| author | Tim Meusel <tim@bastelfreak.de> | 2019-09-11 13:29:12 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-11 13:29:12 +0200 | 
| commit | 6d96e030be0db4a916dd6a9bd0b25570d359e634 (patch) | |
| tree | 523f7a96c5b2640dbf2dd45cd89d931e12ceff9d /spec/acceptance/ferm_spec.rb | |
| parent | 81748ba786c6a55c4575a400c08de99716da8fbb (diff) | |
| parent | 882a45498ddefdfc83ff5b19da723fd0be3acdec (diff) | |
Merge pull request #58 from voxpupuli/multi-table-support
add ability to configure rules in tables other than the default "filter" table
Diffstat (limited to 'spec/acceptance/ferm_spec.rb')
| -rw-r--r-- | spec/acceptance/ferm_spec.rb | 92 | 
1 files changed, 72 insertions, 20 deletions
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index 1b0f794..b0c41a5 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -12,27 +12,29 @@ manage_initfile = case sut_os
                     false
                   end
+basic_manifest = %(
+  class { 'ferm':
+    manage_service    => true,
+    manage_configfile => true,
+    manage_initfile   => #{manage_initfile}, # CentOS-6 does not provide init script
+    forward_policy    => 'DROP',
+    output_policy     => 'DROP',
+    input_policy      => 'DROP',
+    rules             => {
+      'allow_acceptance_tests' => {
+        chain  => 'INPUT',
+        action => 'ACCEPT',
+        proto  => tcp,
+        dport  => 22,
+      },
+    },
+    ip_versions      => ['ip'], #only ipv4 available with CI
+  }
+)
+
 describe 'ferm' do
   context 'with basics settings' do
-    pp = %(
-      class { 'ferm':
-        manage_service    => true,
-        manage_configfile => true,
-        manage_initfile   => #{manage_initfile}, # CentOS-6 does not provide init script
-        forward_policy    => 'DROP',
-        output_policy     => 'DROP',
-        input_policy      => 'DROP',
-        rules             => {
-          'allow acceptance_tests' => {
-            chain  => 'INPUT',
-            policy => 'ACCEPT',
-            proto  => tcp,
-            dport  => 22,
-          },
-        },
-        ip_versions      => ['ip'], #only ipv4 available with CI
-      }
-    )
+    pp = basic_manifest
     it 'works with no error' do
       apply_manifest(pp, catch_failures: true)
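Review bot: The hoisted `basic_manifest` carries no comment explaining that the three DROP policies plus the single `allow_acceptance_tests` rule on port 22 are, presumably, what keep the test runner's SSH session to the SUT alive, so a later edit that drops or reorders that rule would lock the acceptance host out mid-run rather than fail an assertion. A one-line comment above `basic_manifest = %(` such as `# Default-deny on INPUT/OUTPUT/FORWARD; the port-22 ACCEPT must stay or the SUT becomes unreachable mid-run.` would make that constraint explicit for anyone layering more resources onto this manifest in further contexts. As a point of style, `ip_versions      =>` is one space short of the arrow column used by the other attributes of the same resource. The `describe 'ferm'` and `context` blocks opened here close outside the hunk.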
@@ -54,7 +56,57 @@ describe 'ferm' do
     end
     describe iptables do
-      it { is_expected.to have_rule('-A INPUT -p tcp -m comment --comment "allow acceptance_tests" -m tcp --dport 22 -j ACCEPT').with_table('filter').with_chain('INPUT') }
+      it do
+        is_expected.to have_rule('-A INPUT -p tcp -m comment --comment ["]*allow_acceptance_tests["]* -m tcp --dport 22 -j ACCEPT'). \
+          with_table('filter'). \
+          with_chain('INPUT')
+      end
+    end
+
+    context 'with custom chains' do
+      advanced_manifest = %(
+        ferm::chain { 'check-http':
+          chain               => 'HTTP',
+          disable_conntrack   => true,
+          log_dropped_packets => false,
+        }
+        ferm::rule { 'jump_http':
+          chain             => 'INPUT',
+          action            => 'HTTP',
+          proto             => 'tcp',
+          dport             => '80',
+          require           => Ferm::Chain['check-http'],
+        }
+        ferm::rule { 'allow_http_localhost':
+          chain             => 'HTTP',
+          action            => 'ACCEPT',
+          proto             => 'tcp',
+          dport             => '80',
+          saddr             => '127.0.0.1',
+          require           => Ferm::Chain['check-http'],
+        }
+      )
+      pp = [basic_manifest, advanced_manifest].join("\n")
+
+      it 'works with no error' do
+        apply_manifest(pp, catch_failures: true)
+      end
+      it 'works idempotently' do
+        apply_manifest(pp, catch_changes: true)
+      end
+
+      describe iptables do
+        it do
+          is_expected.to have_rule('-A INPUT -p tcp -m comment --comment ["]*jump_http["]* -m tcp --dport 80 -j HTTP'). \
+            with_table('filter'). \
+            with_chain('INPUT')
+        end
+        it do
+          is_expected.to have_rule('-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'). \
+            with_table('filter'). \
+            with_chain('HTTP')
+        end
+      end
     end
   end
 end
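Review bot: The custom-chain assertions in the new `describe iptables` block only check that the jump rule and the localhost ACCEPT exist; nothing asserts that the `HTTP` chain accepts port 80 solely from `127.0.0.1/32`, so a regression that widened `allow_http_localhost` or added an unscoped ACCEPT to the chain would still pass. A negative check next to the existing ones, e.g. `it { is_expected.not_to have_rule('-A HTTP -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT').with_table('filter').with_chain('HTTP') }`, would pin the source restriction. Separately, if the matcher greps the rule text as a pattern, as the `["]*` workaround suggests, the unescaped dots in `127.0.0.1/32` match any character; writing `'127\.0\.0\.1/32'` inside the single-quoted rule string keeps the match exact. The enclosing `describe 'ferm'` block opens before this hunk.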
