diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
@@ -117,6 +117,34 @@
       :sport => ["15","512-1024"],
     },
   },
+  'dst_type_1' => {
+    :line => '-A INPUT -m addrtype --dst-type LOCAL',
+    :table => 'filter',
+    :params => {
+      :dst_type => 'LOCAL',
+    },
+  },
+  'src_type_1' => {
+    :line => '-A INPUT -m addrtype --src-type LOCAL',
+    :table => 'filter',
+    :params => {
+      :src_type => 'LOCAL',
+    },
+  },
+  'dst_range_1' => {
+    :line => '-A INPUT -m iprange --dst-range 10.0.0.2-10.0.0.20',
+    :table => 'filter',
+    :params => {
+      :dst_range => '10.0.0.2-10.0.0.20',
+    },
+  },
+  'src_range_1' => {
+    :line => '-A INPUT -m iprange --src-range 10.0.0.2-10.0.0.20',
+    :table => 'filter',
+    :params => {
+      :src_range => '10.0.0.2-10.0.0.20',
+    },
+  },
   'tcp_flags_1' => {
     :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
     :table => 'filter',
@@ -167,12 +195,22 @@
       :jump => 'LOG'
     },
   },
-  'load_limit_module' => {
+  'load_limit_module_and_implicit_burst' => {
     :line => '-A INPUT -m multiport --dports 123 -m comment --comment "057 INPUT limit NTP" -m limit --limit 15/hour',
     :table => 'filter',
     :params => {
       :dport => ['123'],
-      :limit => '15/hour'
+      :limit => '15/hour',
+      :burst => '5'
+    },
+  },
+  'limit_with_explicit_burst' => {
+    :line => '-A INPUT -m multiport --dports 123 -m comment --comment "057 INPUT limit NTP" -m limit --limit 30/hour --limit-burst 10',
+    :table => 'filter',
+    :params => {
+      :dport => ['123'],
+      :limit => '30/hour',
+      :burst => '10'
     },
   },
   'proto_ipencap' => {
@@ -299,9 +337,10 @@
     },
   },
   'isfragment_option' => {
-    :line => '-A INPUT -f -j ACCEPT',
+    :line => '-A INPUT -f -m comment --comment "010 a-f comment with dashf" -j ACCEPT',
     :table => 'filter',
     :params => {
+      :name => '010 a-f comment with dashf',
       :action => 'accept',
       :isfragment => true,
     },
@@ -478,6 +517,38 @@
     },
     :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "15,512:1024", "-m", "comment", "--comment", "100 sport range"],
   },
+  'dst_type_1' => {
+    :params => {
+      :name => '000 dst_type',
+      :table => 'filter',
+      :dst_type => 'LOCAL',
+    },
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'addrtype', '--dst-type', :LOCAL, '-m', 'comment', '--comment', '000 dst_type'],
+  },
+  'src_type_1' => {
+    :params => {
+      :name => '000 src_type',
+      :table => 'filter',
+      :src_type => 'LOCAL',
+    },
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'addrtype', '--src-type', :LOCAL, '-m', 'comment', '--comment', '000 src_type'],
+  },
+  'dst_range_1' => {
+    :params => {
+      :name => '000 dst_range',
+      :table => 'filter',
+      :dst_range => '10.0.0.1-10.0.0.10',
+    },
+    :args => ['-t', :filter, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-p', :tcp, '-m', 'comment', '--comment', '000 dst_range'],
+  },
+  'src_range_1' => {
+    :params => {
+      :name => '000 src_range',
+      :table => 'filter',
+      :dst_range => '10.0.0.1-10.0.0.10',
+    },
+    :args => ['-t', :filter, '-m', 'iprange', '--dst-range', '10.0.0.1-10.0.0.10', '-p', :tcp, '-m', 'comment', '--comment', '000 src_range'],
+  },
   'tcp_flags_1' => {
     :params => {
       :name => "000 initiation",
@@ -532,7 +603,7 @@
     },
     :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '956 INPUT log-level', '-m', 'state', '--state', 'NEW', '-j', 'LOG', '--log-level', '4'],
   },
-  'load_limit_module' => {
+  'load_limit_module_and_implicit_burst' => {
     :params => {
       :name => '057 INPUT limit NTP',
       :table => 'filter',
@@ -541,6 +612,16 @@
     },
     :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'comment', '--comment', '057 INPUT limit NTP', '-m', 'limit', '--limit', '15/hour'],
   },
+  'limit_with_explicit_burst' => {
+    :params => {
+      :name => '057 INPUT limit NTP',
+      :table => 'filter',
+      :dport => '123',
+      :limit => '30/hour',
+      :burst => '10'
+    },
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'comment', '--comment', '057 INPUT limit NTP', '-m', 'limit', '--limit', '30/hour', '--limit-burst', '10'],
+  },
   'proto_ipencap' => {
     :params => {
       :name => '0100 INPUT accept ipencap',
@@ -724,4 +805,13 @@
     },
     :args => ['-t', :filter, '-p', :all, '-f', '-m', 'comment', '--comment', '050 isfragment option', '-j', 'ACCEPT'],
   },
+  'isfragment_option not changing -f in comment' => {
+    :params => {
+      :name => '050 testcomment-with-fdashf',
+      :table => 'filter',
+      :proto => :all,
+      :action => 'accept',
+    },
+    :args => ['-t', :filter, '-p', :all, '-m', 'comment', '--comment', '050 testcomment-with-fdashf', '-j', 'ACCEPT'],
+  },
 }
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -21,7 +21,9 @@
 
