# frozen_string_literal: true
require 'spec_helper_acceptance'
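# Acceptance test for the top-level `nftables` class.
#
# The manifest below turns off every default rule the class would otherwise
# manage and then includes each shipped rule/service class explicitly, so that
# a single catalog exercises the whole ruleset. Because the real nftables
# service cannot load a ruleset inside the docker-based test nodes, a systemd
# drop-in swaps the unit's ExecStart/ExecReload for a `nft -c` syntax check.
# After applying the manifest twice (convergence, then idempotency) the spec
# asserts the package, the service, and the files the module is expected to
# leave on disk.
describe 'nftables class' do
  context 'configure all nftables rules' do
    it 'works idempotently with no errors' do
      pp = <<~PUPPET
        # default mask of firewalld service fails if service is not installed.
        # https://tickets.puppetlabs.com/browse/PUP-10814
        # Disable all default rules and include below explicitly
        class { 'nftables':
          firewalld_enable => false,
          out_ntp => false,
          out_http => false,
          out_https => false,
          out_icmp => false,
          in_ssh => false,
          in_icmp => false,
        }
        include nftables::rules::icmp
        include nftables::rules::dns
        include nftables::rules::node_exporter
        include nftables::rules::nfs3
        include nftables::rules::ssh
        include nftables::rules::dhcpv6_client
        include nftables::rules::afs3_callback
        include nftables::rules::ospf
        include nftables::rules::http
        include nftables::rules::puppet
        include nftables::rules::pxp_agent
        include nftables::rules::icinga2
        include nftables::rules::ldap
        include nftables::rules::tor
        include nftables::rules::ospf3
        include nftables::rules::ceph_mon
        include nftables::rules::smtp_submission
        include nftables::rules::https
        include nftables::rules::nfs
        include nftables::rules::smtps
        include nftables::rules::smtp
        include nftables::rules::ceph
        include nftables::rules::samba
        include nftables::rules::activemq
        include nftables::rules::docker_ce
        include nftables::rules::qemu
        include nftables::rules::out::postgres
        include nftables::rules::out::icmp
        include nftables::rules::out::dns
        include nftables::rules::out::nfs3
        include nftables::rules::out::ssh
        include nftables::rules::out::kerberos
        include nftables::rules::out::dhcpv6_client
        include nftables::rules::out::ospf
        include nftables::rules::out::openafs_client
        include nftables::rules::out::http
        include nftables::rules::out::ssh::remove
        include nftables::rules::out::hkp
        class{'nftables::rules::out::puppet':
          puppetserver => '127.0.0.1',
        }
        class{'nftables::rules::out::pxp_agent':
          broker => '127.0.0.1',
        }
        class{'nftables::rules::out::ldap':
          ldapserver => '127.0.0.1',
        }
        class{'nftables::rules::out::active_directory':
          adserver => '127.0.0.1',
        }
        include nftables::rules::out::all
        include nftables::rules::out::tor
        include nftables::rules::out::ospf3
        include nftables::rules::out::mysql
        include nftables::rules::out::ceph_client
        include nftables::rules::out::https
        include nftables::rules::out::dhcp
        include nftables::rules::out::nfs
        include nftables::rules::out::smtp
        include nftables::rules::out::smtp_client
        include nftables::rules::out::imap
        include nftables::rules::out::pop3
        include nftables::rules::out::chrony
        include nftables::rules::out::wireguard
        include nftables::rules::out::whois
        include nftables::rules::wireguard
        include nftables::rules::multicast
        include nftables::rules::spotify
        include nftables::rules::llmnr
        include nftables::rules::ssdp
        include nftables::rules::mdns
        include nftables::rules::igmp
        include nftables::rules::wsd
        include nftables::rules::out::igmp
        include nftables::rules::out::mldv2
        include nftables::rules::out::mdns
        include nftables::rules::out::ssdp
        include nftables::services::dhcpv6_client
        include nftables::services::openafs_client
        nftables::set{'my_test_set':
          type => 'ipv4_addr',
          elements => ['192.168.0.1', '10.0.0.2'],
          table => ['inet-filter', 'ip-nat'],
        }
        $config_path = $facts['os']['family'] ? {
          'Archlinux' => '/etc/nftables.conf',
          'Debian' => '/etc/nftables.conf',
          default => '/etc/sysconfig/nftables.conf',
        }
        $nft_path = $facts['os']['family'] ? {
          'Archlinux' => '/usr/bin/nft',
          default => '/usr/sbin/nft',
        }
        # nftables cannot be started in docker so replace service with a validation only.
        systemd::dropin_file{"zzz_docker_nft.conf":
          ensure => present,
          unit => "nftables.service",
          content => [
            "[Service]",
            "ExecStart=",
            "ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
            "ExecReload=",
            "ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
            "",
          ].join("\n"),
          notify => Service["nftables"],
        }
      PUPPET

      # The drop-in above only validates the ruleset (`nft -c`); the empty
      # `ExecStart=` / `ExecReload=` lines clear the unit's original commands
      # before the check-only variants are set, so nothing is loaded into the
      # kernel on the test node.
      #
      # Apply twice: the first run must converge without failures, the second
      # must report no changes (idempotency).
      apply_manifest(pp, catch_failures: true)
      apply_manifest(pp, catch_changes: true)
    end

    describe package('nftables') do
      it { is_expected.to be_installed }
    end

    describe service('nftables') do
      it { is_expected.to be_running }
      it { is_expected.to be_enabled }
    end

    # One describe per path: the serverspec `file` resource describes a single
    # path, so passing both paths to one `file(...)` call leaves the second
    # (the systemd drop-in that points the unit at the puppet-managed ruleset)
    # unasserted.
    [
      '/etc/nftables/puppet.nft',
      '/etc/systemd/system/nftables.service.d/puppet_nft.conf',
    ].each do |path|
      describe file(path) do
        it { is_expected.to be_file }
      end
    end

    describe file('/etc/nftables/puppet') do
      it { is_expected.to be_directory }
    end
  end
end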