/ - Diff - puppet nftables - Koumbit's Redmine

Révision 01d8a819

ID	01d8a819a56fcaf14e4b7b73774a6ed4dc30635a
Parent	705bb26f
Enfant	9d7d63a6

Ajouté par tr il y a plus de 4 ans

Styling to make tests green

           context 'with dnat' do
             let(:pre_condition) do
               """
+              '
               # inet-filter-chain-ingoing
               nftables::chain{ 'ingoing':
                 inject     => '20-default_fwd',
                 inject_iif => 'eth0',
                 inject_oif => 'eth1';
               nftables::chain{ \'ingoing\':
                 inject     => \'20-default_fwd\',
                 inject_iif => \'eth0\',
                 inject_oif => \'eth1\';
+              }
               # inet-filter-chain-default_fwd
               nftables::rules::dnat4{
                 'http':
                   order => '10',
                   chain => 'ingoing',
                   daddr => '192.0.2.2',
                   port  => 'http';
                 'https':
                   order => '10',
                   chain => 'ingoing',
                   daddr => '192.0.2.2',
                   port  => 'https';
                 'http_alt':
                   order => '10',
                   chain => 'ingoing',
                   iif   => 'eth0',
                   daddr => '192.0.2.2',
                   proto => 'tcp',
                 \'http\':
                   order => \'10\',
                   chain => \'ingoing\',
                   daddr => \'192.0.2.2\',
                   port  => \'http\';
                 \'https\':
                   order => \'10\',
                   chain => \'ingoing\',
                   daddr => \'192.0.2.2\',
                   port  => \'https\';
                 \'http_alt\':
                   order => \'10\',
                   chain => \'ingoing\',
                   iif   => \'eth0\',
                   daddr => \'192.0.2.2\',
                   proto => \'tcp\',
                   port  => 8080,
                   dport => 8000;
                 'wireguard':
                   order => '10',
                   chain => 'ingoing',
                   iif   => 'eth0',
                   daddr => '192.0.2.3',
                   proto => 'udp',
                   port  => '51820';
                 \'wireguard\':
                   order => \'10\',
                   chain => \'ingoing\',
                   iif   => \'eth0\',
                   daddr => \'192.0.2.3\',
                   proto => \'udp\',
                   port  => \'51820\';
+              }
               """
+              '
             end
             it { is_expected.to compile }
             it { is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^chain default_fwd {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^  iifname eth0 oifname eth1 jump ingoing$/,
               :order   => '20',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^chain default_fwd \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^  iifname eth0 oifname eth1 jump ingoing$},
                 order:   '20',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
               :target  => 'nftables-inet-filter-chain-ingoing',
               :content => /^chain ingoing {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
               :target  => 'nftables-inet-filter-chain-ingoing',
               :content => /^  ip daddr 192.0.2.2 tcp dport http accept$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
               :target  => 'nftables-inet-filter-chain-ingoing',
               :content => /^  ip daddr 192.0.2.2 tcp dport https accept$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
               :target  => 'nftables-inet-filter-chain-ingoing',
               :content => /^  iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
               :target  => 'nftables-inet-filter-chain-ingoing',
               :content => /^  iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
               :target  => 'nftables-inet-filter-chain-ingoing',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
                 target:  'nftables-inet-filter-chain-ingoing',
                 content: %r{^chain ingoing \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
                 target:  'nftables-inet-filter-chain-ingoing',
                 content: %r{^  ip daddr 192.0.2.2 tcp dport http accept$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
                 target:  'nftables-inet-filter-chain-ingoing',
                 content: %r{^  ip daddr 192.0.2.2 tcp dport https accept$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
                 target:  'nftables-inet-filter-chain-ingoing',
                 content: %r{^  iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
                 target:  'nftables-inet-filter-chain-ingoing',
                 content: %r{^  iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
                 target:  'nftables-inet-filter-chain-ingoing',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
               :path           => '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^chain PREROUTING {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  type nat hook prerouting priority -100$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  policy accept$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  tcp dport http dnat to 192.0.2.2$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  tcp dport https dnat to 192.0.2.2$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  iifname eth0 udp dport 51820 dnat to 192.0.2.3$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path:           '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^chain PREROUTING \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  type nat hook prerouting priority -100$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  policy accept$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  tcp dport http dnat to 192.0.2.2$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  tcp dport https dnat to 192.0.2.2$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  iifname eth0 udp dport 51820 dnat to 192.0.2.3$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
           end
         end
       end