 RSpec.configure do |config|
   config.tty = true
-  config.mock_with :mocha
+  config.mock_with :rspec do |c|
+    c.syntax = :expect
+  end
   config.module_path = File.join(fixture_path, 'modules')
   config.manifest_dir = File.join(fixture_path, 'manifests')
 end
diff --git a/spec/system/params_spec.rb b/spec/system/params_spec.rb
@@ -124,4 +124,43 @@ def pp(params)
       r.exit_code.should be_zero
     end
   end
+
+  it 'test src_range rule' do
+    iptables_flush_all_tables
+
+    ppm = pp({
+      'name'      => '997 block src ip range',
+      'chain'     => 'INPUT',
+      'proto'     => 'all',
+      'action'    => 'drop',
+      'src_range' => '"10.0.0.1-10.0.0.10"',
+    })
+    puppet_apply(ppm) do |r|
+      r.exit_code.should == 2
+      r.stderr.should be_empty
+      r.refresh
+      r.stderr.should be_empty
+      r.exit_code.should be_zero
+    end
+  end
+
+  it 'test dst_range rule' do
+    iptables_flush_all_tables
+
+    ppm = pp({
+      'name'      => '998 block dst ip range',
+      'chain'     => 'INPUT',
+      'proto'     => 'all',
+      'action'    => 'drop',
+      'dst_range' => '"10.0.0.2-10.0.0.20"',
+    })
+    puppet_apply(ppm) do |r|
+      r.exit_code.should == 2
+      r.stderr.should be_empty
+      r.refresh
+      r.stderr.should be_empty
+      r.exit_code.should be_zero
+    end
+  end
+
 end
diff --git a/spec/unit/puppet/provider/iptables_chain_spec.rb b/spec/unit/puppet/provider/iptables_chain_spec.rb
@@ -15,32 +15,32 @@
 
   it "should default to iptables provider if /sbin/(eb|ip|ip6)tables[-save] exists" do
     # Stub lookup for /sbin/iptables & /sbin/iptables-save
-    exists.any_instance.stubs(:which).with("ebtables").
-      returns "/sbin/ebtables"
-    exists.any_instance.stubs(:which).with("ebtables-save").
-      returns "/sbin/ebtables-save"
+    allow(exists).to receive(:which).with("ebtables").
+      and_return "/sbin/ebtables"
+    allow(exists).to receive(:which).with("ebtables-save").
+      and_return "/sbin/ebtables-save"
 
-    exists.any_instance.stubs(:which).with("iptables").
-      returns "/sbin/iptables"
-    exists.any_instance.stubs(:which).with("iptables-save").
-      returns "/sbin/iptables-save"
+    allow(exists).to receive(:which).with("iptables").
+      and_return "/sbin/iptables"
+    allow(exists).to receive(:which).with("iptables-save").
+      and_return "/sbin/iptables-save"
 
-    exists.any_instance.stubs(:which).with("ip6tables").
-      returns "/sbin/ip6tables"
-    exists.any_instance.stubs(:which).with("ip6tables-save").
-      returns "/sbin/ip6tables-save"
+    allow(exists).to receive(:which).with("ip6tables").
+      and_return "/sbin/ip6tables"
+    allow(exists).to receive(:which).with("ip6tables-save").
+      and_return "/sbin/ip6tables-save"
 
