Révision 1fd3f550
Add all families as a valid noflush pattern
nftables has more valid families than the ones currently accepted by the
module.
This patch adds support for all the families currently supported as per
the documentation at:
https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
| manifests/init.pp | ||
|---|---|---|
| 116 | 116 |
Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets', |
| 117 | 117 |
Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable', |
| 118 | 118 |
Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask', |
| 119 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef, |
|
| 119 |
Optional[Array[Pattern[/^(ip|ip6|inet|arp|bridge|netdev)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef,
|
|
| 120 | 120 |
Stdlib::Unixpath $echo, |
| 121 | 121 |
Stdlib::Unixpath $configuration_path, |
| 122 | 122 |
Stdlib::Unixpath $nft_path, |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 247 | 247 |
it { is_expected.to have_nftables__set_resource_count(0) }
|
| 248 | 248 |
end |
| 249 | 249 |
|
| 250 |
context 'with with noflush_tables parameter' do |
|
| 251 |
let(:params) do |
|
| 252 |
{
|
|
| 253 |
noflush_tables: ['inet-f2b-table'], |
|
| 254 |
} |
|
| 255 |
end |
|
| 256 |
|
|
| 257 |
context 'with no nftables fact' do |
|
| 258 |
it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
|
|
| 259 |
end |
|
| 250 |
%w[ip ip6 inet arp bridge netdev].each do |family| |
|
| 251 |
context "with noflush_tables parameter set to valid family #{family}" do
|
|
| 252 |
let(:params) do |
|
| 253 |
{
|
|
| 254 |
noflush_tables: ["#{family}-f2b-table"],
|
|
| 255 |
} |
|
| 256 |
end |
|
| 260 | 257 |
|
| 261 |
context 'with nftables fact matching' do |
|
| 262 |
let(:facts) do |
|
| 263 |
super().merge(nftables: { tables: %w[inet-abc inet-f2b-table] })
|
|
| 258 |
context 'with no nftables fact' do |
|
| 259 |
it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
|
|
| 264 | 260 |
end |
| 265 | 261 |
|
| 266 |
it {
|
|
| 267 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 268 |
with_content(%r{^table inet abc \{\}$})
|
|
| 269 |
}
|
|
| 262 |
context 'with nftables fact matching' do
|
|
| 263 |
let(:facts) do
|
|
| 264 |
super().merge(nftables: { tables: %W[#{family}-abc #{family}-f2b-table] })
|
|
| 265 |
end
|
|
| 270 | 266 |
|
| 271 |
it {
|
|
| 272 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 273 |
with_content(%r{^flush table inet abc$})
|
|
| 274 |
} |
|
| 275 |
end |
|
| 267 |
it {
|
|
| 268 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 269 |
with_content(%r{^table #{family} abc \{\}$})
|
|
| 270 |
} |
|
| 276 | 271 |
|
| 277 |
context 'with nftables fact not matching' do |
|
| 278 |
let(:facts) do |
|
| 279 |
super().merge(nftables: { tables: %w[inet-abc inet-ijk] })
|
|
| 272 |
it {
|
|
| 273 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 274 |
with_content(%r{^flush table #{family} abc$})
|
|
| 275 |
} |
|
| 280 | 276 |
end |
| 281 | 277 |
|
| 282 |
it {
|
|
| 283 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 284 |
with_content(%r{^table inet abc \{\}$})
|
|
| 285 |
} |
|
| 286 |
|
|
| 287 |
it {
|
|
| 288 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 289 |
with_content(%r{^flush table inet abc$})
|
|
| 290 |
} |
|
| 278 |
context 'with nftables fact not matching' do |
|
| 279 |
let(:facts) do |
|
| 280 |
super().merge(nftables: { tables: %W[#{family}-abc #{family}-ijk] })
|
|
| 281 |
end |
|
| 282 |
|
|
| 283 |
it {
|
|
| 284 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 285 |
with_content(%r{^table #{family} abc \{\}$})
|
|
| 286 |
} |
|
| 287 |
|
|
| 288 |
it {
|
|
| 289 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 290 |
with_content(%r{^flush table #{family} abc$})
|
|
| 291 |
} |
|
| 292 |
|
|
| 293 |
it {
|
|
| 294 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 295 |
with_content(%r{^table #{family} ijk \{\}$})
|
|
| 296 |
} |
|
| 297 |
|
|
| 298 |
it {
|
|
| 299 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 300 |
with_content(%r{^flush table #{family} ijk$})
|
|
| 301 |
} |
|
| 302 |
end |
|
| 303 |
end |
|
| 304 |
end |
|
| 291 | 305 |
|
| 292 |
it {
|
|
| 293 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 294 |
with_content(%r{^table inet ijk \{\}$})
|
|
| 295 |
} |
|
| 306 |
%w[it ip7 inter arpa brid netdevs].each do |family| |
|
| 307 |
context "with noflush_tables parameter set to invalid family #{family}" do
|
|
| 308 |
let(:params) do |
|
| 309 |
{
|
|
| 310 |
noflush_tables: ["#{family}-f2b-table"],
|
|
| 311 |
} |
|
| 312 |
end |
|
| 296 | 313 |
|
| 297 |
it {
|
|
| 298 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 299 |
with_content(%r{^flush table inet ijk$})
|
|
| 300 |
} |
|
| 314 |
it { is_expected.not_to compile }
|
|
| 301 | 315 |
end |
| 302 | 316 |
end |
| 303 | 317 |
end |
Formats disponibles : Unified diff