authorThore Bödecker <me@foxxx0.de>2019-09-03 11:56:58 +0200
committerThore Bödecker <me@foxxx0.de>2019-09-11 13:20:35 +0200
commit882a45498ddefdfc83ff5b19da723fd0be3acdec (patch)
tree523f7a96c5b2640dbf2dd45cd89d931e12ceff9d /spec/classes
parent81748ba786c6a55c4575a400c08de99716da8fbb (diff)
add ability to define rules in tables != filter
Previously it was neither possible to properly define custom chains nor to define rules in tables other than the default filter table. For various legitimate reasons it can be required to define rules in the raw, nat or mangle tables, e.g. to use NOTRACK or to configure DNAT/SNAT/MASQUERADE. Additionally it might come in handy to define custom chains to group certain rules and allow a more efficient evaluation for incoming packets by not cramming all rules into the filter/INPUT chain, so that (worst-case) all packets need to traverse and evaluate all rules. I have tried to maintain backwards compatibility and to not change default filenames/paths so that it won't result in leftover obsolete unmanaged files from previous versions of this module. In order to improve the naming schema the rule $policy has been renamed to $action; however, both parameters are available and optional now, with some sanity checks that require at most one of them and issuing a warning() for users of the now deprecated $policy parameter. All previous tests have been adapted to the changes, along with an additional set of tests for the new feature. Fixes #61
Diffstat (limited to 'spec/classes')
-rw-r--r--spec/classes/ferm_spec.rb61
1 files changed, 58 insertions, 3 deletions
diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb
index e5669b8..225577b 100644
--- a/spec/classes/ferm_spec.rb
+++ b/spec/classes/ferm_spec.rb
@@ -64,6 +64,17 @@ describe 'ferm' do
is_expected.to contain_concat__fragment('ferm.conf'). \
without_content(%r{@preserve;})
end
+ it { is_expected.to contain_concat__fragment('raw-PREROUTING-config-include') }
+ it { is_expected.to contain_concat__fragment('raw-OUTPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('nat-PREROUTING-config-include') }
+ it { is_expected.to contain_concat__fragment('nat-INPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('nat-OUTPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('nat-POSTROUTING-config-include') }
+ it { is_expected.to contain_concat__fragment('mangle-PREROUTING-config-include') }
+ it { is_expected.to contain_concat__fragment('mangle-INPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('mangle-FORWARD-config-include') }
+ it { is_expected.to contain_concat__fragment('mangle-OUTPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('mangle-POSTROUTING-config-include') }
end
context 'with managed initfile' do
let :params do
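Review bot: The eleven `it` lines added before the `end` in this hunk enumerate every table/chain pair by hand, and the identical list is then repeated four more times in the next hunk (the `-policy` fragments, both `contain_concat` path variants and the `contain_ferm__chain` resources), so a chain added to the module later can easily be asserted in one group and forgotten in another. A single table-driven hash iterated with `each` keeps the built-in chain list in one place and generates each expectation group from it; the same construct can replace the other four groups. The enclosing `describe 'ferm'`/`context` blocks start before this hunk.
```ruby
# … unchanged: @preserve expectation above …
{ 'raw' => %w[PREROUTING OUTPUT],
  'nat' => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle' => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING] }.each do |table, chains|
  chains.each do |chain|
    it { is_expected.to contain_concat__fragment("#{table}-#{chain}-config-include") }
  end
end
```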
@@ -77,18 +88,62 @@ describe 'ferm' do
end
end
context 'it creates chains' do
- it { is_expected.to contain_concat__fragment('FORWARD-policy') }
- it { is_expected.to contain_concat__fragment('INPUT-policy') }
- it { is_expected.to contain_concat__fragment('OUTPUT-policy') }
+ it { is_expected.to contain_concat__fragment('raw-PREROUTING-policy') }
+ it { is_expected.to contain_concat__fragment('raw-OUTPUT-policy') }
+ it { is_expected.to contain_concat__fragment('nat-PREROUTING-policy') }
+ it { is_expected.to contain_concat__fragment('nat-INPUT-policy') }
+ it { is_expected.to contain_concat__fragment('nat-OUTPUT-policy') }
+ it { is_expected.to contain_concat__fragment('nat-POSTROUTING-policy') }
+ it { is_expected.to contain_concat__fragment('mangle-PREROUTING-policy') }
+ it { is_expected.to contain_concat__fragment('mangle-INPUT-policy') }
+ it { is_expected.to contain_concat__fragment('mangle-FORWARD-policy') }
+ it { is_expected.to contain_concat__fragment('mangle-OUTPUT-policy') }
+ it { is_expected.to contain_concat__fragment('mangle-POSTROUTING-policy') }
+ it { is_expected.to contain_concat__fragment('filter-INPUT-policy') }
+ it { is_expected.to contain_concat__fragment('filter-FORWARD-policy') }
+ it { is_expected.to contain_concat__fragment('filter-OUTPUT-policy') }
if facts[:os]['release']['major'].to_i == 10
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/raw-PREROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/raw-OUTPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-PREROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-OUTPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-POSTROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-PREROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-INPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-FORWARD.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-OUTPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-POSTROUTING.conf') }
it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/FORWARD.conf') }
it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/INPUT.conf') }
it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/OUTPUT.conf') }
else
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/raw-PREROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/raw-OUTPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-PREROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-OUTPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-POSTROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-PREROUTING.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-INPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-FORWARD.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-OUTPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-POSTROUTING.conf') }
it { is_expected.to contain_concat('/etc/ferm.d/chains/FORWARD.conf') }
it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
it { is_expected.to contain_concat('/etc/ferm.d/chains/OUTPUT.conf') }
end
+ it { is_expected.to contain_ferm__chain('raw-PREROUTING') }
+ it { is_expected.to contain_ferm__chain('raw-OUTPUT') }
+ it { is_expected.to contain_ferm__chain('nat-PREROUTING') }
+ it { is_expected.to contain_ferm__chain('nat-INPUT') }
+ it { is_expected.to contain_ferm__chain('nat-OUTPUT') }
+ it { is_expected.to contain_ferm__chain('nat-POSTROUTING') }
+ it { is_expected.to contain_ferm__chain('mangle-PREROUTING') }
+ it { is_expected.to contain_ferm__chain('mangle-INPUT') }
+ it { is_expected.to contain_ferm__chain('mangle-FORWARD') }
+ it { is_expected.to contain_ferm__chain('mangle-OUTPUT') }
+ it { is_expected.to contain_ferm__chain('mangle-POSTROUTING') }
it { is_expected.to contain_ferm__chain('FORWARD') }
it { is_expected.to contain_ferm__chain('OUTPUT') }
it { is_expected.to contain_ferm__chain('INPUT') }
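Review bot: The `*-policy` fragment expectations at the top of this hunk only assert that each fragment exists, not which policy it renders, so a template regression that emitted a restrictive default for, say, `nat-POSTROUTING` or `raw-PREROUTING` would still pass; a DROP policy on those chains would silently discard every packet no rule matched, which in the nat and raw tables is most traffic. Pinning the rendered text, e.g. `it { is_expected.to contain_concat__fragment('nat-POSTROUTING-policy').with_content(%r{policy ACCEPT}) }`, would guard this; the exact string to match depends on the chain template, which is outside this diff, so adjust the regex to what it emits. The same gap applies to the new `filter-*-policy` lines, where the module's default for INPUT/FORWARD/OUTPUT is likewise unasserted. The enclosing `context 'it creates chains'` block starts before this hunk and is closed after it.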