authorTim Meusel <tim@bastelfreak.de>2020-05-18 11:29:03 +0200
committerGitHub <noreply@github.com>2020-05-18 11:29:03 +0200
commitdac79dba12b034af8de2a31906a932f2932871a0 (patch)
tree77bc411088472f3e6db4e5095857d7cc550e0cb8 /spec
parent6362585d53490ff9e837af1359d8e80f8053d0fc (diff)
parent6be13799d8a2ee49c3af88ffd7a474c39f1475e3 (diff)
Merge pull request #105 from rehanone/allow-custom-chain-rules-using-ferm-dsl
Allow adding custom ferm dsl for subchains. This is important for usi…
Diffstat (limited to 'spec')
-rw-r--r--spec/acceptance/ferm_spec.rb63
-rw-r--r--spec/defines/chain_spec.rb28
2 files changed, 90 insertions, 1 deletions
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index 0dd2399..8c5c454 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -26,6 +26,10 @@ iptables_output = case sut_os
'-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'
]
end
+
+iptables_output_custom = ['-A FORWARD -s 10.8.0.0/24 -p udp -m comment --comment "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES" -j OPENVPN_FORWORD_RULES',
+ '-A OPENVPN_FORWORD_RULES -s 10.8.0.0/24 -i tun0 -o enp4s0 -p udp -m conntrack --ctstate NEW -j ACCEPT']
+
basic_manifest = %(
class { 'ferm':
manage_service => true,
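Review bot: `FORWORD` in the chain name and in the rule comment of the added `iptables_output_custom` strings is a misspelling of FORWARD, and the third hunk of this file repeats it in the manifest's chain title, the `ferm::rule` title and both `with_chain`/`iptables-save` expectations. The spelling is consistent so the test passes, but the fixture will be copied as a template, so renaming it to `OPENVPN_FORWARD_RULES` in both hunks keeps it in line with the built-in `FORWARD` chain it hangs off. The second array element is also indented one column, unlike the first; one element per line at a common indent would read and diff more cleanly.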
@@ -124,7 +128,7 @@ describe 'ferm' do
end
end
- context 'with dropping INVALID pakets' do
+ context 'with dropping INVALID packets' do
pp2 = %(
class { 'ferm':
manage_service => true,
@@ -162,4 +166,61 @@ describe 'ferm' do
end
end
end
+
+ context 'with custom chain using ferm DSL as content' do
+ advanced_manifest = %(
+ $my_rules = @(EOT)
+ chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+ }
+ | EOT
+
+ ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+ }
+
+ ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+ }
+ )
+ pp = [basic_manifest, advanced_manifest].join("\n")
+
+ it 'works with no error' do
+ apply_manifest(pp, catch_failures: true)
+ end
+ it 'works idempotently' do
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe iptables do
+ it do
+ is_expected.to have_rule(iptables_output_custom[0]). \
+ with_table('filter'). \
+ with_chain('FORWARD')
+ end
+ it do
+ is_expected.to have_rule(iptables_output_custom[1]). \
+ with_table('filter'). \
+ with_chain('OPENVPN_FORWORD_RULES')
+ end
+ end
+
+ describe service('ferm') do
+ it { is_expected.to be_running }
+ end
+
+ describe command('iptables-save') do
+ its(:stdout) { is_expected.to match %r{FORWARD.*-j OPENVPN_FORWORD_RULES} }
+ end
+ end
end
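Review bot: The assertions only prove that the two expected rules exist; nothing checks that the verbatim ferm DSL in `$my_rules` produced exactly one rule in `OPENVPN_FORWORD_RULES`, so a template that accidentally emitted extra rules into the subchain (the likely failure mode of passing raw DSL through) would still pass. In the `describe command('iptables-save')` block add `it { expect(subject.stdout.lines.grep(%r{^-A OPENVPN_FORWORD_RULES }).size).to eq 1 }` to pin that. The `ferm::chain` declaration passes `chain => 'OPENVPN_FORWORD_RULES'` identical to its title, which is presumably the define's default and could be dropped; and the two bare `it do` examples under `describe iptables` would be easier to locate in a failure report with a description such as `it 'jumps from FORWARD into the subchain'`.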
diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb
index 1a6bb44..52cc88c 100644
--- a/spec/defines/chain_spec.rb
+++ b/spec/defines/chain_spec.rb
@@ -70,6 +70,34 @@ describe 'ferm::chain', type: :define do
it { is_expected.to compile.and_raise_error(%r{Can only set a default policy for builtin chains}) }
end
+
+ context 'with custom chain FERM-DSL using content parameter' do
+ let(:title) { 'FERM-DSL' }
+ let :params do
+ {
+ content: 'mod rpfilter invert DROP;'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('filter-FERM-DSL-config-include') }
+ it do
+ is_expected.to contain_concat__fragment('filter-FERM-DSL-custom-content'). \
+ with_content(%r{mod rpfilter invert DROP;})
+ end
+ it do
+ is_expected.not_to contain_concat__fragment('filter-FERM-DSL-policy')
+ end
+ it do
+ is_expected.not_to contain_concat__fragment('filter-FERM-DSL-footer')
+ end
+ if facts[:os]['name'] == 'Debian'
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/filter-FERM-DSL.conf') }
+ else
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/filter-FERM-DSL.conf') }
+ end
+ it { is_expected.to contain_ferm__chain('FERM-DSL') }
+ end
end
end
end
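Review bot: The new context exercises `content` only on its own; because the custom-content fragment carries the DSL verbatim (per the `with_content` assertion), what happens when a caller also sets `policy` is not pinned down, and a chain file containing both a policy line and arbitrary DSL is the case most worth guarding. If the define rejects that combination, add a sibling context mirroring the error test at the top of the hunk, `let(:params) { { content: 'mod rpfilter invert DROP;', policy: 'DROP' } }` with `it { is_expected.to compile.and_raise_error(%r{content}) }` (adjust the pattern to the define's message); if it is accepted, a test documenting which fragment wins is still worth having. The `if facts[:os]['name'] == 'Debian'` path selection presumably repeats the pattern used by the other contexts in this file and could move into a shared `let(:chain_path)`. The enclosing `describe` blocks closed by the three trailing `end`s open outside the hunk.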