From 3117ba0822e5472b9aa2a3e6e6ef4c43ea4c6565 Mon Sep 17 00:00:00 2001
From: Thore Bödecker
Date: Fri, 13 Sep 2019 12:15:19 +0200
Subject: fix kernel incompatibilities Certain kernel modules and thus iptables functionality was introduced at later releases, so we need to properly reflect that in our default chain initialization procedure. `INPUT` chain for `nat` table was introduced with 2.6.36 `ip6table_nat` kernel module for NAT functionality with IPv6 was introduced with 3.17 This commit implements the required conditional constraints and includes the rspec tests to validate it.
---
 spec/classes/ferm_spec.rb | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)
(limited to 'spec/classes')
diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb
index 3257fca..d400a7b 100644
--- a/spec/classes/ferm_spec.rb
+++ b/spec/classes/ferm_spec.rb
@@ -67,7 +67,11 @@ describe 'ferm' do
 it { is_expected.to contain_concat__fragment('raw-PREROUTING-config-include') }
 it { is_expected.to contain_concat__fragment('raw-OUTPUT-config-include') }
 it { is_expected.to contain_concat__fragment('nat-PREROUTING-config-include') }
- it { is_expected.to contain_concat__fragment('nat-INPUT-config-include') }
+ if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+ it { is_expected.to contain_concat__fragment('nat-INPUT-config-include') }
+ else
+ it { is_expected.not_to contain_concat__fragment('nat-INPUT-config-include') }
+ end
 it { is_expected.to contain_concat__fragment('nat-OUTPUT-config-include') }
 it { is_expected.to contain_concat__fragment('nat-POSTROUTING-config-include') }
 it { is_expected.to contain_concat__fragment('mangle-PREROUTING-config-include') }
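Review bot: The `if` added around `nat-INPUT-config-include` calls `Gem::Version.new(facts[:kernelversion])` while the example group is being defined, not inside an example, and the same expression is repeated in the four later hunks (`nat-INPUT-policy`, both `nat-INPUT.conf` concat paths, `contain_ferm__chain('nat-INPUT')`). A factset whose `kernelversion` is absent or not a plain dotted version would presumably raise at that point and abort loading of the spec file rather than fail a single example. Computing the condition once near the top of the context, e.g. `nat_input_supported = Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36') # nat/INPUT exists from kernel 2.6.36 on`, keeps the threshold in one place and gives the five branches a readable name. The enclosing context begins outside this hunk, so where `facts` comes from is not visible here.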
@@ -91,7 +95,11 @@ describe 'ferm' do
 it { is_expected.to contain_concat__fragment('raw-PREROUTING-policy') }
 it { is_expected.to contain_concat__fragment('raw-OUTPUT-policy') }
 it { is_expected.to contain_concat__fragment('nat-PREROUTING-policy') }
- it { is_expected.to contain_concat__fragment('nat-INPUT-policy') }
+ if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+ it { is_expected.to contain_concat__fragment('nat-INPUT-policy') }
+ else
+ it { is_expected.not_to contain_concat__fragment('nat-INPUT-policy') }
+ end
 it { is_expected.to contain_concat__fragment('nat-OUTPUT-policy') }
 it { is_expected.to contain_concat__fragment('nat-POSTROUTING-policy') }
 it { is_expected.to contain_concat__fragment('mangle-PREROUTING-policy') }
@@ -106,7 +114,11 @@ describe 'ferm' do
 it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/raw-PREROUTING.conf') }
 it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/raw-OUTPUT.conf') }
 it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-PREROUTING.conf') }
- it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+ if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+ else
+ it { is_expected.not_to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+ end
 it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-OUTPUT.conf') }
 it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-POSTROUTING.conf') }
 it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-PREROUTING.conf') }
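Review bot: The `else` branch asserting that `nat-INPUT-policy` is absent only becomes an example when one of the tested factsets reports a kernel older than 2.6.36; if none does, the negative case this commit introduces is never executed. A ruleset that names a chain the running kernel lacks would likely fail to load, so this is the branch that most needs a guaranteed run. A dedicated context that pins the fact, for example `let(:facts) { facts.merge(kernelversion: '2.6.32') }` (constructed value) with the `not_to` expectations written out explicitly, would cover it whatever the platform list contains. The same applies to the `if`/`else` pairs in the other four hunks.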
@@ -121,7 +133,11 @@ describe 'ferm' do
 it { is_expected.to contain_concat('/etc/ferm.d/chains/raw-PREROUTING.conf') }
 it { is_expected.to contain_concat('/etc/ferm.d/chains/raw-OUTPUT.conf') }
 it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-PREROUTING.conf') }
- it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+ if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+ else
+ it { is_expected.not_to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+ end
 it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-OUTPUT.conf') }
 it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-POSTROUTING.conf') }
 it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-PREROUTING.conf') }
@@ -136,7 +152,11 @@ describe 'ferm' do
 it { is_expected.to contain_ferm__chain('raw-PREROUTING') }
 it { is_expected.to contain_ferm__chain('raw-OUTPUT') }
 it { is_expected.to contain_ferm__chain('nat-PREROUTING') }
- it { is_expected.to contain_ferm__chain('nat-INPUT') }
+ if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+ it { is_expected.to contain_ferm__chain('nat-INPUT') }
+ else
+ it { is_expected.not_to contain_ferm__chain('nat-INPUT') }
+ end
 it { is_expected.to contain_ferm__chain('nat-OUTPUT') }
 it { is_expected.to contain_ferm__chain('nat-POSTROUTING') }
 it { is_expected.to contain_ferm__chain('mangle-PREROUTING') }
--
cgit v1.2.3
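Review bot: Nothing in this file asserts the second threshold named in the commit message: the chain expectations around `contain_ferm__chain('nat-INPUT')` in the last hunk are gated on 2.6.36 only, and no example checks how IPv6 `nat` chains are handled on kernels below 3.17. This view is limited to `spec/classes`, so that test may exist elsewhere in the commit. If it does not, a matching `is_expected.to` / `is_expected.not_to` pair for the IPv6 `nat` resources, gated on `Gem::Version.new('3.17')`, belongs next to these expectations, so that a regression in that condition is caught by the suite rather than on a host whose ruleset fails to load.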