From 19c71d9abd269d88450f54ddb95e036c804a8fe8 Mon Sep 17 00:00:00 2001
From: Thore Bödecker
Date: Tue, 24 Sep 2019 16:35:19 +0200
Subject: disable conntrack filtering in FORWARD/OUTPUT

conntrack filtering basically doesn't work in those chains, so we need to disable it.
---
 spec/acceptance/ferm_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'spec/acceptance/ferm_spec.rb')
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index c5018da..f827dc2 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -32,7 +32,7 @@ basic_manifest = %(
 manage_configfile => true,
 manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script
 forward_policy => 'DROP',
- output_policy => 'DROP',
+ output_policy => 'ACCEPT',
 input_policy => 'DROP',
 rules => {
 'allow_acceptance_tests' => {
@@ -66,7 +66,7 @@ describe 'ferm' do
 end
 describe command('iptables-save') do
- its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT DROP.*}m }
+ its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m }
 end
 describe iptables do
-- 
cgit v1.2.3
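Review bot: With `output_policy => 'ACCEPT'` in the shared fixture, the acceptance suite no longer has a case that exercises a default-deny OUTPUT chain, so a regression in egress filtering would pass unnoticed. The manifest does not say why the policy was relaxed. A comment next to the attribute, such as `# OUTPUT is ACCEPT: conntrack rules are not generated for FORWARD/OUTPUT`, would record it, assuming that is the reason; the commit message suggests it but this file does not show it. If a DROP policy on OUTPUT is still meant to be supported, a second manifest with explicit egress rules would keep it covered. The manifest string begins before this hunk and continues past it.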
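Review bot: The new expectation `:OUTPUT ACCEPT` can be satisfied by a table other than filter. With the `m` flag every `.*` spans newlines, so the pattern may skip a `:OUTPUT DROP` line in filter and match the OUTPUT policy of a later table, where ACCEPT is the usual default. The old `DROP` expectation had the same looseness but was much harder to satisfy by accident. Anchoring the three policy lines to the table header closes the gap: `its(:stdout) { is_expected.to match %r{^\*filter\n:INPUT DROP [^\n]*\n:FORWARD DROP [^\n]*\n:OUTPUT ACCEPT } }`. This assumes iptables-save prints the built-in chains in INPUT, FORWARD, OUTPUT order directly after `*filter`, which should be confirmed on the test images.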