     # Every other command should return false so we don't pick up any
     # other providers
-    exists.any_instance.stubs(:which).with() { |value|
+    allow(exists).to receive(:which).with() { |value|
       value !~ /(eb|ip|ip6)tables(-save)?$/
-    }.returns false
+    }.and_return false
 
     # Create a resource instance and make sure the provider is iptables
     resource = Puppet::Type.type(:firewallchain).new({
       :name => 'test:filter:IPv4',
     })
-    resource.provider.class.to_s.should == "Puppet::Type::Firewallchain::ProviderIptables_chain"
+    expect(resource.provider.class.to_s).to eq("Puppet::Type::Firewallchain::ProviderIptables_chain")
   end
 end
 
@@ -53,21 +53,21 @@
   }
 
   before :each do
-    Puppet::Type::Firewallchain.stubs(:defaultprovider).returns provider
-    provider.stubs(:command).with(:ebtables_save).returns "/sbin/ebtables-save"
-    provider.stubs(:command).with(:iptables_save).returns "/sbin/iptables-save"
-    provider.stubs(:command).with(:ip6tables_save).returns "/sbin/ip6tables-save"
+    allow(Puppet::Type::Firewallchain).to receive(:defaultprovider).and_return provider
+    allow(provider).to receive(:command).with(:ebtables_save).and_return "/sbin/ebtables-save"
+    allow(provider).to receive(:command).with(:iptables_save).and_return "/sbin/iptables-save"
+    allow(provider).to receive(:command).with(:ip6tables_save).and_return "/sbin/ip6tables-save"
   end
 
   it 'should be able to get a list of existing rules' do
     # Pretend to return nil from iptables
-    provider.stubs(:execute).with(['/sbin/ip6tables-save']).returns("")
-    provider.stubs(:execute).with(['/sbin/ebtables-save']).returns("")
-    provider.stubs(:execute).with(['/sbin/iptables-save']).returns("")
+    allow(provider).to receive(:execute).with(['/sbin/ip6tables-save']).and_return("")
+    allow(provider).to receive(:execute).with(['/sbin/ebtables-save']).and_return("")
+    allow(provider).to receive(:execute).with(['/sbin/iptables-save']).and_return("")
 
     provider.instances.each do |chain|
-      chain.should be_instance_of(provider)
-      chain.properties[:provider].to_s.should == provider.name.to_s
+      expect(chain).to be_instance_of(provider)
+      expect(chain.properties[:provider].to_s).to eq(provider.name.to_s)
     end
   end
 
@@ -89,7 +89,7 @@
                 'NAT:OUTPUT:ethernet',
                 'NAT:POSTROUTING:ethernet',
                ]
-    provider.stubs(:execute).with(['/sbin/ebtables-save']).returns('
+    allow(provider).to receive(:execute).with(['/sbin/ebtables-save']).and_return('
 *broute
 :BROUTING ACCEPT
 :broute ACCEPT
@@ -126,7 +126,7 @@
      'NAT:mangle:IPv4',
      ':$5()*&%\'"^$): :IPv4',
     ]
-    provider.stubs(:execute).with(['/sbin/iptables-save']).returns('
+    allow(provider).to receive(:execute).with(['/sbin/iptables-save']).and_return('
 # Generated by iptables-save v1.4.9 on Mon Jan  2 01:20:06 2012
 *raw
 :PREROUTING ACCEPT [12:1780]
@@ -175,7 +175,7 @@
       ':OUTPUT:IPv6',
       ':test:IPv6',
     ]
-    provider.stubs(:execute).with(['/sbin/ip6tables-save']).returns('
+    allow(provider).to receive(:execute).with(['/sbin/ip6tables-save']).and_return('
 # Generated by ip6tables-save v1.4.9 on Mon Jan  2 01:31:39 2012
 *raw
 :PREROUTING ACCEPT [2173:489241]

diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
@@ -15,22 +15,22 @@
 
   it "should default to iptables provider if /sbin/iptables[-save] exists" do
     # Stub lookup for /sbin/iptables & /sbin/iptables-save
-    exists.any_instance.stubs(:which).with("iptables").
-      returns "/sbin/iptables"
-    exists.any_instance.stubs(:which).with("iptables-save").
-      returns "/sbin/iptables-save"
+    allow(exists).to receive(:which).with("iptables").
+      and_return "/sbin/iptables"
+    allow(exists).to receive(:which).with("iptables-save").
+      and_return "/sbin/iptables-save"
 