           it { is_expected.to compile }
           it { is_expected.to contain_file('/etc/nftables/puppet/inet-filter.nft').with(
             :ensure => 'file',
             :owner  => 'root',
             :group  => 'root',
             :mode   => '0640',
           )}
           it {
             is_expected.to contain_file('/etc/nftables/puppet/inet-filter.nft').with(
               ensure: 'file',
               owner:  'root',
               group:  'root',
               mode:   '0640',
+            )
+          }
           context 'chain input' do
             it { is_expected.to contain_concat('nftables-inet-filter-chain-INPUT').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-INPUT.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-header').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^chain INPUT {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-type').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^  type filter hook input priority 0$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-policy').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^  policy drop$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-lo').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^  iifname lo accept$/,
               :order   => '03',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_global').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^  jump global$/,
               :order   => '04',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^  jump default_in$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_rejected').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^  log prefix \"\[nftables\] INPUT Rejected: \" flags all counter reject with icmpx type port-unreachable$/,
               :order   => '98',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-footer').with(
               :target  => 'nftables-inet-filter-chain-INPUT',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-INPUT').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-INPUT.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-header').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^chain INPUT \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-type').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  type filter hook input priority 0$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-policy').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  policy drop$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-lo').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  iifname lo accept$},
                 order:   '03',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_global').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  jump global$},
                 order:   '04',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  jump default_in$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_rejected').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix \"\[nftables\] INPUT Rejected: \" flags all counter reject with icmpx type port-unreachable$},
                 order:   '98',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-footer').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat('nftables-inet-filter-chain-default_in').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-default_in.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-header').with(
               :target  => 'nftables-inet-filter-chain-default_in',
               :content => /^chain default_in {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-footer').with(
               :target  => 'nftables-inet-filter-chain-default_in',
               :content => /^}$/,
               :order   => '99',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-rule-ssh').with(
               :target  => 'nftables-inet-filter-chain-default_in',
               :content => /^  tcp dport \{22\} accept$/,
               :order   => '50',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_in').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-default_in.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-header').with(
                 target:  'nftables-inet-filter-chain-default_in',
                 content: %r{^chain default_in \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-footer').with(
                 target:  'nftables-inet-filter-chain-default_in',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-rule-ssh').with(
                 target:  'nftables-inet-filter-chain-default_in',
                 content: %r{^  tcp dport \{22\} accept$},
                 order:   '50',
+              )
+            }
           end
           context 'chain output' do
             it { is_expected.to contain_concat('nftables-inet-filter-chain-OUTPUT').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-OUTPUT.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-header').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^chain OUTPUT {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-type').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^  type filter hook output priority 0$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-policy').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^  policy drop$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-lo').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^  oifname lo accept$/,
               :order   => '03',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_global').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^  jump global$/,
               :order   => '04',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^  jump default_out$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_rejected').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^  log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter reject with icmpx type port-unreachable$/,
               :order   => '98',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-footer').with(
               :target  => 'nftables-inet-filter-chain-OUTPUT',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-OUTPUT').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-OUTPUT.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-header').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^chain OUTPUT \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-type').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  type filter hook output priority 0$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-policy').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  policy drop$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-lo').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  oifname lo accept$},
                 order:   '03',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_global').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  jump global$},
                 order:   '04',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  jump default_out$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_rejected').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter reject with icmpx type port-unreachable$},
                 order:   '98',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-footer').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat('nftables-inet-filter-chain-default_out').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-default_out.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-header').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^chain default_out {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-footer').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^}$/,
               :order   => '99',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^  udp dport 53 accept$/,
               :order   => '50',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^  tcp dport 53 accept$/,
               :order   => '50',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^  udp dport 123 accept$/,
               :order   => '50',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-http').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^  tcp dport 80 accept$/,
               :order   => '50',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-https').with(
               :target  => 'nftables-inet-filter-chain-default_out',
               :content => /^  tcp dport 443 accept$/,
               :order   => '50',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_out').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-default_out.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-header').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^chain default_out \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-footer').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^  udp dport 53 accept$},
                 order:   '50',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^  tcp dport 53 accept$},
                 order:   '50',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^  udp dport 123 accept$},
                 order:   '50',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-http').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^  tcp dport 80 accept$},
                 order:   '50',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-https').with(
                 target:  'nftables-inet-filter-chain-default_out',
                 content: %r{^  tcp dport 443 accept$},
                 order:   '50',
+              )
+            }
           end
           context 'chain forward' do
             it { is_expected.to contain_concat('nftables-inet-filter-chain-FORWARD').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-FORWARD.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-header').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^chain FORWARD {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-type').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^  type filter hook forward priority 0$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-policy').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^  policy drop$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_global').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^  jump global$/,
               :order   => '03',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^  jump default_fwd$/,
               :order   => '10',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_rejected').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^  log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter reject with icmpx type port-unreachable$/,
               :order   => '98',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-footer').with(
               :target  => 'nftables-inet-filter-chain-FORWARD',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-FORWARD').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-FORWARD.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-header').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^chain FORWARD \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-type').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  type filter hook forward priority 0$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-policy').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  policy drop$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_global').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  jump global$},
                 order:   '03',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  jump default_fwd$},
                 order:   '10',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_rejected').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter reject with icmpx type port-unreachable$},
                 order:   '98',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-footer').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^chain default_fwd {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^chain default_fwd \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
           end
         end
       end

