Diffstat (limited to 'spec/defines')
-rw-r--r--spec/defines/chain_spec.rb30
-rw-r--r--spec/defines/rule_spec.rb119
2 files changed, 137 insertions, 12 deletions
diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb
index 9425821..4a598b3 100644
--- a/spec/defines/chain_spec.rb
+++ b/spec/defines/chain_spec.rb
@@ -15,25 +15,25 @@ describe 'ferm::chain', type: :define do
context 'default params creates INPUT2 chain' do
let :params do
{
- policy: 'DROP',
disable_conntrack: false,
log_dropped_packets: true
}
end
it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('filter-INPUT2-config-include') }
it do
- is_expected.to contain_concat__fragment('INPUT2-policy'). \
+ is_expected.to contain_concat__fragment('filter-INPUT2-policy'). \
with_content(%r{ESTABLISHED RELATED})
end
it do
- is_expected.to contain_concat__fragment('INPUT2-footer'). \
+ is_expected.to contain_concat__fragment('filter-INPUT2-footer'). \
with_content(%r{LOG log-prefix 'INPUT2: ';})
end
if facts[:os]['release']['major'].to_i == 10
- it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/INPUT2.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/filter-INPUT2.conf') }
else
- it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT2.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/filter-INPUT2.conf') }
end
it { is_expected.to contain_ferm__chain('INPUT2') }
end
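Review bot: Dropping `policy: 'DROP'` from the 'default params' context here (and from 'without conntrack' in the next hunk) leaves this spec, as far as the visible hunks show, with no positive assertion that a DROP policy is actually rendered for a builtin chain; the new context in the third hunk only covers the rejection for a custom chain. Since the default policy line is the property a firewall module most needs to keep stable, a companion context such as `context 'builtin chain with DROP policy'` with `chain: 'INPUT', policy: 'DROP'` and an expectation like `contain_concat__fragment('filter-INPUT-policy').with_content(%r{policy DROP})` would pin it. The exact text to match should be taken from the chain template rather than from this guess.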
@@ -41,7 +41,6 @@ describe 'ferm::chain', type: :define do
context 'without conntrack' do
let :params do
{
- policy: 'DROP',
disable_conntrack: true,
log_dropped_packets: false
}
@@ -49,15 +48,28 @@ describe 'ferm::chain', type: :define do
it { is_expected.to compile.with_all_deps }
it do
- is_expected.to contain_concat__fragment('INPUT2-policy')
- is_expected.not_to contain_concat__fragment('INPUT2-policy'). \
+ is_expected.to contain_concat__fragment('filter-INPUT2-policy')
+ is_expected.not_to contain_concat__fragment('filter-INPUT2-policy'). \
with_content(%r{ESTABLISHED RELATED})
end
it do
- is_expected.not_to contain_concat__fragment('INPUT2-footer'). \
+ is_expected.not_to contain_concat__fragment('filter-INPUT2-footer'). \
with_content(%r{LOG log-prefix 'INPUT2: ';})
end
end
+
+ context 'with policy setting for custom chain' do
+ let :params do
+ {
+ chain: 'INPUT2',
+ policy: 'DROP',
+ disable_conntrack: true,
+ log_dropped_packets: false
+ }
+ end
+
+ it { is_expected.to compile.and_raise_error(%r{Can only set a default policy for builtin chains}) }
+ end
end
end
end
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index 1bec758..ef20e17 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -11,7 +11,37 @@ describe 'ferm::rule', type: :define do
'include ferm'
end
- context 'without a specific interface' do
+ context 'without policy or action' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ proto: 'tcp',
+ dport: '22',
+ saddr: '127.0.0.1'
+ }
+ end
+
+ it { is_expected.to compile.and_raise_error(%r{Exactly one of "action" or the deprecated "policy" param is required}) }
+ end
+
+ context 'with both policy and action' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ policy: 'ACCEPT',
+ action: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ saddr: '127.0.0.1'
+ }
+ end
+
+ it { is_expected.to compile.and_raise_error(%r{Cannot specify both policy and action}) }
+ end
+
+ context 'without a specific interface using legacy policy param' do
let(:title) { 'filter-ssh' }
let :params do
{
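Review bot: The three contexts opened in this hunk each repeat `let(:title) { 'filter-ssh' }` and the same `chain`/`proto`/`dport`/`saddr` params, differing only in `policy`/`action`; a describe-level `let(:title)` plus a shared base hash merged per context (`let(:params) { base_params.merge(action: 'ACCEPT') }`) would keep the positive case and the two error cases from drifting apart. The renamed 'using legacy policy param' context's `let :params` continues past the end of the hunk. If the deprecated `policy` path emits a deprecation warning, that context is the natural place to assert it, but nothing in the hunk shows whether it does.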
@@ -26,12 +56,32 @@ describe 'ferm::rule', type: :define do
it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
end
+
+ context 'without a specific interface' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ action: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ saddr: '127.0.0.1'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') }
+ it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') }
+ end
+
context 'with a specific interface' do
let(:title) { 'filter-ssh' }
let :params do
{
chain: 'INPUT',
- policy: 'ACCEPT',
+ action: 'ACCEPT',
proto: 'tcp',
dport: '22',
saddr: '127.0.0.1',
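Review bot: The `filter-FORWARD-config-include` and `filter-OUTPUT-config-include` expectations in the new 'without a specific interface' context do not exercise `ferm::rule`: the rule only touches INPUT, so those fragments presumably come from the `include ferm` pre_condition and would pass even if the rule contributed nothing. If the intent is to check that a rule in one chain leaves the other builtin chains' includes intact, say so in the example description, or move the two expectations to the class spec; otherwise only the `filter-INPUT-config-include` assertion belongs here. The 'with a specific interface' context's params continue past the end of the hunk.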
@@ -44,12 +94,13 @@ describe 'ferm::rule', type: :define do
it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
end
+
context 'with a specific interface using array for daddr' do
let(:title) { 'filter-ssh' }
let :params do
{
chain: 'INPUT',
- policy: 'ACCEPT',
+ action: 'ACCEPT',
proto: 'tcp',
dport: '22',
daddr: ['127.0.0.1', '123.123.123.123', ['10.0.0.1', '10.0.0.2']],
@@ -62,6 +113,68 @@ describe 'ferm::rule', type: :define do
it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
end
+
+ context 'with jumping to custom chains' do
+ # create custom chain
+ let(:pre_condition) do
+ 'include ferm ;
+ ferm::chain{"check-ssh":
+ chain => "SSH",
+ disable_conntrack => true,
+ log_dropped_packets => false,
+ }'
+ end
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ action: 'SSH',
+ proto: 'tcp',
+ dport: '22'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('filter-SSH-policy') }
+ it do
+ is_expected.to contain_concat__fragment('INPUT-filter-ssh').\
+ with_content("mod comment comment 'filter-ssh' proto tcp dport 22 jump SSH;\n"). \
+ that_requires('Ferm::Chain[check-ssh]')
+ end
+ it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
+ if facts[:os]['release']['major'].to_i == 10
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/filter-SSH.conf') }
+ else
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/filter-SSH.conf') }
+ end
+ end
+
+ context 'definining rules in custom chains' do
+ # create custom chain
+ let(:pre_condition) do
+ 'include ferm ;
+ ferm::chain{"check-ssh":
+ chain => "SSH",
+ disable_conntrack => true,
+ log_dropped_packets => false,
+ }'
+ end
+ let(:title) { 'allow-ssh-localhost' }
+ let :params do
+ {
+ chain: 'SSH',
+ action: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ saddr: '127.0.0.1'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('SSH-allow-ssh-localhost').with_content("mod comment comment 'allow-ssh-localhost' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('filter-SSH-config-include') }
+ end
end
end
end
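Review bot: The description of the second new context is misspelled and should read `context 'defining rules in custom chains' do`. Both new contexts also carry an identical `pre_condition` string declaring `ferm::chain{"check-ssh": ...}`; hoisting it into a single shared `let(:pre_condition)` (for example in a `shared_context`) keeps the two in step when the chain's params change. The `that_requires('Ferm::Chain[check-ssh]')` check on the jump example is worth keeping, since a jump to a chain that is not yet declared would presumably make ferm reject the ruleset; the `SSH-allow-ssh-localhost` fragment in the second context has no such ordering check and could get the same `that_requires`.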