Révision 30462da1
Reload rules atomically
Background: The unit file for nftables on CentOS 8 contains:
```
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
```
As things stood on config modication `systemctl stop nftables ; systemctl start nftables` was being
called resulting in:
```
nft flush ruleset
nft -f /etc/sysconfig/nftables.conf
```
as distinct commands so a non-atomic flush and load of ruleset.
With this change it is now.
```
/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
```
There is subsequently a redundant extra 'flush ruleset' in there to be followed
up in a seperate patch as I have desire to make that tunable.
To verify what happens when broken rules have been applied, e.g
```puppet
nftables::rule{'default_in-junk':
content => 'junk',
}
```
This results in puppet run of
```
Error: /Stage[main]/Nftables/Service[nftables]: Failed to call refresh: Systemd restart for nftables failed!
journalctl log for nftables:
```
and the existing rules are left live, previously the flush from the stop was occuring.
The reload attempt would only happen once however leaving a time bomb at reboot.
To resvole this the configuration is modified to force a reconfig and reload every puppet run.
| .fixtures.yml | ||
|---|---|---|
| 5 | 5 |
forge_modules: |
| 6 | 6 |
concat: "puppetlabs/concat" |
| 7 | 7 |
stdlib: "puppetlabs/stdlib" |
| 8 |
systemd: "camptocamp/systemd" |
|
| README.md | ||
|---|---|---|
| 42 | 42 |
INPUT and OUTPUT to the loopback device is allowed by |
| 43 | 43 |
default, though you could restrict it later. |
| 44 | 44 |
|
| 45 |
### Rules Validation |
|
| 46 |
Initially puppet deploys all configuration to |
|
| 47 |
`/etc/nftables/puppet-preflight/` and |
|
| 48 |
`/etc/nftables/puppet-preflight.nft`. This is validated with |
|
| 49 |
`nfc -c -L /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
|
| 50 |
If and only if successful the configuration will be copied to |
|
| 51 |
the real locations before the service is reloaded. |
|
| 52 |
|
|
| 45 | 53 |
### nftables::config |
| 46 | 54 |
|
| 47 | 55 |
Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
| files/config/puppet-inet-filter.nft | ||
|---|---|---|
| 1 |
include "/etc/nftables/puppet/inet-filter-chain-*.nft"
|
|
| 1 |
include "inet-filter-chain-*.nft" |
|
| 2 | 2 |
|
| 3 | 3 |
# something we want for all |
| 4 | 4 |
chain global {
|
| files/config/puppet-ip-nat.nft | ||
|---|---|---|
| 1 |
include "/etc/nftables/puppet/ip-nat-chain-*.nft" |
|
| 1 |
include "ip-nat-chain-*.nft" |
|
| files/config/puppet-ip6-nat.nft | ||
|---|---|---|
| 1 |
include "/etc/nftables/puppet/ip6-nat-chain-*.nft" |
|
| 1 |
include "ip6-nat-chain-*.nft" |
|
| files/config/puppet.nft | ||
|---|---|---|
| 1 |
# puppet-preflight.nft is only used by puppet for validating new configs |
|
| 2 |
# puppet.nft is real configuration that the nftables services uses. |
|
| 3 |
# To process either the -I flag must be specified. |
|
| 4 |
# nft -c -I /etc/nftables/puppet -f /etc/nftables/puppet.nft |
|