     # Every other command should return false so we don't pick up any
     # other providers
-    exists.any_instance.stubs(:which).with() { |value|
+    allow(exists).to receive(:which).with() { |value|
       ! ["iptables","iptables-save"].include?(value)
-    }.returns false
+    }.and_return false
 
     # Create a resource instance and make sure the provider is iptables
     resource = Puppet::Type.type(:firewall).new({
       :name => '000 test foo',
     })
-    resource.provider.class.to_s.should == "Puppet::Type::Firewall::ProviderIptables"
+    expect(resource.provider.class.to_s).to eq("Puppet::Type::Firewall::ProviderIptables")
   end
 end
 
@@ -45,28 +45,28 @@
 
   before :each do
     Puppet::Type::Firewall.stubs(:defaultprovider).returns provider
-    provider.stubs(:command).with(:iptables_save).returns "/sbin/iptables-save"
+    allow(provider).to receive(:command).with(:iptables_save).and_return "/sbin/iptables-save"
 
     # Stub iptables version
-    Facter.fact(:iptables_version).stubs(:value).returns("1.4.2")
+    allow(Facter.fact(:iptables_version)).to receive(:value).and_return("1.4.2")
 
-    Puppet::Util::Execution.stubs(:execute).returns ""
-    Puppet::Util.stubs(:which).with("iptables-save").
-      returns "/sbin/iptables-save"
+    allow(Puppet::Util::Execution).to receive(:execute).and_return ""
+    allow(Puppet::Util).to receive(:which).with("iptables-save").
+      and_return "/sbin/iptables-save"
   end
 
   it 'should be able to get a list of existing rules' do
     provider.instances.each do |rule|
-      rule.should be_instance_of(provider)
-      rule.properties[:provider].to_s.should == provider.name.to_s
+      expect(rule).to be_instance_of(provider)
+      expect(rule.properties[:provider].to_s).to eq(provider.name.to_s)
     end
   end
 
   it 'should ignore lines with fatal errors' do
-    Puppet::Util::Execution.stubs(:execute).with(['/sbin/iptables-save']).
-      returns("FATAL: Could not load /lib/modules/2.6.18-028stab095.1/modules.dep: No such file or directory")
+    allow(Puppet::Util::Execution).to receive(:execute).with(['/sbin/iptables-save']).
+      and_return("FATAL: Could not load /lib/modules/2.6.18-028stab095.1/modules.dep: No such file or directory")
 
-    provider.instances.length.should == 0
+    expect(provider.instances.length).to be_zero
   end
 
   # Load in ruby hash for test fixtures.
@@ -80,7 +80,7 @@
         # If this option is enabled, make sure the parameters exactly match
         if data[:compare_all] then
           it "the parameter hash keys should be the same as returned by rules_to_hash" do
-            resource.keys.should =~ data[:params].keys
+            expect(resource.keys).to match_array(data[:params].keys)
           end
         end
 
@@ -89,9 +89,9 @@
           it "the parameter '#{param_name.to_s}' should match #{param_value.inspect}" do
             # booleans get cludged to string "true"
             if param_value == true then
-              resource[param_name].should == "true"
+              expect(resource[param_name]).to be_true
             else
-              resource[param_name].should == data[:params][param_name]
+              expect(resource[param_name]).to eq(data[:params][param_name])
             end
           end
         end
@@ -107,7 +107,7 @@
         let(:instance) { provider.new(resource) }
 
         it 'general_args should be valid' do
-          instance.general_args.flatten.should == data[:args]
+          expect(instance.general_args.flatten).to eq(data[:args])
         end
       end
     end
@@ -121,23 +121,23 @@
     let(:instance) { provider.new(resource) }
 
     it 'rule name contains a MD5 sum of the line' do
-      resource[:name].should == "9000 #{Digest::MD5.hexdigest(resource[:line])}"
+      expect(resource[:name]).to eq("9000 #{Digest::MD5.hexdigest(resource[:line])}")
     end
   end
 
   describe 'when creating resources' do
     let(:instance) { provider.new(resource) }
 
     it 'insert_args should be an array' do
-      instance.insert_args.class.should == Array
+      expect(instance.insert_args.class).to eq(Array)
     end
   end
 
   describe 'when modifying resources' do
     let(:instance) { provider.new(resource) }
 
     it 'update_args should be an array' do
-      instance.update_args.class.should == Array
+      expect(instance.update_args.class).to eq(Array)
     end
   end
 