           it { is_expected.to compile }
           it { is_expected.to contain_file('/etc/nftables/puppet/ip-nat.nft').with(
             :ensure => 'file',
             :owner  => 'root',
             :group  => 'root',
             :mode   => '0640',
           )}
           it {
             is_expected.to contain_file('/etc/nftables/puppet/ip-nat.nft').with(
               ensure: 'file',
               owner:  'root',
               group:  'root',
               mode:   '0640',
+            )
+          }
           context 'chain prerouting' do
             it { is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
               :path           => '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^chain PREROUTING {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  type nat hook prerouting priority -100$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  policy accept$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path:           '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^chain PREROUTING \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  type nat hook prerouting priority -100$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  policy accept$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
           end
           context 'chain output' do
             it { is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
               :path           => '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^chain POSTROUTING {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  type nat hook postrouting priority 100$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  policy accept$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-footer').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
                 path:           '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^chain POSTROUTING \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  type nat hook postrouting priority 100$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  policy accept$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
           end
         end
       end

           context 'with masquerade' do
             let(:pre_condition) do
               """
+              '
               nftables::rules::masquerade{
                 'masquerade_eth0':
                   oif => 'eth0';
                 'masquerade_eth1_vpn':
                   oif   => 'eth1',
                   saddr => '192.0.2.0/24';
                 'masquerade_ssh':
                   saddr => '192.0.2.0/24',
                   daddr => '198.51.100.2',
                   proto => 'tcp',
                   dport => '22';
                 'masquerade_ssh_gitlab':
                   saddr => '192.0.2.0/24',
                   daddr => '198.51.100.2',
                   dport => '22';
                 'masquerade_wireguard':
                   proto => 'udp',
                   dport => '51820';
                 \'masquerade_eth0\':
                   oif => \'eth0\';
                 \'masquerade_eth1_vpn\':
                   oif   => \'eth1\',
                   saddr => \'192.0.2.0/24\';
                 \'masquerade_ssh\':
                   saddr => \'192.0.2.0/24\',
                   daddr => \'198.51.100.2\',
                   proto => \'tcp\',
                   dport => \'22\';
                 \'masquerade_ssh_gitlab\':
                   saddr => \'192.0.2.0/24\',
                   daddr => \'198.51.100.2\',
                   dport => \'22\';
                 \'masquerade_wireguard\':
                   proto => \'udp\',
                   dport => \'51820\';
+              }
               """
+              '
             end
             it { is_expected.to compile }
             it { is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
               :path           => '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^chain POSTROUTING {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  type nat hook postrouting priority 100$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  policy accept$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  oifname eth0 masquerade$/,
               :order   => '70',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpn').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  oifname eth1 ip saddr 192\.0\.2\.0\/24 masquerade$/,
               :order   => '70',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$/,
               :order   => '70',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlab').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$/,
               :order   => '70',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguard').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  udp dport 51820 masquerade$/,
               :order   => '70',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-footer').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
                 path:           '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^chain POSTROUTING \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  type nat hook postrouting priority 100$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  policy accept$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  oifname eth0 masquerade$},
                 order:   '70',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpn').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  oifname eth1 ip saddr 192\.0\.2\.0\/24 masquerade$},
                 order:   '70',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
                 order:   '70',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlab').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
                 order:   '70',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguard').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^  udp dport 51820 masquerade$},
                 order:   '70',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
           end
         end
       end