| 5 |
# nft -c -I /etc/nftables/puppet-preflight -f /etc/nftables/puppet-preflight.nft |
|
| 6 |
|
|
| 1 | 7 |
# drop any existing nftables ruleset |
| 2 | 8 |
flush ruleset |
| 3 | 9 |
|
| 4 |
include "/etc/nftables/puppet/custom-*.nft" |
|
| 5 |
include "/etc/nftables/puppet/inet-filter.nft" |
|
| 6 |
include "/etc/nftables/puppet/ip-nat.nft" |
|
| 7 |
include "/etc/nftables/puppet/ip6-nat.nft" |
|
| 10 |
include "custom-*.nft" |
|
| 11 |
include "inet-filter.nft" |
|
| 12 |
include "ip-nat.nft" |
|
| 13 |
include "ip6-nat.nft" |
|
| files/systemd/puppet_nft.conf | ||
|---|---|---|
| 1 |
# Specify directory to look for relative includes |
|
| 2 |
[Service] |
|
| 3 |
ExecStart= |
|
| 4 |
ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf |
|
| 5 |
ExecReload= |
|
| 6 |
ExecReload=/sbin/nft -I /etc/nftables/puppet 'flush ruleset; include "/etc/sysconfig/nftables.conf";' |
|
| 7 |
|
|
| manifests/chain.pp | ||
|---|---|---|
| 15 | 15 |
|
| 16 | 16 |
concat{
|
| 17 | 17 |
$concat_name: |
| 18 |
path => "/etc/nftables/puppet/${table}-chain-${chain}.nft",
|
|
| 18 |
path => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
|
| 19 | 19 |
owner => root, |
| 20 | 20 |
group => root, |
| 21 | 21 |
mode => '0640', |
| 22 | 22 |
ensure_newline => true, |
| 23 | 23 |
require => Package['nftables'], |
| 24 |
notify => Service['nftables'], |
|
| 25 |
} |
|
| 24 |
} ~> Exec['nft validate'] -> file{
|
|
| 25 |
"/etc/nftables/puppet/${table}-chain-${chain}.nft":
|
|
| 26 |
ensure => file, |
|
| 27 |
source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
|
| 28 |
owner => root, |
|
| 29 |
group => root, |
|
| 30 |
mode => '0640', |
|
| 31 |
} ~> Service['nftables'] |
|
| 26 | 32 |
|
| 27 | 33 |
concat::fragment{
|
| 28 | 34 |
default: |
| manifests/config.pp | ||
|---|---|---|
| 9 | 9 |
|
| 10 | 10 |
Package['nftables'] -> concat{
|
| 11 | 11 |
$concat_name: |
| 12 |
path => "/etc/nftables/puppet/${name}.nft",
|
|
| 12 |
path => "/etc/nftables/puppet-preflight/${name}.nft",
|
|
| 13 | 13 |
ensure_newline => true, |
| 14 | 14 |
owner => root, |
| 15 | 15 |
group => root, |
| 16 | 16 |
mode => '0640', |
| 17 |
} ~> Exec['nft validate'] -> file{
|
|
| 18 |
"/etc/nftables/puppet/${name}.nft":
|
|
| 19 |
ensure => file, |
|
| 20 |
source => "/etc/nftables/puppet-preflight/${name}.nft",
|
|
| 21 |
owner => root, |
|
| 22 |
group => root, |
|
| 23 |
mode => '0640', |
|
| 17 | 24 |
} ~> Service['nftables'] |
| 18 | 25 |
|
| 19 | 26 |
$data = split($name, '-') |
| manifests/init.pp | ||
|---|---|---|
| 84 | 84 |
owner => 'root', |
| 85 | 85 |
group => 'root', |
| 86 | 86 |
mode => '0640'; |
| 87 |
'/etc/nftables/puppet-preflight': |
|
| 88 |
ensure => directory, |
|
| 89 |
mode => '0750', |
|
| 90 |
purge => true, |
|
| 91 |
force => true, |
|
| 92 |
recurse => true; |
|
| 93 |
'/etc/nftables/puppet-preflight.nft': |
|
| 94 |
ensure => file, |
|
| 95 |
source => 'puppet:///modules/nftables/config/puppet.nft'; |
|
| 96 |
} ~> exec{
|
|
