|
39
|
1 require 'spec_helper_acceptance'
|
|
|
2
|
|
|
3 describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
|
|
|
4 context('resources purge') do
|
|
|
5 before(:all) do
|
|
|
6 iptables_flush_all_tables
|
|
|
7
|
|
|
8 shell('iptables -A INPUT -s 1.2.1.2')
|
|
|
9 shell('iptables -A INPUT -s 1.2.1.2')
|
|
|
10 end
|
|
|
11
|
|
|
12 it 'make sure duplicate existing rules get purged' do
|
|
|
13
|
|
|
14 pp = <<-EOS
|
|
|
15 class { 'firewall': }
|
|
|
16 resources { 'firewall':
|
|
|
17 purge => true,
|
|
|
18 }
|
|
|
19 EOS
|
|
|
20
|
|
|
21 apply_manifest(pp, :expect_changes => true)
|
|
|
22 end
|
|
|
23
|
|
|
24 it 'saves' do
|
|
|
25 shell('iptables-save') do |r|
|
|
|
26 expect(r.stdout).to_not match(/1\.2\.1\.2/)
|
|
|
27 expect(r.stderr).to eq("")
|
|
|
28 end
|
|
|
29 end
|
|
|
30 end
|
|
|
31
|
|
|
32 context('ipv4 chain purge') do
|
|
|
33 after(:all) do
|
|
|
34 iptables_flush_all_tables
|
|
|
35 end
|
|
|
36 before(:each) do
|
|
|
37 iptables_flush_all_tables
|
|
|
38
|
|
|
39 shell('iptables -A INPUT -p tcp -s 1.2.1.1')
|
|
|
40 shell('iptables -A INPUT -p udp -s 1.2.1.1')
|
|
|
41 shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
|
|
|
42 end
|
|
|
43
|
|
|
44 it 'purges only the specified chain' do
|
|
|
45 pp = <<-EOS
|
|
|
46 class { 'firewall': }
|
|
|
47 firewallchain { 'INPUT:filter:IPv4':
|
|
|
48 purge => true,
|
|
|
49 }
|
|
|
50 EOS
|
|
|
51
|
|
|
52 apply_manifest(pp, :expect_changes => true)
|
|
|
53
|
|
|
54 shell('iptables-save') do |r|
|
|
|
55 expect(r.stdout).to match(/010 output-1\.2\.1\.2/)
|
|
|
56 expect(r.stdout).to_not match(/1\.2\.1\.1/)
|
|
|
57 expect(r.stderr).to eq("")
|
|
|
58 end
|
|
|
59 end
|
|
|
60
|
|
|
61 it 'ignores managed rules' do
|
|
|
62 pp = <<-EOS
|
|
|
63 class { 'firewall': }
|
|
|
64 firewallchain { 'OUTPUT:filter:IPv4':
|
|
|
65 purge => true,
|
|
|
66 }
|
|
|
67 firewall { '010 output-1.2.1.2':
|
|
|
68 chain => 'OUTPUT',
|
|
|
69 proto => 'all',
|
|
|
70 source => '1.2.1.2',
|
|
|
71 }
|
|
|
72 EOS
|
|
|
73
|
|
|
74 unless fact('selinux') == 'true'
|
|
|
75 apply_manifest(pp, :catch_changes => true)
|
|
|
76 end
|
|
|
77 end
|
|
|
78
|
|
|
79 it 'ignores specified rules' do
|
|
|
80 pp = <<-EOS
|
|
|
81 class { 'firewall': }
|
|
|
82 firewallchain { 'INPUT:filter:IPv4':
|
|
|
83 purge => true,
|
|
|
84 ignore => [
|
|
|
85 '-s 1\.2\.1\.1',
|
|
|
86 ],
|
|
|
87 }
|
|
|
88 EOS
|
|
|
89
|
|
|
90 if fact('selinux') == 'true'
|
|
|
91 apply_manifest(pp, :catch_failures => true)
|
|
|
92 else
|
|
|
93 apply_manifest(pp, :catch_changes => true)
|
|
|
94 end
|
|
|
95 end
|
|
|
96
|
|
|
97 it 'adds managed rules with ignored rules' do
|
|
|
98 pp = <<-EOS
|
|
|
99 class { 'firewall': }
|
|
|
100 firewallchain { 'INPUT:filter:IPv4':
|
|
|
101 purge => true,
|
|
|
102 ignore => [
|
|
|
103 '-s 1\.2\.1\.1',
|
|
|
104 ],
|
|
|
105 }
|
|
|
106 firewall { '014 input-1.2.1.6':
|
|
|
107 chain => 'INPUT',
|
|
|
108 proto => 'all',
|
|
|
109 source => '1.2.1.6',
|
|
|
110 }
|
|
|
111 -> firewall { '013 input-1.2.1.5':
|
|
|
112 chain => 'INPUT',
|
|
|
113 proto => 'all',
|
|
|
114 source => '1.2.1.5',
|
|
|
115 }
|
|
|
116 -> firewall { '012 input-1.2.1.4':
|
|
|
117 chain => 'INPUT',
|
|
|
118 proto => 'all',
|
|
|
119 source => '1.2.1.4',
|
|
|
120 }
|
|
|
121 -> firewall { '011 input-1.2.1.3':
|
|
|