@@ -153,12 +153,12 @@
     end
 
     it 'delete_args is an array' do
-      instance.delete_args.class.should == Array
+      expect(instance.delete_args.class).to eq(Array)
     end
 
     it 'delete_args is the same as the rule string when joined' do
-      instance.delete_args.join(' ').should == sample_rule.gsub(/\-A/,
-        '-t filter -D')
+      expect(instance.delete_args.join(' ')).to eq(sample_rule.gsub(/\-A/,
+        '-t filter -D'))
     end
   end
 end
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
@@ -7,14 +7,19 @@
 describe firewall do
   before :each do
     @class = firewall
-    @provider = stub 'provider'
+    @provider = double 'provider'
     @provider.stubs(:name).returns(:iptables)
     Puppet::Type::Firewall.stubs(:defaultprovider).returns @provider
 
     @resource = @class.new({:name  => '000 test foo'})
 
     # Stub iptables version
     Facter.fact(:iptables_version).stubs(:value).returns("1.4.2")
+    Facter.fact(:ip6tables_version).stubs(:value).returns("1.4.2")
+
+    # Stub confine facts
+    Facter.fact(:kernel).stubs(:value).returns("Linux")
+    Facter.fact(:operatingsystem).stubs(:value).returns("Debian")
   end
 
   it 'should have :name be its namevar' do
@@ -172,6 +177,27 @@
     end
   end
 
+  [:dst_type, :src_type].each do |addrtype|
+    describe addrtype do
+      it "should have no default" do
+        res = @class.new(:name => "000 test")
+        res.parameters[addrtype].should == nil
+      end
+    end
+
+    [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE,
+     :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].each do |type|
+      it "should accept #{addrtype} value #{type}" do
+        @resource[addrtype] = type
+        @resource[addrtype].should == type
+      end
+    end
+
+    it "should fail when #{addrtype} value is not recognized" do
+      lambda { @resource[addrtype] = 'foo' }.should raise_error(Puppet::Error)
+    end
+  end
+
   [:iniface, :outiface].each do |iface|
     describe iface do
       it "should accept #{iface} value as a string" do
@@ -309,7 +335,7 @@
           :action => "accept",
           :jump => "custom_chain"
         )
-      }.to raise_error(Puppet::Error, /^Only one of the parameters 'action' and 'jump' can be set$/)
+      }.to raise_error(Puppet::Error, /Only one of the parameters 'action' and 'jump' can be set$/)
     end
   end
   describe ':gid and :uid' do

diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb
@@ -5,9 +5,14 @@
 firewallchain = Puppet::Type.type(:firewallchain)
 
 describe firewallchain do
+  before do
+    # Stub confine facts
+    Facter.fact(:kernel).stubs(:value).returns("Linux")
+    Facter.fact(:operatingsystem).stubs(:value).returns("Debian")
+  end
   let(:klass) { firewallchain }
   let(:provider) {
-    prov = stub 'provider'
+    prov = double 'provider'
     prov.stubs(:name).returns(:iptables_chain)
     prov
   }

diff --git a/spec/unit/puppet/util/firewall_spec.rb b/spec/unit/puppet/util/firewall_spec.rb
@@ -3,9 +3,9 @@
 describe 'Puppet::Util::Firewall' do
   let(:resource) {
     type = Puppet::Type.type(:firewall)
-    provider = stub 'provider'
-    provider.stubs(:name).returns(:iptables)
-    Puppet::Type::Firewall.stubs(:defaultprovider).returns(provider)
+    provider = double 'provider'
+    allow(provider).to receive(:name).and_return(:iptables)
+    allow(Puppet::Type::Firewall).to receive(:defaultprovider).and_return(provider)
     type.new({:name => '000 test foo'})
   }
 
@@ -14,7 +14,7 @@
   describe '#host_to_ip' do
     subject { resource }
     specify {
-      Resolv.expects(:getaddress).with('puppetlabs.com').returns('96.126.112.51')
+      expect(Resolv).to receive(:getaddress).with('puppetlabs.com').and_return('96.126.112.51')
       subject.host_to_ip('puppetlabs.com').should == '96.126.112.51/32'
     }
     specify { subject.host_to_ip('96.126.112.51').should == '96.126.112.51/32' }
@@ -96,42 +96,42 @@
       let(:proto) { 'IPv4' }
 
       it 'should exec for RedHat identified from osfamily' do
-        Facter.fact(:osfamily).stubs(:value).returns('RedHat')
-        Facter.fact(:operatingsystem).stubs(:value).returns('RedHat')
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
 