| 97 |
'nft validate': |
|
| 98 |
refreshonly => true, |
|
| 99 |
command => '/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo "#CONFIG BROKEN" >> /etc/nftables/puppet-preflight.nft && /bin/false)'; |
|
| 100 |
} -> file{
|
|
| 101 |
default: |
|
| 102 |
owner => 'root', |
|
| 103 |
group => 'root', |
|
| 104 |
mode => '0640'; |
|
| 87 | 105 |
'/etc/nftables/puppet.nft': |
| 88 | 106 |
ensure => file, |
| 89 | 107 |
source => 'puppet:///modules/nftables/config/puppet.nft'; |
| ... | ... | |
| 94 | 112 |
force => true, |
| 95 | 113 |
recurse => true; |
| 96 | 114 |
} ~> service{'nftables':
|
| 97 |
ensure => running, |
|
| 98 |
enable => true, |
|
| 115 |
ensure => running, |
|
| 116 |
enable => true, |
|
| 117 |
hasrestart => true, |
|
| 118 |
restart => '/usr/bin/systemctl reload nftables', |
|
| 119 |
} |
|
| 120 |
|
|
| 121 |
systemd::dropin_file{'puppet_nft.conf':
|
|
| 122 |
ensure => present, |
|
| 123 |
unit => 'nftables.service', |
|
| 124 |
source => 'puppet:///modules/nftables/systemd/puppet_nft.conf', |
|
| 125 |
notify => Service['nftables'], |
|
| 99 | 126 |
} |
| 100 | 127 |
|
| 101 | 128 |
service{'firewalld':
|
| metadata.json | ||
|---|---|---|
| 12 | 12 |
"version_requirement": ">= 6.2.0 < 7.0.0" |
| 13 | 13 |
}, |
| 14 | 14 |
{
|
| 15 |
"name": "camptocamp/systemd", |
|
| 16 |
"version_requirement": ">= 2.0.0 < 3.0.0" |
|
| 17 |
}, |
|
| 18 |
{
|
|
| 15 | 19 |
"name": "puppetlabs/stdlib", |
| 16 | 20 |
"version_requirement": ">= 4.13.1 < 7.0.0" |
| 17 | 21 |
} |
| spec/classes/bridges_spec.rb | ||
|---|---|---|
| 11 | 11 |
|
| 12 | 12 |
it {
|
| 13 | 13 |
is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
|
| 14 |
path: '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft', |
|
| 14 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
|
|
| 15 | 15 |
owner: 'root', |
| 16 | 16 |
group: 'root', |
| 17 | 17 |
mode: '0640', |
| spec/classes/dnat4_spec.rb | ||
|---|---|---|
| 52 | 52 |
|
| 53 | 53 |
it {
|
| 54 | 54 |
is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
|
| 55 |
path: '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft', |
|
| 55 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
|
|
| 56 | 56 |
owner: 'root', |
| 57 | 57 |
group: 'root', |
| 58 | 58 |
mode: '0640', |
| ... | ... | |
| 126 | 126 |
|
| 127 | 127 |
it {
|
| 128 | 128 |
is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
|
| 129 |
path: '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft', |
|
| 129 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
|
|
| 130 | 130 |
owner: 'root', |
| 131 | 131 |
group: 'root', |
| 132 | 132 |
mode: '0640', |
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 11 | 11 |
|
| 12 | 12 |
it {
|
| 13 | 13 |
is_expected.to contain_concat('nftables-inet-filter').with(
|
| 14 |
path: '/etc/nftables/puppet/inet-filter.nft', |
|
| 14 |
path: '/etc/nftables/puppet-preflight/inet-filter.nft',
|
|
| 15 | 15 |
ensure: 'present', |
| 16 | 16 |
owner: 'root', |
| 17 | 17 |
group: 'root', |
