Révision 0b7bcb5d

ID0b7bcb5de9fe26c617dda5ba3e1c8e9310296a24
Parent 0e7fe75e
Enfant 069c9fd2

Ajouté par mh il y a plus de 2 ans

Align filemode on RedHat to distro default

The RPM actually ships the configuration and directory with
0600/0700 while this module sets the mode to 0640/0750.

However, this has the drawback that on new nftables RPM versions,
we are setting it back to the module's mode and triggering an nft
validate.

data/common.yaml
1 1
---
2

  
2
nftables::default_config_mode: '0640'
3 3
nftables::configuration_path: '/etc/sysconfig/nftables.conf'
data/os/RedHat.yaml
1 1
---
2 2
nftables::nft_path: /usr/sbin/nft
3 3
nftables::echo: /usr/bin/echo
4
nftables::default_config_mode: '0600'
manifests/chain.pp
15 15
      path           => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
16 16
      owner          => root,
17 17
      group          => root,
18
      mode           => '0640',
18
      mode           => $nftables::default_config_mode,
19 19
      ensure_newline => true,
20 20
      require        => Package['nftables'],
21 21
  } ~> Exec['nft validate'] -> file {
......
24 24
      source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
25 25
      owner  => root,
26 26
      group  => root,
27
      mode   => '0640',
27
      mode   => $nftables::default_config_mode,
28 28
  } ~> Service['nftables']
29 29

  
30 30
  concat::fragment {
manifests/config.pp
19 19
      ensure_newline => true,
20 20
      owner          => root,
21 21
      group          => root,
22
      mode           => '0640',
22
      mode           => $nftables::default_config_mode,
23 23
  } ~> Exec['nft validate'] -> file {
24 24
    "/etc/nftables/puppet/${prefix}${name}.nft":
25 25
      ensure => file,
26 26
      source => "/etc/nftables/puppet-preflight/${prefix}${name}.nft",
27 27
      owner  => root,
28 28
      group  => root,
29
      mode   => '0640',
29
      mode   => $nftables::default_config_mode,
30 30
  } ~> Service['nftables']
31 31

  
32 32
  $data = split($name, '-')
manifests/file.pp
30 30
    ensure  => file,
31 31
    owner   => root,
32 32
    group   => root,
33
    mode    => '0640',
33
    mode    => $nftables::default_config_mode,
34 34
    content => $content,
35 35
    source  => $source,
36 36
  } ~> Exec['nft validate'] -> file { "/etc/nftables/puppet/${prefix}${label}.nft":
37 37
    ensure  => file,
38 38
    owner   => root,
39 39
    group   => root,
40
    mode    => '0640',
40
    mode    => $nftables::default_config_mode,
41 41
    content => $content,
42 42
    source  => $source,
43 43
  } ~> Service['nftables']
manifests/init.pp
96 96
# @param echo
97 97
#   Path to the echo binary
98 98
#
99
# @param default_config_mode
100
#   The default file & dir mode for configuration files and directories. The
101
#   default varies depending on the system, and is set in the module's data.
102
#
99 103
class nftables (
100 104
  Boolean $in_ssh = true,
101 105
  Boolean $in_icmp = true,
......
120 124
  Stdlib::Unixpath $echo,
121 125
  Stdlib::Unixpath $configuration_path,
122 126
  Stdlib::Unixpath $nft_path,
127
  Stdlib::Filemode $default_config_mode,
123 128
) {
124 129
  package { 'nftables':
125 130
    ensure => installed,
......
132 137
    default:
133 138
      owner => 'root',
134 139
      group => 'root',
135
      mode  => '0640';
140
      mode  => $default_config_mode;
136 141
    '/etc/nftables':
137 142
      ensure => directory,
138
      mode   => '0750';
143
      mode   => $default_config_mode;
139 144
    '/etc/nftables/puppet-preflight':
140 145
      ensure  => directory,
141
      mode    => '0750',
146
      mode    => $default_config_mode,
142 147
      purge   => true,
143 148
      force   => true,
144 149
      recurse => true;
......
158 163
    default:
159 164
      owner => 'root',
160 165
      group => 'root',
161
      mode  => '0640';
166
      mode  => $default_config_mode;
162 167
    '/etc/nftables/puppet.nft':
163 168
      ensure  => file,
164 169
      content => epp('nftables/config/puppet.nft.epp', {
......
169 174
      );
170 175
    '/etc/nftables/puppet':
171 176
      ensure  => directory,
172
      mode    => '0750',
177
      mode    => $default_config_mode,
173 178
      purge   => true,
174 179
      force   => true,
175 180
      recurse => true;
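Review bot: `$default_config_mode` is applied to the directory resources at new lines 143, 146 and 177 as well as to files, although the commit message describes separate file/dir defaults (0600/0700 replacing 0640/0750). This works only because Puppet sets the search (execute) bit on directories wherever the read bit is set, so '0640' yields 0750 and '0600' yields 0700 on disk; that behaviour is easy to miss when reading `mode => $default_config_mode` on a directory. The parameter docs at new lines 100-101 should say so, e.g. `#   Directories receive the same value; Puppet adds the execute bit wherever the read bit is set.` If a distinct directory mode is ever needed, a separate parameter (for example a `default_dir_mode`) would make the intent explicit rather than relying on that implicit widening. The `class nftables` body continues outside the hunks shown.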
spec/classes/dnat4_spec.rb
9 9
    context "on #{os}" do
10 10
      let(:facts) { os_facts }
11 11

  
12
      nft_mode = case os_facts[:os]['family']
13
                 when 'RedHat'
14
                   '0600'
15
                 else
16
                   '0640'
17
                 end
18

  
12 19
      context 'with dnat' do
13 20
        let(:pre_condition) do
14 21
          '
......
57 64
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
58 65
            owner: 'root',
59 66
            group: 'root',
60
            mode: '0640',
67
            mode: nft_mode,
61 68
            ensure_newline: true
62 69
          )
63 70
        }
......
139 146
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
140 147
            owner: 'root',
141 148
            group: 'root',
142
            mode: '0640',
149
            mode: nft_mode,
143 150
            ensure_newline: true
144 151
          )
145 152
        }
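Review bot: The `nft_mode = case os_facts[:os]['family'] ... end` block added at new lines 12-17 is copied verbatim into every spec touched by this commit (inet_filter_spec, ip_nat_spec, masquerade_spec, nftables_spec, router_spec, snat4_spec, and with `facts` in chain_spec and config_spec), so a future change to the RedHat default has to be made in nine places. A single helper in `spec/spec_helper.rb`, e.g. `def expected_nft_mode(facts) = facts[:os]['family'] == 'RedHat' ? '0600' : '0640'`, would let each spec write `nft_mode = expected_nft_mode(os_facts)` and keep the expectation in one place. Mirroring the value in the specs rather than reading `data/` is reasonable, since it pins the intended default independently of the Hiera lookup. Note also that the assignment is a plain local inside the `context` block, so it is evaluated at example-group definition time, which is consistent with how `os_facts` is already used there.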
spec/classes/inet_filter_spec.rb
9 9
    context "on #{os}" do
10 10
      let(:facts) { os_facts }
11 11

  
12
      it { is_expected.to compile }
12
      nft_mode = case os_facts[:os]['family']
13
                 when 'RedHat'
14
                   '0600'
15
                 else
16
                   '0640'
17
                 end
13 18

  
14 19
      it {
15 20
        expect(subject).to contain_concat('nftables-inet-filter').with(
......
17 22
          ensure: 'present',
18 23
          owner: 'root',
19 24
          group: 'root',
20
          mode: '0640'
25
          mode: nft_mode
21 26
        )
22 27
      }
23 28

  
......
50 55
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-INPUT.nft',
51 56
            owner: 'root',
52 57
            group: 'root',
53
            mode: '0640',
58
            mode: nft_mode,
54 59
            ensure_newline: true
55 60
          )
56 61
        }
......
132 137
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_in.nft',
133 138
            owner: 'root',
134 139
            group: 'root',
135
            mode: '0640',
140
            mode: nft_mode,
136 141
            ensure_newline: true
137 142
          )
138 143
        }
......
172 177
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-OUTPUT.nft',
173 178
            owner: 'root',
174 179
            group: 'root',
175
            mode: '0640',
180
            mode: nft_mode,
176 181
            ensure_newline: true
177 182
          )
178 183
        }
......
254 259
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_out.nft',
255 260
            owner: 'root',
256 261
            group: 'root',
257
            mode: '0640',
262
            mode: nft_mode,
258 263
            ensure_newline: true
259 264
          )
260 265
        }
......
326 331
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-FORWARD.nft',
327 332
            owner: 'root',
328 333
            group: 'root',
329
            mode: '0640',
334
            mode: nft_mode,
330 335
            ensure_newline: true
331 336
          )
332 337
        }
......
404 409
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
405 410
            owner: 'root',
406 411
            group: 'root',
407
            mode: '0640',
412
            mode: nft_mode,
408 413
            ensure_newline: true
409 414
          )
410 415
        }
......
432 437
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-global.nft',
433 438
            owner: 'root',
434 439
            group: 'root',
435
            mode: '0640',
440
            mode: nft_mode,
436 441
            ensure_newline: true
437 442
          )
438 443
        }
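Review bot: The `it { is_expected.to compile }` example at old line 12 appears to have been removed rather than moved: new lines 12-17 hold the `nft_mode` case statement, new 18 is blank and new 19 is the `it {` of the concat expectation, with no line re-adding the compile check. Every other spec in this commit (for example ip_nat_spec) keeps its compile example as a context line, so this looks like an accidental deletion; restoring `it { is_expected.to compile }` after the new blank line 18 would keep the catalog-compilation check for inet_filter. The surrounding `context "on #{os}"` block continues outside the hunk.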
spec/classes/ip_nat_spec.rb
9 9
    context "on #{os}" do
10 10
      let(:facts) { os_facts }
11 11

  
12
      nft_mode = case os_facts[:os]['family']
13
                 when 'RedHat'
14
                   '0600'
15
                 else
16
                   '0640'
17
                 end
18

  
12 19
      it { is_expected.to compile }
13 20

  
14 21
      it {
......
17 24
          ensure: 'present',
18 25
          owner: 'root',
19 26
          group: 'root',
20
          mode: '0640'
27
          mode: nft_mode
21 28
        )
22 29
      }
23 30

  
......
51 58
          ensure: 'present',
52 59
          owner: 'root',
53 60
          group: 'root',
54
          mode: '0640'
61
          mode: nft_mode
55 62
        )
56 63
      }
57 64

  
......
85 92
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
86 93
            owner: 'root',
87 94
            group: 'root',
88
            mode: '0640',
95
            mode: nft_mode,
89 96
            ensure_newline: true
90 97
          )
91 98
        }
......
129 136
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
130 137
            owner: 'root',
131 138
            group: 'root',
132
            mode: '0640',
139
            mode: nft_mode,
133 140
            ensure_newline: true
134 141
          )
135 142
        }
......
173 180
            path: '/etc/nftables/puppet-preflight/ip6-nat-chain-PREROUTING6.nft',
174 181
            owner: 'root',
175 182
            group: 'root',
176
            mode: '0640',
183
            mode: nft_mode,
177 184
            ensure_newline: true
178 185
          )
179 186
        }
......
217 224
            path: '/etc/nftables/puppet-preflight/ip6-nat-chain-POSTROUTING6.nft',
218 225
            owner: 'root',
219 226
            group: 'root',
220
            mode: '0640',
227
            mode: nft_mode,
221 228
            ensure_newline: true
222 229
          )
223 230
        }
......
270 277
            ensure: 'present',
271 278
            owner: 'root',
272 279
            group: 'root',
273
            mode: '0640'
280
            mode: nft_mode
274 281
          )
275 282
        }
276 283
      end
spec/classes/masquerade_spec.rb
9 9
    context "on #{os}" do
10 10
      let(:facts) { os_facts }
11 11

  
12
      nft_mode = case os_facts[:os]['family']
13
                 when 'RedHat'
14
                   '0600'
15
                 else
16
                   '0640'
17
                 end
18

  
12 19
      context 'with masquerade' do
13 20
        let(:pre_condition) do
14 21
          '
......
41 48
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
42 49
            owner: 'root',
43 50
            group: 'root',
44
            mode: '0640',
51
            mode: nft_mode,
45 52
            ensure_newline: true
46 53
          )
47 54
        }
spec/classes/nftables_spec.rb
22 22
                     '/etc/nftables.conf'
23 23
                   end
24 24

  
25
      nft_mode = case os_facts[:os]['family']
26
                 when 'RedHat'
27
                   '0600'
28
                 else
29
                   '0640'
30
                 end
31

  
25 32
      it { is_expected.to compile.with_all_deps }
26 33

  
27 34
      it { is_expected.to contain_package('nftables') }
......
31 38
          ensure: 'directory',
32 39
          owner: 'root',
33 40
          group: 'root',
34
          mode: '0750'
41
          mode: nft_mode
35 42
        )
36 43
      }
37 44

  
......
40 47
          ensure: 'file',
41 48
          owner: 'root',
42 49
          group: 'root',
43
          mode: '0640',
50
          mode: nft_mode,
44 51
          content: %r{flush ruleset}
45 52
        )
46 53
      }
......
56 63
          ensure: 'directory',
57 64
          owner: 'root',
58 65
          group: 'root',
59
          mode: '0750',
66
          mode: nft_mode,
60 67
          purge: true,
61 68
          force: true,
62 69
          recurse: true
......
68 75
          ensure: 'file',
69 76
          owner: 'root',
70 77
          group: 'root',
71
          mode: '0640',
78
          mode: nft_mode,
72 79
          content: %r{flush ruleset}
73 80
        )
74 81
      }
......
84 91
          ensure: 'directory',
85 92
          owner: 'root',
86 93
          group: 'root',
87
          mode: '0750',
94
          mode: nft_mode,
88 95
          purge: true,
89 96
          force: true,
90 97
          recurse: true
spec/classes/router_spec.rb
9 9
    context "on #{os}" do
10 10
      let(:facts) { os_facts }
11 11

  
12
      nft_mode = case os_facts[:os]['family']
13
                 when 'RedHat'
14
                   '0600'
15
                 else
16
                   '0640'
17
                 end
18

  
12 19
      context 'as router' do
13 20
        let(:pre_condition) do
14 21
          '
......
37 44
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
38 45
            owner: 'root',
39 46
            group: 'root',
40
            mode: '0640',
47
            mode: nft_mode,
41 48
            ensure_newline: true
42 49
          )
43 50
        }
......
79 86
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
80 87
            owner: 'root',
81 88
            group: 'root',
82
            mode: '0640',
89
            mode: nft_mode,
83 90
            ensure_newline: true
84 91
          )
85 92
        }
......
121 128
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
122 129
            owner: 'root',
123 130
            group: 'root',
124
            mode: '0640',
131
            mode: nft_mode,
125 132
            ensure_newline: true
126 133
          )
127 134
        }
spec/classes/snat4_spec.rb
9 9
    context "on #{os}" do
10 10
      let(:facts) { os_facts }
11 11

  
12
      nft_mode = case os_facts[:os]['family']
13
                 when 'RedHat'
14
                   '0600'
15
                 else
16
                   '0640'
17
                 end
18

  
12 19
      context 'with snat4' do
13 20
        let(:pre_condition) do
14 21
          '
......
42 49
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
43 50
            owner: 'root',
44 51
            group: 'root',
45
            mode: '0640',
52
            mode: nft_mode,
46 53
            ensure_newline: true
47 54
          )
48 55
        }
spec/defines/chain_spec.rb
12 12
        facts
13 13
      end
14 14

  
15
      nft_mode = case facts[:os]['family']
16
                 when 'RedHat'
17
                   '0600'
18
                 else
19
                   '0640'
20
                 end
21

  
15 22
      it { is_expected.to compile }
16 23

  
17 24
      it { is_expected.to contain_concat('nftables-inet-filter-chain-MYCHAIN').that_notifies('Exec[nft validate]') }
......
23 30
          path: '/etc/nftables/puppet-preflight/inet-filter-chain-MYCHAIN.nft',
24 31
          owner: 'root',
25 32
          group: 'root',
26
          mode: '0640',
33
          mode: nft_mode,
27 34
          ensure_newline: true
28 35
        )
29 36
      }
......
32 39
        expect(subject).to contain_file('/etc/nftables/puppet/inet-filter-chain-MYCHAIN.nft').with(
33 40
          ensure: 'file',
34 41
          source: '/etc/nftables/puppet-preflight/inet-filter-chain-MYCHAIN.nft',
35
          mode: '0640',
42
          mode: nft_mode,
36 43
          owner: 'root',
37 44
          group: 'root'
38 45
        )
......
66 73
            path: '/etc/nftables/puppet-preflight/ip6-foo-chain-MYCHAIN.nft',
67 74
            owner: 'root',
68 75
            group: 'root',
69
            mode: '0640',
76
            mode: nft_mode,
70 77
            ensure_newline: true
71 78
          )
72 79
        }
......
75 82
          expect(subject).to contain_file('/etc/nftables/puppet/ip6-foo-chain-MYCHAIN.nft').with(
76 83
            ensure: 'file',
77 84
            source: '/etc/nftables/puppet-preflight/ip6-foo-chain-MYCHAIN.nft',
78
            mode: '0640',
85
            mode: nft_mode,
79 86
            owner: 'root',
80 87
            group: 'root'
81 88
          )
spec/defines/config_spec.rb
12 12
        facts
13 13
      end
14 14

  
15
      nft_mode = case facts[:os]['family']
16
                 when 'RedHat'
17
                   '0600'
18
                 else
19
                   '0640'
20
                 end
21

  
15 22
      context 'with source and content both unset' do
16 23
        it { is_expected.to compile }
17 24
        it { is_expected.to contain_concat('nftables-FOO-BAR') }
......
20 27
          expect(subject).to contain_concat('nftables-FOO-BAR').with(
21 28
            path: '/etc/nftables/puppet-preflight/custom-FOO-BAR.nft',
22 29
            ensure_newline: true,
23
            mode: '0640'
30
            mode: nft_mode
24 31
          )
25 32
        }
26 33

  
......
30 37
          expect(subject).to contain_file('/etc/nftables/puppet/custom-FOO-BAR.nft').with(
31 38
            ensure: 'file',
32 39
            source: '/etc/nftables/puppet-preflight/custom-FOO-BAR.nft',
33
            mode: '0640'
40
            mode: nft_mode
34 41
          )
35 42
        }
36 43

  
......
86 93
          expect(subject).to contain_concat('nftables-FOO-BAR').with(
87 94
            path: '/etc/nftables/puppet-preflight/custom-FOO-BAR.nft',
88 95
            ensure_newline: true,
89
            mode: '0640'
96
            mode: nft_mode
90 97
          )
91 98
        }
92 99

  
......
96 103
          expect(subject).to contain_file('/etc/nftables/puppet/custom-FOO-BAR.nft').with(
97 104
            ensure: 'file',
98 105
            source: '/etc/nftables/puppet-preflight/custom-FOO-BAR.nft',
99
            mode: '0640'
106
            mode: nft_mode
100 107
          )
101 108
        }
102 109

  
