comparison modules/firewall/spec/acceptance/purge_spec.rb @ 39:d6f2a0ee45c0 puppet-3.6

Add "Firewall" module
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 Mar 2015 20:58:03 +0000
38:a1960fb961c5 39:d6f2a0ee45c0
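--- a/modules/firewall/spec/acceptance/purge_spec.rb
+++ b/modules/firewall/spec/acceptance/purge_spec.rb
@@ -0,0 +1,239 @@
+require 'spec_helper_acceptance'
+
+describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+context('resources purge') do
+before(:all) do
+iptables_flush_all_tables
+
+shell('iptables -A INPUT -s 1.2.1.2')
+shell('iptables -A INPUT -s 1.2.1.2')
+end
+
+it 'make sure duplicate existing rules get purged' do
+
+pp = <<-EOS
+class { 'firewall': }
+resources { 'firewall':
+purge => true,
+}
+EOS
+
+apply_manifest(pp, :expect_changes => true)
+end
+
+it 'saves' do
+shell('iptables-save') do |r|
+expect(r.stdout).to_not match(/1\.2\.1\.2/)
+expect(r.stderr).to eq("")
+end
+end
+end
+
+context('ipv4 chain purge') do
+after(:all) do
+iptables_flush_all_tables
+end
+before(:each) do
+iptables_flush_all_tables
+
+shell('iptables -A INPUT -p tcp -s 1.2.1.1')
+shell('iptables -A INPUT -p udp -s 1.2.1.1')
+shell('iptables -A OUTPUT -s 1.2.1.2 -m comment --comment "010 output-1.2.1.2"')
+end
+
+it 'purges only the specified chain' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'INPUT:filter:IPv4':
+purge => true,
+}
+EOS
+
+apply_manifest(pp, :expect_changes => true)
+
+shell('iptables-save') do |r|
+expect(r.stdout).to match(/010 output-1\.2\.1\.2/)
+expect(r.stdout).to_not match(/1\.2\.1\.1/)
+expect(r.stderr).to eq("")
+end
+end
+
+it 'ignores managed rules' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'OUTPUT:filter:IPv4':
+purge => true,
+}
+firewall { '010 output-1.2.1.2':
+chain => 'OUTPUT',
+proto => 'all',
+source => '1.2.1.2',
+}
+EOS
+
+unless fact('selinux') == 'true'
+apply_manifest(pp, :catch_changes => true)
+end
+end
+
+it 'ignores specified rules' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'INPUT:filter:IPv4':
+purge => true,
+ignore => [
+'-s 1\.2\.1\.1',
+],
+}
+EOS
+
+if fact('selinux') == 'true'
+apply_manifest(pp, :catch_failures => true)
+else
+apply_manifest(pp, :catch_changes => true)
+end
+end
+
+it 'adds managed rules with ignored rules' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'INPUT:filter:IPv4':
+purge => true,
+ignore => [
+'-s 1\.2\.1\.1',
+],
+}
+firewall { '014 input-1.2.1.6':
+chain => 'INPUT',
+proto => 'all',
+source => '1.2.1.6',
+}
+-> firewall { '013 input-1.2.1.5':
+chain => 'INPUT',
+proto => 'all',
+source => '1.2.1.5',
+}
+-> firewall { '012 input-1.2.1.4':
+chain => 'INPUT',
+proto => 'all',
+source => '1.2.1.4',
+}
+-> firewall { '011 input-1.2.1.3':
+chain => 'INPUT',
+proto => 'all',
+source => '1.2.1.3',
+}
+EOS
+
+apply_manifest(pp, :catch_failures => true)
+
+expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
+end
+end
+context 'ipv6 chain purge', :unless => (fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') == '5') do
+after(:all) do
+ip6tables_flush_all_tables
+end
+before(:each) do
+ip6tables_flush_all_tables
+
+shell('ip6tables -A INPUT -p tcp -s 1::42')
+shell('ip6tables -A INPUT -p udp -s 1::42')
+shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+end
+
+it 'purges only the specified chain' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'INPUT:filter:IPv6':
+purge => true,
+}
+EOS
+
+apply_manifest(pp, :expect_changes => true)
+
+shell('ip6tables-save') do |r|
+expect(r.stdout).to match(/010 output-1::50/)
+expect(r.stdout).to_not match(/1::42/)
+expect(r.stderr).to eq("")
+end
+end
+
+it 'ignores managed rules' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'OUTPUT:filter:IPv6':
+purge => true,
+}
+firewall { '010 output-1::50':
+chain => 'OUTPUT',
+proto => 'all',
+source => '1::50',
+provider => 'ip6tables',
+}
+EOS
+
+unless fact('selinux') == 'true'
+apply_manifest(pp, :catch_changes => true)
+end
+end
+
+it 'ignores specified rules' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'INPUT:filter:IPv6':
+purge => true,
+ignore => [
+'-s 1::42',
+],
+}
+EOS
+
+if fact('selinux') == 'true'
+apply_manifest(pp, :catch_failures => true)
+else
+apply_manifest(pp, :catch_changes => true)
+end
+end
+
+it 'adds managed rules with ignored rules' do
+pp = <<-EOS
+class { 'firewall': }
+firewallchain { 'INPUT:filter:IPv6':
+purge => true,
+ignore => [
+'-s 1::42',
+],
+}
+firewall { '014 input-1::46':
+chain => 'INPUT',
+proto => 'all',
+source => '1::46',
+provider => 'ip6tables',
+}
+-> firewall { '013 input-1::45':
+chain => 'INPUT',
+proto => 'all',
+source => '1::45',
+provider => 'ip6tables',
+}
+-> firewall { '012 input-1::44':
+chain => 'INPUT',
+proto => 'all',
+source => '1::44',
+provider => 'ip6tables',
+}
+-> firewall { '011 input-1::43':
+chain => 'INPUT',
+proto => 'all',
+source => '1::43',
+provider => 'ip6tables',
+}
+EOS
+
+apply_manifest(pp, :catch_failures => true)
+
+expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
+end
+end
+end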