| ... | ... | |
| 45 | 45 |
context 'chain input' do |
| 46 | 46 |
it {
|
| 47 | 47 |
is_expected.to contain_concat('nftables-inet-filter-chain-INPUT').with(
|
| 48 |
path: '/etc/nftables/puppet/inet-filter-chain-INPUT.nft', |
|
| 48 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-INPUT.nft',
|
|
| 49 | 49 |
owner: 'root', |
| 50 | 50 |
group: 'root', |
| 51 | 51 |
mode: '0640', |
| ... | ... | |
| 132 | 132 |
|
| 133 | 133 |
it {
|
| 134 | 134 |
is_expected.to contain_concat('nftables-inet-filter-chain-default_in').with(
|
| 135 |
path: '/etc/nftables/puppet/inet-filter-chain-default_in.nft', |
|
| 135 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_in.nft',
|
|
| 136 | 136 |
owner: 'root', |
| 137 | 137 |
group: 'root', |
| 138 | 138 |
mode: '0640', |
| ... | ... | |
| 168 | 168 |
context 'chain output' do |
| 169 | 169 |
it {
|
| 170 | 170 |
is_expected.to contain_concat('nftables-inet-filter-chain-OUTPUT').with(
|
| 171 |
path: '/etc/nftables/puppet/inet-filter-chain-OUTPUT.nft', |
|
| 171 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-OUTPUT.nft',
|
|
| 172 | 172 |
owner: 'root', |
| 173 | 173 |
group: 'root', |
| 174 | 174 |
mode: '0640', |
| ... | ... | |
| 255 | 255 |
|
| 256 | 256 |
it {
|
| 257 | 257 |
is_expected.to contain_concat('nftables-inet-filter-chain-default_out').with(
|
| 258 |
path: '/etc/nftables/puppet/inet-filter-chain-default_out.nft', |
|
| 258 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_out.nft',
|
|
| 259 | 259 |
owner: 'root', |
| 260 | 260 |
group: 'root', |
| 261 | 261 |
mode: '0640', |
| ... | ... | |
| 319 | 319 |
context 'chain forward' do |
| 320 | 320 |
it {
|
| 321 | 321 |
is_expected.to contain_concat('nftables-inet-filter-chain-FORWARD').with(
|
| 322 |
path: '/etc/nftables/puppet/inet-filter-chain-FORWARD.nft', |
|
| 322 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-FORWARD.nft',
|
|
| 323 | 323 |
owner: 'root', |
| 324 | 324 |
group: 'root', |
| 325 | 325 |
mode: '0640', |
| ... | ... | |
| 391 | 391 |
|
| 392 | 392 |
it {
|
| 393 | 393 |
is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
|
| 394 |
path: '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft', |
|
| 394 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
|
|
| 395 | 395 |
owner: 'root', |
| 396 | 396 |
group: 'root', |
| 397 | 397 |
mode: '0640', |
| spec/classes/ip_nat_spec.rb | ||
|---|---|---|
| 11 | 11 |
|
| 12 | 12 |
it {
|
| 13 | 13 |
is_expected.to contain_concat('nftables-ip-nat').with(
|
| 14 |
path: '/etc/nftables/puppet/ip-nat.nft', |
|
| 14 |
path: '/etc/nftables/puppet-preflight/ip-nat.nft',
|
|
| 15 | 15 |
ensure: 'present', |
| 16 | 16 |
owner: 'root', |
| 17 | 17 |
group: 'root', |
| ... | ... | |
| 44 | 44 |
|
| 45 | 45 |
it {
|
| 46 | 46 |
is_expected.to contain_concat('nftables-ip6-nat').with(
|
| 47 |
path: '/etc/nftables/puppet/ip6-nat.nft', |
|
| 47 |
path: '/etc/nftables/puppet-preflight/ip6-nat.nft',
|
|
| 48 | 48 |
ensure: 'present', |
| 49 | 49 |
owner: 'root', |