           it { is_expected.to contain_package('nftables') }
           it { is_expected.to contain_file('/etc/nftables/puppet.nft').with(
             :ensure => 'file',
             :owner  => 'root',
             :group  => 'root',
             :mode   => '0640',
             :source => 'puppet:///modules/nftables/config/puppet.nft',
           )}
           it { is_expected.to contain_file('/etc/nftables/puppet').with(
             :ensure  => 'directory',
             :owner   => 'root',
             :group   => 'root',
             :mode    => '0750',
             :purge   => true,
             :force   => true,
             :recurse => true,
           )}
           it { is_expected.to contain_service('nftables').with(
             :ensure => 'running',
             :enable => true,
           )}
           it { is_expected.to contain_service('firewalld').with(
             :ensure => 'stopped',
             :enable => 'mask',
           )}
           it {
             is_expected.to contain_file('/etc/nftables/puppet.nft').with(
               ensure: 'file',
               owner:  'root',
               group:  'root',
               mode:   '0640',
               source: 'puppet:///modules/nftables/config/puppet.nft',
+            )
+          }
           it {
             is_expected.to contain_file('/etc/nftables/puppet').with(
               ensure:  'directory',
               owner:   'root',
               group:   'root',
               mode:    '0750',
               purge:   true,
               force:   true,
               recurse: true,
+            )
+          }
           it {
             is_expected.to contain_service('nftables').with(
               ensure: 'running',
               enable: true,
+            )
+          }
           it {
             is_expected.to contain_service('firewalld').with(
               ensure: 'stopped',
               enable: 'mask',
+            )
+          }
         end
       end
     end

           context 'as router' do
             let(:pre_condition) do
               """
+              '
               # inet-filter-chain-default_fwd
               nftables::rule{
                 'default_fwd-out':
                   order   => '20',
                   content => 'iifname eth1 oifname eth0 accept';
                 'default_fwd-drop':
                   order   => '90',
                   content => 'iifname eth0 drop';
                 \'default_fwd-out\':
                   order   => \'20\',
                   content => \'iifname eth1 oifname eth0 accept\';
                 \'default_fwd-drop\':
                   order   => \'90\',
                   content => \'iifname eth0 drop\';
+              }
               nftables::rules::masquerade{
                 'masquerade':
                   order => '20',
                   oif   => 'eth0';
                 \'masquerade\':
                   order => \'20\',
                   oif   => \'eth0\';
+              }
               """
+              '
             end
             it { is_expected.to compile }
             it { is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
               :path           => '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^chain default_fwd {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-out').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^  iifname eth1 oifname eth0 accept$/,
               :order   => '20',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-drop').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^  iifname eth0 drop$/,
               :order   => '90',
             )}
             it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
               :target  => 'nftables-inet-filter-chain-default_fwd',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path:           '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^chain default_fwd \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-out').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^  iifname eth1 oifname eth0 accept$},
                 order:   '20',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-drop').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^  iifname eth0 drop$},
                 order:   '90',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
               :path           => '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^chain PREROUTING {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  type nat hook prerouting priority -100$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^  policy accept$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
               :target  => 'nftables-ip-nat-chain-PREROUTING',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path:           '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^chain PREROUTING \{$},
                 order:   '00',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  type nat hook prerouting priority -100$},
                 order:   '01',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  policy accept$},
                 order:   '02',
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^\}$},
                 order:   '99',
+              )
+            }
             it { is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
               :path           => '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',
               :owner          => 'root',
               :group          => 'root',
               :mode           => '0640',
               :ensure_newline => true,
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^chain POSTROUTING {$/,
               :order   => '00',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  type nat hook postrouting priority 100$/,
               :order   => '01',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  policy accept$/,
               :order   => '02',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^  oifname eth0 masquerade$/,
               :order   => '20',
             )}
             it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-footer').with(
               :target  => 'nftables-ip-nat-chain-POSTROUTING',
               :content => /^}$/,
               :order   => '99',
             )}
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
                 path:           '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
                 ensure_newline: true,
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',

... Ce différentiel a été tronqué car il excède la taille maximale pouvant être affichée.

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision 01d8a819