aboutsummaryrefslogtreecommitdiff
path: root/spec/acceptance
diff options
context:
space:
mode:
authorTim Meusel <tim@bastelfreak.de>2019-09-11 13:29:12 +0200
committerGitHub <noreply@github.com>2019-09-11 13:29:12 +0200
commit6d96e030be0db4a916dd6a9bd0b25570d359e634 (patch)
tree523f7a96c5b2640dbf2dd45cd89d931e12ceff9d /spec/acceptance
parent81748ba786c6a55c4575a400c08de99716da8fbb (diff)
parent882a45498ddefdfc83ff5b19da723fd0be3acdec (diff)
downloadpuppet-ferm-6d96e030be0db4a916dd6a9bd0b25570d359e634.tar.gz
puppet-ferm-6d96e030be0db4a916dd6a9bd0b25570d359e634.tar.bz2
Merge pull request #58 from voxpupuli/multi-table-support
add ability to configure rules in tables other than the default "filter" table
Diffstat (limited to 'spec/acceptance')
-rw-r--r--spec/acceptance/ferm_spec.rb92
1 files changed, 72 insertions, 20 deletions
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index 1b0f794..b0c41a5 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -12,27 +12,29 @@ manage_initfile = case sut_os
false
end
+basic_manifest = %(
+ class { 'ferm':
+ manage_service => true,
+ manage_configfile => true,
+ manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script
+ forward_policy => 'DROP',
+ output_policy => 'DROP',
+ input_policy => 'DROP',
+ rules => {
+ 'allow_acceptance_tests' => {
+ chain => 'INPUT',
+ action => 'ACCEPT',
+ proto => tcp,
+ dport => 22,
+ },
+ },
+ ip_versions => ['ip'], #only ipv4 available with CI
+ }
+)
+
describe 'ferm' do
context 'with basics settings' do
- pp = %(
- class { 'ferm':
- manage_service => true,
- manage_configfile => true,
- manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script
- forward_policy => 'DROP',
- output_policy => 'DROP',
- input_policy => 'DROP',
- rules => {
- 'allow acceptance_tests' => {
- chain => 'INPUT',
- policy => 'ACCEPT',
- proto => tcp,
- dport => 22,
- },
- },
- ip_versions => ['ip'], #only ipv4 available with CI
- }
- )
+ pp = basic_manifest
it 'works with no error' do
apply_manifest(pp, catch_failures: true)
@@ -54,7 +56,57 @@ describe 'ferm' do
end
describe iptables do
- it { is_expected.to have_rule('-A INPUT -p tcp -m comment --comment "allow acceptance_tests" -m tcp --dport 22 -j ACCEPT').with_table('filter').with_chain('INPUT') }
+ it do
+ is_expected.to have_rule('-A INPUT -p tcp -m comment --comment ["]*allow_acceptance_tests["]* -m tcp --dport 22 -j ACCEPT'). \
+ with_table('filter'). \
+ with_chain('INPUT')
+ end
+ end
+
+ context 'with custom chains' do
+ advanced_manifest = %(
+ ferm::chain { 'check-http':
+ chain => 'HTTP',
+ disable_conntrack => true,
+ log_dropped_packets => false,
+ }
+ ferm::rule { 'jump_http':
+ chain => 'INPUT',
+ action => 'HTTP',
+ proto => 'tcp',
+ dport => '80',
+ require => Ferm::Chain['check-http'],
+ }
+ ferm::rule { 'allow_http_localhost':
+ chain => 'HTTP',
+ action => 'ACCEPT',
+ proto => 'tcp',
+ dport => '80',
+ saddr => '127.0.0.1',
+ require => Ferm::Chain['check-http'],
+ }
+ )
+ pp = [basic_manifest, advanced_manifest].join("\n")
+
+ it 'works with no error' do
+ apply_manifest(pp, catch_failures: true)
+ end
+ it 'works idempotently' do
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe iptables do
+ it do
+ is_expected.to have_rule('-A INPUT -p tcp -m comment --comment ["]*jump_http["]* -m tcp --dport 80 -j HTTP'). \
+ with_table('filter'). \
+ with_chain('INPUT')
+ end
+ it do
+ is_expected.to have_rule('-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'). \
+ with_table('filter'). \
+ with_chain('HTTP')
+ end
+ end
end
end
end