| 50 | 50 |
group: 'root', |
| ... | ... | |
| 78 | 78 |
context 'table ip nat chain prerouting' do |
| 79 | 79 |
it {
|
| 80 | 80 |
is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
|
| 81 |
path: '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft', |
|
| 81 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
|
|
| 82 | 82 |
owner: 'root', |
| 83 | 83 |
group: 'root', |
| 84 | 84 |
mode: '0640', |
| ... | ... | |
| 118 | 118 |
context 'table ip nat chain postrouting' do |
| 119 | 119 |
it {
|
| 120 | 120 |
is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
|
| 121 |
path: '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft', |
|
| 121 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
|
|
| 122 | 122 |
owner: 'root', |
| 123 | 123 |
group: 'root', |
| 124 | 124 |
mode: '0640', |
| ... | ... | |
| 158 | 158 |
context 'table ip6 nat chain prerouting' do |
| 159 | 159 |
it {
|
| 160 | 160 |
is_expected.to contain_concat('nftables-ip6-nat-chain-PREROUTING6').with(
|
| 161 |
path: '/etc/nftables/puppet/ip6-nat-chain-PREROUTING6.nft', |
|
| 161 |
path: '/etc/nftables/puppet-preflight/ip6-nat-chain-PREROUTING6.nft',
|
|
| 162 | 162 |
owner: 'root', |
| 163 | 163 |
group: 'root', |
| 164 | 164 |
mode: '0640', |
| ... | ... | |
| 198 | 198 |
context 'table ip nat chain postrouting' do |
| 199 | 199 |
it {
|
| 200 | 200 |
is_expected.to contain_concat('nftables-ip6-nat-chain-POSTROUTING6').with(
|
| 201 |
path: '/etc/nftables/puppet/ip6-nat-chain-POSTROUTING6.nft', |
|
| 201 |
path: '/etc/nftables/puppet-preflight/ip6-nat-chain-POSTROUTING6.nft',
|
|
| 202 | 202 |
owner: 'root', |
| 203 | 203 |
group: 'root', |
| 204 | 204 |
mode: '0640', |
| spec/classes/masquerade_spec.rb | ||
|---|---|---|
| 36 | 36 |
|
| 37 | 37 |
it {
|
| 38 | 38 |
is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
|
| 39 |
path: '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft', |
|
| 39 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
|
|
| 40 | 40 |
owner: 'root', |
| 41 | 41 |
group: 'root', |
| 42 | 42 |
mode: '0640', |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 34 | 34 |
} |
| 35 | 35 |
|
| 36 | 36 |
it {
|
| 37 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with(
|
|
| 38 |
ensure: 'file', |
|
| 39 |
owner: 'root', |
|
| 40 |
group: 'root', |
|
| 41 |
mode: '0640', |
|
| 42 |
source: 'puppet:///modules/nftables/config/puppet.nft', |
|
| 43 |
) |
|
| 44 |
} |
|
| 45 |
|
|
| 46 |
it {
|
|
| 47 |
is_expected.to contain_file('/etc/nftables/puppet-preflight').with(
|
|
| 48 |
ensure: 'directory', |
|
| 49 |
owner: 'root', |
|
| 50 |
group: 'root', |
|
| 51 |
mode: '0750', |
|
| 52 |
purge: true, |
|
| 53 |
force: true, |
|
| 54 |
recurse: true, |
|
| 55 |
) |
|
| 56 |
} |
|
| 57 |
|
|
| 58 |
it {
|
|
| 59 |
is_expected.to contain_exec('nft validate').with(
|
|
| 60 |
refreshonly: true, |
|
| 61 |
command: %r{^/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*},
|
|
| 62 |
) |
|
| 63 |
} |
|
| 64 |
|
