aboutsummaryrefslogtreecommitdiff
path: root/spec/acceptance
diff options
context:
space:
mode:
authorTim Meusel <tim@bastelfreak.de>2020-05-18 11:29:03 +0200
committerGitHub <noreply@github.com>2020-05-18 11:29:03 +0200
commitdac79dba12b034af8de2a31906a932f2932871a0 (patch)
tree77bc411088472f3e6db4e5095857d7cc550e0cb8 /spec/acceptance
parent6362585d53490ff9e837af1359d8e80f8053d0fc (diff)
parent6be13799d8a2ee49c3af88ffd7a474c39f1475e3 (diff)
downloadpuppet-ferm-dac79dba12b034af8de2a31906a932f2932871a0.tar.gz
puppet-ferm-dac79dba12b034af8de2a31906a932f2932871a0.tar.bz2
Merge pull request #105 from rehanone/allow-custom-chain-rules-using-ferm-dsl
Allow adding custom ferm dsl for subchains. This is important for usiā€¦
Diffstat (limited to 'spec/acceptance')
-rw-r--r--spec/acceptance/ferm_spec.rb63
1 files changed, 62 insertions, 1 deletions
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index 0dd2399..8c5c454 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -26,6 +26,10 @@ iptables_output = case sut_os
'-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'
]
end
+
+iptables_output_custom = ['-A FORWARD -s 10.8.0.0/24 -p udp -m comment --comment "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES" -j OPENVPN_FORWORD_RULES',
+ '-A OPENVPN_FORWORD_RULES -s 10.8.0.0/24 -i tun0 -o enp4s0 -p udp -m conntrack --ctstate NEW -j ACCEPT']
+
basic_manifest = %(
class { 'ferm':
manage_service => true,
@@ -124,7 +128,7 @@ describe 'ferm' do
end
end
- context 'with dropping INVALID pakets' do
+ context 'with dropping INVALID packets' do
pp2 = %(
class { 'ferm':
manage_service => true,
@@ -162,4 +166,61 @@ describe 'ferm' do
end
end
end
+
+ context 'with custom chain using ferm DSL as content' do
+ advanced_manifest = %(
+ $my_rules = @(EOT)
+ chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+ }
+ | EOT
+
+ ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+ }
+
+ ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+ }
+ )
+ pp = [basic_manifest, advanced_manifest].join("\n")
+
+ it 'works with no error' do
+ apply_manifest(pp, catch_failures: true)
+ end
+ it 'works idempotently' do
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe iptables do
+ it do
+ is_expected.to have_rule(iptables_output_custom[0]). \
+ with_table('filter'). \
+ with_chain('FORWARD')
+ end
+ it do
+ is_expected.to have_rule(iptables_output_custom[1]). \
+ with_table('filter'). \
+ with_chain('OPENVPN_FORWORD_RULES')
+ end
+ end
+
+ describe service('ferm') do
+ it { is_expected.to be_running }
+ end
+
+ describe command('iptables-save') do
+ its(:stdout) { is_expected.to match %r{FORWARD.*-j OPENVPN_FORWORD_RULES} }
+ end
+ end
end