-        subject.expects(:execute).with(%w{/sbin/service iptables save})
+        expect(subject).to receive(:execute).with(%w{/sbin/service iptables save})
         subject.persist_iptables(proto)
       end
 
       it 'should exec for systemd if running Fedora 15 or greater' do
-        Facter.fact(:osfamily).stubs(:value).returns('RedHat')
-        Facter.fact(:operatingsystem).stubs(:value).returns('Fedora')
-        Facter.fact(:operatingsystemrelease).stubs(:value).returns('15')
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Fedora')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('15')
 
-        subject.expects(:execute).with(%w{/usr/libexec/iptables.init save})
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables.init save})
         subject.persist_iptables(proto)
       end
 
       it 'should exec for CentOS identified from operatingsystem' do
-        Facter.fact(:osfamily).stubs(:value).returns(nil)
-        Facter.fact(:operatingsystem).stubs(:value).returns('CentOS')
-        subject.expects(:execute).with(%w{/sbin/service iptables save})
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return(nil)
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('CentOS')
+        expect(subject).to receive(:execute).with(%w{/sbin/service iptables save})
         subject.persist_iptables(proto)
       end
 
       it 'should exec for Archlinux identified from osfamily' do
-        Facter.fact(:osfamily).stubs(:value).returns('Archlinux')
-        subject.expects(:execute).with(['/bin/sh', '-c', '/usr/sbin/iptables-save > /etc/iptables/iptables.rules'])
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('Archlinux')
+        expect(subject).to receive(:execute).with(['/bin/sh', '-c', '/usr/sbin/iptables-save > /etc/iptables/iptables.rules'])
         subject.persist_iptables(proto)
       end
 
       it 'should raise a warning when exec fails' do
-        Facter.fact(:osfamily).stubs(:value).returns('RedHat')
-        Facter.fact(:operatingsystem).stubs(:value).returns('RedHat')
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
 
-        subject.expects(:execute).with(%w{/sbin/service iptables save}).
-          raises(Puppet::ExecutionFailure, 'some error')
-        subject.expects(:warning).with('Unable to persist firewall rules: some error')
+        expect(subject).to receive(:execute).with(%w{/sbin/service iptables save}).
+          and_raise(Puppet::ExecutionFailure, 'some error')
+        expect(subject).to receive(:warning).with('Unable to persist firewall rules: some error')
         subject.persist_iptables(proto)
       end
     end
@@ -140,24 +140,24 @@
       let(:proto) { 'IPv6' }
 
       it 'should exec for newer Ubuntu' do
-        Facter.fact(:osfamily).stubs(:value).returns(nil)
-        Facter.fact(:operatingsystem).stubs(:value).returns('Ubuntu')
-        Facter.fact(:iptables_persistent_version).stubs(:value).returns('0.5.3ubuntu2')
-        subject.expects(:execute).with(%w{/usr/sbin/service iptables-persistent save})
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return(nil)
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Ubuntu')
+        allow(Facter.fact(:iptables_persistent_version)).to receive(:value).and_return('0.5.3ubuntu2')
+        expect(subject).to receive(:execute).with(%w{/usr/sbin/service iptables-persistent save})
         subject.persist_iptables(proto)
       end
 
       it 'should not exec for older Ubuntu which does not support IPv6' do
-        Facter.fact(:osfamily).stubs(:value).returns(nil)
-        Facter.fact(:operatingsystem).stubs(:value).returns('Ubuntu')
-        Facter.fact(:iptables_persistent_version).stubs(:value).returns('0.0.20090701')
-        subject.expects(:execute).never
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return(nil)
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Ubuntu')
+        allow(Facter.fact(:iptables_persistent_version)).to receive(:value).and_return('0.0.20090701')
+        expect(subject).to receive(:execute).never
         subject.persist_iptables(proto)
       end
 
       it 'should not exec for Suse which is not supported' do
-        Facter.fact(:osfamily).stubs(:value).returns('Suse')
-        subject.expects(:execute).never
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('Suse')
+        expect(subject).to receive(:execute).never
         subject.persist_iptables(proto)
       end
     end