122 chain => 'INPUT',
|
|
|
123 proto => 'all',
|
|
|
124 source => '1.2.1.3',
|
|
|
125 }
|
|
|
126 EOS
|
|
|
127
|
|
|
128 apply_manifest(pp, :catch_failures => true)
|
|
|
129
|
|
|
130 expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
|
|
|
131 end
|
|
|
132 end
|
|
|
133 context 'ipv6 chain purge', :unless => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') do
|
|
|
134 after(:all) do
|
|
|
135 ip6tables_flush_all_tables
|
|
|
136 end
|
|
|
137 before(:each) do
|
|
|
138 ip6tables_flush_all_tables
|
|
|
139
|
|
|
140 shell('ip6tables -A INPUT -p tcp -s 1::42')
|
|
|
141 shell('ip6tables -A INPUT -p udp -s 1::42')
|
|
|
142 shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
|
|
|
143 end
|
|
|
144
|
|
|
145 it 'purges only the specified chain' do
|
|
|
146 pp = <<-EOS
|
|
|
147 class { 'firewall': }
|
|
|
148 firewallchain { 'INPUT:filter:IPv6':
|
|
|
149 purge => true,
|
|
|
150 }
|
|
|
151 EOS
|
|
|
152
|
|
|
153 apply_manifest(pp, :expect_changes => true)
|
|
|
154
|
|
|
155 shell('ip6tables-save') do |r|
|
|
|
156 expect(r.stdout).to match(/010 output-1::50/)
|
|
|
157 expect(r.stdout).to_not match(/1::42/)
|
|
|
158 expect(r.stderr).to eq("")
|
|
|
159 end
|
|
|
160 end
|
|
|
161
|
|
|
162 it 'ignores managed rules' do
|
|
|
163 pp = <<-EOS
|
|
|
164 class { 'firewall': }
|
|
|
165 firewallchain { 'OUTPUT:filter:IPv6':
|
|
|
166 purge => true,
|
|
|
167 }
|
|
|
168 firewall { '010 output-1::50':
|
|
|
169 chain => 'OUTPUT',
|
|
|
170 proto => 'all',
|
|
|
171 source => '1::50',
|
|
|
172 provider => 'ip6tables',
|
|
|
173 }
|
|
|
174 EOS
|
|
|
175
|
|
|
176 unless fact('selinux') == 'true'
|
|
|
177 apply_manifest(pp, :catch_changes => true)
|
|
|
178 end
|
|
|
179 end
|
|
|
180
|
|
|
181 it 'ignores specified rules' do
|
|
|
182 pp = <<-EOS
|
|
|
183 class { 'firewall': }
|
|
|
184 firewallchain { 'INPUT:filter:IPv6':
|
|
|
185 purge => true,
|
|
|
186 ignore => [
|
|
|
187 '-s 1::42',
|
|
|
188 ],
|
|
|
189 }
|
|
|
190 EOS
|
|
|
191
|
|
|
192 if fact('selinux') == 'true'
|
|
|
193 apply_manifest(pp, :catch_failures => true)
|
|
|
194 else
|
|
|
195 apply_manifest(pp, :catch_changes => true)
|
|
|
196 end
|
|
|
197 end
|
|
|
198
|
|
|
199 it 'adds managed rules with ignored rules' do
|
|
|
200 pp = <<-EOS
|
|
|
201 class { 'firewall': }
|
|
|
202 firewallchain { 'INPUT:filter:IPv6':
|
|
|
203 purge => true,
|
|
|
204 ignore => [
|
|
|
205 '-s 1::42',
|
|
|
206 ],
|
|
|
207 }
|
|
|
208 firewall { '014 input-1::46':
|
|
|
209 chain => 'INPUT',
|
|
|
210 proto => 'all',
|
|
|
211 source => '1::46',
|
|
|
212 provider => 'ip6tables',
|
|
|
213 }
|
|
|
214 -> firewall { '013 input-1::45':
|
|
|
215 chain => 'INPUT',
|
|
|
216 proto => 'all',
|
|
|
217 source => '1::45',
|
|
|
218 provider => 'ip6tables',
|
|
|
219 }
|
|
|
220 -> firewall { '012 input-1::44':
|
|
|
221 chain => 'INPUT',
|
|
|
222 proto => 'all',
|
|
|
223 source => '1::44',
|
|
|
224 provider => 'ip6tables',
|
|
|
225 }
|
|
|
226 -> firewall { '011 input-1::43':
|
|
|
227 chain => 'INPUT',
|
|
|
228 proto => 'all',
|
|
|
229 source => '1::43',
|
|
|
230 provider => 'ip6tables',
|
|
|
231 }
|
|
|
232 EOS
|
|
|
233
|
|
|
234 apply_manifest(pp, :catch_failures => true)
|
|
|
235
|
|
|
236 expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
|
|
|
237 end
|
|
|
238 end
|
|
|
239 end
|