|
| 65 |
it {
|
|
| 37 | 66 |
is_expected.to contain_service('nftables').with(
|
| 38 | 67 |
ensure: 'running', |
| 39 | 68 |
enable: true, |
| 69 |
hasrestart: true, |
|
| 70 |
restart: %r{/usr/bin/systemctl reload nft.*},
|
|
| 40 | 71 |
) |
| 41 | 72 |
} |
| 42 | 73 |
|
| spec/classes/router_spec.rb | ||
|---|---|---|
| 32 | 32 |
|
| 33 | 33 |
it {
|
| 34 | 34 |
is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
|
| 35 |
path: '/etc/nftables/puppet/inet-filter-chain-default_fwd.nft', |
|
| 35 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
|
|
| 36 | 36 |
owner: 'root', |
| 37 | 37 |
group: 'root', |
| 38 | 38 |
mode: '0640', |
| ... | ... | |
| 70 | 70 |
|
| 71 | 71 |
it {
|
| 72 | 72 |
is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
|
| 73 |
path: '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft', |
|
| 73 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
|
|
| 74 | 74 |
owner: 'root', |
| 75 | 75 |
group: 'root', |
| 76 | 76 |
mode: '0640', |
| ... | ... | |
| 108 | 108 |
|
| 109 | 109 |
it {
|
| 110 | 110 |
is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
|
| 111 |
path: '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft', |
|
| 111 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
|
|
| 112 | 112 |
owner: 'root', |
| 113 | 113 |
group: 'root', |
| 114 | 114 |
mode: '0640', |
| spec/classes/snat4_spec.rb | ||
|---|---|---|
| 37 | 37 |
|
| 38 | 38 |
it {
|
| 39 | 39 |
is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
|
| 40 |
path: '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft', |
|
| 40 |
path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
|
|
| 41 | 41 |
owner: 'root', |
| 42 | 42 |
group: 'root', |
| 43 | 43 |
mode: '0640', |
| spec/defines/chain_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::chain' do |
|
| 4 |
let(:title) { 'MYCHAIN' }
|
|
| 5 |
let(:pre_condition) { 'include nftables' }
|
|
| 6 |
|
|
| 7 |
on_supported_os.each do |os, facts| |
|
| 8 |
context "on #{os}" do
|
|
| 9 |
let(:facts) do |
|
| 10 |
facts |
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
it { is_expected.to compile }
|
|
| 14 |
|
|
| 15 |
it { is_expected.to contain_concat('nftables-inet-filter-chain-MYCHAIN').that_notifies('Exec[nft validate]') }
|
|
| 16 |
it { is_expected.to contain_exec('nft validate').that_comes_before('File[/etc/nftables/puppet/inet-filter-chain-MYCHAIN.nft]') }
|
|
| 17 |
it { is_expected.to contain_file('/etc/nftables/puppet/inet-filter-chain-MYCHAIN.nft').that_comes_before('Service[nftables]') }
|
|
| 18 |
|
|
| 19 |
it {
|
|
| 20 |
is_expected.to contain_concat('nftables-inet-filter-chain-MYCHAIN').with(
|
|
| 21 |
path: '/etc/nftables/puppet-preflight/inet-filter-chain-MYCHAIN.nft', |
|
| 22 |
owner: 'root', |
|
| 23 |
group: 'root', |
|
| 24 |
mode: '0640', |
|
| 25 |
ensure_newline: true, |
|
| 26 |
) |
|
| 27 |
} |
|
| 28 |
it {
|
|
| 29 |
is_expected.to contain_file('/etc/nftables/puppet/inet-filter-chain-MYCHAIN.nft').with(
|
|
| 30 |
