Diffstat (limited to 'spec')
| -rw-r--r-- | spec/acceptance/ferm_spec.rb | 105 | ||||
| -rw-r--r-- | spec/defines/chain_spec.rb | 28 | 
2 files changed, 128 insertions, 5 deletions
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index 0dd2399..f8f0ef4 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -26,6 +26,19 @@ iptables_output = case sut_os
                        '-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'
                      ]
                    end
+
+iptables_output_custom = ['-A FORWARD -s 10.8.0.0/24 -p udp -m comment --comment "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES" -j OPENVPN_FORWORD_RULES',
+                          '-A OPENVPN_FORWORD_RULES -s 10.8.0.0/24 -i tun0 -o enp4s0 -p udp -m conntrack --ctstate NEW -j ACCEPT']
+
+# When `install_method` is `vcsrepo` with `vcstag` >= `v2.5` ferm call "legacy"
+# xtables tools because nft based tools are incompatible.
+iptables_save_cmd = case sut_os
+                    when 'Debian-10'
+                      'iptables-legacy-save'
+                    else
+                      'iptables-save'
+                    end
+
 basic_manifest = %(
   class { 'ferm':
     manage_service    => true,
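Review bot: The new expected rule `iptables_output_custom[0]` hard-codes the comment in literal double quotes (`--comment "OpenVPN - FORWORD …"`), while the existing expectation on the context line above writes it as `["]*allow_http_localhost["]*`, presumably so the match tolerates iptables builds that print the comment unquoted; the new string should follow the same convention, `--comment ["]*OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES["]* -j OPENVPN_FORWORD_RULES`. Separately, `iptables_save_cmd` is selected by `sut_os` alone although the comment ties the legacy tool to `install_method => 'vcsrepo'` with `vcstag >= v2.5`, and the default-install context later in this file still calls plain `iptables-save`. The comment would state that more precisely as `# With install_method => 'vcsrepo' and vcstag >= v2.5, ferm uses the "legacy" xtables tools because the nft-based ones are incompatible; only the vcsrepo contexts below should use this command.`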
@@ -43,12 +56,36 @@ basic_manifest = %(        },      },      ip_versions      => ['ip'], #only ipv4 available with CI -  }  )  describe 'ferm' do -  context 'with basics settings' do -    pp = basic_manifest +  context 'with basics settings and vcsrepo install_method' do +    pp = [basic_manifest, "install_method => 'vcsrepo',}"].join("\n") + +    it 'works with no error' do +      apply_manifest(pp, catch_failures: true) +    end +    it 'works idempotently' do +      apply_manifest(pp, catch_changes: true) +    end + +    describe package('ferm') do +      it { is_expected.not_to be_installed } +    end + +    describe service('ferm') do +      it { is_expected.to be_running } +    end + +    describe command("#{iptables_save_cmd} -t filter") do +      its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m } +      its(:stdout) { is_expected.not_to match %r{state INVALID -j DROP} } +      its(:stdout) { is_expected.to match %r{allow_acceptance_tests.*-j ACCEPT}m } +    end +  end + +  context 'with basics settings and default install_method' do +    pp = [basic_manifest, '}'].join("\n")      it 'works with no error' do        apply_manifest(pp, catch_failures: true) @@ -101,7 +138,7 @@ describe 'ferm' do            require           => Ferm::Chain['check-http'],          }        ) -      pp = [basic_manifest, advanced_manifest].join("\n") +      pp = [basic_manifest, '}', advanced_manifest].join("\n")        it 'works with no error' do          apply_manifest(pp, catch_failures: true) @@ -124,7 +161,7 @@ describe 'ferm' do        end      end -    context 'with dropping INVALID pakets' do +    context 'with dropping INVALID packets' do        pp2 = %(          class { 'ferm':            manage_service                            => true, 
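Review bot: In the `command("#{iptables_save_cmd} -t filter")` expectation of the vcsrepo context, `%r{.*filter.*:INPUT DROP…}m` presumably means the `*filter` table header, but an unescaped `*` is a quantifier on the preceding `.`, so the asterisk is never checked and the leading and trailing `.*` add nothing; `%r{\*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT}m` states the intent. Second, `basic_manifest` is now left with its `class { 'ferm':` block unterminated and each context closes it — `"install_method => 'vcsrepo',}"` here, `'}'` in the `-101` hunk and in the last hunk of this file — which is easy to miss when a new context is added; a comment on the definition such as `# NOTE: deliberately unterminated — each context appends its own parameters and the closing '}'` would record that convention. The default-install context opened at the end of this hunk continues outside it.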
@@ -162,4 +199,62 @@ describe 'ferm' do        end      end    end + +  context 'with custom chain using ferm DSL as content' do +    advanced_manifest = %( +      $my_rules = @(EOT) +      chain OPENVPN_FORWORD_RULES { +        proto udp { +          interface tun0 { +            outerface enp4s0 { +              mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT; +            } +          } +        } +      } +      | EOT + +      ferm::chain{'OPENVPN_FORWORD_RULES': +        chain   => 'OPENVPN_FORWORD_RULES', +        content => $my_rules, +      } + +      ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES": +        chain     => 'FORWARD', +        action    => 'OPENVPN_FORWORD_RULES', +        saddr     => '10.8.0.0/24', +        proto     => 'udp', +      } +    ) + +    pp = [basic_manifest, '}', advanced_manifest].join("\n") + +    it 'works with no error' do +      apply_manifest(pp, catch_failures: true) +    end +    it 'works idempotently' do +      apply_manifest(pp, catch_changes: true) +    end + +    describe iptables do +      it do +        is_expected.to have_rule(iptables_output_custom[0]). \ +          with_table('filter'). \ +          with_chain('FORWARD') +      end +      it do +        is_expected.to have_rule(iptables_output_custom[1]). \ +          with_table('filter'). \ +          with_chain('OPENVPN_FORWORD_RULES') +      end +    end + +    describe service('ferm') do +      it { is_expected.to be_running } +    end + +    describe command('iptables-save') do +      its(:stdout) { is_expected.to match %r{FORWARD.*-j OPENVPN_FORWORD_RULES} } +    end +  end  end diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb index 1a6bb44..52cc88c 100644 --- a/spec/defines/chain_spec.rb +++ b/spec/defines/chain_spec.rb 
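Review bot: `describe command('iptables-save')` in the custom-chain context hard-codes the command while the vcsrepo context interpolates `#{iptables_save_cmd}`; if the plain binary is deliberate because this context uses the default install_method, a one-line comment saying so (`# default install_method: packaged ferm drives the stock iptables-save`) would keep the next reader from "fixing" it, otherwise it should use the variable. The manifest also passes `chain => 'OPENVPN_FORWORD_RULES'` identical to the resource title, and the new chain_spec example relies on the title alone, so the explicit parameter looks redundant. The unnamed `it do` examples inside `describe iptables` will report only the generated matcher description on failure; naming them, e.g. `it 'jumps from FORWARD to the custom chain' do`, makes a CI failure readable.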
@@ -70,6 +70,34 @@ describe 'ferm::chain', type: :define do          it { is_expected.to compile.and_raise_error(%r{Can only set a default policy for builtin chains}) }        end + +      context 'with custom chain FERM-DSL using content parameter' do +        let(:title) { 'FERM-DSL' } +        let :params do +          { +            content: 'mod rpfilter invert DROP;' +          } +        end + +        it { is_expected.to compile.with_all_deps } +        it { is_expected.to contain_concat__fragment('filter-FERM-DSL-config-include') } +        it do +          is_expected.to contain_concat__fragment('filter-FERM-DSL-custom-content'). \ +            with_content(%r{mod rpfilter invert DROP;}) +        end +        it do +          is_expected.not_to contain_concat__fragment('filter-FERM-DSL-policy') +        end +        it do +          is_expected.not_to contain_concat__fragment('filter-FERM-DSL-footer') +        end +        if facts[:os]['name'] == 'Debian' +          it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/filter-FERM-DSL.conf') } +        else +          it { is_expected.to contain_concat('/etc/ferm.d/chains/filter-FERM-DSL.conf') } +        end +        it { is_expected.to contain_ferm__chain('FERM-DSL') } +      end      end    end  end  | 
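Review bot: `it { is_expected.to contain_ferm__chain('FERM-DSL') }` at the end of the new context is satisfied by the define under test itself and so adds no coverage; it can be dropped. The context shows that `content` is written verbatim into `filter-FERM-DSL-custom-content` and that no policy or footer fragment is generated, but it does not pin how `content` interacts with `policy` — if the define rejects the combination, an `is_expected.to compile.and_raise_error(...)` example like the one at the top of this hunk would document that contract, and if it does not, that is worth a comment here. Minor style: `let(:title)` and `let :params do` mix two `let` call forms within one group.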
