586 changes: 89 additions & 497 deletions .rubocop.yml


Empty file added .rubocop_todo.yml
3 changes: 3 additions & 0 deletions .sync.yml
Expand Up @@ -10,3 +10,6 @@ appveyor.yml:
- set: docker/centos-7
options:
env: PUPPET_INSTALL_TYPE=agent BEAKER_debug=true BEAKER_set=@@SET@@ SPEC_OPTS=""--tag docker"
extras:
- rvm: 2.1.9
script: bundle exec rake rubocop
4 changes: 3 additions & 1 deletion .travis.yml
Expand Up @@ -22,11 +22,13 @@ matrix:
script: bundle exec rake beaker
services: docker
sudo: required
- rvm: 2.4.0
- rvm: 2.4.1
bundler_args: --without system_tests
env: PUPPET_GEM_VERSION="~> 5.0"
- rvm: 2.1.9
bundler_args: --without system_tests
env: PUPPET_GEM_VERSION="~> 4.0"
- rvm: 2.1.9
script: bundle exec rake rubocop
notifications:
email: false
11 changes: 11 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,14 @@
## Supported Release 1.11.0
### Summary
This release is to implement Rubocop changes within the module.

#### Added
- Rubocop has been implemented in the module.

### Changed
- Module sync was updated.
- Unparsable rules are now skipped with a warning.

## Supported Release 1.10.0
### Summary
This is a clean release prior to the module being run through rubocop.
4 changes: 2 additions & 2 deletions lib/facter/ip6tables_version.rb
@@ -1,9 +1,9 @@
Facter.add(:ip6tables_version) do
confine :kernel => :Linux
confine kernel: :Linux
setcode do
version = Facter::Util::Resolution.exec('ip6tables --version')
if version
version.match(/\d+\.\d+\.\d+/).to_s
version.match(%r{\d+\.\d+\.\d+}).to_s
else
nil
end
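Review bot: `version.match(%r{\d+\.\d+\.\d+}).to_s` in the rewritten setcode turns a non-matching `ip6tables --version` output into the empty string rather than nil, so the fact resolves to `''` and downstream checks such as the provider's `if ip6tables_version && versioncmp(...)` would treat it as a real version; `version[%r{\d+\.\d+\.\d+}] if version` returns nil on no match and also replaces the `if/else nil` scaffold. The same pattern is rewritten identically in lib/facter/iptables_version.rb in this commit.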
16 changes: 8 additions & 8 deletions lib/facter/iptables_persistent_version.rb
@@ -1,19 +1,19 @@
Facter.add(:iptables_persistent_version) do
confine :operatingsystem => %w{Debian Ubuntu}
confine operatingsystem: %w[Debian Ubuntu]
setcode do
# Throw away STDERR because dpkg >= 1.16.7 will make some noise if the
# package isn't currently installed.
os = Facter.value(:operatingsystem)
os_release = Facter.value(:operatingsystemrelease)
if (os == 'Debian' and (Puppet::Util::Package.versioncmp(os_release, '8.0') >= 0)) or
(os == 'Ubuntu' and (Puppet::Util::Package.versioncmp(os_release, '14.10') >= 0))
cmd = "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null"
else
cmd = "dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null"
end
cmd = if (os == 'Debian' && (Puppet::Util::Package.versioncmp(os_release, '8.0') >= 0)) ||
(os == 'Ubuntu' && (Puppet::Util::Package.versioncmp(os_release, '14.10') >= 0))
"dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null"
else
"dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null"
end
version = Facter::Util::Resolution.exec(cmd)

if version.nil? or !version.match(/\d+\.\d+/)
if version.nil? || !version.match(%r{\d+\.\d+})
nil
else
version
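Review bot: The rewritten guard `if version.nil? || !version.match(%r{\d+\.\d+})` allocates a MatchData only to test it for truthiness; since `nil =~ regexp` is nil, the whole `if/else` collapses to `version if version =~ %r{\d+\.\d+}` with identical results and no allocation (`match?` would do too, but .travis.yml in this commit still runs Ruby 2.1.9, which lacks it). The `cmd = if … else … end` form is fine, but the two dpkg-query strings differ only in the package name, so a `pkg = … ? 'netfilter-persistent' : 'iptables-persistent'` followed by one interpolated command line would remove the duplication.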
4 changes: 2 additions & 2 deletions lib/facter/iptables_version.rb
@@ -1,9 +1,9 @@
Facter.add(:iptables_version) do
confine :kernel => :Linux
confine kernel: :Linux
setcode do
version = Facter::Util::Resolution.exec('iptables --version')
if version
version.match(/\d+\.\d+\.\d+/).to_s
version.match(%r{\d+\.\d+\.\d+}).to_s
else
nil
end
13 changes: 8 additions & 5 deletions lib/puppet/provider/firewall.rb
@@ -1,11 +1,14 @@
#
# firewall.rb
#
class Puppet::Provider::Firewall < Puppet::Provider

# Prefetch our rule list. This is ran once every time before any other
# action (besides initialization of each object).
def self.prefetch(resources)
debug("[prefetch(resources)]")
debug('[prefetch(resources)]')
instances.each do |prov|
if resource = resources[prov.name] || resources[prov.name.downcase]
resource = resources[prov.name] || resources[prov.name.downcase]
if resource
resource.provider = prov
end
end
Expand All @@ -15,7 +18,7 @@ def self.prefetch(resources)
# existing status with properties[:foo].
def properties
if @property_hash.empty?
@property_hash = query || {:ensure => :absent}
@property_hash = query || { ensure: :absent }
@property_hash[:ensure] = :absent if @property_hash.empty?
end
@property_hash.dup
Expand All @@ -25,7 +28,7 @@ def properties
# getting some double entendre here....
def query
self.class.instances.each do |instance|
if instance.name == self.name or instance.name.downcase == self.name
if instance.name == name || instance.name.downcase == name
return instance.properties
end
end
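Review bot: In `self.prefetch` the new `resource = …` followed by a three-line `if resource … end` wraps a single guarded assignment; the modifier form `resource.provider = prov if resource` is the idiomatic shape and what the rubocop pass was presumably aiming for. The `query` rewrite is correct but still uses an early `return` from inside `each`; `self.class.instances.find { |i| i.name == name || i.name.downcase == name }` would state the intent directly, though `query` ends outside this hunk so I cannot see what it returns when nothing matches.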
281 changes: 137 additions & 144 deletions lib/puppet/provider/firewall/ip6tables.rb
@@ -1,5 +1,5 @@
Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :ip6tables do
@doc = "Ip6tables type provider"
Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6tables do
@doc = 'Ip6tables type provider'

has_feature :iptables
has_feature :connection_limiting
Expand Down Expand Up @@ -35,28 +35,22 @@
has_feature :queue_num
has_feature :queue_bypass

optional_commands({
:ip6tables => 'ip6tables',
:ip6tables_save => 'ip6tables-save',
})
optional_commands(ip6tables: 'ip6tables',
ip6tables_save: 'ip6tables-save')

confine :kernel => :linux
confine kernel: :linux

ip6tables_version = Facter.value('ip6tables_version')
if (ip6tables_version and Puppet::Util::Package.versioncmp(ip6tables_version, '1.4.1') < 0)
mark_flag = '--set-mark'
else
mark_flag = '--set-xmark'
end

mark_flag = if ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.4.1') < 0
'--set-mark'
else
'--set-xmark'
end

def initialize(*args)
ip6tables_version = Facter.value('ip6tables_version')
if ip6tables_version and ip6tables_version.match /1\.3\.\d/
raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables'
else
super
end
raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})
super
end

def self.iptables(*args)
Expand All @@ -67,107 +61,107 @@ def self.iptables_save(*args)
ip6tables_save(*args)
end

@protocol = "IPv6"
@protocol = 'IPv6'

@resource_map = {
:burst => "--limit-burst",
:checksum_fill => "--checksum-fill",
:clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
:ctstate => "-m conntrack --ctstate",
:destination => "-d",
:dport => ["-m multiport --dports", "--dport"],
:dst_range => '--dst-range',
:dst_type => "--dst-type",
:gateway => "--gateway",
:gid => "--gid-owner",
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
:iniface => "-i",
:ipsec_dir => "-m policy --dir",
:ipsec_policy => "--pol",
:ipset => "-m set --match-set",
:isfirstfrag => "-m frag --fragid 0 --fragfirst",
:ishasmorefrags => "-m frag --fragid 0 --fragmore",
:islastfrag => "-m frag --fragid 0 --fraglast",
:jump => "-j",
:length => "-m length --length",
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
:log_uid => "--log-uid",
:mask => "--mask",
:match_mark => "-m mark --mark",
:name => "-m comment --comment",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mss => "-m tcpmss --mss",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
:port => '-m multiport --ports',
:proto => "-p",
:queue_num => "--queue-num",
:queue_bypass => "--queue-bypass",
:rdest => "--rdest",
:reap => "--reap",
:recent => "-m recent",
:reject => "--reject-with",
:rhitcount => "--hitcount",
:rname => "--name",
:rseconds => "--seconds",
:rsource => "--rsource",
:rttl => "--rttl",
:set_dscp => '--set-dscp',
:set_dscp_class => '--set-dscp-class',
:set_mark => mark_flag,
:set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
:src_range => '--src-range',
:src_type => "--src-type",
:stat_every => '--every',
:stat_mode => "-m statistic --mode",
:stat_packet => '--packet',
:stat_probability => '--probability',
:state => "-m state --state",
:string => "-m string --string",
:string_algo => "--algo",
:string_from => "--from",
:string_to => "--to",
:table => "-t",
:tcp_flags => "-m tcp --tcp-flags",
:todest => "--to-destination",
:toports => "--to-ports",
:tosource => "--to-source",
:uid => "--uid-owner",
:physdev_in => "--physdev-in",
:physdev_out => "--physdev-out",
:physdev_is_bridged => "--physdev-is-bridged",
:physdev_is_in => "--physdev-is-in",
:physdev_is_out => "--physdev-is-out",
:date_start => "--datestart",
:date_stop => "--datestop",
:time_start => "--timestart",
:time_stop => "--timestop",
:month_days => "--monthdays",
:week_days => "--weekdays",
:time_contiguous => "--contiguous",
:kernel_timezone => "--kerneltz",
:src_cc => "--source-country",
:dst_cc => "--destination-country",
:hashlimit_name => "--hashlimit-name",
:hashlimit_upto => "--hashlimit-upto",
:hashlimit_above => "--hashlimit-above",
:hashlimit_burst => "--hashlimit-burst",
:hashlimit_mode => "--hashlimit-mode",
:hashlimit_srcmask => "--hashlimit-srcmask",
:hashlimit_dstmask => "--hashlimit-dstmask",
:hashlimit_htable_size => "--hashlimit-htable-size",
:hashlimit_htable_max => "--hashlimit-htable-max",
:hashlimit_htable_expire => "--hashlimit-htable-expire",
:hashlimit_htable_gcinterval => "--hashlimit-htable-gcinterval",
burst: '--limit-burst',
checksum_fill: '--checksum-fill',
clamp_mss_to_pmtu: '--clamp-mss-to-pmtu',
connlimit_above: '-m connlimit --connlimit-above',
connlimit_mask: '--connlimit-mask',
connmark: '-m connmark --mark',
ctstate: '-m conntrack --ctstate',
destination: '-d',
dport: ['-m multiport --dports', '--dport'],
dst_range: '--dst-range',
dst_type: '--dst-type',
gateway: '--gateway',
gid: '--gid-owner',
hop_limit: '-m hl --hl-eq',
icmp: '-m icmp6 --icmpv6-type',
iniface: '-i',
ipsec_dir: '-m policy --dir',
ipsec_policy: '--pol',
ipset: '-m set --match-set',
isfirstfrag: '-m frag --fragid 0 --fragfirst',
ishasmorefrags: '-m frag --fragid 0 --fragmore',
islastfrag: '-m frag --fragid 0 --fraglast',
jump: '-j',
length: '-m length --length',
limit: '-m limit --limit',
log_level: '--log-level',
log_prefix: '--log-prefix',
log_uid: '--log-uid',
mask: '--mask',
match_mark: '-m mark --mark',
name: '-m comment --comment',
mac_source: ['-m mac --mac-source', '--mac-source'],
mss: '-m tcpmss --mss',
outiface: '-o',
pkttype: '-m pkttype --pkt-type',
port: '-m multiport --ports',
proto: '-p',
queue_num: '--queue-num',
queue_bypass: '--queue-bypass',
rdest: '--rdest',
reap: '--reap',
recent: '-m recent',
reject: '--reject-with',
rhitcount: '--hitcount',
rname: '--name',
rseconds: '--seconds',
rsource: '--rsource',
rttl: '--rttl',
set_dscp: '--set-dscp',
set_dscp_class: '--set-dscp-class',
set_mark: mark_flag,
set_mss: '--set-mss',
socket: '-m socket',
source: '-s',
sport: ['-m multiport --sports', '--sport'],
src_range: '--src-range',
src_type: '--src-type',
stat_every: '--every',
stat_mode: '-m statistic --mode',
stat_packet: '--packet',
stat_probability: '--probability',
state: '-m state --state',
string: '-m string --string',
string_algo: '--algo',
string_from: '--from',
string_to: '--to',
table: '-t',
tcp_flags: '-m tcp --tcp-flags',
todest: '--to-destination',
toports: '--to-ports',
tosource: '--to-source',
uid: '--uid-owner',
physdev_in: '--physdev-in',
physdev_out: '--physdev-out',
physdev_is_bridged: '--physdev-is-bridged',
physdev_is_in: '--physdev-is-in',
physdev_is_out: '--physdev-is-out',
date_start: '--datestart',
date_stop: '--datestop',
time_start: '--timestart',
time_stop: '--timestop',
month_days: '--monthdays',
week_days: '--weekdays',
time_contiguous: '--contiguous',
kernel_timezone: '--kerneltz',
src_cc: '--source-country',
dst_cc: '--destination-country',
hashlimit_name: '--hashlimit-name',
hashlimit_upto: '--hashlimit-upto',
hashlimit_above: '--hashlimit-above',
hashlimit_burst: '--hashlimit-burst',
hashlimit_mode: '--hashlimit-mode',
hashlimit_srcmask: '--hashlimit-srcmask',
hashlimit_dstmask: '--hashlimit-dstmask',
hashlimit_htable_size: '--hashlimit-htable-size',
hashlimit_htable_max: '--hashlimit-htable-max',
hashlimit_htable_expire: '--hashlimit-htable-expire',
hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',

}

Expand Down Expand Up @@ -206,39 +200,39 @@ def self.iptables_save(*args)
# ones.
#
@module_to_argument_mapping = {
:physdev => [:physdev_in, :physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out],
:addrtype => [:src_type, :dst_type],
:iprange => [:src_range, :dst_range],
:owner => [:uid, :gid],
:time => [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
:geoip => [:src_cc, :dst_cc],
:hashlimit => [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask,
:hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval],
physdev: [:physdev_in, :physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out],
addrtype: [:src_type, :dst_type],
iprange: [:src_range, :dst_range],
owner: [:uid, :gid],
time: [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone],
geoip: [:src_cc, :dst_cc],
hashlimit: [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask,
:hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval],

}

# Create property methods dynamically
(@resource_map.keys << :chain << :table << :action).each do |property|
if @known_booleans.include?(property) then
if @known_booleans.include?(property)
# The boolean properties default to '' which should be read as false
define_method "#{property}" do
@property_hash[property] = :false if @property_hash[property] == nil
define_method property.to_s do
@property_hash[property] = :false if @property_hash[property].nil?
@property_hash[property.to_sym]
end
else
define_method "#{property}" do
define_method property.to_s do
@property_hash[property.to_sym]
end
end

if property == :chain
define_method "#{property}=" do |value|
if @property_hash[:chain] != value
raise ArgumentError, "Modifying the chain for existing rules is not supported."
raise ArgumentError, 'Modifying the chain for existing rules is not supported.'
end
end
else
define_method "#{property}=" do |value|
define_method "#{property}=" do |_value|
@property_hash[:needs_change] = true
end
end
Expand All @@ -252,17 +246,16 @@ def self.iptables_save(*args)
# I put it when calling the command. So compability with manual changes
# not provided with current parser [georg.koester])
@resource_list = [:table, :source, :destination, :iniface, :outiface, :physdev_in,
:physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
:string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :name]

:physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
:string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :name]
end
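Review bot: The guard now at the top of `initialize`, `raise ArgumentError, '…' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})`, is unanchored, so any version string that merely contains `1.3.` followed by a digit (21.3.0 would) trips it, and it builds a MatchData just for a truthiness test; `raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version =~ %r{\A1\.3\.\d}` pins it to a 1.3.x release, drops the now-redundant `&&` (since `nil =~` is nil) and works on the Ruby 2.1.9 still listed in .travis.yml. In the dynamic property loop further down, `define_method property.to_s` can be `define_method property` on both branches, as define_method accepts a Symbol. The blank line left inside the `@resource_map` and `@module_to_argument_mapping` literals just before the closing `}` reads as an accident of the reformat.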
572 changes: 283 additions & 289 deletions lib/puppet/provider/firewall/iptables.rb


126 changes: 61 additions & 65 deletions lib/puppet/provider/firewallchain/iptables_chain.rb
@@ -1,78 +1,76 @@
Puppet::Type.type(:firewallchain).provide :iptables_chain do
include Puppet::Util::Firewall

@doc = "Iptables chain provider"
@doc = 'Iptables chain provider'

has_feature :iptables_chain
has_feature :policy

optional_commands({
:iptables => 'iptables',
:iptables_save => 'iptables-save',
:ip6tables => 'ip6tables',
:ip6tables_save => 'ip6tables-save',
:ebtables => 'ebtables',
:ebtables_save => 'ebtables-save',
})
optional_commands(iptables: 'iptables',
iptables_save: 'iptables-save',
ip6tables: 'ip6tables',
ip6tables_save: 'ip6tables-save',
ebtables: 'ebtables',
ebtables_save: 'ebtables-save')

defaultfor :kernel => :linux
confine :kernel => :linux
defaultfor kernel: :linux
confine kernel: :linux

# chain name is greedy so we anchor from the end.
# [\d+:\d+] doesn't exist on ebtables
Mapping = {
:IPv4 => {
:tables => method(:iptables),
:save => method(:iptables_save),
:re => /^:(.+)\s(\S+)\s\[\d+:\d+\]$/,
MAPPING = {
IPv4: {
tables: method(:iptables),
save: method(:iptables_save),
re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$},
},
:IPv6 => {
:tables => method(:ip6tables),
:save => method(:ip6tables_save),
:re => /^:(.+)\s(\S+)\s\[\d+:\d+\]$/,
IPv6: {
tables: method(:ip6tables),
save: method(:ip6tables_save),
re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$},
},
:ethernet => {
:tables => method(:ebtables),
:save => method(:ebtables_save),
:re => /^:(.+)\s(\S+)$/,
}
}
InternalChains = /^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$/
Tables = 'nat|mangle|filter|raw|rawpost|broute|security'
Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/
ethernet: {
tables: method(:ebtables),
save: method(:ebtables_save),
re: %r{^:(.+)\s(\S+)$},
},
}.freeze
INTERNAL_CHAINS = %r{^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$}
TABLES = 'nat|mangle|filter|raw|rawpost|broute|security'.freeze
NAME_FORMAT = %r{^(.+):(#{TABLES}):(IP(v[46])?|ethernet)$}

def create
allvalidchains do |t, chain, table, protocol|
if chain =~ InternalChains
if chain =~ INTERNAL_CHAINS
# can't create internal chains
warning "Attempting to create internal chain #{@resource[:name]}"
end
if properties[:ensure] == protocol
debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists"
else
debug "Inserting chain #{chain} on table #{table} (#{protocol}) using #{t}"
t.call ['-t',table,'-N',chain]
t.call ['-t', table, '-N', chain]
unless @resource[:policy].nil?
t.call ['-t',table,'-P',chain,@resource[:policy].to_s.upcase]
t.call ['-t', table, '-P', chain, @resource[:policy].to_s.upcase]
end
end
end
end

def destroy
allvalidchains do |t, chain, table|
if chain =~ InternalChains
if chain =~ INTERNAL_CHAINS
# can't delete internal chains
warning "Attempting to destroy internal chain #{@resource[:name]}"
end
debug "Deleting chain #{chain} on table #{table}"
t.call ['-t',table,'-X',chain]
t.call ['-t', table, '-X', chain]
end
end

def exists?
allvalidchains do |t, chain|
if chain =~ InternalChains
allvalidchains do |_t, chain|
if chain =~ INTERNAL_CHAINS
# If the chain isn't present, it's likely because the module isn't loaded.
# If this is true, then we fall into 2 cases
# 1) It'll be loaded on demand
Expand All @@ -88,29 +86,30 @@ def exists?
def policy=(value)
return if value == :empty
allvalidchains do |t, chain, table|
p = ['-t',table,'-P',chain,value.to_s.upcase]
p = ['-t', table, '-P', chain, value.to_s.upcase]
debug "[set policy] #{t} #{p}"
t.call p
end
end

def policy
debug "[get policy] #{@resource[:name]} =#{@property_hash[:policy].to_s.downcase}"
return @property_hash[:policy].to_s.downcase
@property_hash[:policy].to_s.downcase
end

def self.prefetch(resources)
debug("[prefetch(resources)]")
debug('[prefetch(resources)]')
instances.each do |prov|
if resource = resources[prov.name]
resource = resources[prov.name]
if resource
resource.provider = prov
end
end
end

def flush
debug("[flush]")
persist_iptables(@resource[:name].match(Nameformat)[3])
debug('[flush]')
persist_iptables(@resource[:name].match(NAME_FORMAT)[3])
# Clear the property hash so we re-initialize with updated values
@property_hash.clear
end
Expand All @@ -119,61 +118,58 @@ def flush
# existing status with properties[:foo].
def properties
if @property_hash.empty?
@property_hash = query || {:ensure => :absent}
@property_hash = query || { ensure: :absent }
end
@property_hash.dup
end

# Pull the current state of the list from the full list.
def query
self.class.instances.each do |instance|
if instance.name == self.name
debug "query found #{self.name}" % instance.properties.inspect
if instance.name == name
debug "query found #{name}" % instance.properties.inspect
return instance.properties
end
end
nil
end

def self.instances
debug "[instances]"
debug '[instances]'
table = nil
chains = []

Mapping.each { |p, c|
MAPPING.each do |p, c|
begin
c[:save].call.each_line do |line|
if line =~ c[:re] then
name = $1 + ':' + (table == 'filter' ? 'filter' : table) + ':' + p.to_s
policy = $2 == '-' ? nil : $2.downcase.to_sym
if line =~ c[:re]
name = Regexp.last_match(1) + ':' + ((table == 'filter') ? 'filter' : table) + ':' + p.to_s
policy = (Regexp.last_match(2) == '-') ? nil : Regexp.last_match(2).downcase.to_sym

chains << new({
:name => name,
:policy => policy,
:ensure => :present,
})
chains << new(name: name,
policy: policy,
ensure: :present)

debug "[instance] '#{name}' #{policy}"
elsif line =~ /^\*(\S+)/
table = $1
elsif line =~ %r{^\*(\S+)}
table = Regexp.last_match(1)
else
next
end
end
rescue Puppet::Error
rescue Puppet::Error # rubocop:disable Lint/HandleExceptions
# ignore command not found for ebtables or anything that doesn't exist
end
}
end

chains
end

def allvalidchains
@resource[:name].match(Nameformat)
chain = $1
table = $2
protocol = $3
yield Mapping[protocol.to_sym][:tables],chain,table,protocol.to_sym
@resource[:name].match(NAME_FORMAT)
chain = Regexp.last_match(1)
table = Regexp.last_match(2)
protocol = Regexp.last_match(3)
yield MAPPING[protocol.to_sym][:tables], chain, table, protocol.to_sym
end

end
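Review bot: `debug "query found #{name}" % instance.properties.inspect` in the rewritten `query` applies String#% to a format string with no directives, so the inspected properties never reach the log (and Ruby warns about, or under $DEBUG raises on, the extra argument); interpolate instead: `debug "query found #{name} #{instance.properties.inspect}"`. In `self.instances` the rewritten `((table == 'filter') ? 'filter' : table)` yields `table` on both branches and can simply be `table`. Separately, `NAME_FORMAT` and `INTERNAL_CHAINS` keep `^`/`$` anchors although they are used to validate the whole resource name (here and in firewallchain.rb's `validate`), so a name with an embedded newline can satisfy them line-by-line; `\A`/`\z` is the right anchoring for those two, while the per-line `re:` patterns in `MAPPING` should stay as they are because `each_line` keeps the trailing newline.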
688 changes: 337 additions & 351 deletions lib/puppet/type/firewall.rb


101 changes: 52 additions & 49 deletions lib/puppet/type/firewallchain.rb
Expand Up @@ -4,7 +4,7 @@
# In this case I'm trying the relative path first, then falling back to normal
# mechanisms. This should be fixed in future versions of puppet but it looks
# like we'll need to maintain this for some time perhaps.
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__),"..",".."))
$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', '..'))
require 'puppet/util/firewall'

Puppet::Type.newtype(:firewallchain) do
Expand All @@ -23,8 +23,8 @@
those packages to ensure that any required binaries are installed.
EOS

feature :iptables_chain, "The provider provides iptables chain features."
feature :policy, "Default policy (inbuilt chains only)"
feature :iptables_chain, 'The provider provides iptables chain features.'
feature :policy, 'Default policy (inbuilt chains only)'

ensurable do
defaultvalues
Expand All @@ -40,46 +40,49 @@
isnamevar

validate do |value|
if value !~ Nameformat then
raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE, SECURITY or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
if value !~ NAME_FORMAT
raise ArgumentError, 'Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER,' \
' NAT, MANGLE, RAW, RAWPOST, BROUTE, SECURITY or empty (alias for filter), chain can be anything without colons' \
' or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being' \
" IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{Regexp.last_match(1)}' chain:'#{Regexp.last_match(2)}' protocol:'#{Regexp.last_match(3)}'"
else
chain = $1
table = $2
protocol = $3
chain = Regexp.last_match(1)
table = Regexp.last_match(2)
protocol = Regexp.last_match(3)
case table
when 'filter'
if chain =~ /^(PREROUTING|POSTROUTING|BROUTING)$/
if chain =~ %r{^(PREROUTING|POSTROUTING|BROUTING)$}
raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'filter'"
end
when 'mangle'
if chain =~ InternalChains && chain == 'BROUTING'
if chain =~ INTERNAL_CHAINS && chain == 'BROUTING'
raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table 'mangle'"
end
when 'nat'
if chain =~ /^(BROUTING|FORWARD)$/
if chain =~ %r{^(BROUTING|FORWARD)$}
raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table 'nat'"
end
if Gem::Version.new(Facter['kernelmajversion'].value.dup) < Gem::Version.new('3.7') and protocol =~/^(IP(v6)?)?$/
if Gem::Version.new(Facter['kernelmajversion'].value.dup) < Gem::Version.new('3.7') && protocol =~ %r{^(IP(v6)?)?$}
raise ArgumentError, "table nat isn't valid in IPv6. You must specify ':IPv4' as the name suffix"
end
when 'raw'
if chain =~ /^(POSTROUTING|BROUTING|INPUT|FORWARD)$/
raise ArgumentError,'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\''
if chain =~ %r{^(POSTROUTING|BROUTING|INPUT|FORWARD)$}
raise ArgumentError, 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\''
end
when 'broute'
if protocol != 'ethernet'
raise ArgumentError,'BROUTE is only valid with protocol \'ethernet\''
raise ArgumentError, 'BROUTE is only valid with protocol \'ethernet\''
end
if chain =~ /^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$/
raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'broute\''
if chain =~ %r{^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$}
raise ArgumentError, 'BROUTING is the only inbuilt chain allowed on on table \'broute\''
end
when 'security'
if chain =~ /^(PREROUTING|POSTROUTING|BROUTING)$/
if chain =~ %r{^(PREROUTING|POSTROUTING|BROUTING)$}
raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'security'"
end
end
if chain == 'BROUTING' && ( protocol != 'ethernet' || table!='broute')
raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'BROUTE\' with protocol \'ethernet\' i.e. \'broute:BROUTING:enternet\''
if chain == 'BROUTING' && (protocol != 'ethernet' || table != 'broute')
raise ArgumentError, 'BROUTING is the only inbuilt chain allowed on on table \'BROUTE\' with protocol \'ethernet\' i.e. \'broute:BROUTING:enternet\''
end
end
end
Expand All @@ -101,15 +104,15 @@
defaultto do
# ethernet chain have an ACCEPT default while other haven't got an
# allowed value
if @resource[:name] =~ /:ethernet$/
if @resource[:name] =~ %r{:ethernet$}
:accept
else
nil
end
end
end

newparam(:purge, :boolean => true) do
newparam(:purge, boolean: true) do
desc <<-EOS
Purge unmanaged firewall rules in this chain
EOS
Expand Down Expand Up @@ -140,13 +143,13 @@
EOS

validate do |value|
unless value.is_a?(Array) or value.is_a?(String) or value == false
self.devfail "Ignore must be a string or an Array"
unless value.is_a?(Array) || value.is_a?(String) || value == false
devfail 'Ignore must be a string or an Array'
end
end
munge do |patterns| # convert into an array of {Regex}es
patterns = [patterns] if patterns.is_a?(String)
patterns.map{|p| Regexp.new(p)}
patterns.map { |p| Regexp.new(p) }
end
end

Expand All @@ -155,7 +158,7 @@
autorequire(:package) do
case value(:provider)
when :iptables_chain
%w{iptables iptables-persistent iptables-services}
%w[iptables iptables-persistent iptables-services]
else
[]
end
Expand All @@ -164,52 +167,52 @@
autorequire(:service) do
case value(:provider)
when :iptables, :ip6tables
%w{firewalld iptables ip6tables iptables-persistent netfilter-persistent}
%w[firewalld iptables ip6tables iptables-persistent netfilter-persistent]
else
[]
end
end

validate do
debug("[validate]")
debug('[validate]')

value(:name).match(Nameformat)
chain = $1
table = $2
protocol = $3
value(:name).match(NAME_FORMAT)
chain = Regexp.last_match(1)
table = Regexp.last_match(2)
protocol = Regexp.last_match(3)

# Check that we're not removing an internal chain
if chain =~ InternalChains && value(:ensure) == :absent
self.fail "Cannot remove in-built chains"
if chain =~ INTERNAL_CHAINS && value(:ensure) == :absent
raise 'Cannot remove in-built chains'
end

if value(:policy).nil? && protocol == 'ethernet'
self.fail "you must set a non-empty policy on all ethernet table chains"
raise 'you must set a non-empty policy on all ethernet table chains'
end

# Check that we're not setting a policy on a user chain
if chain !~ InternalChains &&
!value(:policy).nil? &&
protocol != 'ethernet'
if chain !~ INTERNAL_CHAINS &&
!value(:policy).nil? &&
protocol != 'ethernet'

self.fail "policy can only be set on in-built chains (with the exception of ethernet chains) (table:#{table} chain:#{chain} protocol:#{protocol})"
raise "policy can only be set on in-built chains (with the exception of ethernet chains) (table:#{table} chain:#{chain} protocol:#{protocol})"
end

# no DROP policy on nat table
if table == 'nat' &&
value(:policy) == :drop
value(:policy) == :drop

self.fail 'The "nat" table is not intended for filtering, the use of DROP is therefore inhibited'
raise 'The "nat" table is not intended for filtering, the use of DROP is therefore inhibited'
end
end

def generate
return [] unless self.purge?
return [] unless purge?

value(:name).match(Nameformat)
chain = $1
table = $2
protocol = $3
value(:name).match(NAME_FORMAT)
chain = Regexp.last_match(1)
table = Regexp.last_match(2)
protocol = Regexp.last_match(3)

provider = case protocol
when 'IPv4'
Expand All @@ -222,13 +225,13 @@ def generate
rules_resources = Puppet::Type.type(:firewall).instances

# Keep only rules in this chain
rules_resources.delete_if { |res| (res[:provider] != provider or res.provider.properties[:table].to_s != table or res.provider.properties[:chain] != chain) }
rules_resources.delete_if { |res| (res[:provider] != provider || res.provider.properties[:table].to_s != table || res.provider.properties[:chain] != chain) }

# Remove rules which match our ignore filter
rules_resources.delete_if {|res| value(:ignore).find_index{|f| res.provider.properties[:line].match(f)}} if value(:ignore)
rules_resources.delete_if { |res| value(:ignore).find_index { |f| res.provider.properties[:line].match(f) } } if value(:ignore)

# We mark all remaining rules for deletion, and then let the catalog override us on rules which should be present
rules_resources.each {|res| res[:ensure] = :absent}
rules_resources.each { |res| res[:ensure] = :absent }

rules_resources
end
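Review bot: The type-level `validate` block now raises bare strings (`raise 'Cannot remove in-built chains'` and the three raises that follow it) where the old code called `self.fail`; inside a Puppet::Type that `fail` resolves, as far as I can tell, to Puppet::Util::Errors#fail, which raises Puppet::Error carrying the resource's file/line context, so the rewrite downgrades these validation failures to RuntimeError and loses that context. `raise Puppet::Error, 'Cannot remove in-built chains'` (and likewise for the other three) keeps the error type while still satisfying the rubocop rule that prompted the change. In the name parameter's `validate`, the multi-line ArgumentError message interpolates `Regexp.last_match(1..3)`, but that branch only runs after `value !~ NAME_FORMAT` has failed to match, so the three captures are always nil, and their labels do not line up with NAME_FORMAT's groups anyway (group 1 is the chain, not the table); dropping the `table:'…' chain:'…' protocol:'…'` tail from the message would make it accurate.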
214 changes: 106 additions & 108 deletions lib/puppet/util/firewall.rb
Expand Up @@ -6,39 +6,39 @@
module Puppet::Util::Firewall
# Translate the symbolic names for icmp packet types to integers
def icmp_name_to_number(value_icmp, protocol)
if value_icmp =~ /\d{1,2}$/
if value_icmp =~ %r{\d{1,2}$}
value_icmp
elsif protocol == 'inet'
case value_icmp
when "echo-reply" then "0"
when "destination-unreachable" then "3"
when "source-quench" then "4"
when "redirect" then "6"
when "echo-request" then "8"
when "router-advertisement" then "9"
when "router-solicitation" then "10"
when "time-exceeded" then "11"
when "parameter-problem" then "12"
when "timestamp-request" then "13"
when "timestamp-reply" then "14"
when "address-mask-request" then "17"
when "address-mask-reply" then "18"
else nil
when 'echo-reply' then '0'
when 'destination-unreachable' then '3'
when 'source-quench' then '4'
when 'redirect' then '6'
when 'echo-request' then '8'
when 'router-advertisement' then '9'
when 'router-solicitation' then '10'
when 'time-exceeded' then '11'
when 'parameter-problem' then '12'
when 'timestamp-request' then '13'
when 'timestamp-reply' then '14'
when 'address-mask-request' then '17'
when 'address-mask-reply' then '18'
else nil
end
elsif protocol == 'inet6'
case value_icmp
when "destination-unreachable" then "1"
when "too-big" then "2"
when "time-exceeded" then "3"
when "parameter-problem" then "4"
when "echo-request" then "128"
when "echo-reply" then "129"
when "router-solicitation" then "133"
when "router-advertisement" then "134"
when "neighbour-solicitation" then "135"
when "neighbour-advertisement" then "136"
when "redirect" then "137"
else nil
when 'destination-unreachable' then '1'
when 'too-big' then '2'
when 'time-exceeded' then '3'
when 'parameter-problem' then '4'
when 'echo-request' then '128'
when 'echo-reply' then '129'
when 'router-solicitation' then '133'
when 'router-advertisement' then '134'
when 'neighbour-solicitation' then '135'
when 'neighbour-advertisement' then '136'
when 'redirect' then '137'
else nil
end
else
raise ArgumentError, "unsupported protocol family '#{protocol}'"
Expand All @@ -47,23 +47,23 @@ def icmp_name_to_number(value_icmp, protocol)

# Convert log_level names to their respective numbers
def log_level_name_to_number(value)
#TODO make this 0-7 only
if value =~ /\d/
# TODO: make this 0-7 only
if value =~ %r{\d}
value
else
case value
when "panic" then "0"
when "alert" then "1"
when "crit" then "2"
when "err" then "3"
when "error" then "3"
when "warn" then "4"
when "warning" then "4"
when "not" then "5"
when "notice" then "5"
when "info" then "6"
when "debug" then "7"
else nil
when 'panic' then '0'
when 'alert' then '1'
when 'crit' then '2'
when 'err' then '3'
when 'error' then '3'
when 'warn' then '4'
when 'warning' then '4'
when 'not' then '5'
when 'notice' then '5'
when 'info' then '6'
when 'debug' then '7'
else nil
end
end
end
Expand All @@ -76,16 +76,13 @@ def log_level_name_to_number(value)
# nothing.
def string_to_port(value, proto)
proto = proto.to_s
unless proto =~ /^(tcp|udp)$/
unless proto =~ %r{^(tcp|udp)$}
proto = 'tcp'
end

m = value.to_s.match(/^(!\s+)?(\S+)/)
if m[2].match(/^\d+(-\d+)?$/)
return "#{m[1]}#{m[2]}"
else
return "#{m[1]}#{Socket.getservbyname(m[2], proto).to_s}"
end
m = value.to_s.match(%r{^(!\s+)?(\S+)})
return "#{m[1]}#{m[2]}" if m[2] =~ %r{^\d+(-\d+)?$}
"#{m[1]}#{Socket.getservbyname(m[2], proto)}"
end

# Takes an address and protocol and returns the address in CIDR notation.
Expand Down Expand Up @@ -117,7 +114,7 @@ def host_to_ip(value, proto = nil)
when :IPv6
Socket::AF_INET6
when nil
raise ArgumentError, "Proto must be specified for a hostname"
raise ArgumentError, 'Proto must be specified for a hostname'
else
raise ArgumentError, "Unsupported address family: #{proto}"
end
Expand All @@ -127,15 +124,15 @@ def host_to_ip(value, proto = nil)
begin
new_value = Puppet::Util::IPCidr.new(addr, family)
break
rescue
rescue # rubocop:disable Lint/HandleExceptions
end
end

raise "Failed to resolve hostname #{value}" unless new_value != nil
raise "Failed to resolve hostname #{value}" if new_value.nil?
value = new_value
end

return nil if value.prefixlen == 0
return nil if value.prefixlen.zero?
value.cidr
end

Expand All @@ -146,49 +143,49 @@ def host_to_ip(value, proto = nil)
# defined in host_to_ip for the host/address part.
#
def host_to_mask(value, proto)
match = value.match /(!)\s?(.*)$/
match = value.match %r{(!)\s?(.*)$}
return host_to_ip(value, proto) unless match

cidr = host_to_ip(match[2], proto)
return nil if cidr == nil
return nil if cidr.nil?
"#{match[1]} #{cidr}"
end

# Validates the argument is int or hex, and returns valid hex
# conversion of the value or nil otherwise.
def to_hex32(value)
begin
value = Integer(value)
if value.between?(0, 0xffffffff)
return '0x' + value.to_s(16)
end
rescue ArgumentError
# pass
begin
value = Integer(value)
if value.between?(0, 0xffffffff)
return '0x' + value.to_s(16)
end
return nil
rescue ArgumentError # rubocop:disable Lint/HandleExceptions
# pass
end
nil
end

def persist_iptables(proto)
debug("[persist_iptables]")
debug('[persist_iptables]')

# Basic normalisation for older Facter
os_key = Facter.value(:osfamily)
os_key ||= case Facter.value(:operatingsystem)
when 'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos', 'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer', 'VirtuozzoLinux'
'RedHat'
when 'Debian', 'Ubuntu'
'Debian'
else
Facter.value(:operatingsystem)
end
when 'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos', 'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer', 'VirtuozzoLinux'
'RedHat'
when 'Debian', 'Ubuntu'
'Debian'
else
Facter.value(:operatingsystem)
end

# Older iptables-persistent doesn't provide save action.
if os_key == 'Debian'
# We need to call flush to clear Facter cache as it's possible the cached value will be nil due to the fact
# that the iptables-persistent package was potentially installed after the initial Fact gathering.
Facter.fact(:iptables_persistent_version).flush
persist_ver = Facter.value(:iptables_persistent_version)
if (persist_ver and Puppet::Util::Package.versioncmp(persist_ver, '0.5.0') < 0)
if persist_ver && Puppet::Util::Package.versioncmp(persist_ver, '0.5.0') < 0
os_key = 'Debian_manual'
end
end
Expand All @@ -199,47 +196,48 @@ def persist_iptables(proto)
end

# RHEL 7 and newer also use systemd to persist iptable rules
if os_key == 'RedHat' && ['RedHat','CentOS','Scientific','SL','SLC','Ascendos','CloudLinux','PSBM','OracleLinux','OVS','OEL','XenServer','VirtuozzoLinux'].include?(Facter.value(:operatingsystem)) && Facter.value(:operatingsystemrelease).to_i >= 7
if os_key == 'RedHat' && %w[RedHat CentOS Scientific SL SLC Ascendos CloudLinux PSBM OracleLinux OVS OEL XenServer VirtuozzoLinux]
.include?(Facter.value(:operatingsystem)) && Facter.value(:operatingsystemrelease).to_i >= 7
os_key = 'Fedora'
end

cmd = case os_key.to_sym
when :RedHat
case proto.to_sym
when :IPv4
%w{/sbin/service iptables save}
when :IPv6
%w{/sbin/service ip6tables save}
end
when :Fedora
case proto.to_sym
when :IPv4
%w{/usr/libexec/iptables/iptables.init save}
when :IPv6
%w{/usr/libexec/iptables/ip6tables.init save}
end
when :Debian
case proto.to_sym
when :IPv4, :IPv6
if (persist_ver and Puppet::Util::Package.versioncmp(persist_ver, '1.0') > 0)
%w{/usr/sbin/service netfilter-persistent save}
else
%w{/usr/sbin/service iptables-persistent save}
end
end
when :Debian_manual
case proto.to_sym
when :IPv4
["/bin/sh", "-c", "/sbin/iptables-save > /etc/iptables/rules"]
end
when :Archlinux
case proto.to_sym
when :IPv4
["/bin/sh", "-c", "/usr/sbin/iptables-save > /etc/iptables/iptables.rules"]
when :IPv6
["/bin/sh", "-c", "/usr/sbin/ip6tables-save > /etc/iptables/ip6tables.rules"]
end
end
when :RedHat
case proto.to_sym
when :IPv4
%w[/sbin/service iptables save]
when :IPv6
%w[/sbin/service ip6tables save]
end
when :Fedora
case proto.to_sym
when :IPv4
%w[/usr/libexec/iptables/iptables.init save]
when :IPv6
%w[/usr/libexec/iptables/ip6tables.init save]
end
when :Debian
case proto.to_sym
when :IPv4, :IPv6
if persist_ver && Puppet::Util::Package.versioncmp(persist_ver, '1.0') > 0
%w[/usr/sbin/service netfilter-persistent save]
else
%w[/usr/sbin/service iptables-persistent save]
end
end
when :Debian_manual
case proto.to_sym
when :IPv4
['/bin/sh', '-c', '/sbin/iptables-save > /etc/iptables/rules']
end
when :Archlinux
case proto.to_sym
when :IPv4
['/bin/sh', '-c', '/usr/sbin/iptables-save > /etc/iptables/iptables.rules']
when :IPv6
['/bin/sh', '-c', '/usr/sbin/ip6tables-save > /etc/iptables/ip6tables.rules']
end
end

# Catch unsupported OSs from the case statement above.
if cmd.nil?
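Review bot: `to_hex32` still lets a non-string argument escape its documented "nil otherwise" contract: `Integer(nil)` and `Integer([])` raise `TypeError`, which the `rescue ArgumentError # rubocop:disable Lint/HandleExceptions` clause does not catch, so the caller gets an exception rather than nil. I cannot tell from the hunk whether the type's validation keeps nil away from this helper; if it can reach it, widen the clause to `rescue ArgumentError, TypeError # rubocop:disable Lint/HandleExceptions`. Separately, the mechanical `/…/` to `%r{…}` conversion in `string_to_port` kept the `^`/`$` anchors (`unless proto =~ %r{^(tcp|udp)$}` and `if m[2] =~ %r{^\d+(-\d+)?$}`) where whole-string `\A`/`\z` is what the checks intend; the preceding `\S+` capture keeps newlines out of `m[2]`, so it is harmless today, but it is worth normalising while these lines are being touched.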
62 changes: 28 additions & 34 deletions lib/puppet/util/ipcidr.rb
@@ -1,42 +1,36 @@

require 'ipaddr'

# IPCidr object wrapper for IPAddr
module Puppet
module Util
class IPCidr < IPAddr
def initialize(ipaddr, family = Socket::AF_UNSPEC)
begin
super(ipaddr, family)
rescue ArgumentError => e
if e.message =~ /invalid address/
raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}"
else
raise e
end
end
end
module Puppet::Util
# IPCidr object wrapper for IPAddr
class IPCidr < IPAddr
def initialize(ipaddr, family = Socket::AF_UNSPEC)
super(ipaddr, family)
rescue ArgumentError => e
raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}" if e.message =~ %r{invalid address}
raise e
end

def netmask
_to_string(@mask_addr)
end
def netmask
_to_string(@mask_addr)
end

def prefixlen
m = case @family
when Socket::AF_INET
IN4MASK
when Socket::AF_INET6
IN6MASK
else
raise "unsupported address family"
end
return $1.length if /\A(1*)(0*)\z/ =~ (@mask_addr & m).to_s(2)
raise "bad addr_mask format"
end
def prefixlen
m = case @family
when Socket::AF_INET
IN4MASK
when Socket::AF_INET6
IN6MASK
else
raise 'unsupported address family'
end
return Regexp.last_match(1).length if %r{\A(1*)(0*)\z} =~ (@mask_addr & m).to_s(2)
raise 'bad addr_mask format'
end

def cidr
cidr = sprintf("%s/%s", self.to_s, self.prefixlen)
cidr
end
def cidr
cidr = '%s/%s' % [to_s, prefixlen]
cidr
end
end
end
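Review bot: The rewritten `cidr` assigns a local `cidr` only to return it on the next line; the method body can be the single expression `format('%s/%s', to_s, prefixlen)`, which is also the form RuboCop's Style/FormatString prefers over the `%` operator (whether the operator form is flagged depends on the project's .rubocop.yml, which is not visible here). In the method-level rescue of `initialize`, `raise e` re-raises the exception currently being handled, so a bare `raise` is the idiomatic spelling. The switch from a `begin`/`rescue` around `super` to a method-level `rescue` is behaviour-preserving because `super` is the method's only statement.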
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppetlabs-firewall",
"version": "1.10.0",
"version": "1.11.0",
"author": "Puppet Labs",
"summary": "Manages Firewalls such as iptables",
"license": "Apache-2.0",
35 changes: 17 additions & 18 deletions spec/acceptance/change_source_spec.rb
Expand Up @@ -7,8 +7,7 @@
end

describe 'when unmanaged rules exist' do
it 'applies with 8.0.0.1 first' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
Expand All @@ -22,54 +21,54 @@ class { '::firewall': }
action => accept,
source => '8.0.0.2',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies with 8.0.0.1 first' do
apply_manifest(pp1, catch_failures: true)
end

it 'adds a unmanaged rule without a comment' do
shell('iptables -A INPUT -t filter -s 8.0.0.3/32 -p tcp -m multiport --ports 102 -j ACCEPT')
expect(shell('iptables-save').stdout).to match(/-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT/)
expect(shell('iptables-save').stdout).to match(%r{-A INPUT -s 8\.0\.0\.3(\/32)? -p tcp -m multiport --ports 102 -j ACCEPT})
end

it 'contains the changable 8.0.0.1 rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/)
expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.1(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT})
end
end
it 'contains the static 8.0.0.2 rule' do
it 'contains the static 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/)
expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT})
end
end

it 'changes to 8.0.0.4 second' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
port => '101',
action => accept,
source => '8.0.0.4',
}
EOS

expect(apply_manifest(pp, :catch_failures => true).stdout).to match(/Notice: \/Stage\[main\]\/Main\/Firewall\[101 test source changes\]\/source: source changed '8\.0\.0\.1\/32' to '8\.0\.0\.4\/32'/)
EOS
it 'changes to 8.0.0.4 second' do
expect(apply_manifest(pp2, catch_failures: true).stdout)
.to match(%r{Notice: \/Stage\[main\]\/Main\/Firewall\[101 test source changes\]\/source: source changed '8\.0\.0\.1\/32' to '8\.0\.0\.4\/32'})
end

it 'does not contain the old changing 8.0.0.1 rule' do
shell('iptables-save') do |r|
expect(r.stdout).to_not match(/8\.0\.0\.1/)
expect(r.stdout).not_to match(%r{8\.0\.0\.1})
end
end
it 'contains the staic 8.0.0.2 rule' do
it 'contains the staic 8.0.0.2 rule' do # rubocop:disable RSpec/RepeatedExample : The values being matched differ
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT/)
expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.2(\/32)? -p tcp -m multiport --ports 100 -m comment --comment "100 test source static" -j ACCEPT})
end
end
it 'contains the changing new 8.0.0.4 rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT/)
expect(r.stdout).to match(%r{-A INPUT -s 8\.0\.0\.4(\/32)? -p tcp -m multiport --ports 101 -m comment --comment "101 test source changes" -j ACCEPT})
end
end
end
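Review bot: The justification on the two new `# rubocop:disable RSpec/RepeatedExample : The values being matched differ` directives does not match the code: `'contains the static 8.0.0.2 rule'` and `'contains the staic 8.0.0.2 rule'` match the identical regex, and they are repeated on purpose, once before and once after the `pp2` change is applied, so the comment should say that, e.g. `# rubocop:disable RSpec/RepeatedExample : same assertion before and after the source change`. The second description also carries the typo `staic`. Hoisting `pp1`/`pp2` out of the `it` blocks into the `describe` body means the heredocs are now built at load time and shared across examples; that is harmless here because they contain no interpolation, and the same pattern is applied in connlimit_spec.rb, connmark_spec.rb, firewall_dscp_spec.rb, firewall_gid_spec.rb and firewall_iptmodules_spec.rb in this commit.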
16 changes: 8 additions & 8 deletions spec/acceptance/class_spec.rb
@@ -1,33 +1,33 @@
require 'spec_helper_acceptance'

describe "firewall class" do
it 'should run successfully' do
describe 'firewall class' do
it 'runs successfully' do
pp = "class { 'firewall': }"

# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, catch_failures: true)
if do_catch_changes
expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero
expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero
end
end

it 'ensure => stopped:' do
pp = "class { 'firewall': ensure => stopped }"

# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, catch_failures: true)
if do_catch_changes
expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero
expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero
end
end

it 'ensure => running:' do
pp = "class { 'firewall': ensure => running }"

# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, catch_failures: true)
if do_catch_changes
expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero
expect(apply_manifest(pp, catch_failures: true).exit_code).to be_zero
end
end
end
36 changes: 17 additions & 19 deletions spec/acceptance/connlimit_spec.rb
Expand Up @@ -6,37 +6,35 @@
ip6tables_flush_all_tables
end

if default['platform'] !~ /sles-10/
if default['platform'] !~ %r{sles-10}
describe 'connlimit_above' do
context '10' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall { '500 - test':
proto => tcp,
dport => '2222',
connlimit_above => '10',
action => reject,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save') do |r|
#connlimit-saddr is added in Ubuntu 14.04.
expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 32 (--connlimit-saddr )?-m comment --comment "500 - test" -j REJECT --reject-with icmp-port-unreachable/)
# connlimit-saddr is added in Ubuntu 14.04.
expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 32 (--connlimit-saddr )?-m comment --comment "500 - test" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to required size
end
end
end
end

describe 'connlimit_mask' do
context '24' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall { '501 - test':
proto => tcp,
Expand All @@ -45,16 +43,16 @@ class { '::firewall': }
connlimit_mask => '24',
action => reject,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save') do |r|
#connlimit-saddr is added in Ubuntu 14.04.
expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - test" -j REJECT --reject-with icmp-port-unreachable/)
# connlimit-saddr is added in Ubuntu 14.04.
expect(r.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - test" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to required size
end
end
end
14 changes: 6 additions & 8 deletions spec/acceptance/connmark_spec.rb
@@ -1,25 +1,23 @@
require 'spec_helper_acceptance'

describe 'connmark property' do

describe 'connmark' do
context '50' do
it 'applies' do
pp = <<-EOS
pp = <<-EOS
class { '::firewall': }
firewall { '502 - test':
proto => 'all',
connmark => '0x1',
action => reject,
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - test" -j REJECT --reject-with icmp-port-unreachable/)
expect(r.stdout).to match(%r{-A INPUT -m connmark --mark 0x1 -m comment --comment "502 - test" -j REJECT --reject-with icmp-port-unreachable})
end
end
end
375 changes: 179 additions & 196 deletions spec/acceptance/firewall_bridging_spec.rb


3 changes: 1 addition & 2 deletions spec/acceptance/firewall_clusterip_spec.rb
@@ -1,7 +1,6 @@

# These tests have been commented out, as there are suspicions that the clusterIP ipt module is causing system reboots.


# require 'spec_helper_acceptance'

# describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
Expand Down Expand Up @@ -40,7 +39,7 @@
# it 'should contain the rule' do
# pending("MODULES-2124 should be resolved for clusterip RHEL7 support") if default['platform'] =~ /el-7/
# shell('iptables-save') do |r|
# expect(r.stdout).to match(/-A FORWARD -d (1.1.1.1\/32|1.1.1.1) -i eth0 -p tcp -m comment --comment "830 - clusterip test" -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:00 --total-nodes 2 --local-node 1 --hash-init 1337/)
# expect(r.stdout).to match(/-A FORWARD -d (1.1.1.1\/32|1.1.1.1) -i eth0 -p tcp -m comment --comment "830 - clusterip test" -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:00:00 --total-nodes 2 --local-node 1 --hash-init 1337/) # rubocop:disable Metrics/LineLength : Cannot reduce length to required size
# end
# end
# end
55 changes: 25 additions & 30 deletions spec/acceptance/firewall_dscp_spec.rb
Expand Up @@ -8,8 +8,7 @@

describe 'dscp ipv4 tests' do
context 'set_dscp 0x01' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall {
'1000 - set_dscp':
Expand All @@ -20,21 +19,20 @@ class { '::firewall': }
chain => 'OUTPUT',
table => 'mangle',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save -t mangle') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01/)
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1000 - set_dscp" -j DSCP --set-dscp 0x01})
end
end
end

context 'set_dscp_class EF' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall {
'1001 EF - set_dscp_class':
Expand All @@ -45,24 +43,23 @@ class { '::firewall': }
chain => 'OUTPUT',
table => 'mangle',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e/)
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
end
end
end
end

if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'dscp ipv6 tests' do
context 'set_dscp 0x01' do
it 'applies' do
pp = <<-EOS
pp3 = <<-EOS
class { '::firewall': }
firewall {
'1002 - set_dscp':
Expand All @@ -74,21 +71,20 @@ class { '::firewall': }
table => 'mangle',
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('ip6tables-save -t mangle') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01/)
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1002 - set_dscp" -j DSCP --set-dscp 0x01})
end
end
end

context 'set_dscp_class EF' do
it 'applies' do
pp = <<-EOS
pp4 = <<-EOS
class { '::firewall': }
firewall {
'1003 EF - set_dscp_class':
Expand All @@ -100,18 +96,17 @@ class { '::firewall': }
table => 'mangle',
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e/)
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --ports 997 -m comment --comment "1003 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
end
end
end
end
end

end
80 changes: 37 additions & 43 deletions spec/acceptance/firewall_gid_spec.rb
Expand Up @@ -6,99 +6,93 @@
ip6tables_flush_all_tables
end

describe "gid tests" do
describe 'gid tests' do
context 'gid set to root' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall { '801 - test':
chain => 'OUTPUT',
action => accept,
gid => 'root',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - test" -j ACCEPT})
end
end
end

context 'gid set to !root' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall { '802 - test':
chain => 'OUTPUT',
action => accept,
gid => '!root',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "802 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "802 - test" -j ACCEPT})
end
end
end

context 'gid set to 0' do
it 'applies' do
pp = <<-EOS
pp3 = <<-EOS
class { '::firewall': }
firewall { '803 - test':
chain => 'OUTPUT',
action => accept,
gid => '0',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "803 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "803 - test" -j ACCEPT})
end
end
end

context 'gid set to !0' do
it 'applies' do
pp = <<-EOS
pp4 = <<-EOS
class { '::firewall': }
firewall { '804 - test':
chain => 'OUTPUT',
action => accept,
gid => '!0',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "804 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner ! --gid-owner (0|root) -m comment --comment "804 - test" -j ACCEPT})
end
end
end

end

end
147 changes: 70 additions & 77 deletions spec/acceptance/firewall_iptmodules_spec.rb
@@ -1,4 +1,4 @@
require 'spec_helper_acceptance'
require 'spec_helper_acceptance'

describe 'firewall iptmodules' do
before :all do
Expand All @@ -8,8 +8,7 @@

describe 'iptables ipt_modules tests' do
context 'all the modules with multiple args' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
Expand All @@ -26,22 +25,21 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
end
end
end

context 'all the modules with single args' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
Expand All @@ -54,26 +52,25 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
end
end
end
end

#iptables version 1.3.5 is not suppored by the ip6tables provider
if default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-14\.04/
describe 'ip6tables ipt_modules tests' do
context 'all the modules with multiple args' do
it 'applies' do
pp = <<-EOS
# iptables version 1.3.5 is not suppored by the ip6tables provider
if default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{ubuntu-14\.04}
describe 'ip6tables ipt_modules tests' do
context 'all the modules with multiple args' do
pp3 = <<-EOS
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
Expand All @@ -91,22 +88,21 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
end
EOS
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable/)
end
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
end
end
end

context 'all the modules with single args' do
it 'applies' do
pp = <<-EOS
context 'all the modules with single args' do
pp4 = <<-EOS
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
Expand All @@ -120,26 +116,25 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
end
EOS
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable/)
end
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
end
end
end
# Older OSes don't have addrtype so we leave those properties out.
# el-5 doesn't support ipv6 by default
elsif default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
describe 'ip6tables ipt_modules tests' do
context 'all the modules with multiple args' do
it 'applies' do
pp = <<-EOS
end
# Older OSes don't have addrtype so we leave those properties out.
# el-5 doesn't support ipv6 by default
elsif default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'ip6tables ipt_modules tests' do
context 'all the modules with multiple args' do
pp5 = <<-EOS
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
Expand All @@ -155,22 +150,21 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
end
EOS
it 'applies' do
apply_manifest(pp5, catch_failures: true)
apply_manifest(pp5, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable/)
end
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
end
end
end

context 'all the modules with single args' do
it 'applies' do
pp = <<-EOS
context 'all the modules with single args' do
pp6 = <<-EOS
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
Expand All @@ -183,19 +177,18 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
end
EOS
it 'applies' do
apply_manifest(pp6, catch_failures: true)
apply_manifest(pp6, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable/)
end
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength : Cannot reduce length to the required size
end
end
end
end

end
end
55 changes: 25 additions & 30 deletions spec/acceptance/firewall_mss_spec.rb
Expand Up @@ -8,8 +8,7 @@

describe 'mss ipv4 tests' do
context '1360' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall {
'502 - set_mss':
Expand All @@ -21,21 +20,20 @@ class { '::firewall': }
chain => 'FORWARD',
table => 'mangle',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save -t mangle') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360/)
expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
end
end
end

context 'clamp_mss_to_pmtu' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
Expand All @@ -45,24 +43,23 @@ class { '::firewall': }
jump => 'TCPMSS',
clamp_mss_to_pmtu => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
end
end
end
end

if default['platform'] !~ /el-5/ and default['platform'] !~ /sles-10/
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'mss ipv6 tests' do
context '1360' do
it 'applies' do
pp = <<-EOS
pp3 = <<-EOS
class { '::firewall': }
firewall {
'502 - set_mss':
Expand All @@ -75,21 +72,20 @@ class { '::firewall': }
table => 'mangle',
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('ip6tables-save -t mangle') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360/)
expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "502 - set_mss" -j TCPMSS --set-mss 1360})
end
end
end

context 'clamp_mss_to_pmtu' do
it 'applies' do
pp = <<-EOS
pp4 = <<-EOS
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
Expand All @@ -100,18 +96,17 @@ class { '::firewall': }
clamp_mss_to_pmtu => true,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
expect(r.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
end
end
end
end
end

end
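Review bot: None of the four `applies` examples in this section (the ipv4 `1360` and `clamp_mss_to_pmtu` contexts and their ipv6 twins) re-applies the manifest, so a TCPMSS rule that the provider writes but cannot read back — and therefore re-inserts on every Puppet run — would still pass here. The time, uid and firewallchain specs in this same commit follow each `apply_manifest(ppN, catch_failures: true)` with `apply_manifest(ppN, catch_changes: do_catch_changes)`; adding that second line to each of the four examples makes the idempotency contract explicit for `--set-mss` and `--clamp-mss-to-pmtu` as well. The top-level describe that encloses these examples starts above the hunk.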
1,525 changes: 713 additions & 812 deletions spec/acceptance/firewall_spec.rb


29 changes: 13 additions & 16 deletions spec/acceptance/firewall_tee_spec.rb
Expand Up @@ -6,11 +6,10 @@
ip6tables_flush_all_tables
end

if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /ubuntu-1204/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{ubuntu-1204} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7}
describe 'tee_gateway' do
context '10.0.0.2' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall {
'810 - tee_gateway':
Expand All @@ -20,23 +19,22 @@ class { '::firewall': }
gateway => '10.0.0.2',
proto => all,
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('iptables-save -t mangle') do |r|
expect(r.stdout).to match(/-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2/)
expect(r.stdout).to match(%r{-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2})
end
end
end
end

describe 'tee_gateway6' do
context '2001:db8::1' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall {
'811 - tee_gateway6':
Expand All @@ -47,18 +45,17 @@ class { '::firewall': }
proto => all,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end

it 'should contain the rule' do
it 'contains the rule' do
shell('ip6tables-save -t mangle') do |r|
expect(r.stdout).to match(/-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1/)
expect(r.stdout).to match(%r{-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1})
end
end
end
end
end

end
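Review bot: The ipv4 assertion in the `10.0.0.2` context uses unescaped dots, `--gateway 10.0.0.2`, so the regex also accepts any character between the octets; write `--gateway 10\.0\.0\.2` (or build the pattern with `Regexp.escape`) so the check pins the exact gateway the manifest asked for. The ipv6 pattern `--gateway 2001:db8::1` contains no metacharacters and is fine as written. Separately, both `applies` examples apply the manifest once with `catch_failures: true` only; the uid and time specs in this commit follow that with `apply_manifest(ppN, catch_changes: do_catch_changes)`, and a TEE rule the provider cannot parse back would otherwise go unnoticed. The enclosing top-level describe and the `before :all` block whose `ip6tables_flush_all_tables` call opens the hunk start above it.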
44 changes: 21 additions & 23 deletions spec/acceptance/firewall_time_spec.rb
Expand Up @@ -6,11 +6,10 @@
ip6tables_flush_all_tables
end

if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
describe "time tests ipv4" do
if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7}
describe 'time tests ipv4' do
context 'set all time parameters' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
Expand All @@ -25,24 +24,23 @@ class { '::firewall': }
week_days => 'Tue',
kernel_timezone => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line length to the required size
end
end
end
end

describe "time tests ipv6" do
describe 'time tests ipv6' do
context 'set all time parameters' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
Expand All @@ -58,16 +56,16 @@ class { '::firewall': }
kernel_timezone => true,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line length to the required size
end
end
end
end
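Review bot: The two `contains the rule` assertions carry `# rubocop:disable Metrics/LineLength` because the expected rule is written inline as a 200-plus character regex; since that pattern contains no regex metacharacters, holding it in a local built from adjacent string literals and matching with `include` keeps the cop enabled and gives a readable failure diff. The same shape applies to the ipv6 example with `ip6tables-save`. Both manifests reuse the resource title `'805 - test'`, which is presumably harmless because each is applied separately, but distinct titles (as the tee spec does with 810/811) would make a rule that lands in the wrong table easier to attribute. The `if default['platform'] =~ ...` guard opens at the top of the hunk and its closing `end` lies below it.
```ruby
it 'contains the rule' do
  expected = '-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 ' \
             '--monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz ' \
             '-m comment --comment "805 - test" -j ACCEPT'
  shell('iptables-save') do |r|
    expect(r.stdout).to include(expected)
  end
end
```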
80 changes: 37 additions & 43 deletions spec/acceptance/firewall_uid_spec.rb
Expand Up @@ -6,99 +6,93 @@
ip6tables_flush_all_tables
end

describe "uid tests" do
describe 'uid tests' do
context 'uid set to root' do
it 'applies' do
pp = <<-EOS
pp1 = <<-EOS
class { '::firewall': }
firewall { '801 - test':
chain => 'OUTPUT',
action => accept,
uid => 'root',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "801 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "801 - test" -j ACCEPT})
end
end
end

context 'uid set to !root' do
it 'applies' do
pp = <<-EOS
pp2 = <<-EOS
class { '::firewall': }
firewall { '802 - test':
chain => 'OUTPUT',
action => accept,
uid => '!root',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "802 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "802 - test" -j ACCEPT})
end
end
end

context 'uid set to 0' do
it 'applies' do
pp = <<-EOS
pp3 = <<-EOS
class { '::firewall': }
firewall { '803 - test':
chain => 'OUTPUT',
action => accept,
uid => '0',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "803 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner --uid-owner (0|root) -m comment --comment "803 - test" -j ACCEPT})
end
end
end

context 'uid set to !0' do
it 'applies' do
pp = <<-EOS
pp4 = <<-EOS
class { '::firewall': }
firewall { '804 - test':
chain => 'OUTPUT',
action => accept,
uid => '!0',
proto => 'all',
}
EOS

apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
EOS
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - test" -j ACCEPT/)
end
it 'contains the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(%r{-A OUTPUT -m owner ! --uid-owner (0|root) -m comment --comment "804 - test" -j ACCEPT})
end
end
end

end

end
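Review bot: The four contexts in `uid tests` (`root`, `!root`, `0`, `!0`) are the same manifest and the same assertion with three values swapped, so they are better expressed as one data table driving a loop; that removes roughly sixty duplicated lines and guarantees the negated cases keep asserting the `! --uid-owner` form while the positive ones assert `--uid-owner`. The `(0|root)` alternation and the `-m comment --comment "80N - test"` tail stay exactly as they are, and the double `apply_manifest` idempotency check is preserved. The enclosing top-level describe and its `before :all` flush start above the hunk.
```ruby
describe 'uid tests' do
  [
    ['801', 'root',  '--uid-owner (0|root)'],
    ['802', '!root', '! --uid-owner (0|root)'],
    ['803', '0',     '--uid-owner (0|root)'],
    ['804', '!0',    '! --uid-owner (0|root)'],
  ].each do |num, uid, owner_match|
    context "uid set to #{uid}" do
      manifest = <<-EOS
        class { '::firewall': }
        firewall { '#{num} - test':
          chain  => 'OUTPUT',
          action => accept,
          uid    => '#{uid}',
          proto  => 'all',
        }
      EOS
      it 'applies' do
        apply_manifest(manifest, catch_failures: true)
        apply_manifest(manifest, catch_changes: do_catch_changes)
      end

      it 'contains the rule' do
        shell('iptables-save') do |r|
          expect(r.stdout).to match(%r{-A OUTPUT -m owner #{owner_match} -m comment --comment "#{num} - test" -j ACCEPT})
        end
      end
    end
  end
end
```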
66 changes: 33 additions & 33 deletions spec/acceptance/firewallchain_spec.rb
Expand Up @@ -8,48 +8,47 @@

describe 'ensure' do
context 'present' do
it 'applies cleanly' do
pp = <<-EOS
pp1 = <<-EOS
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => present,
}
EOS
EOS
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
end

it 'finds the chain' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/MY_CHAIN/)
expect(r.stdout).to match(%r{MY_CHAIN})
end
end
end

context 'absent' do
it 'applies cleanly' do
pp = <<-EOS
pp2 = <<-EOS
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => absent,
}
EOS
EOS
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
end

it 'fails to find the chain' do
shell('iptables-save') do |r|
expect(r.stdout).to_not match(/MY_CHAIN/)
expect(r.stdout).not_to match(%r{MY_CHAIN})
end
end
end
end

# XXX purge => false is not yet implemented
#context 'adding a firewall rule to a chain:' do
# it 'applies cleanly' do
# pp = <<-EOS
# context 'adding a firewall rule to a chain:' do
# pp3 = <<-EOS
# firewallchain { 'MY_CHAIN:filter:IPv4':
# ensure => present,
# }
Expand All @@ -60,15 +59,15 @@
# dport => 5000,
# }
# EOS
# it 'applies cleanly' do
# # Run it twice and test for idempotency
# apply_manifest(pp, :catch_failures => true)
# apply_manifest(pp, :catch_changes => do_catch_changes)
# apply_manifest(pp3, :catch_failures => true)
# apply_manifest(pp3, :catch_changes => do_catch_changes)
# end
#end
# end

#context 'not purge firewallchain chains:' do
# it 'does not purge the rule' do
# pp = <<-EOS
# context 'not purge firewallchain chains:' do
# pp4 = <<-EOS
# firewallchain { 'MY_CHAIN:filter:IPv4':
# ensure => present,
# purge => false,
Expand All @@ -78,48 +77,49 @@
# purge => true,
# }
# EOS
# it 'does not purge the rule' do
# # Run it twice and test for idempotency
# apply_manifest(pp, :catch_failures => true) do |r|
# apply_manifest(pp4, :catch_failures => true) do |r|
# expect(r.stdout).to_not match(/removed/)
# expect(r.stderr).to eq('')
# end
# apply_manifest(pp, :catch_changes => do_catch_changes)
# apply_manifest(pp4, :catch_changes => do_catch_changes)
# end

# it 'still has the rule' do
# pp = <<-EOS
# pp5 = <<-EOS
# firewall { '100 my rule':
# chain => 'MY_CHAIN',
# action => 'accept',
# proto => 'tcp',
# dport => 5000,
# }
# EOS
# it 'still has the rule' do
# # Run it twice and test for idempotency
# apply_manifest(pp, :catch_changes => do_catch_changes)
# apply_manifest(pp5, :catch_changes => do_catch_changes)
# end
#end
# end

describe 'policy' do
after :all do
shell('iptables -t filter -P FORWARD ACCEPT')
end

context 'DROP' do
it 'applies cleanly' do
pp = <<-EOS
pp6 = <<-EOS
firewallchain { 'FORWARD:filter:IPv4':
policy => 'drop',
}
EOS
EOS
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => do_catch_changes)
apply_manifest(pp6, catch_failures: true)
apply_manifest(pp6, catch_changes: do_catch_changes)
end

it 'finds the chain' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/FORWARD DROP/)
expect(r.stdout).to match(%r{FORWARD DROP})
end
end
end
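Review bot: The `absent` context's `fails to find the chain` example passes vacuously if `MY_CHAIN` was never created, since it only asserts `not_to match(%r{MY_CHAIN})` and silently depends on the `present` context having run first; creating the chain up front, e.g. `before(:all) { shell('iptables -N MY_CHAIN', acceptable_exit_codes: [0, 1]) }` (exit 1 when the `present` context already made it), makes the removal the thing actually under test. Both patterns are also unanchored, so a chain named `MY_CHAIN2` would satisfy `finds the chain` and defeat `fails to find the chain`; `%r{^:MY_CHAIN }` pins the `:MY_CHAIN - [0:0]` line iptables-save emits for a user chain. The commented-out purge tests were partially converted (pp3/pp4/pp5) but still use `:catch_failures =>` and `to_not`, so they will keep drifting from the live code; either finish the conversion or drop the dead block until `purge => false` exists. The `finds the chain` example under `policy`/`DROP` really checks the policy, so `it 'sets the FORWARD policy to DROP'` would describe it honestly. The `policy` describe continues below the hunk.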