164 changes: 112 additions & 52 deletions Gemfile
@@ -1,76 +1,136 @@
#This file is generated by ModuleSync, do not edit.
source ENV['GEM_SOURCE'] || 'https://rubygems.org'

source ENV['GEM_SOURCE'] || "https://rubygems.org"
def location_for(place_or_version, fake_version = nil)
if place_or_version =~ %r{\A(git[:@][^#]*)#(.*)}
[fake_version, { git: Regexp.last_match(1), branch: Regexp.last_match(2), require: false }].compact
elsif place_or_version =~ %r{\Afile:\/\/(.*)}
['>= 0', { path: File.expand_path(Regexp.last_match(1)), require: false }]
else
[place_or_version, { require: false }]
end
end

# Determines what type of gem is requested based on place_or_version.
def gem_type(place_or_version)
if place_or_version =~ /^git:/
if place_or_version =~ %r{\Agit[:@]}
:git
elsif place_or_version =~ /^file:/
elsif !place_or_version.nil? && place_or_version.start_with?('file:')
:file
else
:gem
end
end

# Find a location or specific version for a gem. place_or_version can be a
# version, which is most often used. It can also be git, which is specified as
# `git://somewhere.git#branch`. You can also use a file source location, which
# is specified as `file://some/location/on/disk`.
def location_for(place_or_version, fake_version = nil)
if place_or_version =~ /^(git[:@][^#]*)#(.*)/
[fake_version, { :git => $1, :branch => $2, :require => false }].compact
elsif place_or_version =~ /^file:\/\/(.*)/
['>= 0', { :path => File.expand_path($1), :require => false }]
else
[place_or_version, { :require => false }]
end
end

# Used for gem conditionals
supports_windows = false
ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
minor_version = "#{ruby_version_segments[0]}.#{ruby_version_segments[1]}"
minor_version = ruby_version_segments[0..1].join('.')

group :development do
gem "puppet-module-posix-default-r#{minor_version}", :require => false, :platforms => "ruby"
gem "puppet-module-win-default-r#{minor_version}", :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
gem "puppet-module-posix-dev-r#{minor_version}", :require => false, :platforms => "ruby"
gem "puppet-module-win-dev-r#{minor_version}", '0.0.7', :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
gem "json_pure", '<= 2.0.1', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem "fast_gettext", '1.1.0', :require => false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
gem "fast_gettext", :require => false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby]
gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby]
gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "puppet-blacksmith", '~> 3.4', require: false
end

group :system_tests do
gem "puppet-module-posix-system-r#{minor_version}", :require => false, :platforms => "ruby"
gem "puppet-module-win-system-r#{minor_version}", :require => false, :platforms => ["mswin", "mingw", "x64_mingw"]
gem "beaker", *location_for(ENV['BEAKER_VERSION'] || '>= 3')
gem "beaker-pe", :require => false
gem "beaker-rspec", *location_for(ENV['BEAKER_RSPEC_VERSION'])
gem "beaker-hostgenerator", *location_for(ENV['BEAKER_HOSTGENERATOR_VERSION'])
gem "beaker-abs", *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1')
gem "puppet-blacksmith", '~> 3.4', :require => false
gem "puppet-module-posix-system-r#{minor_version}", require: false, platforms: [:ruby]
gem "puppet-module-win-system-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
gem "beaker", *location_for(ENV['BEAKER_VERSION'] || '~> 3.13')
gem "beaker-abs", *location_for(ENV['BEAKER_ABS_VERSION'] || '~> 0.1')
gem "beaker-pe", require: false
gem "beaker-hostgenerator"
gem "beaker-rspec"
end

gem 'puppet', *location_for(ENV['PUPPET_GEM_VERSION'])
puppet_version = ENV['PUPPET_GEM_VERSION']
puppet_type = gem_type(puppet_version)
facter_version = ENV['FACTER_GEM_VERSION']
hiera_version = ENV['HIERA_GEM_VERSION']

# Only explicitly specify Facter/Hiera if a version has been specified.
# Otherwise it can lead to strange bundler behavior. If you are seeing weird
# gem resolution behavior, try setting `DEBUG_RESOLVER` environment variable
# to `1` and then run bundle install.
gem 'facter', *location_for(ENV['FACTER_GEM_VERSION']) if ENV['FACTER_GEM_VERSION']
gem 'hiera', *location_for(ENV['HIERA_GEM_VERSION']) if ENV['HIERA_GEM_VERSION']
def puppet_older_than?(version)
puppet_version = ENV['PUPPET_GEM_VERSION']
!puppet_version.nil? &&
Gem::Version.correct?(puppet_version) &&
Gem::Requirement.new("< #{version}").satisfied_by?(Gem::Version.new(puppet_version.dup))
end

gems = {}

gems['puppet'] = location_for(puppet_version)

# Evaluate Gemfile.local if it exists
if File.exists? "#{__FILE__}.local"
eval(File.read("#{__FILE__}.local"), binding)
# If facter or hiera versions have been specified via the environment
# variables, use those versions. If not, and if the puppet version is < 3.5.0,
# use known good versions of both for puppet < 3.5.0.
if facter_version
gems['facter'] = location_for(facter_version)
elsif puppet_type == :gem && puppet_older_than?('3.5.0')
gems['facter'] = ['>= 1.6.11', '<= 1.7.5', require: false]
end

# Evaluate ~/.gemfile if it exists
if File.exists?(File.join(Dir.home, '.gemfile'))
eval(File.read(File.join(Dir.home, '.gemfile')), binding)
if hiera_version
gems['hiera'] = location_for(ENV['HIERA_GEM_VERSION'])
elsif puppet_type == :gem && puppet_older_than?('3.5.0')
gems['hiera'] = ['>= 1.0.0', '<= 1.3.0', require: false]
end

# vim:ft=ruby
if Gem.win_platform? && (puppet_type != :gem || puppet_older_than?('3.5.0'))
# For Puppet gems < 3.5.0 (tested as far back as 3.0.0) on Windows
if puppet_type == :gem
gems['ffi'] = ['1.9.0', require: false]
gems['minitar'] = ['0.5.4', require: false]
gems['win32-eventlog'] = ['0.5.3', '<= 0.6.5', require: false]
gems['win32-process'] = ['0.6.5', '<= 0.7.5', require: false]
gems['win32-security'] = ['~> 0.1.2', '<= 0.2.5', require: false]
gems['win32-service'] = ['0.7.2', '<= 0.8.8', require: false]
else
gems['ffi'] = ['~> 1.9.0', require: false]
gems['minitar'] = ['~> 0.5.4', require: false]
gems['win32-eventlog'] = ['~> 0.5', '<= 0.6.5', require: false]
gems['win32-process'] = ['~> 0.6', '<= 0.7.5', require: false]
gems['win32-security'] = ['~> 0.1', '<= 0.2.5', require: false]
gems['win32-service'] = ['~> 0.7', '<= 0.8.8', require: false]
end

gems['win32-dir'] = ['~> 0.3', '<= 0.4.9', require: false]

if RUBY_VERSION.start_with?('1.')
gems['win32console'] = ['1.3.2', require: false]
# sys-admin was removed in Puppet 3.7.0 and doesn't compile under Ruby 2.x
gems['sys-admin'] = ['1.5.6', require: false]
end

# Puppet < 3.7.0 requires these.
# Puppet >= 3.5.0 gem includes these as requirements.
# The following versions are tested to work with 3.0.0 <= puppet < 3.7.0.
gems['win32-api'] = ['1.4.8', require: false]
gems['win32-taskscheduler'] = ['0.2.2', require: false]
gems['windows-api'] = ['0.4.3', require: false]
gems['windows-pr'] = ['1.2.3', require: false]
elsif Gem.win_platform?
# If we're using a Puppet gem on Windows which handles its own win32-xxx gem
# dependencies (>= 3.5.0), set the maximum versions (see PUP-6445).
gems['win32-dir'] = ['<= 0.4.9', require: false]
gems['win32-eventlog'] = ['<= 0.6.5', require: false]
gems['win32-process'] = ['<= 0.7.5', require: false]
gems['win32-security'] = ['<= 0.2.5', require: false]
gems['win32-service'] = ['<= 0.8.8', require: false]
end

gems.each do |gem_name, gem_params|
gem gem_name, *gem_params
end

# Evaluate Gemfile.local and ~/.gemfile if they exist
extra_gemfiles = [
"#{__FILE__}.local",
File.join(Dir.home, '.gemfile'),
]

extra_gemfiles.each do |gemfile|
if File.file?(gemfile) && File.readable?(gemfile)
eval(File.read(gemfile), binding)
end
end
# vim: syntax=ruby
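Review bot: The `extra_gemfiles` loop near the end of the Gemfile passes the contents of `Gemfile.local` and `~/.gemfile` to `eval(File.read(gemfile), binding)`, so any Ruby placed in either file runs with the privileges of whoever invokes Bundler, and nothing in the file says so. I would put a comment above the loop, for example `# Gemfile.local and ~/.gemfile are evaluated as Ruby; only run bundler where both paths are writable solely by the invoking user.` On shared CI runners it is worth confirming that the job's home directory and checkout cannot be written by other jobs. The `File.file?`/`File.readable?` test guards against a missing file only; it is not a trust check.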
2 changes: 1 addition & 1 deletion NOTICE
@@ -1,6 +1,6 @@
Puppet Module - puppetlabs-firewall

Copyright 2017 Puppet, Inc.
Copyright 2018 Puppet, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
38 changes: 2 additions & 36 deletions Rakefile
@@ -1,37 +1,3 @@
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?

PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.send('relative')

desc 'Generate pooler nodesets'
task :gen_nodeset do
require 'beaker-hostgenerator'
require 'securerandom'
require 'fileutils'

agent_target = ENV['TEST_TARGET']
if ! agent_target
STDERR.puts 'TEST_TARGET environment variable is not set'
STDERR.puts 'setting to default value of "redhat-64default."'
agent_target = 'redhat-64default.'
end

master_target = ENV['MASTER_TEST_TARGET']
if ! master_target
STDERR.puts 'MASTER_TEST_TARGET environment variable is not set'
STDERR.puts 'setting to default value of "redhat7-64mdcl"'
master_target = 'redhat7-64mdcl'
end

targets = "#{master_target}-#{agent_target}"
cli = BeakerHostGenerator::CLI.new([targets])
nodeset_dir = "tmp/nodesets"
nodeset = "#{nodeset_dir}/#{targets}-#{SecureRandom.uuid}.yaml"
FileUtils.mkdir_p(nodeset_dir)
File.open(nodeset, 'w') do |fh|
fh.print(cli.execute)
end
puts nodeset
end
require 'puppet-syntax/tasks/puppet-syntax'
require 'puppet_blacksmith/rake_tasks'
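Review bot: The last line of the new Rakefile requires `puppet_blacksmith/rake_tasks` unconditionally, whereas the line it replaces loaded it only when Bundler could find the gem. The Gemfile in this commit lists puppet-blacksmith in the `:development` group only, so an install that skips that group would presumably fail every `rake` invocation with a LoadError. Keeping the guard avoids that: `require 'puppet_blacksmith/rake_tasks' if Bundler.rubygems.find_name('puppet-blacksmith').any?`.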
2 changes: 1 addition & 1 deletion lib/puppet/provider/firewall/iptables.rb
Expand Up @@ -394,7 +394,7 @@ def self.rule_to_hash(line, table, counter)
values.insert(ind, "-m set --match-set \"#{sets.join(';')}\" ")
end
# we do a similar thing for negated address masks (source and destination).
values = values.gsub(%r{(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
values = values.gsub(%r{(?<=\s)(-\S+) (!)\s?(\S*)}, '\1 "\2 \3"')
# fix negated physdev rules
values = values.gsub(%r{-m physdev ! (--physdev-is-\S+)}, '-m physdev \1 "!"')
# the actual rule will have the ! mark before the option.
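Review bot: The new `(?<=\s)` lookbehind in the negation `gsub` is undocumented, and it also means an option at the very start of `values` can no longer match because no whitespace precedes it. Whether `values` can begin with a negated option is decided earlier in `rule_to_hash`, which starts and ends outside this hunk, so that needs confirming. I would extend the comment above the line, e.g. `# the lookbehind keeps a '-' inside another token (such as a hyphenated name) from being taken for an option`, if that is the intent, and add a parser spec for the input that motivated the change. A misparsed negation here changes how an existing rule is read back, so it deserves a regression test.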
500 changes: 250 additions & 250 deletions lib/puppet/type/firewall.rb


24 changes: 12 additions & 12 deletions lib/puppet/type/firewallchain.rb
Expand Up @@ -10,7 +10,7 @@
Puppet::Type.newtype(:firewallchain) do
include Puppet::Util::Firewall

@doc = <<-EOS
@doc = <<-PUPPETCODE
This type provides the capability to manage rule chains for firewalls.
Currently this supports only iptables, ip6tables and ebtables on Linux. And
Expand All @@ -21,7 +21,7 @@
If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
and the provider is iptables_chain, the firewall resource will autorequire
those packages to ensure that any required binaries are installed.
EOS
PUPPETCODE

feature :iptables_chain, 'The provider provides iptables chain features.'
feature :policy, 'Default policy (inbuilt chains only)'
Expand All @@ -32,11 +32,11 @@
end

newparam(:name) do
desc <<-EOS
desc <<-PUPPETCODE
The canonical name of the chain.
For iptables the format must be {chain}:{table}:{protocol}.
EOS
PUPPETCODE
isnamevar

validate do |value|
Expand Down Expand Up @@ -89,7 +89,7 @@
end

newproperty(:policy) do
desc <<-EOS
desc <<-PUPPETCODE
This is the action to when the end of the chain is reached.
It can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,
PREROUTING, POSTROUTING) and can be one of:
Expand All @@ -99,7 +99,7 @@
* queue - the packet is passed userspace
* return - the packet is returned to calling (jump) queue
or the default of inbuilt chains
EOS
PUPPETCODE
newvalues(:accept, :drop, :queue, :return)
defaultto do
# ethernet chain have an ACCEPT default while other haven't got an
Expand All @@ -113,15 +113,15 @@
end

newparam(:purge, boolean: true) do
desc <<-EOS
desc <<-PUPPETCODE
Purge unmanaged firewall rules in this chain
EOS
newvalues(:false, :true)
defaultto :false
PUPPETCODE
newvalues(false, true)
defaultto false
end

newparam(:ignore) do
desc <<-EOS
desc <<-PUPPETCODE
Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
This is matched against the output of `iptables-save`.
Expand All @@ -140,7 +140,7 @@
'--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
],
}
EOS
PUPPETCODE

validate do |value|
unless value.is_a?(Array) || value.is_a?(String) || value == false
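Review bot: In `newparam(:purge, boolean: true)` the default moves from the symbol `:false` to Ruby `false` (`newvalues(false, true)`, `defaultto false`), and the section shows no test that the parameter still resolves to a non-purging default. Puppet's default handling may treat a falsy default as no default at all, in which case `self[:purge]` would read back as nil rather than `:false`; this is worth confirming against the provider code that consumes it, which is not visible here. Since this parameter decides whether unmanaged firewall rules are deleted, I would either keep `defaultto :false` or add a spec that asserts the default and the accepted values.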
5 changes: 4 additions & 1 deletion manifests/linux/debian.pp
Expand Up @@ -24,7 +24,10 @@
if $package_name {
#Fixes hang while installing iptables-persistent on debian 8
exec {'iptables-persistent-debconf':
command => "/bin/echo \"${package_name} ${package_name}/autosave_v4 boolean false\" | /usr/bin/debconf-set-selections && /bin/echo \"${package_name} ${package_name}/autosave_v6 boolean false\" | /usr/bin/debconf-set-selections",
command => "/bin/echo \"${package_name} ${package_name}/autosave_v4 boolean false\" |
/usr/bin/debconf-set-selections && /bin/echo \"${package_name} ${package_name}/autosave_v6 boolean false\" |
/usr/bin/debconf-set-selections",

refreshonly => true,
}
package { $package_name:
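Review bot: Wrapping the `command` string of `exec {'iptables-persistent-debconf':` over three lines puts two literal newlines and the leading indentation into the shell command itself; it keeps working only because each break falls directly after a `|`. If the wrap is there to satisfy the line-length lint, I would keep the command on one line and bracket it with `# lint:ignore:140chars` and `# lint:endignore`, or split it into two `exec` resources, one per debconf key. The blank line added before `refreshonly` can go as well.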
5 changes: 5 additions & 0 deletions manifests/linux/redhat.pp
Expand Up @@ -106,6 +106,11 @@
case $::operatingsystem {
'CentOS': {
case $::operatingsystemrelease {
/^5\..*/: {
File["/etc/sysconfig/${service_name}"] { seluser => 'system_u', seltype => 'etc_t' }
File["/etc/sysconfig/${service_name_v6}"] { seluser => 'system_u', seltype => 'etc_t' }
}

/^6\..*/: {
File["/etc/sysconfig/${service_name}"] { seluser => 'unconfined_u', seltype => 'system_conf_t' }
File["/etc/sysconfig/${service_name_v6}"] { seluser => 'unconfined_u', seltype => 'system_conf_t' }
1 change: 1 addition & 0 deletions manifests/params.pp
@@ -1,3 +1,4 @@
# Manifest containing module parameters
class firewall::params {
$package_ensure = 'present'
case $::osfamily {
13 changes: 9 additions & 4 deletions metadata.json
@@ -1,12 +1,18 @@
{
"name": "puppetlabs-firewall",
"version": "1.11.0",
"version": "1.12.0",
"author": "Puppet Labs",
"summary": "Manages Firewalls such as iptables",
"license": "Apache-2.0",
"source": "https://github.com/puppetlabs/puppetlabs-firewall",
"project_page": "http://github.com/puppetlabs/puppetlabs-firewall",
"issues_url": "https://tickets.puppetlabs.com/browse/MODULES",
"dependencies": [
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 4.0.0 < 5.0.0"
}
],
"operatingsystem_support": [
{
"operatingsystem": "RedHat",
Expand Down Expand Up @@ -74,7 +80,6 @@
"version_requirement": ">= 4.7.0 < 6.0.0"
}
],
"dependencies": [
{"name":"puppetlabs/stdlib","version_requirement":">= 4.0.0 < 5.0.0"}
]
"template-url": "file:///opt/puppetlabs/pdk/share/cache/pdk-templates.git",
"template-ref": "1.3.2-0-g07678c8"
}
8 changes: 4 additions & 4 deletions spec/acceptance/change_source_spec.rb
Expand Up @@ -7,7 +7,7 @@
end

describe 'when unmanaged rules exist' do
pp1 = <<-EOS
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
Expand All @@ -21,7 +21,7 @@ class { '::firewall': }
action => accept,
source => '8.0.0.2',
}
EOS
PUPPETCODE
it 'applies with 8.0.0.1 first' do
apply_manifest(pp1, catch_failures: true)
end
Expand All @@ -42,15 +42,15 @@ class { '::firewall': }
end
end

pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '101 test source changes':
proto => tcp,
port => '101',
action => accept,
source => '8.0.0.4',
}
EOS
PUPPETCODE
it 'changes to 8.0.0.4 second' do
expect(apply_manifest(pp2, catch_failures: true).stdout)
.to match(%r{Notice: \/Stage\[main\]\/Main\/Firewall\[101 test source changes\]\/source: source changed '8\.0\.0\.1\/32' to '8\.0\.0\.4\/32'})
12 changes: 6 additions & 6 deletions spec/acceptance/connlimit_spec.rb
Expand Up @@ -8,16 +8,16 @@

if default['platform'] !~ %r{sles-10}
describe 'connlimit_above' do
context '10' do
pp1 = <<-EOS
context 'when 10' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '500 - test':
proto => tcp,
dport => '2222',
connlimit_above => '10',
action => reject,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -33,8 +33,8 @@ class { '::firewall': }
end

describe 'connlimit_mask' do
context '24' do
pp2 = <<-EOS
context 'when 24' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '501 - test':
proto => tcp,
Expand All @@ -43,7 +43,7 @@ class { '::firewall': }
connlimit_mask => '24',
action => reject,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
6 changes: 3 additions & 3 deletions spec/acceptance/connmark_spec.rb
Expand Up @@ -2,15 +2,15 @@

describe 'connmark property' do
describe 'connmark' do
context '50' do
pp = <<-EOS
context 'when 50' do
pp = <<-PUPPETCODE
class { '::firewall': }
firewall { '502 - test':
proto => 'all',
connmark => '0x1',
action => reject,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp, catch_failures: true)
end
96 changes: 48 additions & 48 deletions spec/acceptance/firewall_bridging_spec.rb
Expand Up @@ -7,8 +7,8 @@
end

describe 'iptables physdev tests' do
context 'physdev_in eth0' do
pp1 = <<-EOS
context 'when physdev_in eth0' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '701 - test':
chain => 'FORWARD',
Expand All @@ -17,7 +17,7 @@ class { '::firewall': }
action => accept,
physdev_in => 'eth0',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -30,8 +30,8 @@ class { '::firewall': }
end
end

context 'physdev_out eth1' do
pp2 = <<-EOS
context 'when physdev_out eth1' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '702 - test':
chain => 'FORWARD',
Expand All @@ -40,7 +40,7 @@ class { '::firewall': }
action => accept,
physdev_out => 'eth1',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
Expand All @@ -53,8 +53,8 @@ class { '::firewall': }
end
end

context 'physdev_in eth0 and physdev_out eth1' do
pp3 = <<-EOS
context 'when physdev_in eth0 and physdev_out eth1' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '703 - test':
chain => 'FORWARD',
Expand All @@ -64,7 +64,7 @@ class { '::firewall': }
physdev_in => 'eth0',
physdev_out => 'eth1',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
Expand All @@ -77,8 +77,8 @@ class { '::firewall': }
end
end

context 'physdev_is_bridged' do
pp4 = <<-EOS
context 'when physdev_is_bridged' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '704 - test':
chain => 'FORWARD',
Expand All @@ -87,7 +87,7 @@ class { '::firewall': }
action => accept,
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
Expand All @@ -100,8 +100,8 @@ class { '::firewall': }
end
end

context 'physdev_in eth0 and physdev_is_bridged' do
pp5 = <<-EOS
context 'when physdev_in eth0 and physdev_is_bridged' do
pp5 = <<-PUPPETCODE
class { '::firewall': }
firewall { '705 - test':
chain => 'FORWARD',
Expand All @@ -111,7 +111,7 @@ class { '::firewall': }
physdev_in => 'eth0',
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp5, catch_failures: true)
apply_manifest(pp5, catch_changes: do_catch_changes)
Expand All @@ -124,8 +124,8 @@ class { '::firewall': }
end
end

context 'physdev_out eth1 and physdev_is_bridged' do
pp6 = <<-EOS
context 'when physdev_out eth1 and physdev_is_bridged' do
pp6 = <<-PUPPETCODE
class { '::firewall': }
firewall { '706 - test':
chain => 'FORWARD',
Expand All @@ -135,7 +135,7 @@ class { '::firewall': }
physdev_out => 'eth1',
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp6, catch_failures: true)
apply_manifest(pp6, catch_changes: do_catch_changes)
Expand All @@ -148,8 +148,8 @@ class { '::firewall': }
end
end

context 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
pp7 = <<-EOS
context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
pp7 = <<-PUPPETCODE
class { '::firewall': }
firewall { '707 - test':
chain => 'FORWARD',
Expand All @@ -160,7 +160,7 @@ class { '::firewall': }
physdev_out => 'eth1',
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp7, catch_failures: true)
apply_manifest(pp7, catch_changes: do_catch_changes)
Expand All @@ -177,8 +177,8 @@ class { '::firewall': }
# iptables version 1.3.5 is not suppored by the ip6tables provider
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'ip6tables physdev tests' do
context 'physdev_in eth0' do
pp8 = <<-EOS
context 'when physdev_in eth0' do
pp8 = <<-PUPPETCODE
class { '::firewall': }
firewall { '701 - test':
provider => 'ip6tables',
Expand All @@ -188,7 +188,7 @@ class { '::firewall': }
action => accept,
physdev_in => 'eth0',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp8, catch_failures: true)
apply_manifest(pp8, catch_changes: do_catch_changes)
Expand All @@ -201,8 +201,8 @@ class { '::firewall': }
end
end

context 'physdev_out eth1' do
pp9 = <<-EOS
context 'when physdev_out eth1' do
pp9 = <<-PUPPETCODE
class { '::firewall': }
firewall { '702 - test':
provider => 'ip6tables',
Expand All @@ -212,7 +212,7 @@ class { '::firewall': }
action => accept,
physdev_out => 'eth1',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp9, catch_failures: true)
apply_manifest(pp9, catch_changes: do_catch_changes)
Expand All @@ -225,8 +225,8 @@ class { '::firewall': }
end
end

context 'physdev_in eth0 and physdev_out eth1' do
pp10 = <<-EOS
context 'when physdev_in eth0 and physdev_out eth1' do
pp10 = <<-PUPPETCODE
class { '::firewall': }
firewall { '703 - test':
provider => 'ip6tables',
Expand All @@ -237,7 +237,7 @@ class { '::firewall': }
physdev_in => 'eth0',
physdev_out => 'eth1',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp10, catch_failures: true)
apply_manifest(pp10, catch_changes: do_catch_changes)
Expand All @@ -250,8 +250,8 @@ class { '::firewall': }
end
end

context 'physdev_is_bridged' do
pp11 = <<-EOS
context 'when physdev_is_bridged' do
pp11 = <<-PUPPETCODE
class { '::firewall': }
firewall { '704 - test':
provider => 'ip6tables',
Expand All @@ -261,7 +261,7 @@ class { '::firewall': }
action => accept,
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp11, catch_failures: true)
apply_manifest(pp11, catch_changes: do_catch_changes)
Expand All @@ -274,8 +274,8 @@ class { '::firewall': }
end
end

context 'physdev_in eth0 and physdev_is_bridged' do
pp12 = <<-EOS
context 'when physdev_in eth0 and physdev_is_bridged' do
pp12 = <<-PUPPETCODE
class { '::firewall': }
firewall { '705 - test':
provider => 'ip6tables',
Expand All @@ -286,7 +286,7 @@ class { '::firewall': }
physdev_in => 'eth0',
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp12, catch_failures: true)
apply_manifest(pp12, catch_changes: do_catch_changes)
Expand All @@ -299,8 +299,8 @@ class { '::firewall': }
end
end

context 'physdev_out eth1 and physdev_is_bridged' do
pp13 = <<-EOS
context 'when physdev_out eth1 and physdev_is_bridged' do
pp13 = <<-PUPPETCODE
class { '::firewall': }
firewall { '706 - test':
provider => 'ip6tables',
Expand All @@ -311,7 +311,7 @@ class { '::firewall': }
physdev_out => 'eth1',
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp13, catch_failures: true)
apply_manifest(pp13, catch_changes: do_catch_changes)
Expand All @@ -324,8 +324,8 @@ class { '::firewall': }
end
end

context 'physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
pp14 = <<-EOS
context 'when physdev_in eth0 and physdev_out eth1 and physdev_is_bridged' do
pp14 = <<-PUPPETCODE
class { '::firewall': }
firewall { '707 - test':
provider => 'ip6tables',
Expand All @@ -337,7 +337,7 @@ class { '::firewall': }
physdev_out => 'eth1',
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp14, catch_failures: true)
apply_manifest(pp14, catch_changes: do_catch_changes)
Expand All @@ -350,8 +350,8 @@ class { '::firewall': }
end
end

context 'physdev_is_in' do
pp15 = <<-EOS
context 'when physdev_is_in' do
pp15 = <<-PUPPETCODE
class { '::firewall': }
firewall { '708 - test':
provider => 'ip6tables',
Expand All @@ -361,7 +361,7 @@ class { '::firewall': }
action => accept,
physdev_is_in => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp15, catch_failures: true)
apply_manifest(pp15, catch_changes: do_catch_changes)
Expand All @@ -374,8 +374,8 @@ class { '::firewall': }
end
end

context 'physdev_is_out' do
pp16 = <<-EOS
context 'when physdev_is_out' do
pp16 = <<-PUPPETCODE
class { '::firewall': }
firewall { '709 - test':
provider => 'ip6tables',
Expand All @@ -385,7 +385,7 @@ class { '::firewall': }
action => accept,
physdev_is_out => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp16, catch_failures: true)
apply_manifest(pp16, catch_changes: do_catch_changes)
24 changes: 12 additions & 12 deletions spec/acceptance/firewall_dscp_spec.rb
Expand Up @@ -7,8 +7,8 @@
end

describe 'dscp ipv4 tests' do
context 'set_dscp 0x01' do
pp1 = <<-EOS
context 'when set_dscp 0x01' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1000 - set_dscp':
Expand All @@ -19,7 +19,7 @@ class { '::firewall': }
chain => 'OUTPUT',
table => 'mangle',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
Expand All @@ -31,8 +31,8 @@ class { '::firewall': }
end
end

context 'set_dscp_class EF' do
pp2 = <<-EOS
context 'when set_dscp_class EF' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1001 EF - set_dscp_class':
Expand All @@ -43,7 +43,7 @@ class { '::firewall': }
chain => 'OUTPUT',
table => 'mangle',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
Expand All @@ -58,8 +58,8 @@ class { '::firewall': }

if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'dscp ipv6 tests' do
context 'set_dscp 0x01' do
pp3 = <<-EOS
context 'when set_dscp 0x01' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1002 - set_dscp':
Expand All @@ -71,7 +71,7 @@ class { '::firewall': }
table => 'mangle',
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end
Expand All @@ -83,8 +83,8 @@ class { '::firewall': }
end
end

context 'set_dscp_class EF' do
pp4 = <<-EOS
context 'when set_dscp_class EF' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'1003 EF - set_dscp_class':
Expand All @@ -96,7 +96,7 @@ class { '::firewall': }
table => 'mangle',
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end
24 changes: 12 additions & 12 deletions spec/acceptance/firewall_gid_spec.rb
Expand Up @@ -7,16 +7,16 @@
end

describe 'gid tests' do
context 'gid set to root' do
pp1 = <<-EOS
context 'when gid set to root' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - test':
chain => 'OUTPUT',
action => accept,
gid => 'root',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -29,16 +29,16 @@ class { '::firewall': }
end
end

context 'gid set to !root' do
pp2 = <<-EOS
context 'when gid set to !root' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - test':
chain => 'OUTPUT',
action => accept,
gid => '!root',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
Expand All @@ -51,16 +51,16 @@ class { '::firewall': }
end
end

context 'gid set to 0' do
pp3 = <<-EOS
context 'when gid set to 0' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '803 - test':
chain => 'OUTPUT',
action => accept,
gid => '0',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
Expand All @@ -73,16 +73,16 @@ class { '::firewall': }
end
end

context 'gid set to !0' do
pp4 = <<-EOS
context 'when gid set to !0' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '804 - test':
chain => 'OUTPUT',
action => accept,
gid => '!0',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
36 changes: 18 additions & 18 deletions spec/acceptance/firewall_iptmodules_spec.rb
Expand Up @@ -7,8 +7,8 @@
end

describe 'iptables ipt_modules tests' do
context 'all the modules with multiple args' do
pp1 = <<-EOS
context 'when all the modules with multiple args' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
Expand All @@ -25,7 +25,7 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -38,8 +38,8 @@ class { '::firewall': }
end
end

context 'all the modules with single args' do
pp2 = <<-EOS
context 'when all the modules with single args' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
Expand All @@ -52,7 +52,7 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
Expand All @@ -69,8 +69,8 @@ class { '::firewall': }
# iptables version 1.3.5 is not suppored by the ip6tables provider
if default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{ubuntu-14\.04}
describe 'ip6tables ipt_modules tests' do
context 'all the modules with multiple args' do
pp3 = <<-EOS
context 'when all the modules with multiple args' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
Expand All @@ -88,7 +88,7 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
Expand All @@ -101,8 +101,8 @@ class { '::firewall': }
end
end

context 'all the modules with single args' do
pp4 = <<-EOS
context 'when all the modules with single args' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
Expand All @@ -116,7 +116,7 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
Expand All @@ -133,8 +133,8 @@ class { '::firewall': }
# el-5 doesn't support ipv6 by default
elsif default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'ip6tables ipt_modules tests' do
context 'all the modules with multiple args' do
pp5 = <<-EOS
context 'when all the modules with multiple args' do
pp5 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - ipt_modules tests':
proto => tcp,
Expand All @@ -150,7 +150,7 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp5, catch_failures: true)
apply_manifest(pp5, catch_changes: do_catch_changes)
Expand All @@ -163,8 +163,8 @@ class { '::firewall': }
end
end

context 'all the modules with single args' do
pp6 = <<-EOS
context 'when all the modules with single args' do
pp6 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - ipt_modules tests':
proto => tcp,
Expand All @@ -177,7 +177,7 @@ class { '::firewall': }
physdev_out => "eth1",
physdev_is_bridged => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp6, catch_failures: true)
apply_manifest(pp6, catch_changes: do_catch_changes)
24 changes: 12 additions & 12 deletions spec/acceptance/firewall_mss_spec.rb
Expand Up @@ -7,8 +7,8 @@
end

describe 'mss ipv4 tests' do
context '1360' do
pp1 = <<-EOS
context 'when 1360' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'502 - set_mss':
Expand All @@ -20,7 +20,7 @@ class { '::firewall': }
chain => 'FORWARD',
table => 'mangle',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
Expand All @@ -32,8 +32,8 @@ class { '::firewall': }
end
end

context 'clamp_mss_to_pmtu' do
pp2 = <<-EOS
context 'when clamp_mss_to_pmtu' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
Expand All @@ -43,7 +43,7 @@ class { '::firewall': }
jump => 'TCPMSS',
clamp_mss_to_pmtu => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
Expand All @@ -58,8 +58,8 @@ class { '::firewall': }

if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'mss ipv6 tests' do
context '1360' do
pp3 = <<-EOS
context 'when 1360' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'502 - set_mss':
Expand All @@ -72,7 +72,7 @@ class { '::firewall': }
table => 'mangle',
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
end
Expand All @@ -84,8 +84,8 @@ class { '::firewall': }
end
end

context 'clamp_mss_to_pmtu' do
pp4 = <<-EOS
context 'when clamp_mss_to_pmtu' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
Expand All @@ -96,7 +96,7 @@ class { '::firewall': }
clamp_mss_to_pmtu => true,
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
end
563 changes: 281 additions & 282 deletions spec/acceptance/firewall_spec.rb

Large diffs are not rendered by default.

12 changes: 6 additions & 6 deletions spec/acceptance/firewall_tee_spec.rb
Expand Up @@ -8,8 +8,8 @@

if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{ubuntu-1204} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7}
describe 'tee_gateway' do
context '10.0.0.2' do
pp1 = <<-EOS
context 'when 10.0.0.2' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'810 - tee_gateway':
Expand All @@ -19,7 +19,7 @@ class { '::firewall': }
gateway => '10.0.0.2',
proto => all,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
Expand All @@ -33,8 +33,8 @@ class { '::firewall': }
end

describe 'tee_gateway6' do
context '2001:db8::1' do
pp2 = <<-EOS
context 'when 2001:db8::1' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall {
'811 - tee_gateway6':
Expand All @@ -45,7 +45,7 @@ class { '::firewall': }
proto => all,
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
12 changes: 6 additions & 6 deletions spec/acceptance/firewall_time_spec.rb
Expand Up @@ -8,8 +8,8 @@

if default['platform'] =~ %r{ubuntu-1404} || default['platform'] =~ %r{debian-7} || default['platform'] =~ %r{debian-8} || default['platform'] =~ %r{el-7}
describe 'time tests ipv4' do
context 'set all time parameters' do
pp1 = <<-EOS
context 'when set all time parameters' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
Expand All @@ -24,7 +24,7 @@ class { '::firewall': }
week_days => 'Tue',
kernel_timezone => true,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -39,8 +39,8 @@ class { '::firewall': }
end

describe 'time tests ipv6' do
context 'set all time parameters' do
pp2 = <<-EOS
context 'when when set all time parameters' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
Expand All @@ -56,7 +56,7 @@ class { '::firewall': }
kernel_timezone => true,
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
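Review bot: The ipv6 context description in the second hunk reads `'when when set all time parameters'`, with the prefix doubled; the ipv4 context in the first hunk has a single `when`. It should be `context 'when set all time parameters' do`, or `context 'when all time parameters are set' do` in both places so the two test reports read the same. The context bodies continue outside the hunks shown.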
24 changes: 12 additions & 12 deletions spec/acceptance/firewall_uid_spec.rb
Expand Up @@ -7,16 +7,16 @@
end

describe 'uid tests' do
context 'uid set to root' do
pp1 = <<-EOS
context 'when uid set to root' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - test':
chain => 'OUTPUT',
action => accept,
uid => 'root',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -29,16 +29,16 @@ class { '::firewall': }
end
end

context 'uid set to !root' do
pp2 = <<-EOS
context 'when uid set to !root' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - test':
chain => 'OUTPUT',
action => accept,
uid => '!root',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
Expand All @@ -51,16 +51,16 @@ class { '::firewall': }
end
end

context 'uid set to 0' do
pp3 = <<-EOS
context 'when uid set to 0' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '803 - test':
chain => 'OUTPUT',
action => accept,
uid => '0',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
Expand All @@ -73,16 +73,16 @@ class { '::firewall': }
end
end

context 'uid set to !0' do
pp4 = <<-EOS
context 'when uid set to !0' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '804 - test':
chain => 'OUTPUT',
action => accept,
uid => '!0',
proto => 'all',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
34 changes: 17 additions & 17 deletions spec/acceptance/firewallchain_spec.rb
Expand Up @@ -7,12 +7,12 @@
end

describe 'ensure' do
context 'present' do
pp1 = <<-EOS
context 'when present' do
pp1 = <<-PUPPETCODE
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => present,
}
EOS
PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp1, catch_failures: true)
Expand All @@ -26,12 +26,12 @@
end
end

context 'absent' do
pp2 = <<-EOS
context 'when absent' do
pp2 = <<-PUPPETCODE
firewallchain { 'MY_CHAIN:filter:IPv4':
ensure => absent,
}
EOS
PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp2, catch_failures: true)
Expand All @@ -47,8 +47,8 @@
end

# XXX purge => false is not yet implemented
# context 'adding a firewall rule to a chain:' do
# pp3 = <<-EOS
# context 'when adding a firewall rule to a chain:' do
# pp3 = <<-PUPPETCODE
# firewallchain { 'MY_CHAIN:filter:IPv4':
# ensure => present,
# }
Expand All @@ -58,16 +58,16 @@
# proto => 'tcp',
# dport => 5000,
# }
# EOS
# PUPPETCODE
# it 'applies cleanly' do
# # Run it twice and test for idempotency
# apply_manifest(pp3, :catch_failures => true)
# apply_manifest(pp3, :catch_changes => do_catch_changes)
# end
# end

# context 'not purge firewallchain chains:' do
# pp4 = <<-EOS
# context 'when not purge firewallchain chains:' do
# pp4 = <<-PUPPETCODE
# firewallchain { 'MY_CHAIN:filter:IPv4':
# ensure => present,
# purge => false,
Expand All @@ -76,7 +76,7 @@
# resources { 'firewall':
# purge => true,
# }
# EOS
# PUPPETCODE
# it 'does not purge the rule' do
# # Run it twice and test for idempotency
# apply_manifest(pp4, :catch_failures => true) do |r|
Expand All @@ -86,14 +86,14 @@
# apply_manifest(pp4, :catch_changes => do_catch_changes)
# end

# pp5 = <<-EOS
# pp5 = <<-PUPPETCODE
# firewall { '100 my rule':
# chain => 'MY_CHAIN',
# action => 'accept',
# proto => 'tcp',
# dport => 5000,
# }
# EOS
# PUPPETCODE
# it 'still has the rule' do
# # Run it twice and test for idempotency
# apply_manifest(pp5, :catch_changes => do_catch_changes)
Expand All @@ -105,12 +105,12 @@
shell('iptables -t filter -P FORWARD ACCEPT')
end

context 'DROP' do
pp6 = <<-EOS
context 'when DROP' do
pp6 = <<-PUPPETCODE
firewallchain { 'FORWARD:filter:IPv4':
policy => 'drop',
}
EOS
PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp6, catch_failures: true)
24 changes: 12 additions & 12 deletions spec/acceptance/hashlimit_spec.rb
Expand Up @@ -8,8 +8,8 @@
end

describe 'hashlimit_tests' do
context 'hashlimit_above' do
pp1 = <<-EOS
context 'when hashlimit_above' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '800 - hashlimit_above test':
chain => 'INPUT',
Expand All @@ -20,7 +20,7 @@ class { '::firewall': }
hashlimit_mode => 'srcip,dstip',
action => accept,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -37,8 +37,8 @@ class { '::firewall': }
end
end

context 'hashlimit_above_ip6' do
pp2 = <<-EOS
context 'when hashlimit_above_ip6' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '801 - hashlimit_above test ipv6':
chain => 'INPUT',
Expand All @@ -50,7 +50,7 @@ class { '::firewall': }
hashlimit_mode => 'srcip,dstip',
action => accept,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
Expand All @@ -67,8 +67,8 @@ class { '::firewall': }
end
end

context 'hashlimit_upto' do
pp3 = <<-EOS
context 'when hashlimit_upto' do
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '802 - hashlimit_upto test':
chain => 'INPUT',
Expand All @@ -80,7 +80,7 @@ class { '::firewall': }
hashlimit_htable_expire => '36000000',
action => accept,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp3, catch_failures: true)
apply_manifest(pp3, catch_changes: do_catch_changes)
Expand All @@ -93,8 +93,8 @@ class { '::firewall': }
end
end

context 'hashlimit_upto_ip6' do
pp4 = <<-EOS
context 'when hashlimit_upto_ip6' do
pp4 = <<-PUPPETCODE
class { '::firewall': }
firewall { '803 - hashlimit_upto test ip6':
chain => 'INPUT',
Expand All @@ -107,7 +107,7 @@ class { '::firewall': }
hashlimit_htable_expire => '36000000',
action => accept,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp4, catch_failures: true)
apply_manifest(pp4, catch_changes: do_catch_changes)
12 changes: 6 additions & 6 deletions spec/acceptance/invert_spec.rb
Expand Up @@ -6,8 +6,8 @@
ip6tables_flush_all_tables
end

context 'inverting rules' do
pp1 = <<-EOS
context 'when inverting rules' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '601 disallow esp protocol':
action => 'accept',
Expand All @@ -22,7 +22,7 @@ class { '::firewall': }
source => '! 10.0.0.0/8',
tcp_flags => '! FIN,SYN,RST,ACK SYN',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -39,16 +39,16 @@ class { '::firewall': }
end
end
end
context 'inverting partial array rules' do
pp2 = <<-EOS
context 'when inverting partial array rules' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '603 drop 80,443 traffic':
chain => 'INPUT',
action => 'drop',
proto => 'tcp',
sport => ['! http', '443'],
}
EOS
PUPPETCODE
it 'raises a failure' do
apply_manifest(pp2, expect_failures: true) do |r|
expect(r.stderr).to match(%r{is not prefixed})
20 changes: 10 additions & 10 deletions spec/acceptance/ip6_fragment_spec.rb
Expand Up @@ -7,14 +7,14 @@
ip6tables_flush_all_tables
end

pp1 = <<-EOS
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => present,
proto => 'tcp',
provider => 'ip6tables',
}
EOS
PUPPETCODE
it "can't use ip6tables" do
expect(apply_manifest(pp1, expect_failures: true).stderr).to match(%r{ip6tables provider is not supported})
end
Expand All @@ -27,15 +27,15 @@ class { '::firewall': }
end

shared_examples 'is idempotent' do |values, line_match|
pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => present,
proto => 'tcp',
provider => 'ip6tables',
#{values}
}
EOS
PUPPETCODE
it "changes the values to #{values}" do
apply_manifest(pp2, catch_failures: true)
apply_manifest(pp2, catch_changes: do_catch_changes)
Expand All @@ -46,15 +46,15 @@ class { '::firewall': }
end
end
shared_examples "doesn't change" do |values, line_match|
pp3 = <<-EOS
pp3 = <<-PUPPETCODE
class { '::firewall': }
firewall { '599 - test':
ensure => present,
proto => 'tcp',
provider => 'ip6tables',
#{values}
}
EOS
PUPPETCODE
it "doesn't change the values to #{values}" do
apply_manifest(pp3, catch_changes: do_catch_changes)

Expand Down Expand Up @@ -91,10 +91,10 @@ class { '::firewall': }
ip6tables_flush_all_tables
shell('ip6tables -A INPUT -p tcp -m comment --comment "599 - test"')
end
context 'and current value is false' do
context 'when current value is false' do
it_behaves_like "doesn't change", 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"}
end
context 'and current value is true' do
context 'when current value is true' do
it_behaves_like 'is idempotent', 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
%r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
end
Expand All @@ -104,10 +104,10 @@ class { '::firewall': }
ip6tables_flush_all_tables
shell('ip6tables -A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"')
end
context 'and current value is false' do
context 'when current value is false' do
it_behaves_like 'is idempotent', 'ishasmorefrags => false, islastfrag => false, isfirstfrag => false', %r{-A INPUT -p tcp -m comment --comment "599 - test"}
end
context 'and current value is true' do
context 'when current value is true' do
it_behaves_like "doesn't change", 'ishasmorefrags => true, islastfrag => true, isfirstfrag => true',
%r{-A INPUT -p tcp -m frag --fragid 0 --fragmore -m frag --fragid 0 --fraglast -m frag --fragid 0 --fragfirst -m comment --comment "599 - test"}
end
8 changes: 4 additions & 4 deletions spec/acceptance/isfragment_spec.rb
Expand Up @@ -7,14 +7,14 @@
end

shared_examples 'is idempotent' do |value, line_match|
pp1 = <<-EOS
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '597 - test':
ensure => present,
proto => 'tcp',
#{value}
}
EOS
PUPPETCODE
it "changes the value to #{value}" do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: do_catch_changes)
Expand All @@ -26,14 +26,14 @@ class { '::firewall': }
end

shared_examples "doesn't change" do |value, line_match|
pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '597 - test':
ensure => present,
proto => 'tcp',
#{value}
}
EOS
PUPPETCODE
it "doesn't change the value to #{value}" do
apply_manifest(pp2, catch_changes: do_catch_changes)

12 changes: 6 additions & 6 deletions spec/acceptance/match_mark_spec.rb
Expand Up @@ -8,15 +8,15 @@

if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
describe 'match_mark' do
context '0x1' do
pp1 = <<-EOS
context 'when 0x1' do
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '503 match_mark - test':
proto => 'all',
match_mark => '0x1',
action => reject,
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp1, catch_failures: true)
end
Expand All @@ -30,16 +30,16 @@ class { '::firewall': }
end

describe 'match_mark_ip6' do
context '0x1' do
pp2 = <<-EOS
context 'when 0x1' do
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '503 match_mark ip6tables - test':
proto => 'all',
match_mark => '0x1',
action => reject,
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'applies' do
apply_manifest(pp2, catch_failures: true)
end
24 changes: 12 additions & 12 deletions spec/acceptance/nflog_spec.rb
@@ -1,14 +1,14 @@
require 'spec_helper_acceptance'

describe 'nflog on older OSes', if: fact('iptables_version') < '1.3.7' do # rubocop:disable RSpec/MultipleDescribes : Describes are clearly seperate
pp1 = <<-EOS
pp1 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test':
jump => 'NFLOG',
proto => 'all',
nflog_group => 3,
}
EOS
PUPPETCODE
it 'throws an error' do
apply_manifest(pp1, acceptable_error_codes: [0])
end
Expand All @@ -19,10 +19,10 @@ class {'::firewall': }
let(:group) { 3 }

it 'applies' do
pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_group => #{group}}
EOS
PUPPETCODE
apply_manifest(pp2, catch_failures: true)
end

Expand All @@ -37,10 +37,10 @@ class {'::firewall': }
let(:prefix) { 'TEST PREFIX' }

it 'applies' do
pp3 = <<-EOS
pp3 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_prefix => '#{prefix}'}
EOS
PUPPETCODE
apply_manifest(pp3, catch_failures: true)
end

Expand All @@ -55,10 +55,10 @@ class {'::firewall': }
let(:range) { 16 }

it 'applies' do
pp4 = <<-EOS
pp4 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_range => #{range}}
EOS
PUPPETCODE
apply_manifest(pp4, catch_failures: true)
end

Expand All @@ -73,10 +73,10 @@ class {'::firewall': }
let(:threshold) { 2 }

it 'applies' do
pp5 = <<-EOS
pp5 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => #{threshold}}
EOS
PUPPETCODE
apply_manifest(pp5, catch_failures: true)
end

Expand All @@ -92,10 +92,10 @@ class {'::firewall': }
let(:group) { 3 }

it 'applies' do
pp6 = <<-EOS
pp6 = <<-PUPPETCODE
class {'::firewall': }
firewall { '503 - test': jump => 'NFLOG', proto => 'all', nflog_threshold => #{threshold}, nflog_group => #{group}}
EOS
PUPPETCODE
apply_manifest(pp6, catch_failures: true)
end

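Review bot: The guard on the first `describe`, `fact('iptables_version') < '1.3.7'`, compares version strings lexically, so a version such as 1.10.x would sort below 1.3.7 and select the wrong branch. Compare parsed versions instead: `if: Gem::Version.new(fact('iptables_version')) < Gem::Version.new('1.3.7')`. The example under it is named 'throws an error' yet passes `acceptable_error_codes: [0]`, which reads as accepting only a clean exit, so either the name or the expectation should change. The guard on the newer-OS `describe` is outside the visible hunks and presumably needs the same treatment.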
46 changes: 23 additions & 23 deletions spec/acceptance/params_spec.rb
Expand Up @@ -6,15 +6,15 @@
ip6tables_flush_all_tables
end

ppm1 = <<-EOS
ppm1 = <<-PUPPETCODE
firewall { '100 test':
table => 'raw',
socket => 'true',
chain => 'PREROUTING',
jump => 'LOG',
log_level => 'debug',
}
EOS
PUPPETCODE
values = [2, 0]
it 'test various params', unless: (default['platform'].match(%r{el-5}) || fact('operatingsystem') == 'SLES') do
iptables_flush_all_tables
Expand All @@ -24,13 +24,13 @@
end
end

ppm2 = <<-EOS
ppm2 = <<-PUPPETCODE
firewall { '998 log all':
proto => 'all',
jump => 'LOG',
log_level => 'debug',
}
EOS
PUPPETCODE
values = [2, 0]
it 'test log rule' do
iptables_flush_all_tables
Expand All @@ -40,7 +40,7 @@
end
end

ppm3 = <<-EOS
ppm3 = <<-PUPPETCODE
firewall { '004 log all INVALID packets':
chain => 'INPUT',
proto => 'all',
Expand All @@ -49,8 +49,8 @@
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
EOS
ppm4 = <<-EOS
PUPPETCODE
ppm4 = <<-PUPPETCODE
firewall { '003 log all INVALID packets':
chain => 'INPUT',
proto => 'all',
Expand All @@ -59,44 +59,44 @@
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
EOS
ppm5 = <<-EOS + "\n" + ppm4
PUPPETCODE
ppm5 = <<-PUPPETCODE + "\n" + ppm4
resources { 'firewall':
purge => true,
}
EOS
it 'test log rule - changing names' do # rubocop:disable RSpec/MultipleExpectations
PUPPETCODE
it 'test log rule - changing names' do
iptables_flush_all_tables

expect(apply_manifest(ppm3, catch_failures: true).exit_code).to eq(2)
expect(apply_manifest(ppm5, catch_failures: true).exit_code).to eq(2)
end

ppm6 = <<-EOS
ppm6 = <<-PUPPETCODE
firewall { '004 with a chain':
chain => 'INPUT',
proto => 'all',
}
EOS
ppm7 = <<-EOS
PUPPETCODE
ppm7 = <<-PUPPETCODE
firewall { '004 with a chain':
chain => 'OUTPUT',
proto => 'all',
}
EOS
_ppm8 = <<-EOS + "\n" + ppm7
PUPPETCODE
_ppm8 = <<-PUPPETCODE + "\n" + ppm7
resources { 'firewall':
purge => true,
}
EOS
PUPPETCODE
it 'test chain - changing names' do
iptables_flush_all_tables

apply_manifest(ppm6, expect_changes: true)
expect(apply_manifest(ppm7, expect_failures: true).stderr).to match(%r{is not supported})
end

ppm9 = <<-EOS
ppm9 = <<-PUPPETCODE
firewall { '004 log all INVALID packets':
chain => 'INPUT',
proto => 'all',
Expand All @@ -105,7 +105,7 @@
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
EOS
PUPPETCODE
values = [2, 0]
it 'test log rule - idempotent' do
iptables_flush_all_tables
Expand All @@ -115,14 +115,14 @@
end
end

ppm10 = <<-EOS
ppm10 = <<-PUPPETCODE
firewall { '997 block src ip range':
chain => 'INPUT',
proto => 'all',
action => 'drop',
src_range => '10.0.0.1-10.0.0.10',
}
EOS
PUPPETCODE
values = [2, 0]
it 'test src_range rule' do
iptables_flush_all_tables
Expand All @@ -132,14 +132,14 @@
end
end

ppm11 = <<-EOS
ppm11 = <<-PUPPETCODE
firewall { '998 block dst ip range':
chain => 'INPUT',
proto => 'all',
action => 'drop',
dst_range => '10.0.0.2-10.0.0.20',
}
EOS
PUPPETCODE
values = [2, 0]
it 'test dst_range rule' do
iptables_flush_all_tables
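Review bot: In 'test chain - changing names' the purge variant `_ppm8` is built but never applied; the example applies only `ppm6` and `ppm7`, so the chain change is not exercised together with `resources { 'firewall': purge => true }` the way `ppm5` is in the log-rule example above it. Either apply `_ppm8` with the expectation that fits, or delete the assignment so the file does not suggest coverage it lacks. If it is kept on purpose, a comment such as `# purge variant kept for reference, not applied` above it would say so.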
50 changes: 24 additions & 26 deletions spec/acceptance/purge_spec.rb
Expand Up @@ -6,33 +6,33 @@
ip6tables_flush_all_tables
end

context('resources purge') do
context('when resources purge') do
before(:all) do
iptables_flush_all_tables

shell('iptables -A INPUT -s 1.2.1.2')
shell('iptables -A INPUT -s 1.2.1.2')
end

pp1 = <<-EOS
pp1 = <<-PUPPETCODE
class { 'firewall': }
resources { 'firewall':
purge => true,
}
EOS
PUPPETCODE
it 'make sure duplicate existing rules get purged' do
apply_manifest(pp1, expect_changes: true)
end

it 'saves' do # rubocop:disable RSpec/MultipleExpectations
it 'saves' do
shell('iptables-save') do |r|
expect(r.stdout).not_to match(%r{1\.2\.1\.2})
expect(r.stderr).to eq('')
end
end
end

context('ipv4 chain purge') do
context('when ipv4 chain purge') do
after(:all) do
iptables_flush_all_tables
end
Expand All @@ -44,14 +44,13 @@ class { 'firewall': }
shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
end

pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv4':
purge => true,
}
EOS
# rubocop:disable RSpec/ExampleLength
it 'purges only the specified chain' do # rubocop:disable RSpec/MultipleExpectations
PUPPETCODE
it 'purges only the specified chain' do
apply_manifest(pp2, expect_changes: true)

shell('iptables-save') do |r|
Expand All @@ -62,7 +61,7 @@ class { 'firewall': }
end
# rubocop:enable RSpec/ExampleLength

pp3 = <<-EOS
pp3 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'OUTPUT:filter:IPv4':
purge => true,
Expand All @@ -72,25 +71,25 @@ class { 'firewall': }
proto => 'all',
source => '1.2.1.2',
}
EOS
PUPPETCODE
it 'ignores managed rules' do
apply_manifest(pp3, catch_changes: do_catch_changes)
end

pp4 = <<-EOS
pp4 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv4':
purge => true,
ignore => [
'-s 1\.2\.1\.1',
],
}
EOS
PUPPETCODE
it 'ignores specified rules' do
apply_manifest(pp4, catch_changes: do_catch_changes)
end

pp5 = <<-EOS
pp5 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv4':
purge => true,
Expand Down Expand Up @@ -118,7 +117,7 @@ class { 'firewall': }
proto => 'all',
source => '1.2.1.3',
}
EOS
PUPPETCODE
it 'adds managed rules with ignored rules' do
apply_manifest(pp5, catch_failures: true)

Expand All @@ -127,7 +126,7 @@ class { 'firewall': }
end

if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
context 'ipv6 chain purge' do
context 'when ipv6 chain purge' do
after(:all) do
ip6tables_flush_all_tables
end
Expand All @@ -139,14 +138,13 @@ class { 'firewall': }
shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
end

pp6 = <<-EOS
pp6 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
}
EOS
# rubocop:disable RSpec/ExampleLength
it 'purges only the specified chain' do # rubocop:disable RSpec/MultipleExpectations
PUPPETCODE
it 'purges only the specified chain' do
apply_manifest(pp6, expect_changes: true)

shell('ip6tables-save') do |r|
Expand All @@ -157,7 +155,7 @@ class { 'firewall': }
end
# rubocop:enable RSpec/ExampleLength

pp7 = <<-EOS
pp7 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'OUTPUT:filter:IPv6':
purge => true,
Expand All @@ -168,25 +166,25 @@ class { 'firewall': }
source => '1::50',
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'ignores managed rules' do
apply_manifest(pp7, catch_changes: do_catch_changes)
end

pp8 = <<-EOS
pp8 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
ignore => [
'-s 1::42',
],
}
EOS
PUPPETCODE
it 'ignores specified rules' do
apply_manifest(pp8, catch_changes: do_catch_changes)
end

pp9 = <<-EOS
pp9 = <<-PUPPETCODE
class { 'firewall': }
firewallchain { 'INPUT:filter:IPv6':
purge => true,
Expand Down Expand Up @@ -218,7 +216,7 @@ class { 'firewall': }
source => '1::43',
provider => 'ip6tables',
}
EOS
PUPPETCODE
it 'adds managed rules with ignored rules' do
apply_manifest(pp9, catch_failures: true)

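Review bot: The `# rubocop:disable RSpec/ExampleLength` comment before 'purges only the specified chain' is dropped in both the ipv4 and the ipv6 context, but the matching `# rubocop:enable RSpec/ExampleLength` after each example remains as an unchanged line. An enable with no preceding disable does nothing and is likely to be reported by `Lint/RedundantCopEnableDirective`; delete both `# rubocop:enable RSpec/ExampleLength` lines. The examples are only partly visible in these hunks.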
22 changes: 11 additions & 11 deletions spec/acceptance/resource_cmd_spec.rb
Expand Up @@ -10,7 +10,7 @@
shell("sed -i -e \'s/^templatedir.*$//\' #{config}")
end

context 'make sure it returns no errors when executed on a clean machine' do
context 'when make sure it returns no errors when executed on a clean machine' do
it do
shell('puppet resource firewall') do |r|
r.exit_code.should be_zero
Expand All @@ -20,7 +20,7 @@
end
end

context 'flush iptables and make sure it returns nothing afterwards' do
context 'when flush iptables and make sure it returns nothing afterwards' do
before(:all) do
iptables_flush_all_tables
end
Expand All @@ -34,7 +34,7 @@
end
end

context 'accepts rules without comments' do
context 'when accepts rules without comments' do
before(:all) do
iptables_flush_all_tables
shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80')
Expand All @@ -49,7 +49,7 @@
end
end

context 'accepts rules with invalid comments' do
context 'when accepts rules with invalid comments' do
before(:all) do
iptables_flush_all_tables
shell('iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"')
Expand All @@ -64,7 +64,7 @@
end
end

context 'accepts rules with negation' do
context 'when accepts rules with negation' do
before :all do
iptables_flush_all_tables
shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535')
Expand All @@ -81,7 +81,7 @@
end
end

context 'accepts rules with match extension tcp flag' do
context 'when accepts rules with match extension tcp flag' do
before :all do
iptables_flush_all_tables
shell('iptables -t mangle -A PREROUTING -d 1.2.3.4 -p tcp -m tcp -m multiport --dports 80,443,8140 -j MARK --set-mark 42')
Expand All @@ -97,7 +97,7 @@
end

if default['platform'] !~ %r{sles-10}
context 'accepts rules utilizing the statistic module' do
context 'when accepts rules utilizing the statistic module' do
before :all do
iptables_flush_all_tables
# This command doesn't work with all versions/oses, so let it fail
Expand All @@ -116,7 +116,7 @@
end
end

context 'accepts rules with negation' do
context 'when accepts rules with negation' do
before :all do
iptables_flush_all_tables
shell('iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -m policy --dir out --pol ipsec -j ACCEPT')
Expand All @@ -135,7 +135,7 @@
end
end

context 'accepts rules with -m (tcp|udp) without dport/sport' do
context 'when accepts rules with -m (tcp|udp) without dport/sport' do
before :all do
iptables_flush_all_tables
shell('iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp -j ACCEPT')
Expand All @@ -150,7 +150,7 @@
end
end

context 'accepts rules with -m ttl' do
context 'when accepts rules with -m ttl' do
before :all do
iptables_flush_all_tables
shell('iptables -t nat -A OUTPUT -s 10.0.0.0/8 -p tcp -m ttl ! --ttl-eq 42 -j REDIRECT --to-ports 12299')
Expand All @@ -169,7 +169,7 @@
# ip6tables provider
# TODO: Test below fails if this file is run seperately. i.e. bundle exec rspec spec/acceptance/resource_cmd_spec.rb
if default['platform'] !~ %r{el-5} && default['platform'] !~ %r{sles-10}
context 'dport/sport with ip6tables' do
context 'when dport/sport with ip6tables' do
before :all do
if fact('osfamily') == 'Debian'
shell('echo "iptables-persistent iptables-persistent/autosave_v4 boolean false" | debconf-set-selections')
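Review bot: Prefixing every description with `when` leaves several contexts ungrammatical (`'when make sure it returns no errors when executed on a clean machine'`, `'when flush iptables and make sure it returns nothing afterwards'`), and two contexts share the name `'when accepts rules with negation'`. The second of those seeds a `-m policy --dir out --pol ipsec` rule, so a failure report cannot tell the two apart. Something like `context 'when a rule uses the policy match' do` for that one and `context 'when run on a clean machine' do` for the first would read correctly. Only the context lines and their `before` blocks are visible here; the assertions sit outside the hunks.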
8 changes: 4 additions & 4 deletions spec/acceptance/rules_spec.rb
Expand Up @@ -14,7 +14,7 @@
shell('iptables -t filter --flush')
end

pp1 = <<-EOS
pp1 = <<-PUPPETCODE
firewall { '090 forward allow local':
chain => 'FORWARD',
proto => 'all',
Expand Down Expand Up @@ -91,7 +91,7 @@
toports => '22',
jump => 'REDIRECT',
}
EOS
PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp1, catch_failures: true)
Expand Down Expand Up @@ -121,7 +121,7 @@
shell('iptables -t filter --flush')
end

pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class { '::firewall': }
Firewall {
Expand Down Expand Up @@ -237,7 +237,7 @@ class { '::firewall': }
# and the nat table
firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: }
EOS
PUPPETCODE
it 'applies cleanly' do
# Run it twice and test for idempotency
apply_manifest(pp2, catch_failures: true)
8 changes: 4 additions & 4 deletions spec/acceptance/socket_spec.rb
Expand Up @@ -8,7 +8,7 @@
end

shared_examples 'is idempotent' do |value, line_match|
pp1 = <<-EOS
pp1 = <<-PUPPETCODE
class { '::firewall': }
firewall { '598 - test':
ensure => present,
Expand All @@ -17,7 +17,7 @@ class { '::firewall': }
table => 'raw',
#{value}
}
EOS
PUPPETCODE
it "changes the value to #{value}" do
apply_manifest(pp1, catch_failures: true)
apply_manifest(pp1, catch_changes: true)
Expand All @@ -29,7 +29,7 @@ class { '::firewall': }
end

shared_examples "doesn't change" do |value, line_match|
pp2 = <<-EOS
pp2 = <<-PUPPETCODE
class { '::firewall': }
firewall { '598 - test':
ensure => present,
Expand All @@ -38,7 +38,7 @@ class { '::firewall': }
table => 'raw',
#{value}
}
EOS
PUPPETCODE
it "doesn't change the value to #{value}" do
apply_manifest(pp2, catch_changes: true)

4 changes: 2 additions & 2 deletions spec/acceptance/standard_usage_spec.rb
Expand Up @@ -2,7 +2,7 @@

# Some tests for the standard recommended usage
describe 'standard usage tests' do
pp = <<-EOS
pp = <<-PUPPETCODE
class my_fw::pre {
Firewall {
require => undef,
Expand Down Expand Up @@ -50,7 +50,7 @@ class { 'firewall': }
proto => 'tcp',
dport => 22,
}
EOS
PUPPETCODE
it 'applies twice' do
# Run it twice and test for idempotency
apply_manifest(pp, catch_failures: true)
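--- a/spec/default_facts.yml
+++ b/spec/default_facts.yml
@@ -0,0 +1,8 @@
+# Use default_module_facts.yml for module specific facts.
+#
+# Facts specified here will override the values provided by rspec-puppet-facts.
+---
+concat_basedir: "/tmp"
+ipaddress: "172.16.254.254"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"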
152 changes: 76 additions & 76 deletions spec/fixtures/ip6tables/conversion_hash.rb
Expand Up @@ -7,111 +7,111 @@
# which will be used to create a resource.
ARGS_TO_HASH6 = {
'source_destination_ipv6_no_cidr' => {
:line => '-A INPUT -s 2001:db8:85a3::8a2e:370:7334 -d 2001:db8:85a3::8a2e:370:7334 -m comment --comment "000 source destination ipv6 no cidr"',
:table => 'filter',
:provider => 'ip6tables',
:params => {
:source => '2001:db8:85a3::8a2e:370:7334/128',
:destination => '2001:db8:85a3::8a2e:370:7334/128',
line: '-A INPUT -s 2001:db8:85a3::8a2e:370:7334 -d 2001:db8:85a3::8a2e:370:7334 -m comment --comment "000 source destination ipv6 no cidr"',
table: 'filter',
provider: 'ip6tables',
params: {
source: '2001:db8:85a3::8a2e:370:7334/128',
destination: '2001:db8:85a3::8a2e:370:7334/128',
},
},
'source_destination_ipv6_netmask' => {
:line => '-A INPUT -s 2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -d 2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -m comment --comment "000 source destination ipv6 netmask"',
:table => 'filter',
:provider => 'ip6tables',
:params => {
:source => '2001:db8:1234::/48',
:destination => '2001:db8:4321::/48',
line: '-A INPUT -s 2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -d 2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000 -m comment --comment "000 source destination ipv6 netmask"',
table: 'filter',
provider: 'ip6tables',
params: {
source: '2001:db8:1234::/48',
destination: '2001:db8:4321::/48',
},
},
'udp_source_port_and_destination_port' => {
:line => '-A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT',
:table => 'filter',
:provider => 'ip6tables',
:params => {
:proto => 'udp',
:sport => ['547'],
:dport => ['546'],
line: '-A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT',
table: 'filter',
provider: 'ip6tables',
params: {
proto: 'udp',
sport: ['547'],
dport: ['546'],
},
}
}
},
}.freeze

# This hash is for testing converting a hash to an argument line.
HASH_TO_ARGS6 = {
'zero_prefixlen_ipv6' => {
:params => {
:name => '100 zero prefix length ipv6',
:table => 'filter',
:provider => 'ip6tables',
:source => '::/0',
:destination => '::/0',
params: {
name: '100 zero prefix length ipv6',
table: 'filter',
provider: 'ip6tables',
source: '::/0',
destination: '::/0',
},
:args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
args: ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
},
'source_destination_ipv4_no_cidr' => {
:params => {
:name => '000 source destination ipv4 no cidr',
:table => 'filter',
:provider => 'ip6tables',
:source => '1.1.1.1',
:destination => '2.2.2.2',
params: {
name: '000 source destination ipv4 no cidr',
table: 'filter',
provider: 'ip6tables',
source: '1.1.1.1',
destination: '2.2.2.2',
},
:args => ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.2.2.2/32', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv4 no cidr'],
args: ['-t', :filter, '-s', '1.1.1.1/32', '-d', '2.2.2.2/32', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv4 no cidr'],
},
'source_destination_ipv6_no_cidr' => {
:params => {
:name => '000 source destination ipv6 no cidr',
:table => 'filter',
:provider => 'ip6tables',
:source => '2001:db8:1234::',
:destination => '2001:db8:4321::',
'source_destination_ipv6_no_cidr' => {
params: {
name: '000 source destination ipv6 no cidr',
table: 'filter',
provider: 'ip6tables',
source: '2001:db8:1234::',
destination: '2001:db8:4321::',
},
:args => ['-t', :filter, '-s', '2001:db8:1234::/128', '-d', '2001:db8:4321::/128', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 no cidr'],
args: ['-t', :filter, '-s', '2001:db8:1234::/128', '-d', '2001:db8:4321::/128', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 no cidr'],
},
'source_destination_ipv6_netmask' => {
:params => {
:name => '000 source destination ipv6 netmask',
:table => 'filter',
:provider => 'ip6tables',
:source => '2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
:destination => '2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
'source_destination_ipv6_netmask' => {
params: {
name: '000 source destination ipv6 netmask',
table: 'filter',
provider: 'ip6tables',
source: '2001:db8:1234::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
destination: '2001:db8:4321::/ffff:ffff:ffff:0000:0000:0000:0000:0000',
},
:args => ['-t', :filter, '-s', '2001:db8:1234::/48', '-d', '2001:db8:4321::/48', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 netmask'],
args: ['-t', :filter, '-s', '2001:db8:1234::/48', '-d', '2001:db8:4321::/48', '-p', :tcp, '-m', 'comment', '--comment', '000 source destination ipv6 netmask'],
},
'frag_ishasmorefrags' => {
:params => {
:name => "100 has more fragments",
:ishasmorefrags => true,
:provider => 'ip6tables',
:table => "filter",
params: {
name: '100 has more fragments',
ishasmorefrags: true,
provider: 'ip6tables',
table: 'filter',
},
:args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragmore", "-m", "comment", "--comment", "100 has more fragments"],
args: ['-t', :filter, '-p', :tcp, '-m', 'frag', '--fragid', '0', '--fragmore', '-m', 'comment', '--comment', '100 has more fragments'],
},
'frag_islastfrag' => {
:params => {
:name => "100 last fragment",
:islastfrag => true,
:provider => 'ip6tables',
:table => "filter",
params: {
name: '100 last fragment',
islastfrag: true,
provider: 'ip6tables',
table: 'filter',
},
:args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fraglast", "-m", "comment", "--comment", "100 last fragment"],
args: ['-t', :filter, '-p', :tcp, '-m', 'frag', '--fragid', '0', '--fraglast', '-m', 'comment', '--comment', '100 last fragment'],
},
'frag_isfirstfrags' => {
:params => {
:name => "100 first fragment",
:isfirstfrag => true,
:provider => 'ip6tables',
:table => "filter",
params: {
name: '100 first fragment',
isfirstfrag: true,
provider: 'ip6tables',
table: 'filter',
},
:args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragfirst", "-m", "comment", "--comment", "100 first fragment"],
args: ['-t', :filter, '-p', :tcp, '-m', 'frag', '--fragid', '0', '--fragfirst', '-m', 'comment', '--comment', '100 first fragment'],
},
'hop_limit' => {
:params => {
:name => "100 hop limit",
:hop_limit => 255,
:provider => 'ip6tables',
:table => "filter",
params: {
name: '100 hop limit',
hop_limit: 255,
provider: 'ip6tables',
table: 'filter',
},
:args => ["-t", :filter, "-p", :tcp, "-m", "hl", "--hl-eq", 255, "-m", "comment", "--comment", "100 hop limit"],
args: ['-t', :filter, '-p', :tcp, '-m', 'hl', '--hl-eq', 255, '-m', 'comment', '--comment', '100 hop limit'],
},
}
}.freeze
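Review bot: The `.freeze` on `ARGS_TO_HASH6` and `HASH_TO_ARGS6` is shallow: the nested `params` hashes and `args` arrays stay mutable, so a spec that modifies an entry in place would still change the fixture for every later example. If the freeze is meant to guarantee isolation, either freeze the nested values as well or have consumers `dup` an entry before changing it. A short comment above each constant would record the limit, e.g. `# Outer hash is frozen; nested values are not - copy before mutating.` Whether any spec mutates these entries cannot be seen from this section.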
1,783 changes: 896 additions & 887 deletions spec/fixtures/iptables/conversion_hash.rb

Large diffs are not rendered by default.

31 changes: 19 additions & 12 deletions spec/spec_helper.rb
@@ -1,17 +1,24 @@
# This file is generated by ModuleSync, do not edit.
require 'puppetlabs_spec_helper/module_spec_helper'
require 'rspec-puppet-facts'
include RspecPuppetFacts

if Puppet::Util::Package.versioncmp(Puppet.version, '4.5.0') >= 0
RSpec.configure do |c|
c.before :each do
Puppet.settings[:strict] = :error
end
end
default_facts = {
puppetversion: Puppet.version,
facterversion: Facter.version,
}

default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml'))
default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml'))

if File.exist?(default_facts_path) && File.readable?(default_facts_path)
default_facts.merge!(YAML.safe_load(File.read(default_facts_path)))
end

if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path)
default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path)))
end

# put local configuration and setup into spec_helper_local
begin
require 'spec_helper_local'
rescue LoadError => loaderror
puts "Could not require spec_helper_local: #{loaderror.message}"
RSpec.configure do |c|
c.default_facts = default_facts
end
require 'spec_helper_local'
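Review bot: Both `default_facts.merge!(YAML.safe_load(File.read(...)))` calls hand the parsed document straight to `merge!`, so a facts file that is empty, comment-only or has a non-mapping top level raises `TypeError` while the helper loads, before any example runs. `YAML.safe_load` is the right loader for a file read from disk; only its result needs a check, e.g. `facts = YAML.safe_load(File.read(default_facts_path))` followed by `default_facts.merge!(facts) if facts.is_a?(Hash)`, and the same for `default_module_facts_path`. The page does not mark which lines are added, but the bare `require 'spec_helper_local'` on the last line looks like the new side. If so, a missing local helper now aborts the run, where the `begin`/`rescue LoadError` form only printed a message.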
4 changes: 2 additions & 2 deletions spec/unit/classes/firewall_linux_archlinux_spec.rb
Expand Up @@ -21,7 +21,7 @@
)
}

context 'ensure => stopped' do
context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }

it {
Expand All @@ -36,7 +36,7 @@
}
end

context 'enable => false' do
context 'with enable => false' do
let(:params) { { enable: 'false' } }

it {
12 changes: 6 additions & 6 deletions spec/unit/classes/firewall_linux_debian_spec.rb
@@ -1,7 +1,7 @@
require 'spec_helper'

describe 'firewall::linux::debian', type: :class do
context 'Debian 7' do
context 'with Debian 7' do
let(:facts) do
{
osfamily: 'Debian',
Expand All @@ -24,7 +24,7 @@
}
end

context 'deb7 enable => false' do
context 'with deb7 enable => false' do
let(:facts) do
{
osfamily: 'Debian',
Expand All @@ -41,7 +41,7 @@
}
end

context 'Debian 8' do
context 'with Debian 8' do
let(:facts) do
{
osfamily: 'Debian',
Expand All @@ -64,7 +64,7 @@
}
end

context 'deb8 enable => false' do
context 'with deb8 enable => false' do
let(:facts) do
{
osfamily: 'Debian',
Expand All @@ -81,7 +81,7 @@
}
end

context 'Debian 8, alt operatingsystem' do
context 'with Debian 8, alt operatingsystem' do
let(:facts) do
{
osfamily: 'Debian',
Expand All @@ -104,7 +104,7 @@
}
end

context 'deb8, alt operatingsystem, enable => false' do
context 'with deb8, alt operatingsystem, enable => false' do
let(:facts) do
{
osfamily: 'Debian',
4 changes: 2 additions & 2 deletions spec/unit/classes/firewall_linux_gentoo_spec.rb
Expand Up @@ -26,7 +26,7 @@
)
}

context 'ensure => stopped' do
context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }

it {
Expand All @@ -41,7 +41,7 @@
}
end

context 'enable => false' do
context 'with enable => false' do
let(:params) { { enable: 'false' } }

it {
14 changes: 7 additions & 7 deletions spec/unit/classes/firewall_linux_redhat_spec.rb
@@ -1,7 +1,7 @@
require 'spec_helper'

RSpec.shared_examples 'ensures iptables service' do
context 'default' do
context 'with default' do
it {
is_expected.to contain_service('iptables').with(
ensure: 'running',
Expand All @@ -10,7 +10,7 @@
}
end

context 'ensure => stopped' do
context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }

it {
Expand All @@ -20,7 +20,7 @@
}
end

context 'enable => false' do
context 'with enable => false' do
let(:params) { { enable: 'false' } }

it {
Expand Down Expand Up @@ -80,7 +80,7 @@
)
}

context 'ensure => stopped' do
context 'with ensure => stopped' do
let(:params) { { ensure: 'stopped' } }

it {
Expand All @@ -90,7 +90,7 @@
}
end

context 'ensure_v6 => stopped' do
context 'with ensure_v6 => stopped' do
let(:params) { { ensure_v6: 'stopped' } }

it {
Expand All @@ -100,7 +100,7 @@
}
end

context 'enable => false' do
context 'with enable => false' do
let(:params) { { enable: 'false' } }

it {
Expand All @@ -110,7 +110,7 @@
}
end

context 'enable_v6 => false' do
context 'with enable_v6 => false' do
let(:params) { { enable_v6: 'false' } }

it {
16 changes: 7 additions & 9 deletions spec/unit/classes/firewall_spec.rb
@@ -1,45 +1,43 @@
require 'spec_helper'

describe 'firewall', type: :class do
context 'kernel => Linux' do
context 'with kernel => Linux' do
with_debian_facts
it { is_expected.to contain_class('firewall::linux').with_ensure('running') }
end

# rubocop:disable RSpec/MultipleExpectations
context 'kernel => Windows' do
context 'with kernel => Windows' do
let(:facts) { { kernel: 'Windows' } }

it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end

context 'kernel => SunOS' do
context 'with kernel => SunOS' do
let(:facts) { { kernel: 'SunOS' } }

it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end

context 'kernel => Darwin' do
context 'with kernel => Darwin' do
let(:facts) { { kernel: 'Darwin' } }

it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end

context 'ensure => stopped' do
context 'with ensure => stopped' do
with_debian_facts
let(:params) { { ensure: 'stopped' } }

it { is_expected.to contain_class('firewall::linux').with_ensure('stopped') }
end

context 'ensure => test' do
context 'with ensure => test' do
let(:facts) { { kernel: 'Linux' } }
let(:params) { { ensure: 'test' } }

it { expect { is_expected.to contain_class('firewall::linux') }.to raise_error(Puppet::Error) }
end

context 'ebtables_manage => true' do
context 'with ebtables_manage => true' do
let(:facts) { { kernel: 'Linux' } }
let(:params) { { ebtables_manage: true } }

4 changes: 2 additions & 2 deletions spec/unit/facter/iptables_persistent_version_spec.rb
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
require 'spec_helper'

describe 'Facter::Util::Fact iptables_persistent_version' do
context 'iptables-persistent applicable' do
context 'when iptables-persistent applicable' do
before(:each) { Facter.clear }

let(:dpkg_cmd) { "dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null" }
Expand Down Expand Up @@ -47,7 +47,7 @@
end
end

context 'netfilter-persistent applicable' do
context 'when netfilter-persistent applicable' do
before(:each) { Facter.clear }

let(:dpkg_cmd) { "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null" }
4 changes: 2 additions & 2 deletions spec/unit/puppet/provider/ip6tables_spec.rb
Expand Up @@ -43,14 +43,14 @@ def stub_iptables
provider.new(resource.new(params))
}
end
context 'iptables 1.3' do
context 'when iptables 1.3' do
let(:params) { { name: '000 test foo', action: 'accept' } }
let(:error_message) { %r{The ip6tables provider is not supported on version 1\.3 of iptables} }
let(:ip6tables_version) { '1.3.10' }

it_behaves_like 'raise error'
end
context 'ip6tables nil' do
context 'when ip6tables nil' do
let(:params) { { name: '000 test foo', action: 'accept' } }
let(:error_message) { %r{The ip6tables provider is not supported on version 1\.3 of iptables} }
let(:ip6tables_version) { nil }
2 changes: 1 addition & 1 deletion spec/unit/puppet/provider/iptables_chain_spec.rb
Expand Up @@ -75,7 +75,7 @@
allow(provider).to receive(:execute).with(['/sbin/iptables-save']).and_return('')
end

it 'is able to get a list of existing rules' do # rubocop:disable RSpec/MultipleExpectations
it 'is able to get a list of existing rules' do
provider.instances.each do |chain|
expect(chain).to be_instance_of(provider)
expect(chain.properties[:provider].to_s).to eq(provider.name.to_s)
6 changes: 3 additions & 3 deletions spec/unit/puppet/provider/iptables_spec.rb
Expand Up @@ -61,7 +61,7 @@
.and_return '/sbin/iptables-save'
end

it 'is expected to be able to get a list of existing rules' do # rubocop:disable RSpec/MultipleExpectations
it 'is expected to be able to get a list of existing rules' do
provider.instances.each do |rule|
expect(rule).to be_instance_of(provider)
expect(rule.properties[:provider].to_s).to eq(provider.name.to_s)
Expand Down Expand Up @@ -234,7 +234,7 @@

# Iterate across each parameter, creating an example for comparison
data[:params].each do |param_name, param_value|
it "the parameter '#{param_name}' should match #{param_value.inspect}" do # rubocop:disable RSpec/MultipleExpectations
it "the parameter '#{param_name}' should match #{param_value.inspect}" do
# booleans get cludged to string "true"
if param_value == true
expect(resource[param_name]).to be_truthy
Expand Down Expand Up @@ -383,7 +383,7 @@
.and_return '/sbin/ip6tables-save'
end

it 'is expected to be able to get a list of existing rules' do # rubocop:disable RSpec/MultipleExpectations
it 'is expected to be able to get a list of existing rules' do
provider6.instances.each do |rule|
expect(rule).to be_instance_of(provider6)
expect(rule.properties[:provider6].to_s).to eql provider6.name.to_s
6 changes: 1 addition & 5 deletions spec/unit/puppet/type/firewall_spec.rb
Expand Up @@ -520,8 +520,6 @@

[:chain, :jump].each do |param|
describe param do
# rubocop:disable RSpec/ExampleLength
# rubocop:disable RSpec/MultipleExpectations
it 'autorequires fwchain when table and provider are undefined' do
resource[param] = 'FOO'
expect(resource[:table]).to be :filter
Expand Down Expand Up @@ -677,8 +675,6 @@
end

describe 'autorequire packages' do
# rubocop:disable RSpec/ExampleLength
# rubocop:disable RSpec/MultipleExpectations
[:iptables, :ip6tables].each do |provider|
it "provider #{provider} should autorequire package iptables" do
resource[:provider] = provider
Expand Down Expand Up @@ -720,7 +716,7 @@
end

describe 'firewall on unsupported platforms' do
it 'is not suitable' do # rubocop:disable RSpec/ExampleLength
it 'is not suitable' do
# Stub iptables version
allow(Facter.fact(:iptables_version)).to receive(:value).and_return(nil)
allow(Facter.fact(:ip6tables_version)).to receive(:value).and_return(nil)
16 changes: 7 additions & 9 deletions spec/unit/puppet/type/firewallchain_spec.rb
Expand Up @@ -55,8 +55,8 @@
expect(resource[:name]).to eql name
end
end
end # chainname
end # protocol
end
end

%w[PREROUTING POSTROUTING BROUTING INPUT FORWARD OUTPUT].each do |internalchain|
name = internalchain + ':' + table + ':'
Expand All @@ -77,8 +77,8 @@
expect { resource[:name] = name }.to raise_error(Puppet::Error)
end
end
end # internalchain
end # table, allowedinternalchainnames
end
end

it 'fails with invalid table names' do
expect { resource[:name] = 'wrongtablename:test:IPv4' }.to raise_error(Puppet::Error)
Expand Down Expand Up @@ -112,8 +112,6 @@
end

describe 'autorequire packages' do
# rubocop:disable RSpec/ExampleLength
# rubocop:disable RSpec/MultipleExpectations
it 'provider iptables_chain should autorequire package iptables' do
expect(resource[:provider]).to be :iptables_chain
package = Puppet::Type.type(:package).new(name: 'iptables')
Expand Down Expand Up @@ -149,7 +147,7 @@
describe 'purge iptables rules' do
# rubocop:disable Layout/IndentHeredoc
before(:each) do
stub_return = <<EOS
stub_return = <<PUPPETCODE
# Completed on Sun Jan 5 19:30:21 2014
# Generated by iptables-save v1.4.12 on Sun Jan 5 19:30:21 2014
*filter
Expand All @@ -168,7 +166,7 @@
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Sun Jan 5 19:30:21 2014
EOS
PUPPETCODE
allow(Puppet::Type.type(:firewall).provider(:iptables)).to receive(:iptables_save).and_return(stub_return)
allow(Puppet::Type.type(:firewall).provider(:ip6tables)).to receive(:ip6tables_save).and_return(stub_return)
end
Expand Down Expand Up @@ -200,7 +198,7 @@
end

describe 'firewall on unsupported platforms' do
it 'is not suitable' do # rubocop:disable RSpec/ExampleLength
it 'is not suitable' do
# Stub iptables version
allow(Facter.fact(:iptables_version)).to receive(:value).and_return(nil)
allow(Facter.fact(:ip6tables_version)).to receive(:value).and_return(nil)
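Review bot: The heredoc assigned to `stub_return` in the `purge iptables rules` setup holds `iptables-save` output that the stubbed `iptables_save` and `ip6tables_save` return, not a Puppet manifest, so the `PUPPETCODE` delimiter (assuming it is the new side of the `EOS`/`PUPPETCODE` pair) misnames the content. A delimiter that matches the data, e.g. `stub_return = <<IPTABLES_SAVE` with a matching terminator, keeps this fixture distinguishable from the manifest heredocs in the acceptance specs. Part of the heredoc body is collapsed on this page, so only its first and last lines are visible here.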