ensure: 'file', |
|
| 31 |
source: '/etc/nftables/puppet-preflight/inet-filter-chain-MYCHAIN.nft', |
|
| 32 |
mode: '0640', |
|
| 33 |
owner: 'root', |
|
| 34 |
group: 'root', |
|
| 35 |
) |
|
| 36 |
} |
|
| 37 |
it {
|
|
| 38 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-MYCHAIN-header').with(
|
|
| 39 |
order: '00', |
|
| 40 |
content: "# Start of fragment order:00 MYCHAIN header\nchain MYCHAIN {",
|
|
| 41 |
target: 'nftables-inet-filter-chain-MYCHAIN', |
|
| 42 |
) |
|
| 43 |
} |
|
| 44 |
it {
|
|
| 45 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-MYCHAIN-footer').with(
|
|
| 46 |
order: '99', |
|
| 47 |
content: "# Start of fragment order:99 MYCHAIN footer\n}", |
|
| 48 |
target: 'nftables-inet-filter-chain-MYCHAIN', |
|
| 49 |
) |
|
| 50 |
} |
|
| 51 |
|
|
| 52 |
context('with table set to ip6-foo') do
|
|
| 53 |
let(:params) do |
|
| 54 |
{
|
|
| 55 |
table: 'ip6-foo', |
|
| 56 |
} |
|
| 57 |
end |
|
| 58 |
|
|
| 59 |
it {
|
|
| 60 |
is_expected.to contain_concat('nftables-ip6-foo-chain-MYCHAIN').with(
|
|
| 61 |
path: '/etc/nftables/puppet-preflight/ip6-foo-chain-MYCHAIN.nft', |
|
| 62 |
owner: 'root', |
|
| 63 |
group: 'root', |
|
| 64 |
mode: '0640', |
|
| 65 |
ensure_newline: true, |
|
| 66 |
) |
|
| 67 |
} |
|
| 68 |
it {
|
|
| 69 |
is_expected.to contain_file('/etc/nftables/puppet/ip6-foo-chain-MYCHAIN.nft').with(
|
|
| 70 |
ensure: 'file', |
|
| 71 |
source: '/etc/nftables/puppet-preflight/ip6-foo-chain-MYCHAIN.nft', |
|
| 72 |
mode: '0640', |
|
| 73 |
owner: 'root', |
|
| 74 |
group: 'root', |
|
| 75 |
) |
|
| 76 |
} |
|
| 77 |
it {
|
|
| 78 |
is_expected.to contain_concat__fragment('nftables-ip6-foo-chain-MYCHAIN-header').with(
|
|
| 79 |
order: '00', |
|
| 80 |
content: "# Start of fragment order:00 MYCHAIN header\nchain MYCHAIN {",
|
|
| 81 |
target: 'nftables-ip6-foo-chain-MYCHAIN', |
|
| 82 |
) |
|
| 83 |
} |
|
| 84 |
it {
|
|
| 85 |
is_expected.to contain_concat__fragment('nftables-ip6-foo-chain-MYCHAIN-footer').with(
|
|
| 86 |
order: '99', |
|
| 87 |
content: "# Start of fragment order:99 MYCHAIN footer\n}", |
|
| 88 |
target: 'nftables-ip6-foo-chain-MYCHAIN', |
|
| 89 |
) |
|
| 90 |
} |
|
| 91 |
end |
|
| 92 |
context 'with inject set to 22-foobar' do |
|
| 93 |
let(:params) do |
|
| 94 |
{
|
|
| 95 |
inject: '22-foobar', |
|
| 96 |
} |
|
| 97 |
end |
|
| 98 |
|
|
| 99 |
it { is_expected.to contain_nftables__rule('foobar-jump_MYCHAIN') }
|
|
| 100 |
it {
|
|
| 101 |
is_expected.to contain_nftables__rule('foobar-jump_MYCHAIN').with(
|
|
| 102 |
order: '22', |
|
| 103 |
content: 'jump MYCHAIN', |
|
| 104 |
) |
|
| 105 |
} |
|
| 106 |
context 'with inject_oif set to alpha and inject_oif set to beta' do |
|
| 107 |
let(:params) do |
|
| 108 |
super().merge(inject_iif: 'alpha', inject_oif: 'beta') |
|
| 109 |
end |
|
| 110 |
|
|
| 111 |
it {
|
|
| 112 |
is_expected.to contain_nftables__rule('foobar-jump_MYCHAIN').with(
|
|
| 113 |
order: '22', |
|
| 114 |
content: 'iifname alpha oifname beta jump MYCHAIN', |
