From cd38691675da20ff4f38f18b2505955694ea56e4 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Wed, 15 Apr 2020 09:57:09 +0200 Subject: make dropping of pakets marked as invalid optional --- spec/acceptance/ferm_spec.rb | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) (limited to 'spec/acceptance') diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb index f827dc2..0dd2399 100644 --- a/spec/acceptance/ferm_spec.rb +++ b/spec/acceptance/ferm_spec.rb @@ -67,6 +67,7 @@ describe 'ferm' do describe command('iptables-save') do its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m } + its(:stdout) { is_expected.not_to match %r{state INVALID -j DROP} } end describe iptables do @@ -122,5 +123,43 @@ describe 'ferm' do end end end + + context 'with dropping INVALID pakets' do + pp2 = %( + class { 'ferm': + manage_service => true, + manage_configfile => true, + manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script + forward_policy => 'DROP', + output_policy => 'ACCEPT', + input_policy => 'DROP', + input_drop_invalid_packets_with_conntrack => true, + rules => { + 'allow_acceptance_tests' => { + chain => 'INPUT', + action => 'ACCEPT', + proto => tcp, + dport => 22, + }, + }, + ip_versions => ['ip'], #only ipv4 available with CI + } + ) + + it 'works with no error' do + apply_manifest(pp2, catch_failures: true) + end + it 'works idempotently' do + apply_manifest(pp2, catch_changes: true) + end + + describe service('ferm') do + it { is_expected.to be_running } + end + + describe command('iptables-save') do + its(:stdout) { is_expected.to match %r{INPUT.*state INVALID -j DROP} } + end + end end end -- cgit v1.2.3