305 changes: 141 additions & 164 deletions .github/workflows/pr_test.yml
Expand Up @@ -14,185 +14,162 @@ jobs:
matrix: ${{ steps.get-matrix.outputs.matrix }}

steps:
- name: "Honeycomb: Start recording"
uses: kvrhdn/gha-buildevents@v1.0.2
with:
apikey: ${{ env.HONEYCOMB_WRITEKEY }}
dataset: ${{ env.HONEYCOMB_DATASET }}
job-status: ${{ job.status }}

- name: "Honeycomb: Start first step"
run: |
echo STEP_ID=0 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Checkout Source
uses: actions/checkout@v2
if: ${{ github.repository_owner == 'puppetlabs' }}

- name: Activate Ruby 2.7
uses: actions/setup-ruby@v1
if: ${{ github.repository_owner == 'puppetlabs' }}
with:
ruby-version: "2.7"

- name: Cache gems
uses: actions/cache@v2
if: ${{ github.repository_owner == 'puppetlabs' }}
with:
path: vendor/gems
key: ${{ runner.os }}-${{ github.event_name }}-${{ hashFiles('**/Gemfile') }}
restore-keys: |
${{ runner.os }}-${{ github.event_name }}-
${{ runner.os }}-
- name: Install gems
if: ${{ github.repository_owner == 'puppetlabs' }}
run: |
buildevents cmd $TRACE_ID $STEP_ID 'bundle config path vendor/gems' -- bundle config path vendor/gems
buildevents cmd $TRACE_ID $STEP_ID 'bundle config jobs 8' -- bundle config jobs 8
buildevents cmd $TRACE_ID $STEP_ID 'bundle config retry 3' -- bundle config retry 3
buildevents cmd $TRACE_ID $STEP_ID 'bundle install' -- bundle install
buildevents cmd $TRACE_ID $STEP_ID 'bundle clean' -- bundle clean
- name: Setup Acceptance Test Matrix
id: get-matrix
if: ${{ github.repository_owner == 'puppetlabs' }}
run: |
if [ '${{ github.repository_owner }}' == 'puppetlabs' ]; then
buildevents cmd $TRACE_ID $STEP_ID matrix_from_metadata -- bundle exec matrix_from_metadata
else
echo "::set-output name=matrix::{}"
fi
- name: "Honeycomb: Record setup time"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Test Matrix'
- name: "Honeycomb: Start recording"
uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
with:
apikey: ${{ env.HONEYCOMB_WRITEKEY }}
dataset: ${{ env.HONEYCOMB_DATASET }}
job-status: ${{ job.status }}

- name: "Honeycomb: Start first step"
run: |
echo STEP_ID=setup-environment >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Checkout Source
uses: actions/checkout@v2
if: ${{ github.repository_owner == 'puppetlabs' }}

- name: Activate Ruby 2.7
uses: ruby/setup-ruby@v1
if: ${{ github.repository_owner == 'puppetlabs' }}
with:
ruby-version: "2.7"
bundler-cache: true

- name: Print bundle environment
if: ${{ github.repository_owner == 'puppetlabs' }}
run: |
echo ::group::bundler environment
buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
echo ::endgroup::
- name: "Honeycomb: Record Setup Environment time"
if: ${{ github.repository_owner == 'puppetlabs' }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Environment'
echo STEP_ID=Setup-Acceptance-Test-Matrix >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Setup Acceptance Test Matrix
id: get-matrix
run: |
if [ '${{ github.repository_owner }}' == 'puppetlabs' ]; then
buildevents cmd $TRACE_ID $STEP_ID matrix_from_metadata -- bundle exec matrix_from_metadata
else
echo "::set-output name=matrix::{}"
fi
- name: "Honeycomb: Record Setup Test Matrix time"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Test Matrix'
Acceptance:
needs:
- setup_matrix
if: ${{ needs.setup_matrix.outputs.matrix != '{}' }}

runs-on: ubuntu-20.04
strategy:
fail-fast: false
matrix: ${{fromJson(needs.setup_matrix.outputs.matrix)}}

env:
BUILDEVENT_FILE: "../buildevents.txt"
BUILDEVENT_FILE: '../buildevents.txt'

steps:
- run: |
echo 'platform=${{ matrix.platform }}' >> $BUILDEVENT_FILE
echo 'collection=${{ matrix.collection }}' >> $BUILDEVENT_FILE
- name: "Honeycomb: Start recording"
uses: kvrhdn/gha-buildevents@v1.0.2
with:
apikey: ${{ env.HONEYCOMB_WRITEKEY }}
dataset: ${{ env.HONEYCOMB_DATASET }}
job-status: ${{ job.status }}
matrix-key: ${{ matrix.platform }}-${{ matrix.collection }}

- name: "Honeycomb: start first step"
run: |
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-1 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Checkout Source
uses: actions/checkout@v2

- name: Activate Ruby 2.7
uses: actions/setup-ruby@v1
with:
ruby-version: "2.7"

- name: Cache gems
uses: actions/cache@v2
with:
path: vendor/gems
key: ${{ runner.os }}-${{ github.event_name }}-${{ hashFiles('**/Gemfile') }}
restore-keys: |
${{ runner.os }}-${{ github.event_name }}-
${{ runner.os }}-
- name: "Honeycomb: Record cache setup time"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Cache retrieval'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-2 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Bundler Setup
run: |
buildevents cmd $TRACE_ID $STEP_ID 'bundle config path vendor/gems' -- bundle config path vendor/gems
buildevents cmd $TRACE_ID $STEP_ID 'bundle config jobs 8' -- bundle config jobs 8
buildevents cmd $TRACE_ID $STEP_ID 'bundle config retry 3' -- bundle config retry 3
buildevents cmd $TRACE_ID $STEP_ID 'bundle install' -- bundle install
buildevents cmd $TRACE_ID $STEP_ID 'bundle clean' -- bundle clean
echo ::group::bundler environment
buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
echo ::endgroup::
- name: "Honeycomb: Record Bundler Setup time"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Bundler Setup'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-3 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Provision test environment
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:provision ${{ matrix.platform }}' -- bundle exec rake 'litmus:provision[provision::provision_service,${{ matrix.platform }}]'
- run: |
echo 'platform=${{ matrix.platform }}' >> $BUILDEVENT_FILE
echo 'collection=${{ matrix.collection }}' >> $BUILDEVENT_FILE
- name: "Honeycomb: Start recording"
uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1
with:
apikey: ${{ env.HONEYCOMB_WRITEKEY }}
dataset: ${{ env.HONEYCOMB_DATASET }}
job-status: ${{ job.status }}
matrix-key: ${{ matrix.platform }}-${{ matrix.collection }}

- name: "Honeycomb: start first step"
run: |
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-1 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Checkout Source
uses: actions/checkout@v2

- name: Activate Ruby 2.7
uses: ruby/setup-ruby@v1
with:
ruby-version: "2.7"
bundler-cache: true

- name: Print bundle environment
run: |
echo ::group::bundler environment
buildevents cmd $TRACE_ID $STEP_ID 'bundle env' -- bundle env
echo ::endgroup::
- name: "Honeycomb: Record Setup Environment time"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Setup Environment'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-2 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Provision test environment
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:provision ${{ matrix.platform }}' -- bundle exec rake 'litmus:provision[provision::provision_service,${{ matrix.platform }}]'
echo ::group::=== REQUEST ===
cat request.json || true
echo
echo ::endgroup::
echo ::group::=== INVENTORY ===
sed -e 's/password: .*/password: "[redacted]"/' < inventory.yaml || true
echo ::endgroup::
- name: Install agent
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_agent ${{ matrix.collection }}' -- bundle exec rake 'litmus:install_agent[${{ matrix.collection }}]'
- name: Install module
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_module' -- bundle exec rake 'litmus:install_module'
- name: "Honeycomb: Record deployment times"
if: ${{ always() }}
run: |
echo ::group::honeycomb step
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Deploy test system'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-3 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
echo ::endgroup::
- name: Run acceptance tests
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:acceptance:parallel' -- bundle exec rake 'litmus:acceptance:parallel'
- name: "Honeycomb: Record acceptance testing times"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Run acceptance tests'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-4 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Remove test environment
if: ${{ always() }}
continue-on-error: true
run: |
if [ -f inventory.yaml ]; then
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:tear_down' -- bundle exec rake 'litmus:tear_down'
echo ::group::=== REQUEST ===
cat request.json || true
echo
echo ::endgroup::
echo ::group::=== INVENTORY ===
sed -e 's/password: .*/password: "[redacted]"/' < inventory.yaml || true
echo ::endgroup::
- name: Install agent
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_agent ${{ matrix.collection }}' -- bundle exec rake 'litmus:install_agent[${{ matrix.collection }}]'
- name: Install module
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:install_module' -- bundle exec rake 'litmus:install_module'
- name: "Honeycomb: Record deployment times"
if: ${{ always() }}
run: |
echo ::group::honeycomb step
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Deploy test system'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-4 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
echo ::endgroup::
fi
- name: Run acceptance tests
run: |
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:acceptance:parallel' -- bundle exec rake 'litmus:acceptance:parallel'
- name: "Honeycomb: Record acceptance testing times"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Run acceptance tests'
echo STEP_ID=${{ matrix.platform }}-${{ matrix.collection }}-5 >> $GITHUB_ENV
echo STEP_START=$(date +%s) >> $GITHUB_ENV
- name: Remove test environment
if: ${{ always() }}
run: |
if [ -f inventory.yaml ]; then
buildevents cmd $TRACE_ID $STEP_ID 'rake litmus:tear_down' -- bundle exec rake 'litmus:tear_down'
echo ::group::=== REQUEST ===
cat request.json || true
echo
echo ::endgroup::
fi
- name: "Honeycomb: Record removal times"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Remove test environment'
- name: "Honeycomb: Record removal times"
if: ${{ always() }}
run: |
buildevents step $TRACE_ID $STEP_ID $STEP_START 'Remove test environment'
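Review bot: The new `uses: puppetlabs/kvrhdn-gha-buildevents@pdk-templates-v1` lines in both the setup_matrix and Acceptance jobs reference a forked action by a movable branch or tag and hand it `HONEYCOMB_WRITEKEY`, so anyone able to move that ref changes what runs with the secret; pinning to a full commit SHA with the ref in a trailing comment, e.g. `uses: puppetlabs/kvrhdn-gha-buildevents@<commit-sha>  # pdk-templates-v1`, keeps the reference auditable, and the same applies to `actions/checkout@v2` and `ruby/setup-ruby@v1`. The `run:` steps also splice `${{ matrix.platform }}` and `${{ matrix.collection }}` straight into shell, which is acceptable only while the matrix comes from this repository's own metadata via `matrix_from_metadata`; a short comment above the Acceptance `steps:`, `# matrix values come from metadata.json, never from PR-controlled input`, records that assumption so a later trigger change does not silently turn it into an injection point. The `jobs:` mapping and the setup_matrix job begin before the hunk.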
65 changes: 0 additions & 65 deletions .github/workflows/release.yml

This file was deleted.

64 changes: 0 additions & 64 deletions .github/workflows/weekly.yml

This file was deleted.

419 changes: 398 additions & 21 deletions .rubocop.yml

Large diffs are not rendered by default.

Empty file removed .rubocop_todo.yml
Empty file.
3 changes: 0 additions & 3 deletions .sync.yml
Expand Up @@ -48,9 +48,6 @@ Gemfile:
optional:
":development":
- gem: github_changelog_generator
git: https://github.com/skywinder/github-changelog-generator
ref: 20ee04ba1234e9e83eb2ffb5056e23d641c7a018
condition: Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
spec/spec_helper.rb:
mock_with: ":rspec"
coverage_report: true
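--- a/.travis.yml
+++ b/.travis.yml
@@ -27,92 +27,92 @@ stages:
 jobs:
   fast_finish: true
   include:
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_ub_6]'"
         - "bundle exec rake 'litmus:install_agent[puppet6]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
-      env: PLATFORMS=travis_ub_6_puppet6
+      env:
+        PLATFORMS: travis_ub_6_puppet6
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_ub_5]'"
         - "bundle exec rake 'litmus:install_agent[puppet5]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
-      env: PLATFORMS=travis_ub_5_puppet5
+      env:
+        PLATFORMS: travis_ub_5_puppet5
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_el8]'"
         - "bundle exec rake 'litmus:install_agent[puppet5]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
       dist: xenial
-      env: PLATFORMS=travis_el8_puppet5
+      env:
+        PLATFORMS: travis_el8_puppet5
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_el8]'"
         - "bundle exec rake 'litmus:install_agent[puppet6]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
       dist: xenial
-      env: PLATFORMS=travis_el8_puppet6
+      env:
+        PLATFORMS: travis_el8_puppet6
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_deb]'"
         - "bundle exec rake 'litmus:install_agent[puppet5]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
-      env: PLATFORMS=travis_deb_puppet5
+      env:
+        PLATFORMS: travis_deb_puppet5
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_el7]'"
         - "bundle exec rake 'litmus:install_agent[puppet5]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
-      env: PLATFORMS=travis_el7_puppet5
+      env:
+        PLATFORMS: travis_el7_puppet5
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_deb]'"
         - "bundle exec rake 'litmus:install_agent[puppet6]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
-      env: PLATFORMS=travis_deb_puppet6
+      env:
+        PLATFORMS: travis_deb_puppet6
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker
       stage: acceptance
-    -
-      before_script:
+    - before_script:
         - "bundle exec rake 'litmus:provision_list[travis_el7]'"
         - "bundle exec rake 'litmus:install_agent[puppet6]'"
         - "bundle exec rake litmus:install_module"
-      bundler_args:
-      env: PLATFORMS=travis_el7_puppet6
+      env:
+        PLATFORMS: travis_el7_puppet6
+        BUNDLE_WITH: system_tests
       rvm: 2.5.7
       script: ["travis_wait 45 bundle exec rake litmus:acceptance:parallel"]
       services: docker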
13 changes: 11 additions & 2 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,14 @@

All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org).

## [v2.8.1](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.1) (2021-02-08)

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.8.0...v2.8.1)

### Fixed

- \[MODULES-10907\] Do not remove spaces from hex string with ! [\#967](https://github.com/puppetlabs/puppetlabs-firewall/pull/967) ([adrianiurca](https://github.com/adrianiurca))

## [v2.8.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.8.0) (2020-12-14)

[Full Changelog](https://github.com/puppetlabs/puppetlabs-firewall/compare/v2.7.0...v2.8.0)
Expand Down Expand Up @@ -74,7 +82,6 @@ All notable changes to this project will be documented in this file. The format
### Fixed

- \(maint\) Use fact.flush only when available [\#906](https://github.com/puppetlabs/puppetlabs-firewall/pull/906) ([Filipovici-Andrei](https://github.com/Filipovici-Andrei))
- \(MODULES-10358\) - Clarification added to Boolean validation checks [\#886](https://github.com/puppetlabs/puppetlabs-firewall/pull/886) ([david22swan](https://github.com/david22swan))
- Merge and remove duplicate README file, lint code snippets [\#878](https://github.com/puppetlabs/puppetlabs-firewall/pull/878) ([runejuhl](https://github.com/runejuhl))

## [v2.2.0](https://github.com/puppetlabs/puppetlabs-firewall/tree/v2.2.0) (2019-12-09)
Expand All @@ -90,6 +97,7 @@ All notable changes to this project will be documented in this file. The format

### Fixed

- \(MODULES-10358\) - Clarification added to Boolean validation checks [\#886](https://github.com/puppetlabs/puppetlabs-firewall/pull/886) ([david22swan](https://github.com/david22swan))
- Change - Avoid puppet failures on windows nodes [\#874](https://github.com/puppetlabs/puppetlabs-firewall/pull/874) ([blackknight36](https://github.com/blackknight36))
- Fix parsing iptables rules with hyphen in comments [\#861](https://github.com/puppetlabs/puppetlabs-firewall/pull/861) ([Hexta](https://github.com/Hexta))

Expand Down Expand Up @@ -165,6 +173,7 @@ All notable changes to this project will be documented in this file. The format
- Changed regex for iniface and outiface to allow '@' in interface names [\#791](https://github.com/puppetlabs/puppetlabs-firewall/pull/791) ([GeorgeCox](https://github.com/GeorgeCox))
- \(MODULES-8214\) Handle src\_type and dst\_type as array [\#790](https://github.com/puppetlabs/puppetlabs-firewall/pull/790) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic))
- \(MODULES-7990\) Merge multiple comments into one while parsing rules [\#789](https://github.com/puppetlabs/puppetlabs-firewall/pull/789) ([mateusz-gozdek-sociomantic](https://github.com/mateusz-gozdek-sociomantic))
- add -g flag handling in ip6tables.rb provider [\#788](https://github.com/puppetlabs/puppetlabs-firewall/pull/788) ([cestith](https://github.com/cestith))
- \(MODULES-7681\) Add support for bytecode property [\#771](https://github.com/puppetlabs/puppetlabs-firewall/pull/771) ([baurmatt](https://github.com/baurmatt))

### Fixed
Expand Down Expand Up @@ -890,4 +899,4 @@ Initial release.
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*


\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
19 changes: 9 additions & 10 deletions Gemfile
Expand Up @@ -17,19 +17,18 @@ ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
minor_version = ruby_version_segments[0..1].join('.')

group :development do
gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
gem "json", '= 2.0.4', require: false if Gem::Requirement.create('~> 2.4.2').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.1.0', require: false if Gem::Requirement.create(['>= 2.5.0', '< 2.7.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "json", '= 2.3.0', require: false if Gem::Requirement.create(['>= 2.7.0', '< 2.8.0']).satisfied_by?(Gem::Version.new(RUBY_VERSION.dup))
gem "rb-readline", '= 0.5.5', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-module-posix-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby]
gem "puppet-module-posix-dev-r#{minor_version}", '~> 0.4', require: false, platforms: [:ruby]
gem "puppet-module-win-default-r#{minor_version}", '~> 0.4', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-module-win-dev-r#{minor_version}", '~> 0.4', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "github_changelog_generator", require: false, git: 'https://github.com/skywinder/github-changelog-generator', ref: '20ee04ba1234e9e83eb2ffb5056e23d641c7a018' if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.2.2')
gem "puppet-module-posix-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
gem "puppet-module-posix-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
gem "puppet-module-win-default-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-module-win-dev-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "github_changelog_generator", require: false
end
group :system_tests do
gem "puppet-module-posix-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:ruby]
gem "puppet-module-win-system-r#{minor_version}", '~> 1.0', require: false, platforms: [:mswin, :mingw, :x64_mingw]
end

puppet_version = ENV['PUPPET_GEM_VERSION']
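Review bot: `gem "github_changelog_generator", require: false` on the new side carries no version constraint, whereas the removed line pinned a git ref; if Gemfile.lock is not committed (not visible here), every `bundle install` resolves the newest release of that gem and a bad upstream release reaches each contributor's machine unnoticed. A pessimistic constraint such as `gem "github_changelog_generator", '~> <current-minor>', require: false` keeps upgrades deliberate without reintroducing the git dependency. Dropping the old `>= 2.2.2` Ruby guard appears safe given the 2.5.7 and 2.7 runtimes configured elsewhere in this change.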
56 changes: 37 additions & 19 deletions REFERENCE.md
Expand Up @@ -26,7 +26,7 @@

## Classes

### `firewall`
### <a name="firewall"></a>`firewall`

Performs the basic setup tasks required for using the firewall resources.

Expand All @@ -45,57 +45,65 @@ class { 'firewall': }

#### Parameters

The following parameters are available in the `firewall` class.
The following parameters are available in the `firewall` class:

##### `ensure`
* [`ensure`](#ensure)
* [`ensure_v6`](#ensure_v6)
* [`pkg_ensure`](#pkg_ensure)
* [`service_name`](#service_name)
* [`service_name_v6`](#service_name_v6)
* [`package_name`](#package_name)
* [`ebtables_manage`](#ebtables_manage)

##### <a name="ensure"></a>`ensure`

Data type: `Any`

Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.

Default value: `running`

##### `ensure_v6`
##### <a name="ensure_v6"></a>`ensure_v6`

Data type: `Any`

Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.

Default value: ``undef``

##### `pkg_ensure`
##### <a name="pkg_ensure"></a>`pkg_ensure`

Data type: `Any`

Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.

Default value: `present`

##### `service_name`
##### <a name="service_name"></a>`service_name`

Data type: `Any`

Specify the name of the IPv4 iptables service.

Default value: `$firewall::params::service_name`

##### `service_name_v6`
##### <a name="service_name_v6"></a>`service_name_v6`

Data type: `Any`

Specify the name of the IPv6 iptables service.

Default value: `$firewall::params::service_name_v6`

##### `package_name`
##### <a name="package_name"></a>`package_name`

Data type: `Any`

Specify the platform-specific package(s) to install.

Default value: `$firewall::params::package_name`

##### `ebtables_manage`
##### <a name="ebtables_manage"></a>`ebtables_manage`

Data type: `Any`

Expand All @@ -105,7 +113,7 @@ Default value: ``false``

## Resource types

### `firewall`
### <a name="firewall"></a>`firewall`

**Autorequires:**

Expand Down Expand Up @@ -1367,11 +1375,15 @@ Assign this packet to zone id and only have lookups done in that zone.

The following parameters are available in the `firewall` type.

##### `line`
* [`line`](#line)
* [`name`](#name)
* [`provider`](#provider)

##### <a name="line"></a>`line`

Read-only property for caching the rule line.

##### `name`
##### <a name="name"></a>`name`

Valid values: `%r{^\d+[[:graph:][:space:]]+$}`

Expand All @@ -1386,12 +1398,12 @@ so make sure you prefix the rule with a number:
Depending on the provider, the name of the rule can be stored using
the comment feature of the underlying firewall subsystem.

##### `provider`
##### <a name="provider"></a>`provider`

The specific backend to use for this `firewall` resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.

### `firewallchain`
### <a name="firewallchain"></a>`firewallchain`

Currently this supports only iptables, ip6tables and ebtables on Linux. And
provides support for setting the default policy on chains and tables that
Expand Down Expand Up @@ -1439,7 +1451,13 @@ PREROUTING, POSTROUTING) and can be one of:

The following parameters are available in the `firewallchain` type.

##### `ignore`
* [`ignore`](#ignore)
* [`ignore_foreign`](#ignore_foreign)
* [`name`](#name)
* [`provider`](#provider)
* [`purge`](#purge)

##### <a name="ignore"></a>`ignore`

Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
This is matched against the output of `iptables-save`.
Expand All @@ -1462,7 +1480,7 @@ firewallchain { 'INPUT:filter:IPv4':
}
```

##### `ignore_foreign`
##### <a name="ignore_foreign"></a>`ignore_foreign`

Valid values: ``false``, ``true``

Expand All @@ -1474,20 +1492,20 @@ rules.

Default value: ``false``

##### `name`
##### <a name="name"></a>`name`

namevar

The canonical name of the chain.

For iptables the format must be {chain}:{table}:{protocol}.

##### `provider`
##### <a name="provider"></a>`provider`

The specific backend to use for this `firewallchain` resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.

##### `purge`
##### <a name="purge"></a>`purge`

Valid values: ``false``, ``true``

1 change: 1 addition & 0 deletions Rakefile
@@ -1,5 +1,6 @@
# frozen_string_literal: true

require 'bundler'
require 'puppet_litmus/rake_tasks' if Bundler.rubygems.find_name('puppet_litmus').any?
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-syntax/tasks/puppet-syntax'
2 changes: 2 additions & 0 deletions lib/facter/ip6tables_version.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

Facter.add(:ip6tables_version) do
confine kernel: :Linux
setcode do
2 changes: 2 additions & 0 deletions lib/facter/iptables_persistent_version.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

Facter.add(:iptables_persistent_version) do
confine operatingsystem: ['Debian', 'Ubuntu']
setcode do
2 changes: 2 additions & 0 deletions lib/facter/iptables_version.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

Facter.add(:iptables_version) do
confine kernel: :Linux
setcode do
2 changes: 2 additions & 0 deletions lib/puppet/provider/firewall.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

#
# firewall.rb
#
4 changes: 3 additions & 1 deletion lib/puppet/provider/firewall/ip6tables.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6tables do
@doc = 'Ip6tables type provider'

Expand Down Expand Up @@ -66,7 +68,7 @@

def initialize(*args)
ip6tables_version = Facter.value('ip6tables_version')
raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})
raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version&.match(%r{1\.3\.\d})
super
end

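Review bot: The rewritten guard `raise ArgumentError, ... if ip6tables_version&.match(%r{1\.3\.\d})` keeps the unanchored pattern, so any fact value containing `1.3.` followed by a digit (for example a hypothetical `11.3.0`) would also be rejected; if the fact is a plain version string, `%r{\A1\.3\.\d}` states the intent exactly. Since the same commit moves iptables.rb to `match?`, `ip6tables_version&.match?(%r{\A1\.3\.\d})` would also keep the two providers consistent. `&.` needs Ruby 2.3 or newer, which agrees with the 2.5.7 and 2.7 runtimes configured elsewhere in this change; the whole `initialize` method is inside the hunk.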
51 changes: 26 additions & 25 deletions lib/puppet/provider/firewall/iptables.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'puppet/provider/firewall'
require 'digest'

Expand Down Expand Up @@ -376,14 +378,12 @@ def delete
#
# This tries deleting again with -p all to see if that helps.
#
# rubocop:disable Lint/HandleExceptions
if self.class.instance_variable_get(:@protocol) == 'IPv6' && properties[:proto] == 'all'
begin
iptables delete_args.concat(['-p', 'all'])
rescue Puppet::ExecutionFailure => e
rescue Puppet::ExecutionFailure => e # rubocop:disable Lint/SuppressedException
end
end
# rubocop:enable Lint/HandleExceptions

# Check to see if the iptables rule is already gone. This can sometimes
# happen as a side effect of other resource changes. If it's not gone,
Expand Down Expand Up @@ -424,8 +424,8 @@ def self.instances
# String#lines would be nice, but we need to support Ruby 1.8.5
nf_warning_msg = "# Warning: ip6?tables-legacy tables present, use ip6?tables-legacy-save to see them\n"
iptables_save.gsub(%r{#{nf_warning_msg}}, '').split("\n").each do |line|
unless line =~ %r{^\#\s+|^\:\S+|^COMMIT|^FATAL}
if line =~ %r{^\*}
unless %r{^\#\s+|^\:\S+|^COMMIT|^FATAL}.match?(line)
if %r{^\*}.match?(line)
table = line.sub(%r{\*}, '')
else
hash = rule_to_hash(line, table, counter)
Expand Down Expand Up @@ -458,30 +458,30 @@ def self.rule_to_hash(line, table, counter)
# --condition output is in quotes, need to move ! inside quotes
values.gsub!(%r{(!\s+)?--condition "(\S*?)"}, '--condition "\1\2"')
# --match-set can have multiple values with weird iptables format
if values =~ %r{-m set (!\s+)?--match-set}
if %r{-m set (!\s+)?--match-set}.match?(values)
values = values.gsub(%r{(!\s+)?--match-set (\S*) (\S*)}, '--match-set \1\2 \3')
ind = values.index('-m set --match-set')
sets = values.scan(%r{-m set --match-set ((?:!\s+)?\S* \S*)})
values = values.gsub(%r{-m set --match-set (!\s+)?\S* \S* }, '')
values.insert(ind, "-m set --match-set \"#{sets.join(';')}\" ")
end
# --comment can have multiple values, the same as --match-set
if values =~ %r{-m comment --comment}
if %r{-m comment --comment}.match?(values)
ind = values.index('-m comment --comment')
comments = values.scan(%r{-m comment --comment "((?:\\"|[^"])*)"})
comments += values.scan(%r{-m comment --comment ([^"\s]+)\b})
values = values.gsub(%r{-m comment --comment (".*?[^\\"]")( |$)}, '')
values = values.gsub(%r{-m comment --comment ([^"].*?)[ $]}, '')
values.insert(ind, "-m comment --comment \"#{comments.join(';')}\" ")
end
if values =~ %r{-m addrtype (!\s+)?--src-type}
if %r{-m addrtype (!\s+)?--src-type}.match?(values)
values = values.gsub(%r{(!\s+)?--src-type (\S*)(\s--limit-iface-(in|out))?}, '--src-type \1\2\3')
ind = values.index('-m addrtype --src-type')
types = values.scan(%r{-m addrtype --src-type ((?:!\s+)?\S*(?: --limit-iface-(?:in|out))?)})
values = values.gsub(%r{-m addrtype --src-type ((?:!\s+)?\S*(?: --limit-iface-(?:in|out))?) ?}, '')
values.insert(ind, "-m addrtype --src-type \"#{types.join(';')}\" ")
end
if values =~ %r{-m addrtype (!\s+)?--dst-type}
if %r{-m addrtype (!\s+)?--dst-type}.match?(values)
values = values.gsub(%r{(!\s+)?--dst-type (\S*)(\s--limit-iface-(in|out))?}, '--dst-type \1\2\3')
ind = values.index('-m addrtype --dst-type')
types = values.scan(%r{-m addrtype --dst-type ((?:!\s+)?\S*(?: --limit-iface-(?:in|out))?)})
Expand Down Expand Up @@ -553,7 +553,7 @@ def self.rule_to_hash(line, table, counter)
############

# Here we iterate across our values to generate an array of keys
parser_list.reverse.each do |k|
parser_list.reverse_each do |k|
resource_map_key = resource_map[k]
[resource_map_key].flatten.each do |opt|
if values.slice!(%r{\s#{opt}})
Expand All @@ -564,13 +564,13 @@ def self.rule_to_hash(line, table, counter)
end

# Manually remove chain
if values =~ %r{(\s|^)-A\s}
if %r{(\s|^)-A\s}.match?(values)
values = values.sub(%r{(\s|^)-A\s}, '\1')
keys << :chain
end

# Manually remove table (used in some tests)
if values =~ %r{^-t\s}
if %r{^-t\s}.match?(values)
values = values.sub(%r{^-t\s}, '')
keys << :table
end
Expand All @@ -586,7 +586,7 @@ def self.rule_to_hash(line, table, counter)
# string, handling any quoted characters present in the value, and then
# zipping the values with the array of keys.
keys.zip(valrev) do |f, v|
hash[f] = if v =~ %r{^".*"$}
hash[f] = if %r{^".*"$}.match?(v)
v.sub(%r{^"(.*)"$}, '\1').gsub(%r{\\(\\|'|")}, '\1')
else
v.dup
Expand Down Expand Up @@ -651,9 +651,7 @@ def self.rule_to_hash(line, table, counter)
elem.tr(':', '-')
end
end
if hash[:length]
hash[:length].tr!(':', '-')
end
hash[:length]&.tr!(':', '-')

# Invert any rules that are prefixed with a '!'
[
Expand Down Expand Up @@ -684,7 +682,7 @@ def self.rule_to_hash(line, table, counter)
:src_range,
:state,
].each do |prop|
if hash[prop] && hash[prop].is_a?(Array)
if hash[prop]&.is_a?(Array)
# find if any are negated, then negate all if so
should_negate = hash[prop].index do |value|
value.match(%r{^(!)\s+})
Expand Down Expand Up @@ -813,6 +811,8 @@ def general_args
raise "#{prop} elements must be unique" if resource[prop].map { |type| type.to_s.gsub(%r{--limit-iface-(in|out)}, '') }.uniq.length != resource[prop].length
end

complex_args = [:ipset, :dst_type, :src_type]

resource_list.each do |res|
resource_value = nil
if resource[res]
Expand All @@ -833,32 +833,32 @@ def general_args
args = args.flatten

# On negations, the '!' has to be before the option (eg: "! -d 1.2.3.4")
if resource_value.is_a?(String) && resource_value.sub!(%r{^!\s*}, '')
if resource_value.is_a?(String) && resource_value.start_with?('!')
resource_value = resource_value.sub(%r{^!\s*}, '')
# we do this after adding the 'dash' argument because of ones like "-m multiport --dports", where we want it before the "--dports" but after "-m multiport".
# so we insert before whatever the last argument is
args.insert(-2, '!')
elsif resource_value.is_a?(Symbol) && resource_value.to_s.match(%r{^!})
# ruby 1.8.7 can't .match Symbols ------------------ ^
resource_value = resource_value.to_s.sub!(%r{^!\s*}, '').to_sym
args.insert(-2, '!')
elsif resource_value.is_a?(Array) && ![:ipset, :dst_type, :src_type].include?(res)
elsif resource_value.is_a?(Array) && !complex_args.include?(res)

should_negate = resource_value.index do |value|
# ruby 1.8.7 can't .match symbols
value.to_s.match(%r{^(!)\s+})
end
if should_negate
resource_value, wrong_values = resource_value.map { |value|
if value.is_a?(String)
# rubocop:disable Metrics/BlockNesting
wrong = value unless value =~ %r{^!\s+}
wrong = value unless %r{^!\s+}.match?(value)
[value.sub(%r{^!\s*}, ''), wrong]
else
[value, nil]
end
}.transpose
wrong_values = wrong_values.compact
unless wrong_values.empty?
raise "All values of the '#{res}' property must be prefixed with a '!' when inverting, but '#{wrong_values.join("', '")}' #{(wrong_values.length > 1) ? 'are' : 'is'} not prefixed; aborting" # rubocop:disable Metrics/LineLength : Line length cannot be reduced
raise "All values of the '#{res}' property must be prefixed with a '!' when inverting, but " \
"'#{wrong_values.join("', '")}' #{(wrong_values.length > 1) ? 'are' : 'is'} not prefixed; aborting"
end
args.insert(-2, '!')
# rubocop:enable Metrics/BlockNesting
Expand All @@ -874,7 +874,8 @@ def general_args
end

# ipset can accept multiple values with weird iptables arguments
if [:ipset, :dst_type, :src_type].include?(res)
if complex_args.include?(res)

resource_value.join(" #{[resource_map[res]].flatten.first} ").split(' ').each do |a|
if a.sub!(%r{^!\s*}, '')
# Negate ipset options
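Review bot: The `&.` in `if hash[prop]&.is_a?(Array)` (the rule_to_hash hunk around line 682) is redundant: `nil.is_a?(Array)` is already `false`, so the guard reads as though nil needed special handling when it does not; `if hash[prop].is_a?(Array)` expresses the same check. In the `delete` hunk, `rescue Puppet::ExecutionFailure => e # rubocop:disable Lint/SuppressedException` binds `e` and never uses it, so the `=> e` should go and leave the suppression comment as the only intentional-looking thing. The in-place `hash[:length]&.tr!(':', '-')` stays safe under the newly added `frozen_string_literal` only because every value stored in `hash` is a freshly built string (`v.sub(...).gsub(...)` or `v.dup` in the `keys.zip` block); a one-line comment such as `# values were dup'ed above, so in-place tr! is safe under frozen_string_literal` would protect the next editor from replacing that with a literal. Both `rule_to_hash` and `general_args` start and end outside these hunks.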
16 changes: 9 additions & 7 deletions lib/puppet/provider/firewallchain/iptables_chain.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

Puppet::Type.type(:firewallchain).provide :iptables_chain do
include Puppet::Util::Firewall

Expand Down Expand Up @@ -35,13 +37,13 @@
re: %r{^:(.+)\s(\S+)$},
},
}.freeze
INTERNAL_CHAINS = %r{^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$}
TABLES = 'nat|mangle|filter|raw|rawpost|broute|security'.freeze
NAME_FORMAT = %r{^(.+):(#{TABLES}):(IP(v[46])?|ethernet)$}
INTERNAL_CHAINS = %r{^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$}.freeze
TABLES = 'nat|mangle|filter|raw|rawpost|broute|security'
NAME_FORMAT = %r{^(.+):(#{TABLES}):(IP(v[46])?|ethernet)$}.freeze

def create
allvalidchains do |t, chain, table, protocol|
if chain =~ INTERNAL_CHAINS
if INTERNAL_CHAINS.match?(chain)
# can't create internal chains
warning "Attempting to create internal chain #{@resource[:name]}"
end
Expand All @@ -59,7 +61,7 @@ def create

def destroy
allvalidchains do |t, chain, table|
if chain =~ INTERNAL_CHAINS
if INTERNAL_CHAINS.match?(chain)
# can't delete internal chains
warning "Attempting to destroy internal chain #{@resource[:name]}"
else
Expand All @@ -71,7 +73,7 @@ def destroy

def exists?
allvalidchains do |_t, chain|
if chain =~ INTERNAL_CHAINS
if INTERNAL_CHAINS.match?(chain)
# If the chain isn't present, it's likely because the module isn't loaded.
# If this is true, then we fall into 2 cases
# 1) It'll be loaded on demand
Expand Down Expand Up @@ -158,7 +160,7 @@ def self.instances
next
end
end
rescue Puppet::Error # rubocop:disable Lint/HandleExceptions
rescue Puppet::Error
# ignore command not found for ebtables or anything that doesn't exist
end
end
43 changes: 25 additions & 18 deletions lib/puppet/type/firewall.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

# See: #10295 for more details.
#
# This is a workaround for bug: #4248 whereby ruby files outside of the normal
Expand Down Expand Up @@ -639,7 +641,7 @@ def should_to_s(value)
PUPPETCODE

validate do |value|
unless value =~ %r{^[a-zA-Z0-9\-_]+$}
unless %r{^[a-zA-Z0-9\-_]+$}.match?(value)
raise ArgumentError, <<-PUPPETCODE
Jump destination must consist of alphanumeric characters, an
underscore or a hyphen.
Expand Down Expand Up @@ -672,7 +674,7 @@ def should_to_s(value)
PUPPETCODE

validate do |value|
unless value =~ %r{^[a-zA-Z0-9\-_]+$}
unless %r{^[a-zA-Z0-9\-_]+$}.match?(value)
raise ArgumentError, <<-PUPPETCODE
Goto destination must consist of alphanumeric characters, an
underscore or a hyphen.
Expand Down Expand Up @@ -1755,7 +1757,7 @@ def insync?(is)
PUPPETCODE

validate do |value|
unless value =~ %r{^\d+$}
unless %r{^\d+$}.match?(value)
raise ArgumentError, <<-PUPPETCODE
stat_every value must be a digit
PUPPETCODE
Expand Down Expand Up @@ -1906,11 +1908,11 @@ def should_to_s(value)
PUPPETCODE

munge do |value|
if value =~ %r{^([0-9]):}
if %r{^([0-9]):}.match?(value)
value = "0#{value}"
end

if value =~ %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}
if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(value)
value = "#{value}:00"
end

Expand All @@ -1925,11 +1927,11 @@ def should_to_s(value)
PUPPETCODE

munge do |value|
if value =~ %r{^([0-9]):}
if %r{^([0-9]):}.match?(value)
value = "0#{value}"
end

if value =~ %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}
if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(value)
value = "#{value}:00"
end

Expand Down Expand Up @@ -2073,7 +2075,11 @@ def should_to_s(value)
given as an argument.
PUPPETCODE
munge do |value|
_value = value.delete(' ')
_value = if value.include?('!')
value.split('|').map { |x| x.include?('!') ? x : "|#{x.delete(' ')}|" }.join
else
value.delete(' ')
end
end
end

Expand Down Expand Up @@ -2277,8 +2283,9 @@ def should_to_s(value)

unless protocol.nil?
table = value(:table)
main_chains = ['INPUT', 'OUTPUT', 'FORWARD']
[value(:chain), value(:jump)].each do |chain|
reqs << "#{chain}:#{table}:#{protocol}" unless chain.nil? || (['INPUT', 'OUTPUT', 'FORWARD'].include?(chain) && table == :filter)
reqs << "#{chain}:#{table}:#{protocol}" unless chain.nil? || (main_chains.include?(chain) && table == :filter)
end
end

Expand Down Expand Up @@ -2344,29 +2351,29 @@ def should_to_s(value)
# Now we analyse the individual properties to make sure they apply to
# the correct combinations.
if value(:uid)
unless value(:chain).to_s =~ %r{OUTPUT|POSTROUTING}
unless %r{OUTPUT|POSTROUTING}.match?(value(:chain).to_s)
raise 'Parameter uid only applies to chains ' \
'OUTPUT,POSTROUTING'
end
end

if value(:gid)
unless value(:chain).to_s =~ %r{OUTPUT|POSTROUTING}
unless %r{OUTPUT|POSTROUTING}.match?(value(:chain).to_s)
raise 'Parameter gid only applies to chains ' \
'OUTPUT,POSTROUTING'
end
end

if value(:set_mark)
unless value(:jump).to_s =~ %r{MARK} &&
value(:table).to_s =~ %r{mangle}
unless value(:jump).to_s.include?('MARK') &&
value(:table).to_s.include?('mangle')
raise 'Parameter set_mark only applies to ' \
'the mangle table and when jump => MARK'
end
end

if value(:dport)
unless value(:proto).to_s =~ %r{tcp|udp|sctp}
unless %r{tcp|udp|sctp}.match?(value(:proto).to_s)
raise '[%s] Parameter dport only applies to sctp, tcp and udp ' \
'protocols. Current protocol is [%s] and dport is [%s]' %
[value(:name), should(:proto), should(:dport)]
Expand All @@ -2392,7 +2399,7 @@ def should_to_s(value)
end

if value(:jump).to_s == 'DNAT'
unless value(:table).to_s =~ %r{nat}
unless %r{nat}.match?(value(:table).to_s)
raise 'Parameter jump => DNAT only applies to table => nat'
end

Expand All @@ -2402,7 +2409,7 @@ def should_to_s(value)
end

if value(:jump).to_s == 'SNAT'
unless value(:table).to_s =~ %r{nat}
unless %r{nat}.match?(value(:table).to_s)
raise 'Parameter jump => SNAT only applies to table => nat'
end

Expand All @@ -2412,7 +2419,7 @@ def should_to_s(value)
end

if value(:jump).to_s == 'MASQUERADE'
unless value(:table).to_s =~ %r{nat}
unless %r{nat}.match?(value(:table).to_s)
raise 'Parameter jump => MASQUERADE only applies to table => nat'
end
end
Expand Down Expand Up @@ -2495,7 +2502,7 @@ def should_to_s(value)
end

if value(:jump).to_s == 'CT'
unless value(:table).to_s =~ %r{raw}
unless %r{raw}.match?(value(:table).to_s)
raise 'Parameter jump => CT only applies to table => raw'
end
end
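Review bot: The `_value = if value.include?('!') ... end` assignment in the munge hunk around line 2075 is dead code with a misleading name: a munge block yields its last expression, the assignment only passes that value through, and the underscore prefix conventionally marks a local that is never read — so the `if` expression should stand on its own with `_value =` dropped (the replaced `_value = value.delete(' ')` had the same shape, but this rewrite is the moment to fix it). The `'!'` branch keeps any pipe-delimited element containing `!` verbatim, spacing included, while every other element has its spaces removed and is re-wrapped in `|…|`; if that asymmetry is intended (it matches the `'! |0000ff0001|'` form exercised by the new ipv6 acceptance test), a comment such as `# keep the negation marker and its spacing as given; only the hex body is normalised` would document it. The enclosing property definition starts and ends outside the hunk.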
12 changes: 7 additions & 5 deletions lib/puppet/type/firewallchain.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

# This is a workaround for bug: #4248 whereby ruby files outside of the normal
# provider/type path do not load until pluginsync has occured on the puppet server
#
Expand Down Expand Up @@ -59,33 +61,33 @@
protocol = Regexp.last_match(3)
case table
when 'filter'
if chain =~ %r{^(PREROUTING|POSTROUTING|BROUTING)$}
if %r{^(PREROUTING|POSTROUTING|BROUTING)$}.match?(chain)
raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'filter'"
end
when 'mangle'
if chain =~ INTERNAL_CHAINS && chain == 'BROUTING'
raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table 'mangle'"
end
when 'nat'
if chain =~ %r{^(BROUTING|FORWARD)$}
if %r{^(BROUTING|FORWARD)$}.match?(chain)
raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table 'nat'"
end
if Gem::Version.new(Facter['kernelmajversion'].value.dup) < Gem::Version.new('3.7') && protocol =~ %r{^(IP(v6)?)?$}
raise ArgumentError, "table nat isn't valid in IPv6. You must specify ':IPv4' as the name suffix"
end
when 'raw'
if chain =~ %r{^(POSTROUTING|BROUTING|INPUT|FORWARD)$}
if %r{^(POSTROUTING|BROUTING|INPUT|FORWARD)$}.match?(chain)
raise ArgumentError, 'PREROUTING and OUTPUT are the only inbuilt chains in the table \'raw\''
end
when 'broute'
if protocol != 'ethernet'
raise ArgumentError, 'BROUTE is only valid with protocol \'ethernet\''
end
if chain =~ %r{^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$}
if %r{^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$}.match?(chain)
raise ArgumentError, 'BROUTING is the only inbuilt chain allowed on on table \'broute\''
end
when 'security'
if chain =~ %r{^(PREROUTING|POSTROUTING|BROUTING)$}
if %r{^(PREROUTING|POSTROUTING|BROUTING)$}.match?(chain)
raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'security'"
end
end
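Review bot: The `broute` branch's pattern `%r{^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$}.match?(chain)` is mis-grouped: alternation binds looser than the anchors, so only `PREROUTING` is anchored at the start and only `OUTPUT` at the end, and any chain whose name merely contains `POSTROUTING`, `INPUT` or `FORWARD` is rejected on that table. The sibling branches in the same hunk use `^( … )$`, and this one should too: `if %r{^(PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT)$}.match?(chain)`. Two `=~` uses are left untouched in the hunk (`chain =~ INTERNAL_CHAINS && chain == 'BROUTING'` under `mangle`, and `protocol =~ %r{^(IP(v6)?)?$}` under `nat`); if `INTERNAL_CHAINS` here matches the provider's definition, which lists BROUTING, the first is also redundant and `chain == 'BROUTING'` alone says the same thing. The enclosing validate block starts and ends outside the hunk.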
14 changes: 8 additions & 6 deletions lib/puppet/util/firewall.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'socket'
require 'resolv'
require 'puppet/util/ipcidr'
Expand All @@ -6,7 +8,7 @@
module Puppet::Util::Firewall
# Translate the symbolic names for icmp packet types to integers
def icmp_name_to_number(value_icmp, protocol)
if value_icmp =~ %r{\d{1,2}$}
if %r{\d{1,2}$}.match?(value_icmp)
value_icmp
elsif protocol == 'inet'
case value_icmp
Expand Down Expand Up @@ -47,7 +49,7 @@ def icmp_name_to_number(value_icmp, protocol)

# Convert log_level names to their respective numbers
def log_level_name_to_number(value)
if value =~ %r{\A[0-7]\z}
if %r{\A[0-7]\z}.match?(value)
value
else
case value
Expand Down Expand Up @@ -75,12 +77,12 @@ def log_level_name_to_number(value)
# nothing.
def string_to_port(value, proto)
proto = proto.to_s
unless proto =~ %r{^(tcp|udp)$}
unless %r{^(tcp|udp)$}.match?(proto)
proto = 'tcp'
end

m = value.to_s.match(%r{^(!\s+)?(\S+)})
return "#{m[1]}#{m[2]}" if m[2] =~ %r{^\d+(-\d+)?$}
return "#{m[1]}#{m[2]}" if %r{^\d+(-\d+)?$}.match?(m[2])
"#{m[1]}#{Socket.getservbyname(m[2], proto)}"
end

Expand Down Expand Up @@ -123,7 +125,7 @@ def host_to_ip(value, proto = nil)
begin
new_value = Puppet::Util::IPCidr.new(addr, family)
break
rescue # rubocop:disable Lint/HandleExceptions
rescue # looking for the one that works # rubocop:disable Lint/SuppressedException
end
end

Expand Down Expand Up @@ -158,7 +160,7 @@ def to_hex32(value)
if value.between?(0, 0xffffffff)
return '0x' + value.to_s(16)
end
rescue ArgumentError # rubocop:disable Lint/HandleExceptions
rescue ArgumentError
# pass
end
nil
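Review bot: In `string_to_port`, the rewritten `return "#{m[1]}#{m[2]}" if %r{^\d+(-\d+)?$}.match?(m[2])` still dereferences `m` without a nil check: `value.to_s.match(%r{^(!\s+)?(\S+)})` returns nil for an empty or whitespace-only value, so the line raises NoMethodError on `m[2]` rather than reporting a bad port. A guard before it, e.g. `raise ArgumentError, "invalid port specification: #{value.inspect}" if m.nil?`, would make the failure explicit; whether raising or returning nil is right depends on the method's contract, whose comment is cut off at the top of the hunk. The remaining `match?` conversions in this file are behaviour-preserving as far as the visible lines show.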
6 changes: 3 additions & 3 deletions lib/puppet/util/ipcidr.rb
@@ -1,3 +1,4 @@
# frozen_string_literal: true

require 'ipaddr'

Expand All @@ -7,7 +8,7 @@ class IPCidr < IPAddr
def initialize(ipaddr, family = Socket::AF_UNSPEC)
super(ipaddr, family)
rescue ArgumentError => e
raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}" if e.message =~ %r{invalid address}
raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}" if %r{invalid address}.match?(e.message)
raise e
end

Expand All @@ -29,8 +30,7 @@ def prefixlen
end

def cidr
cidr = '%s/%s' % [to_s, prefixlen]
cidr
"#{self}/#{prefixlen}"
end
end
end
8 changes: 4 additions & 4 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppetlabs-firewall",
"version": "2.8.0",
"version": "2.8.1",
"author": "puppetlabs",
"summary": "Manages Firewalls such as iptables",
"license": "Apache-2.0",
Expand Down Expand Up @@ -78,7 +78,7 @@
"version_requirement": ">= 5.5.10 < 8.0.0"
}
],
"template-url": "https://github.com/puppetlabs/pdk-templates#main",
"template-ref": "heads/main-0-g62126e1",
"pdk-version": "1.18.1"
"template-url": "https://github.com/puppetlabs/pdk-templates.git#main",
"template-ref": "heads/main-0-g1862b96",
"pdk-version": "1.19.0.pre (47)"
}
4 changes: 0 additions & 4 deletions provision.yaml
Expand Up @@ -37,11 +37,9 @@ travis_el8:
release_checks_5:
provisioner: abs
images:
- redhat-5-x86_64
- redhat-6-x86_64
- redhat-7-x86_64
- redhat-8-x86_64
- centos-5-x86_64
- centos-6-x86_64
- centos-7-x86_64
- centos-8-x86_64
Expand All @@ -59,11 +57,9 @@ release_checks_5:
release_checks_6:
provisioner: abs
images:
- redhat-5-x86_64
- redhat-6-x86_64
- redhat-7-x86_64
- redhat-8-x86_64
- centos-5-x86_64
- centos-6-x86_64
- centos-7-x86_64
- centos-8-x86_64
2 changes: 2 additions & 0 deletions spec/acceptance/class_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'

describe 'firewall class' do
6 changes: 4 additions & 2 deletions spec/acceptance/firewall_attributes_exceptions_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'

describe 'firewall basics', docker: true do
Expand Down Expand Up @@ -1039,7 +1041,7 @@ class { '::firewall': }
it 'contains the rule' do
run_shell('iptables-save') do |r|
expect(r.stdout).to match(
%r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Metrics/LineLength
%r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - test" -j ACCEPT}, # rubocop:disable Layout/LineLength
)
end
end
Expand Down Expand Up @@ -1335,7 +1337,7 @@ class { '::firewall': }
end
end
it 'hashlimit_upto is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "806 - hashlimit_upto test" -j ACCEPT}) # rubocop:disable Layout/LineLength : Cannot reduce line to required length
end
end

23 changes: 14 additions & 9 deletions spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'

describe 'firewall attribute testing, happy path' do
Expand Down Expand Up @@ -368,7 +370,7 @@ class { '::firewall': }
end
# it 'contains the connlimit and connlimit_mask rule' do
# expect(result.stdout).to match(
# %r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Metrics/LineLength
# %r{-A INPUT -p tcp -m multiport --dports 2222 -m connlimit --connlimit-above 10 --connlimit-mask 24 (--connlimit-saddr )?-m comment --comment "501 - connlimit" -j REJECT --reject-with icmp-port-unreachable}, # rubocop:disable Layout/LineLength
# )
# end
it 'contains connmark' do
Expand Down Expand Up @@ -432,10 +434,10 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A INPUT -p tcp -f -m multiport --dports 583 -m comment --comment "583 - isfragment" -j ACCEPT})
end
it 'ipsec_policy ipsec and dir out' do
expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A OUTPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir out --pol ipsec -m comment --comment "595 - ipsec_policy ipsec and out" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Layout/LineLength
end
it 'ipsec_policy none and dir in' do
expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A INPUT -d 20.0.0.0\/(8|255\.0\.0\.0) -m policy --dir in --pol none -m comment --comment "596 - ipsec_policy none and in" -j REJECT --reject-with icmp-net-unreachable}) # rubocop:disable Layout/LineLength
end
it 'set_mss is set' do
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "604 - set_mss" -j TCPMSS --set-mss 1360})
Expand All @@ -456,7 +458,7 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-out eth1 -m multiport --dports 712 -m comment --comment "712 - physdev_out" -j ACCEPT})
end
it 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m multiport --dports 713 -m comment --comment "713 - physdev_in physdev_out physdev_is_bridged" -j ACCEPT}) # rubocop:disable Layout/LineLength
end
it 'gid set to root' do
expect(result.stdout).to match(%r{-A OUTPUT -m owner --gid-owner (0|root) -m comment --comment "801 - gid root" -j ACCEPT})
Expand All @@ -477,16 +479,16 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m multiport --dports 997 -m comment --comment "1001 EF - set_dscp_class" -j DSCP --set-dscp 0x2e})
end
it 'all the modules with multiple args is set' do
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "807 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 90.0.0.1-90.0.0.2\s+--dst-range 100.0.0.1-100.0.0.2 -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "807 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Layout/LineLength
end
it 'all the modules with single args is set' do
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "808 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 100.0.0.1-100.0.0.2 -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "808 - ipt_modules tests" -j REJECT --reject-with icmp-port-unreachable}) # rubocop:disable Layout/LineLength
end
it 'recent set to set' do
expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --set --name list1 (--mask 255.255.255.255 )?--rdest -m comment --comment "597 - recent set"})
end
it 'recent set to rcheck' do
expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 (--mask 255.255.255.255 )?--rsource -m comment --comment "598 - recent rcheck"}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --rcheck --seconds 60 --hitcount 5 --rttl --name list1 (--mask 255.255.255.255 )?--rsource -m comment --comment "598 - recent rcheck"}) # rubocop:disable Layout/LineLength
end
it 'recent set to update' do
expect(result.stdout).to match(%r{-A INPUT -d 30.0.0.0\/(8|255\.0\.0\.0) -m recent --update --name DEFAULT (--mask 255.255.255.255 )?--rsource -m comment --comment "599 - recent update"})
Expand All @@ -498,8 +500,11 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
end
it 'notrack is set' do
notrack_rule = '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j CT --notrack'
notrack_rule = '-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j NOTRACK' if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)
notrack_rule = if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)
'-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j NOTRACK'
else
'-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment "004 do not track UDP connections to port 53" -j CT --notrack'
end
expect(result.stdout).to match(%r{#{notrack_rule}})
end
end
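Review bot: The two branches of `notrack_rule = if os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i)` repeat the entire rule and differ only in the target (`-j NOTRACK` versus `-j CT --notrack`), which hides the one thing the conditional is about; computing only the target and interpolating it once keeps the variation visible, e.g. `target = os[:family] == 'redhat' && [5, 6].include?(os[:release].to_i) ? '-j NOTRACK' : '-j CT --notrack'` followed by `notrack_rule = "-A PREROUTING -p udp -m multiport --dports 53 -m comment --comment \"004 do not track UDP connections to port 53\" #{target}"`. Unrelated to this change, the string is interpolated unescaped into `%r{#{notrack_rule}}`; it contains no regex metacharacters today, but `Regexp.escape(notrack_rule)` would keep that from silently changing. The enclosing `describe` context starts outside the hunk.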
6 changes: 4 additions & 2 deletions spec/acceptance/firewall_attributes_ipv6_exceptions_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'

describe 'firewall ipv6 attribute testing, exceptions' do
Expand Down Expand Up @@ -245,7 +247,7 @@ class { '::firewall': }
it 'contains the rule' do
run_shell('ip6tables-save') do |r|
expect(r.stdout).to match(
%r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Metrics/LineLength
%r{-A OUTPUT -p tcp -m multiport --dports 8080 -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -m comment --comment "805 - time" -j ACCEPT}, # rubocop:disable Layout/LineLength
)
end
end
Expand Down Expand Up @@ -434,7 +436,7 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
end
it 'hashlimit_name set to "upto-ip6"' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Metrics/LineLength : Cannot reduce line to required length
expect(result.stdout).to match(%r{-A INPUT -p tcp -m hashlimit --hashlimit-upto 16\/sec --hashlimit-burst 640 --hashlimit-name upto-ip6 --hashlimit-htable-size 1000000 --hashlimit-htable-max 320000 --hashlimit-htable-expire 36000000 -m comment --comment "803 - hashlimit_upto test ip6" -j ACCEPT}) # rubocop:disable Layout/LineLength : Cannot reduce line to required length
end
it 'match_mark is set' do
expect(result.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark ip6tables - test" -j REJECT --reject-with icmp6-port-unreachable})
26 changes: 21 additions & 5 deletions spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'

describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redhat' && os[:release].start_with?('5', '6')) || (os[:family] == 'sles') do
@@ -270,6 +272,16 @@ class { '::firewall': }
action => accept,
provider => 'ip6tables',
}
firewall { '500 allow v6 non-any queries':
chain => 'OUTPUT',
proto => 'udp',
dport => '53',
string_hex => '! |0000ff0001|',
string_algo => 'bm',
to => '65535',
action => 'accept',
provider => 'ip6tables',
}
PUPPETCODE
idempotent_apply(pp)
end
@@ -319,17 +331,17 @@ class { '::firewall': }
end
it 'ipsec_policy when ipsec' do
expect(result.stdout).to match(
%r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - ipsec_policy ipsec" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Metrics/LineLength
%r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "607 - ipsec_policy ipsec" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
)
end
it 'ipsec_policy when none' do
expect(result.stdout).to match(
%r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - ipsec_policy none" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Metrics/LineLength
%r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol none -m comment --comment "608 - ipsec_policy none" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
)
end
it 'ipsec_dir when out' do
expect(result.stdout).to match(
%r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - ipsec_dir out" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Metrics/LineLength
%r{-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m policy --dir out --pol ipsec -m comment --comment "609 - ipsec_dir out" -j REJECT --reject-with icmp6-adm-prohibited}, # rubocop:disable Layout/LineLength
)
end
it 'ipsec_dir when in' do
@@ -359,10 +371,10 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A INPUT -p tcp -m addrtype --src-type LOCAL -m addrtype ! --src-type LOCAL -m comment --comment "620 - src_type multiple values" -j ACCEPT})
end
it 'all the modules with multiple args is set' do
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m multiport --dports 8080 -m addrtype --src-type LOCAL --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength
end
it 'all the modules with single args is set' do
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Metrics/LineLength
expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m physdev\s+--physdev-out eth1 --physdev-is-bridged -m iprange --dst-range 2003::-2004:: -m owner --gid-owner 404 -m multiport --dports 8080 -m addrtype --dst-type UNICAST -m comment --comment "802 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength
end
it 'tee_gateway is set' do
expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1})
@@ -377,5 +389,9 @@ class { '::firewall': }
it 'checks hex_string value' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m string --hex-string "|f46d0425b202000a|" --algo kmp --to 65535 -m comment --comment "812 - hex_string" -j ACCEPT})
end
it 'checks hex_string value which include negation operator' do
regex_string = %r{-A OUTPUT -p udp -m multiport --dports 53 -m string ! --hex-string "|0000ff0001|" --algo bm --to 65535 -m comment --comment "500 allow v6 non-any queries" -j ACCEPT}
expect(result.stdout).to match(regex_string)
end
end
end
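Review bot: The expectation on the `regex_string = %r{... --hex-string "|0000ff0001|" ...}` line treats the two unescaped `|` characters as regex alternation, so it is satisfied whenever ip6tables-save output merely contains the bare substring `0000ff0001`, or the prefix up to `--hex-string "`, and never checks the hex value, `--algo bm --to 65535` and the comment together as one rule. Escaping the pipes pins the whole rule: `regex_string = %r{-A OUTPUT -p udp -m multiport --dports 53 -m string ! --hex-string "\|0000ff0001\|" --algo bm --to 65535 -m comment --comment "500 allow v6 non-any queries" -j ACCEPT}`. The pre-existing `checks hex_string value` example two lines above has the same weakness with `"|f46d0425b202000a|"`. Older iptables releases may render the negation as `--hex-string ! ...` rather than `! --hex-string`; the `(! -d|-d !)` alternations in rules_spec already tolerate this for `-d`, and the same tolerance is worth considering here if such targets are in the acceptance matrix.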
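--- a/spec/acceptance/firewallchain_spec.rb
+++ b/spec/acceptance/firewallchain_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper_acceptance'
 
 describe 'puppet resource firewallchain command' do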
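--- a/spec/acceptance/resource_cmd_spec.rb
+++ b/spec/acceptance/resource_cmd_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper_acceptance'
 
 # Here we want to test the the resource commands ability to work with different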
4 changes: 3 additions & 1 deletion spec/acceptance/rules_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper_acceptance'
require 'spec_helper_acceptance_local'

@@ -103,7 +105,7 @@
%r{INPUT ACCEPT}, %r{FORWARD ACCEPT}, %r{OUTPUT ACCEPT},
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT},
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT},
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --sports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Metrics/LineLength
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --sports 80,443,21,20,22,53,123,43,873,25,465 -m conntrack --ctstate NEW -m comment --comment \"100 forward standard allow tcp\" -j ACCEPT}, # rubocop:disable Layout/LineLength
%r{-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --sports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT}
]
it 'contains appropriate rules' do
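--- a/spec/acceptance/standard_usage_spec.rb
+++ b/spec/acceptance/standard_usage_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper_acceptance'
 
 # Some tests for the standard recommended usage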
22 changes: 11 additions & 11 deletions spec/fixtures/iptables/conversion_hash.rb
@@ -595,7 +595,7 @@
},
},
'connlimit_above' => {
line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10"', # rubocop:disable Metrics/LineLength
line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10"', # rubocop:disable Layout/LineLength
table: 'filter',
params: {
proto: 'tcp',
@@ -605,7 +605,7 @@
},
},
'connlimit_above_with_connlimit_mask' => {
line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10 with mask 24"', # rubocop:disable Metrics/LineLength,
line: '-A INPUT -p tcp -m multiport --dports 22 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "061 REJECT connlimit_above 10 with mask 24"', # rubocop:disable Layout/LineLength,
table: 'filter',
params: {
proto: 'tcp',
@@ -634,7 +634,7 @@
},
},
'drop_new_packets_without_syn' => {
line: '-t filter ! -s 10.0.0.0/8 ! -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -m comment --comment "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset"', # rubocop:disable Metrics/LineLength
line: '-t filter ! -s 10.0.0.0/8 ! -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -m comment --comment "064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset"', # rubocop:disable Layout/LineLength
table: 'filter',
params: {
name: '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset',
@@ -659,7 +659,7 @@
},
},
'match_mark' => {
line: '-A INPUT -p tcp -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches"', # rubocop:disable Metrics/LineLength
line: '-A INPUT -p tcp -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches"', # rubocop:disable Layout/LineLength
table: 'filter',
params: {
proto: 'tcp',
@@ -811,7 +811,7 @@
sport: ['7061', '7062'],
table: 'filter',
},
args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '1.1.1.1/32', '-p', :tcp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061,7062', '-j', 'ACCEPT', '-m', 'comment', '--comment', '000 allow foo'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '1.1.1.1/32', '-p', :tcp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061,7062', '-j', 'ACCEPT', '-m', 'comment', '--comment', '000 allow foo'], # rubocop:disable Layout/LineLength
},
'long_rule_2' => {
params: {
@@ -826,7 +826,7 @@
sport: ['7061', '7062'],
table: 'filter',
},
args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.10.13.0/24', '-p', :udp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061', '-j', 'my_custom_chain', '-m', 'comment', '--comment', '700 allow bar'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.10.13.0/24', '-p', :udp, '-m', 'multiport', '--sports', '7061,7062', '-m', 'multiport', '--dports', '7061', '-j', 'my_custom_chain', '-m', 'comment', '--comment', '700 allow bar'], # rubocop:disable Layout/LineLength
},
'no_action' => {
params: {
@@ -1286,7 +1286,7 @@
connlimit_mask: '24',
action: 'reject',
},
args: ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '22', '-j', 'REJECT', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '24', '-m', 'comment', '--comment', '061 REJECT connlimit_above 10 with mask 24'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '22', '-j', 'REJECT', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '24', '-m', 'comment', '--comment', '061 REJECT connlimit_above 10 with mask 24'], # rubocop:disable Layout/LineLength
},
'connmark' => {
params: {
@@ -1318,7 +1318,7 @@
source: '! 10.0.0.0/8',
tcp_flags: '! FIN,SYN,RST,ACK SYN',
},
args: ['-t', :filter, '!', '-s', '10.0.0.0/8', '!', '-p', :tcp, '-m', 'tcp', '!', '--tcp-flags', 'FIN,SYN,RST,ACK', 'SYN', '-m', 'state', '--state', 'NEW', '-j', 'DROP', '-m', 'comment', '--comment', '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '!', '-s', '10.0.0.0/8', '!', '-p', :tcp, '-m', 'tcp', '!', '--tcp-flags', 'FIN,SYN,RST,ACK', 'SYN', '-m', 'state', '--state', 'NEW', '-j', 'DROP', '-m', 'comment', '--comment', '064 drop NEW non-tcp external packets with FIN/RST/ACK set and SYN unset'], # rubocop:disable Layout/LineLength
},
'negate_dport_and_sport' => {
params: {
@@ -1332,7 +1332,7 @@
dport: ['! 67', '! 66'],
proto: 'udp',
},
args: ['-t', :filter, '-s', '0.0.0.0/32', '-d', '255.255.255.255/32', '-p', :udp, '-m', 'multiport', '!', '--sports', '68,69', '-m', 'multiport', '!', '--dports', '67,66', '-j', 'ACCEPT', '-m', 'comment', '--comment', '065 negate dport and sport'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '-s', '0.0.0.0/32', '-d', '255.255.255.255/32', '-p', :udp, '-m', 'multiport', '!', '--sports', '68,69', '-m', 'multiport', '!', '--dports', '67,66', '-j', 'ACCEPT', '-m', 'comment', '--comment', '065 negate dport and sport'], # rubocop:disable Layout/LineLength
},
'match_mark' => {
params: {
@@ -1344,7 +1344,7 @@
match_mark: '0x1',
action: 'reject',
},
args: ['-t', :filter, '-p', :tcp, '-j', 'REJECT', '-m', 'mark', '--mark', '0x1', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '32', '-m', 'comment', '--comment', '066 REJECT connlimit_above 10 with mask 32 and mark matches'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '-p', :tcp, '-j', 'REJECT', '-m', 'mark', '--mark', '0x1', '-m', 'connlimit', '--connlimit-above', '10', '--connlimit-mask', '32', '-m', 'comment', '--comment', '066 REJECT connlimit_above 10 with mask 32 and mark matches'], # rubocop:disable Layout/LineLength
},
'clamp_mss_to_pmtu' => {
params: {
@@ -1432,7 +1432,7 @@
queue_num: '50',
queue_bypass: true,
},
args: ['-t', :filter, '-s', '1.2.3.4/32', '-d', '4.3.2.1/32', '-p', :tcp, '-j', 'NFQUEUE', '--queue-num', '50', '--queue-bypass', '-m', 'comment', '--comment', '002 nfqueue specify queue_num and queue_bypass'], # rubocop:disable Metrics/LineLength
args: ['-t', :filter, '-s', '1.2.3.4/32', '-d', '4.3.2.1/32', '-p', :tcp, '-j', 'NFQUEUE', '--queue-num', '50', '--queue-bypass', '-m', 'comment', '--comment', '002 nfqueue specify queue_num and queue_bypass'], # rubocop:disable Layout/LineLength
},
'nfqueue_jump3' => {
params: {
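--- a/spec/spec_helper_acceptance_local.rb
+++ b/spec/spec_helper_acceptance_local.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'singleton'
 
 class LitmusHelper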
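--- a/spec/spec_helper_local.rb
+++ b/spec/spec_helper_local.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if ENV['COVERAGE'] == 'yes'
 require 'simplecov'
 require 'simplecov-console'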
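--- a/spec/unit/classes/firewall_linux_archlinux_spec.rb
+++ b/spec/unit/classes/firewall_linux_archlinux_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'firewall::linux::archlinux', type: :class do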
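--- a/spec/unit/classes/firewall_linux_debian_spec.rb
+++ b/spec/unit/classes/firewall_linux_debian_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'firewall::linux::debian', type: :class do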
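--- a/spec/unit/classes/firewall_linux_redhat_spec.rb
+++ b/spec/unit/classes/firewall_linux_redhat_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 RSpec.shared_examples 'ensures iptables service' do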
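--- a/spec/unit/classes/firewall_linux_spec.rb
+++ b/spec/unit/classes/firewall_linux_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'firewall::linux', type: :class do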
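--- a/spec/unit/classes/firewall_spec.rb
+++ b/spec/unit/classes/firewall_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'firewall', type: :class do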
3 changes: 2 additions & 1 deletion spec/unit/facter/iptables_persistent_version_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper'

describe 'Facter::Util::Fact iptables_persistent_version' do
@@ -50,7 +52,6 @@
'Debian' => '0.0.20090701',
'Ubuntu' => '0.5.3ubuntu2',
}.each do |os, ver|

if os == 'Debian'
os_release = '8.0'
elsif os == 'Ubuntu'
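--- a/spec/unit/facter/iptables_spec.rb
+++ b/spec/unit/facter/iptables_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'Facter::Util::Fact' do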
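--- a/spec/unit/puppet/provider/ip6tables_spec.rb
+++ b/spec/unit/puppet/provider/ip6tables_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec # rubocop:disable Lint/ScriptPermission : Puppet error?
+# frozen_string_literal: true
 
 require 'spec_helper'
 if Puppet::Util::Package.versioncmp(Puppet.version, '3.4.0') < 0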
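--- a/spec/unit/puppet/provider/iptables_chain_spec.rb
+++ b/spec/unit/puppet/provider/iptables_chain_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec
+# frozen_string_literal: true
 
 require 'spec_helper'
 if Puppet::Util::Package.versioncmp(Puppet.version, '3.4.0') < 0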
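--- a/spec/unit/puppet/provider/iptables_spec.rb
+++ b/spec/unit/puppet/provider/iptables_spec.rb
@@ -1,4 +1,5 @@
 #!/usr/bin/env rspec # rubocop:disable Lint/ScriptPermission : Puppet error?
+# frozen_string_literal: true
 
 require 'spec_helper'
 if Puppet::Util::Package.versioncmp(Puppet.version, '3.4.0') < 0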
88 changes: 44 additions & 44 deletions spec/unit/puppet/type/firewall_spec.rb
@@ -1,4 +1,5 @@
#!/usr/bin/env rspec
# frozen_string_literal: true

require 'spec_helper'

@@ -44,7 +45,7 @@
end

[:accept, :drop, :reject].each do |action|
it "should accept value #{action}" do
it "accepts value #{action}" do
resource[:action] = action
expect(resource[:action]).to eql action
end
@@ -57,7 +58,7 @@

describe ':chain' do
[:INPUT, :FORWARD, :OUTPUT, :PREROUTING, :POSTROUTING].each do |chain|
it "should accept chain value #{chain}" do
it "accepts chain value #{chain}" do
resource[:chain] = chain
expect(resource[:chain]).to eql chain
end
@@ -70,7 +71,7 @@

describe ':table' do
[:nat, :mangle, :filter, :raw].each do |table|
it "should accept table value #{table}" do
it "accepts table value #{table}" do
resource[:table] = table
expect(resource[:table]).to eql table
end
@@ -83,7 +84,7 @@

describe ':proto' do
[:ip, :tcp, :udp, :icmp, :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :pim, :all].each do |proto|
it "should accept proto value #{proto}" do
it "accepts proto value #{proto}" do
resource[:proto] = proto
expect(resource[:proto]).to eql proto
end
@@ -101,14 +102,14 @@
end

['QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'NFLOG', 'MASQUERADE', 'REDIRECT', 'MARK'].each do |jump|
it "should accept jump value #{jump}" do
it "accepts jump value #{jump}" do
resource[:jump] = jump
expect(resource[:jump]).to eql jump
end
end

['ACCEPT', 'DROP', 'REJECT'].each do |jump|
it "should now fail when value #{jump}" do
it "nows fail when value #{jump}" do
expect(-> { resource[:jump] = jump }).to raise_error(Puppet::Error)
end
end
@@ -120,17 +121,17 @@

[:source, :destination].each do |addr|
describe addr do
it "should accept a #{addr} as a string" do
it "accepts a #{addr} as a string" do
resource[addr] = '127.0.0.1'
expect(resource[addr]).to eql '127.0.0.1/32'
end
['0.0.0.0/0', '::/0'].each do |prefix|
it "should be nil for zero prefix length address #{prefix}" do
it "is nil for zero prefix length address #{prefix}" do
resource[addr] = prefix
expect(resource[addr]).to be nil
end
end
it "should accept a negated #{addr} as a string" do
it "accepts a negated #{addr} as a string" do
resource[addr] = '! 127.0.0.1'
expect(resource[addr]).to eql '! 127.0.0.1/32'
end
@@ -139,75 +140,74 @@

describe 'source error checking' do
it 'Invalid address when 256.168.2.0/24' do
expect(-> { resource[:source] = '256.168.2.0/24' }).to raise_error(
expect { resource[:source] = '256.168.2.0/24' }.to raise_error(
Puppet::Error, %r{host_to_ip failed}
)
end
end

describe 'destination error checking' do
it 'Invalid address when 256.168.2.0/24' do
expect(-> { resource[:destination] = '256.168.2.0/24' }).to raise_error(
expect { resource[:destination] = '256.168.2.0/24' }.to raise_error(
Puppet::Error, %r{host_to_ip failed}
)
end
end

describe 'src_range error checking' do
it 'Invalid IP when 392.168.1.1-192.168.1.10' do
expect(-> { resource[:src_range] = '392.168.1.1-192.168.1.10' }).to raise_error(
expect { resource[:src_range] = '392.168.1.1-192.168.1.10' }.to raise_error(
Puppet::Error, %r{Invalid IP address}
)
end
end

describe 'dst_range error checking' do
it 'Invalid IP when 392.168.1.1-192.168.1.10' do
expect(-> { resource[:dst_range] = '392.168.1.1-192.168.1.10' }).to raise_error(
expect { resource[:dst_range] = '392.168.1.1-192.168.1.10' }.to raise_error(
Puppet::Error, %r{Invalid IP address}
)
end
end

[:dport, :sport].each do |port|
describe port do
it "should accept a #{port} as string" do
it "accepts a #{port} as string" do
resource[port] = '22'
expect(resource[port]).to eql ['22']
end

it "should accept a #{port} as an array" do
it "accepts a #{port} as an array" do
resource[port] = ['22', '23']
expect(resource[port]).to eql ['22', '23']
end

it "should accept a #{port} as a number" do
it "accepts a #{port} as a number" do
resource[port] = 22
expect(resource[port]).to eql ['22']
end

it "should accept a #{port} as a hyphen separated range" do
it "accepts a #{port} as a hyphen separated range" do
resource[port] = ['22-1000']
expect(resource[port]).to eql ['22-1000']
end

it "should accept a #{port} as a combination of arrays of single and " \
'hyphen separated ranges' do

resource[port] = ['22-1000', '33', '3000-4000']
expect(resource[port]).to eql ['22-1000', '33', '3000-4000']
end

it "should convert a port name for #{port} to its number" do
it "converts a port name for #{port} to its number" do
resource[port] = 'ssh'
expect(resource[port]).to eql ['22']
end

it "should not accept something invalid for #{port}" do
it "does not accept something invalid for #{port}" do
expect { resource[port] = 'something odd' }.to raise_error(Puppet::Error, %r{^Parameter .+ failed.+Munging failed for value ".+" in class .+: no such service})
end

it "should not accept something invalid in an array for #{port}" do
it "does not accept something invalid in an array for #{port}" do
expect { resource[port] = ['something odd', 'something even odder'] }.to raise_error(Puppet::Error, %r{^Parameter .+ failed.+Munging failed for value ".+" in class .+: no such service})
end
end
@@ -232,30 +232,30 @@
:UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].each do |type|
['! ', ''].each do |negation|
['', ' --limit-iface-in', ' --limit-iface-out'].each do |limit|
it "should accept #{addrtype} value #{negation}#{type}#{limit}" do
it "accepts #{addrtype} value #{negation}#{type}#{limit}" do
resource[addrtype] = type
expect(resource[addrtype]).to eql [type]
end
end
end
end

it "should fail when #{addrtype} value is not recognized" do
it "fails when #{addrtype} value is not recognized" do
expect(-> { resource[addrtype] = 'foo' }).to raise_error(Puppet::Error)
end
end

[:iniface, :outiface].each do |iface|
describe iface do
it "should accept #{iface} value as a string" do
it "accepts #{iface} value as a string" do
resource[iface] = 'eth1'
expect(resource[iface]).to eql 'eth1'
end
it "should accept a negated #{iface} value as a string" do
it "accepts a negated #{iface} value as a string" do
resource[iface] = '! eth1'
expect(resource[iface]).to eql '! eth1'
end
it "should accept an interface alias for the #{iface} value as a string" do
it "accepts an interface alias for the #{iface} value as a string" do
resource[iface] = 'eth1:2'
expect(resource[iface]).to eql 'eth1:2'
end
@@ -264,7 +264,7 @@

[:tosource, :todest, :to].each do |addr|
describe addr do
it "should accept #{addr} value as a string" do
it "accepts #{addr} value as a string" do
resource[addr] = '127.0.0.1'
end
end
@@ -449,27 +449,27 @@

[:ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst].each do |addr|
describe addr do
it "should accept a #{addr} as a string without /32" do
it "accepts a #{addr} as a string without /32" do
resource[addr] = '127.0.0.1'
expect(resource[addr]).to eql '127.0.0.1'
end
it "should accept a #{addr} as a string with /32" do
it "accepts a #{addr} as a string with /32" do
resource[addr] = '127.0.0.1/32'
expect(resource[addr]).to eql '127.0.0.1'
end
it "should accept a #{addr} as a string with cidr" do
it "accepts a #{addr} as a string with cidr" do
resource[addr] = '10.0.0.0/8'
expect(resource[addr]).to eql '10.0.0.0/8'
end
it "should accept a #{addr} as a string with ipv6 cidr" do
it "accepts a #{addr} as a string with ipv6 cidr" do
resource[addr] = '2001:DB8::/64'
expect(resource[addr]).to eql '2001:DB8::/64'
end
it "should accept a negated #{addr} as a string" do
it "accepts a negated #{addr} as a string" do
resource[addr] = '! 127.0.0.1'
expect(resource[addr]).to eql '! 127.0.0.1'
end
it "should accept a negated #{addr} as a string with cidr" do
it "accepts a negated #{addr} as a string with cidr" do
resource[addr] = '! 10.0.0.0/8'
expect(resource[addr]).to eql '! 10.0.0.0/8'
end
@@ -478,19 +478,19 @@

[:ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport].each do |port|
describe port do
it "should accept #{port} as numeric value" do
it "accepts #{port} as numeric value" do
resource[port] = 80
expect(resource[port]).to be 80
end
it "should accept #{port} as range value" do
it "accepts #{port} as range value" do
resource[port] = '80:81'
expect(resource[port]).to eql '80:81'
end
it "should accept a negated #{port} as string value" do
it "accepts a negated #{port} as string value" do
resource[port] = '! 80'
expect(resource[port]).to eql '! 80'
end
it "should accept a negated #{port} as range value" do
it "accepts a negated #{port} as range value" do
resource[port] = '! 80:81'
expect(resource[port]).to eql '! 80:81'
end
@@ -554,7 +554,7 @@

describe ':recent' do
['set', 'update', 'rcheck', 'remove'].each do |recent|
it "should accept recent value #{recent}" do
it "accepts recent value #{recent}" do
resource[:recent] = recent
expect(resource[:recent]).to eql "--#{recent}"
end
@@ -647,7 +647,7 @@
end

['/', '1000/', 'pwnie'].each do |bad_mark|
it "should fail with malformed mark '#{bad_mark}'" do
it "fails with malformed mark '#{bad_mark}'" do
expect(-> { resource[:set_mark] = bad_mark }).to raise_error(Puppet::Error)
end
end
@@ -727,7 +727,7 @@

# test where autorequire is still needed (table != filter)
['INPUT', 'OUTPUT', 'FORWARD'].each do |test_chain|
it "should autorequire fwchain #{test_chain} when table is mangle and provider is undefined" do
it "autorequires fwchain #{test_chain} when table is mangle and provider is undefined" do
resource[param] = test_chain
resource[:table] = :mangle
expect(resource[:provider]).to be :iptables
@@ -741,7 +741,7 @@
expect(rel.target.ref).to eql resource.ref
end

it "should autorequire fwchain #{test_chain} when table is mangle and provider is ip6tables" do
it "autorequires fwchain #{test_chain} when table is mangle and provider is ip6tables" do
resource[param] = test_chain
resource[:table] = :mangle
resource[:provider] = :ip6tables
@@ -758,7 +758,7 @@

# test of case where autorequire should not happen
['INPUT', 'OUTPUT', 'FORWARD'].each do |test_chain|
it "should not autorequire fwchain #{test_chain} when table and provider are undefined" do
it "does not autorequire fwchain #{test_chain} when table and provider are undefined" do
resource[param] = test_chain
expect(resource[:table]).to be :filter
expect(resource[:provider]).to be :iptables
@@ -771,7 +771,7 @@
expect(rel).to be nil
end

it "should not autorequire fwchain #{test_chain} when table is undefined and provider is ip6tables" do
it "does not autorequire fwchain #{test_chain} when table is undefined and provider is ip6tables" do
resource[param] = test_chain
expect(resource[:table]).to be :filter
resource[:provider] = :ip6tables
@@ -812,7 +812,7 @@

describe ':pkttype' do
[:multicast, :broadcast, :unicast].each do |pkttype|
it "should accept pkttype value #{pkttype}" do
it "accepts pkttype value #{pkttype}" do
resource[:pkttype] = pkttype
expect(resource[:pkttype]).to eql pkttype
end
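Review bot: The renamed description `it "nows fail when value #{jump}" do` in the `:jump` examples is a mangled autocorrect of "should now fail" and will show up as a typo in every test report; `it "now fails when value #{jump}" do` (or more plainly `it "rejects value #{jump}" do`) matches the wording the other renamed examples use. The multi-line description `it "should accept a #{port} as a combination of arrays of single and " \` in the dport/sport examples was left in the old "should …" form, presumably because the autocorrect does not touch concatenated strings, so RSpec/ExampleWording will likely still report it unless it is changed to `it "accepts a #{port} as a combination of arrays of single and " \`. The remaining changes in this section are description renames and `expect(-> { … })` to `expect { … }` conversions, which do not alter what is asserted.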
18 changes: 8 additions & 10 deletions spec/unit/puppet/type/firewallchain_spec.rb
@@ -1,4 +1,5 @@
#!/usr/bin/env rspec
# frozen_string_literal: true

require 'spec_helper'

@@ -36,21 +37,21 @@
['test', '$5()*&%\'"^$09):'].each do |chainname|
name = "#{chainname}:#{table}:#{protocol}"
if table == 'nat' && protocol == 'IPv6'
it "should accept #{name} for Linux 3.7+" do
it "accepts #{name} for Linux 3.7+" do
allow(Facter.fact(:kernelmajversion)).to receive(:value).and_return('3.7')
resource[:name] = name
expect(resource[:name]).to eql name
end
it "should fail #{name} for Linux 2.6" do
it "fails #{name} for Linux 2.6" do
allow(Facter.fact(:kernelmajversion)).to receive(:value).and_return('2.6')
expect { resource[:name] = name }.to raise_error(Puppet::Error)
end
elsif protocol != 'ethernet' && table == 'broute'
it "should fail #{name}" do # rubocop:disable RSpec/RepeatedExample
it "fails #{name}" do # rubocop:disable RSpec/RepeatedExample,RSpec/RepeatedDescription
expect { resource[:name] = name }.to raise_error(Puppet::Error)
end
else
it "should accept name #{name}" do # rubocop:disable RSpec/RepeatedExample
it "accepts name #{name}" do # rubocop:disable RSpec/RepeatedExample
resource[:name] = name
expect(resource[:name]).to eql name
end
@@ -68,12 +69,12 @@
'IPv4'
end
if allowedinternalchains.include? internalchain
it "should allow #{name}" do # rubocop:disable RSpec/RepeatedExample
it "allows #{name}" do # rubocop:disable RSpec/RepeatedExample
resource[:name] = name
expect(resource[:name]).to eql name
end
else
it "should fail #{name}" do # rubocop:disable RSpec/RepeatedExample
it "fails #{name}" do # rubocop:disable RSpec/RepeatedExample,RSpec/RepeatedDescription
expect { resource[:name] = name }.to raise_error(Puppet::Error)
end
end
@@ -91,7 +92,7 @@

describe ':policy' do
[:accept, :drop, :queue, :return].each do |policy|
it "should accept policy #{policy}" do
it "accepts policy #{policy}" do
resource[:policy] = policy
expect(resource[:policy]).to eql policy
end
@@ -140,8 +141,6 @@
expect(rel.target.ref).to eql resource.ref
end
end
# rubocop:enable RSpec/ExampleLength
# rubocop:enable RSpec/MultipleExpectations
end

describe 'purge iptables rules' do
@@ -169,7 +168,6 @@
allow(Puppet::Type.type(:firewall).provider(:iptables)).to receive(:iptables_save).and_return(stub_return)
allow(Puppet::Type.type(:firewall).provider(:ip6tables)).to receive(:ip6tables_save).and_return(stub_return)
end
# rubocop:enable Layout/IndentHeredoc

it 'generates iptables resources' do
allow(Facter.fact(:ip6tables_version)).to receive(:value).and_return('1.4.21')
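Review bot: Dropping `# rubocop:enable RSpec/ExampleLength`, `# rubocop:enable RSpec/MultipleExpectations` and `# rubocop:enable Layout/IndentHeredoc` removes the closing half of directive pairs whose `disable` lines sit outside these hunks; if those `disable` lines were not removed in the same change, the three cops now stay suppressed to the end of the file instead of for the intended region, which silently widens the exemption to every later example. Worth confirming the paired `disable` directives are gone too (rubocop's Lint/RedundantCopEnableDirective would have fired on the orphaned `enable` lines, which may be why they were deleted). Separately, the two branches that now share the description `"fails #{name}"` are papered over with `RSpec/RepeatedDescription`; distinct wording such as `it "fails #{name} for a non-ethernet broute chain" do` and `it "fails #{name} for an internal chain its table does not allow" do` would keep a failure attributable to the right branch without the disable.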
7 changes: 5 additions & 2 deletions spec/unit/puppet/util/firewall_spec.rb
@@ -1,3 +1,5 @@
# frozen_string_literal: true

require 'spec_helper'

describe 'Puppet::Util::Firewall' do
@@ -56,7 +58,7 @@
subject(:host) { resource }

['inet5', 'inet8', 'foo'].each do |proto|
it "should reject invalid proto #{proto}" do
it "rejects invalid proto #{proto}" do
expect { host.icmp_name_to_number('echo-reply', proto) }
.to raise_error(ArgumentError, "unsupported protocol family '#{proto}'")
end
@@ -121,9 +123,10 @@
end

describe '#persist_iptables' do
before(:each) { Facter.clear }
subject(:host) { resource }

before(:each) { Facter.clear }

# rubocop:disable RSpec/SubjectStub
describe 'when proto is IPv4' do
let(:proto) { 'IPv4' }
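--- a/spec/unit/puppet/util/ipcidr_spec.rb
+++ b/spec/unit/puppet/util/ipcidr_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 require 'puppet/util/ipcidr'
 
@@ -54,6 +56,12 @@
 it { expect(host.netmask).to eql '0.0.0.0' }
 end
 
+describe 'ipv4 invalid address' do
+subject(:host) { Puppet::Util::IPCidr.new('256.168.2.0/24') }
+
+it { expect { host }.to raise_error ArgumentError, %r{256.168.2.0/24} }
+end
+
 describe 'ipv6 address' do
 subject(:host) { ipaddr }
 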
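Review bot: The new `ipv4 invalid address` example matches the error with `%r{256.168.2.0/24}`, where each unescaped `.` matches any character, so the assertion is looser than it looks; `%r{256\.168\.2\.0/24}` pins the message to the exact input that was rejected. The lazily evaluated `subject(:host)` inside `expect { host }` is the right shape for asserting a constructor failure. Only the IPv4 rejection path is covered here; an IPv6 counterpart (a group above `ffff` or a prefix length above 128) would give the same confidence for the other address family this spec already exercises in `ipv6 address`.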