|
| 115 |
) |
|
| 116 |
} |
|
| 117 |
end |
|
| 118 |
end |
|
| 119 |
end |
|
| 120 |
end |
|
| 121 |
end |
|
| spec/defines/config_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::config' do |
|
| 4 |
let(:pre_condition) { 'include nftables' }
|
|
| 5 |
|
|
| 6 |
on_supported_os.each do |os, facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let(:title) { 'FOO-BAR' }
|
|
| 9 |
let(:facts) do |
|
| 10 |
facts |
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with source and content both unset' do |
|
| 14 |
it { is_expected.not_to compile }
|
|
| 15 |
end |
|
| 16 |
|
|
| 17 |
context 'with a non hyphenated title' do |
|
| 18 |
let(:title) { 'STRING' }
|
|
| 19 |
|
|
| 20 |
it { is_expected.not_to compile }
|
|
| 21 |
end |
|
| 22 |
|
|
| 23 |
context 'with source and content both set' do |
|
| 24 |
let(:params) do |
|
| 25 |
{
|
|
| 26 |
source: 'foo', |
|
| 27 |
content: 'puppet:///modules/foo/bar', |
|
| 28 |
} |
|
| 29 |
end |
|
| 30 |
|
|
| 31 |
it {
|
|
| 32 |
pending('Setting source and content should be made to fail')
|
|
| 33 |
is_expected.not_to compile |
|
| 34 |
} |
|
| 35 |
end |
|
| 36 |
context 'with content set' do |
|
| 37 |
let(:params) do |
|
| 38 |
{
|
|
| 39 |
content: 'strange content', |
|
| 40 |
} |
|
| 41 |
end |
|
| 42 |
|
|
| 43 |
it { is_expected.to compile }
|
|
| 44 |
it { is_expected.to contain_concat('nftables-FOO-BAR') }
|
|
| 45 |
it {
|
|
| 46 |
is_expected.to contain_concat('nftables-FOO-BAR').with(
|
|
| 47 |
path: '/etc/nftables/puppet-preflight/FOO-BAR.nft', |
|
| 48 |
ensure_newline: true, |
|
| 49 |
mode: '0640', |
|
| 50 |
) |
|
| 51 |
} |
|
| 52 |
it { is_expected.to contain_file('/etc/nftables/puppet/FOO-BAR.nft') }
|
|
| 53 |
it {
|
|
| 54 |
is_expected.to contain_file('/etc/nftables/puppet/FOO-BAR.nft').with(
|
|
| 55 |
ensure: 'file', |
|
| 56 |
source: '/etc/nftables/puppet-preflight/FOO-BAR.nft', |
|
| 57 |
mode: '0640', |
|
| 58 |
) |
|
| 59 |
} |
|
| 60 |
it { is_expected.to contain_concat_fragment('nftables-FOO-BAR-header') }
|
|
| 61 |
it {
|
|
| 62 |
is_expected.to contain_concat_fragment('nftables-FOO-BAR-header').with(
|
|
| 63 |
target: 'nftables-FOO-BAR', |
|
| 64 |
order: '00', |
|
| 65 |
content: 'table FOO BAR {',
|
|
| 66 |
) |
|
| 67 |
} |
|
| 68 |
it {
|
|
| 69 |
is_expected.to contain_concat_fragment('nftables-FOO-BAR-body').with(
|
|
| 70 |
target: 'nftables-FOO-BAR', |
|
| 71 |
order: '98', |
|
| 72 |
content: 'strange content', |
|
| 73 |
) |
|
| 74 |
} |
|
| 75 |
end |
|
| 76 |
context 'with content set' do |
|
| 77 |
let(:params) do |
|
| 78 |
{
|
|
| 79 |
source: 'puppet:///modules/foo', |
|
| 80 |
} |
|
| 81 |
end |
|
| 82 |
|
|
| 83 |
it {
|
|
| 84 |
is_expected.to contain_concat_fragment('nftables-FOO-BAR-body').with(
|
|
| 85 |
target: 'nftables-FOO-BAR', |
|
| 86 |
order: '98', |
|
| 87 |
source: 'puppet:///modules/foo', |
|
| 88 |
) |
|
| 89 |
} |
|
| 90 |
end |
|
| 91 |
end |
|
| 92 |
end |
|
| 93 |
end |
|
Formats disponibles : Unified diff