is set' do -# expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength -# end -# it 'all the modules with single args is set' do -# expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength -# end -# it 'tee_gateway is set' do -# expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1}) -# end -# it 'hashlimit_above is set' do -# regex_array = [%r{-A INPUT}, %r{-p tcp}, %r{--hashlimit-above 526\/sec}, %r{--hashlimit-mode srcip,dstip}, -# %r{--hashlimit-name above-ip6}, %r{--hashlimit-htable-gcinterval 10}, %r{-j ACCEPT}] -# regex_array.each do |regex| -# expect(result.stdout).to match(regex) -# end -# end -# it 'checks hex_string value' do -# expect(result.stdout).to match(%r{-A INPUT -p tcp -m string --hex-string "|f46d0425b202000a|" --algo kmp --to 65535 -m comment --comment "812 - hex_string" -j ACCEPT}) -# end -# it 'checks hex_string value which include negation operator' do -# regex_string = %r{-A OUTPUT -p udp -m multiport --dports 53 -m string ! 
--hex-string "|0000ff0001|" --algo bm --to 65535 -m comment --comment "500 allow v6 non-any queries" -j ACCEPT} -# expect(result.stdout).to match(regex_string) -# end -# end -# end + it 'hop_limit is set' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --dport 571 -m hl --hl-eq 5 -m comment --comment "571 - hop_limit" -j ACCEPT}) + end + it 'checksum_fill is set' do + expect(result.stdout).to match(%r{-A POSTROUTING -o virbr0 -p (udp|17) -m udp --dport 68 -m comment --comment "576 - checksum_fill" -j CHECKSUM --checksum-fill}) + end + it 'ishasmorefrags when true' do + expect(result.stdout).to match(%r{A INPUT -p (tcp|6) -m frag --fragid 0 --fragmore -m tcp --dport 587 -m comment --comment "587 - ishasmorefrags true" -j ACCEPT}) + end + it 'ishasmorefrags when false' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --dport 588 -m comment --comment "588 - ishasmorefrags false" -j ACCEPT}) + end + it 'islastfrag when true' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m frag --fragid 0 --fraglast -m tcp --dport 589 -m comment --comment "589 - islastfrag true" -j ACCEPT}) + end + it 'islastfrag when false' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --dport 590 -m comment --comment "590 - islastfrag false" -j ACCEPT}) + end + it 'isfirstfrag when true' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m frag --fragid 0 --fragfirst -m tcp --dport 591 -m comment --comment "591 - isfirstfrag true" -j ACCEPT}) + end + it 'isfirstfrag when false' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --dport 592 -m comment --comment "592 - isfirstfrag false" -j ACCEPT}) + end + it 'tcp_flags is set' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --tcp-flags FIN,SYN ACK -m comment --comment "593 - tcpfrags" -j ACCEPT}) + end + it 'src_range is set' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m iprange --src-range 2001:db8::1-2001:db8::ff -m tcp 
--dport 601 -m comment --comment "601 - src_range" -j ACCEPT})
+ end
+ it 'dst_range is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m iprange --dst-range 2001:db8::1-2001:db8::ff -m tcp --dport 602 -m comment --comment "602 - dst_range" -j ACCEPT})
+ end
+ it 'mac_source is set' do
+ expect(result.stdout).to match(%r{-A INPUT -s 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -p (tcp|6) -m mac --mac-source 0(a|A):1(b|B):3(c|C):4(d|D):5(e|E):6(f|F) -m comment --comment "604 - mac_source"}) # rubocop:disable Layout/LineLength
+ end
+ it 'socket when true' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --dport 605 -m socket -m comment --comment "605 - socket true" -j ACCEPT})
+ end
+ it 'socket when false' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m tcp --dport 606 -m comment --comment "606 - socket false" -j ACCEPT})
+ end
+ it 'ipsec_policy when ipsec' do
+ expect(result.stdout).to match(
+ %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - ipsec_policy ipsec" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
+ )
+ end
+ it 'ipsec_policy when none' do
+ expect(result.stdout).to match(
+ %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - ipsec_policy none" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
+ )
+ end
+ it 'ipsec_dir when out' do
+ expect(result.stdout).to match(
+ %r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - ipsec_dir out" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
+ )
+ end
+ it 'ipsec_dir when in' do
+ expect(result.stdout).to match(
+ %r{-A INPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir in --pol none -m comment --comment "610 - ipsec_dir in" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
+ )
+ end
+ it 'set_mark is set' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m tcp --dport 611 -m comment --comment "611 - set_mark" -j MARK --set-xmark 0x3e8\/0xffffffff})
+ end
+ it 'dst_type when MULTICAST' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype\s--dst-type\sMULTICAST -m comment --comment "613 - dst_type MULTICAST" -j ACCEPT})
+ end
+ it 'src_type when MULTICAST' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype\s--src-type\sMULTICAST -m comment --comment "614 - src_type MULTICAST" -j ACCEPT})
+ end
+ it 'dst_type when ! MULTICAST' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype( !\s--dst-type\sMULTICAST|\s--dst-type\s! MULTICAST) -m comment --comment "615 - dst_type ! MULTICAST" -j ACCEPT})
+ end
+ it 'src_type when ! MULTICAST' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype( !\s--src-type\sMULTICAST|\s--src-type\s! MULTICAST) -m comment --comment "616 - src_type ! MULTICAST" -j ACCEPT})
+ end
+ it 'dst_type when multiple values' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype --dst-type LOCAL -m addrtype ! --dst-type LOCAL -m comment --comment "619 - dst_type multiple values" -j ACCEPT})
+ end
+ it 'src_type when multiple values' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype --src-type LOCAL -m addrtype ! --src-type LOCAL -m comment --comment "620 - src_type multiple values" -j ACCEPT})
+ end
+ it 'all the modules with multiple args is set' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m tcp --dport 8080 -m addrtype --src-type LOCAL -m addrtype --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength
+ end
+ it 'all the modules with single args is set' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m tcp --dport 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength
+ end
+ it 'tee_gateway is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1})
+ end
+ it 'hashlimit_above is set' do
+ regex_array = [%r{-A INPUT}, %r{-p (tcp|6)}, %r{--hashlimit-above 526\/sec}, %r{--hashlimit-mode srcip,dstip},
+ %r{--hashlimit-name above-ip6}, %r{--hashlimit-htable-gcinterval 10}, %r{-j ACCEPT}]
+ regex_array.each do |regex|
+ expect(result.stdout).to match(regex)
+ end
+ end
+ it 'checks hex_string value' do
+ expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m string --hex-string "|f46d0425b202000a|" --algo kmp --to 65535 -m comment --comment "812 - hex_string" -j ACCEPT})
+ end
+ it 'checks hex_string value which include negation operator' do
+ regex_string = %r{-A OUTPUT -p (udp|17) -m udp --dport 53 -m string ! --hex-string "|0000ff0001|" --algo bm --to 65535 -m comment --comment "500 allow v6 non-any queries" -j ACCEPT}
+ expect(result.stdout).to match(regex_string)
+ end
+ end
+end