Révision 61f03b47
Switch $order$fragmenta/b to $order-$fragment-a/b
| manifests/rule.pp | ||
|---|---|---|
| 27 | 27 |
|
| 28 | 28 |
concat::fragment{"${fragment}_header":
|
| 29 | 29 |
content => "# Start of fragment order:${order} rulename:${rulename}",
|
| 30 |
order => "${order}${fragment}a",
|
|
| 30 |
order => "${order}-${fragment}-a",
|
|
| 31 | 31 |
target => "nftables-${table}-chain-${data[0]}",
|
| 32 | 32 |
} |
| 33 | 33 |
|
| 34 | 34 |
concat::fragment{
|
| 35 | 35 |
$fragment: |
| 36 |
order => "${order}${fragment}b",
|
|
| 36 |
order => "${order}-${fragment}-b",
|
|
| 37 | 37 |
target => "nftables-${table}-chain-${data[0]}",
|
| 38 | 38 |
} |
| 39 | 39 |
|
| spec/classes/bridges_spec.rb | ||
|---|---|---|
| 29 | 29 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-bridge_br0_br0').with(
|
| 30 | 30 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 31 | 31 |
content: %r{^ iifname br0 oifname br0 accept$},
|
| 32 |
order: '08nftables-inet-filter-chain-default_fwd-rule-bridge_br0_br0b',
|
|
| 32 |
order: '08-nftables-inet-filter-chain-default_fwd-rule-bridge_br0_br0-b',
|
|
| 33 | 33 |
) |
| 34 | 34 |
} |
| 35 | 35 |
it {
|
| 36 | 36 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-bridge_br1_br1').with(
|
| 37 | 37 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 38 | 38 |
content: %r{^ iifname br1 oifname br1 accept$},
|
| 39 |
order: '08nftables-inet-filter-chain-default_fwd-rule-bridge_br1_br1b',
|
|
| 39 |
order: '08-nftables-inet-filter-chain-default_fwd-rule-bridge_br1_br1-b',
|
|
| 40 | 40 |
) |
| 41 | 41 |
} |
| 42 | 42 |
it { is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-bridge_br0_br1') }
|
| spec/classes/dnat4_spec.rb | ||
|---|---|---|
| 70 | 70 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
|
| 71 | 71 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 72 | 72 |
content: %r{^ iifname eth0 oifname eth1 jump ingoing$},
|
| 73 |
order: '20nftables-inet-filter-chain-default_fwd-rule-jump_ingoingb',
|
|
| 73 |
order: '20-nftables-inet-filter-chain-default_fwd-rule-jump_ingoing-b',
|
|
| 74 | 74 |
) |
| 75 | 75 |
} |
| 76 | 76 |
it {
|
| ... | ... | |
| 92 | 92 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
|
| 93 | 93 |
target: 'nftables-inet-filter-chain-ingoing', |
| 94 | 94 |
content: %r{^ ip daddr 192.0.2.2 tcp dport http accept$},
|
| 95 |
order: '10nftables-inet-filter-chain-ingoing-rule-httpb',
|
|
| 95 |
order: '10-nftables-inet-filter-chain-ingoing-rule-http-b',
|
|
| 96 | 96 |
) |
| 97 | 97 |
} |
| 98 | 98 |
it {
|
| 99 | 99 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
|
| 100 | 100 |
target: 'nftables-inet-filter-chain-ingoing', |
| 101 | 101 |
content: %r{^ ip daddr 192.0.2.2 tcp dport https accept$},
|
| 102 |
order: '10nftables-inet-filter-chain-ingoing-rule-httpsb',
|
|
| 102 |
order: '10-nftables-inet-filter-chain-ingoing-rule-https-b',
|
|
| 103 | 103 |
) |
| 104 | 104 |
} |
| 105 | 105 |
it {
|
| 106 | 106 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
|
| 107 | 107 |
target: 'nftables-inet-filter-chain-ingoing', |
| 108 | 108 |
content: %r{^ iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},
|
| 109 |
order: '10nftables-inet-filter-chain-ingoing-rule-http_altb',
|
|
| 109 |
order: '10-nftables-inet-filter-chain-ingoing-rule-http_alt-b',
|
|
| 110 | 110 |
) |
| 111 | 111 |
} |
| 112 | 112 |
it {
|
| 113 | 113 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
|
| 114 | 114 |
target: 'nftables-inet-filter-chain-ingoing', |
| 115 | 115 |
content: %r{^ iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},
|
| 116 |
order: '10nftables-inet-filter-chain-ingoing-rule-wireguardb',
|
|
| 116 |
order: '10-nftables-inet-filter-chain-ingoing-rule-wireguard-b',
|
|
| 117 | 117 |
) |
| 118 | 118 |
} |
| 119 | 119 |
it {
|
| ... | ... | |
| 144 | 144 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
|
| 145 | 145 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 146 | 146 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 147 |
order: '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
|
|
| 147 |
order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b',
|
|
| 148 | 148 |
) |
| 149 | 149 |
} |
| 150 | 150 |
it {
|
| 151 | 151 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
|
| 152 | 152 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 153 | 153 |
content: %r{^ policy accept$},
|
| 154 |
order: '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
|
|
| 154 |
order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b',
|
|
| 155 | 155 |
) |
| 156 | 156 |
} |
| 157 | 157 |
it {
|
| 158 | 158 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
|
| 159 | 159 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 160 | 160 |
content: %r{^ tcp dport http dnat to 192.0.2.2$},
|
| 161 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-httpb',
|
|
| 161 |
order: '10-nftables-ip-nat-chain-PREROUTING-rule-http-b',
|
|
| 162 | 162 |
) |
| 163 | 163 |
} |
| 164 | 164 |
it {
|
| 165 | 165 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
|
| 166 | 166 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 167 | 167 |
content: %r{^ tcp dport https dnat to 192.0.2.2$},
|
| 168 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-httpsb',
|
|
| 168 |
order: '10-nftables-ip-nat-chain-PREROUTING-rule-https-b',
|
|
| 169 | 169 |
) |
| 170 | 170 |
} |
| 171 | 171 |
it {
|
| 172 | 172 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
|
| 173 | 173 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 174 | 174 |
content: %r{^ iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},
|
| 175 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-http_altb',
|
|
| 175 |
order: '10-nftables-ip-nat-chain-PREROUTING-rule-http_alt-b',
|
|
| 176 | 176 |
) |
| 177 | 177 |
} |
| 178 | 178 |
it {
|
| 179 | 179 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
|
| 180 | 180 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 181 | 181 |
content: %r{^ iifname eth0 udp dport 51820 dnat to 192.0.2.3$},
|
| 182 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-wireguardb',
|
|
| 182 |
order: '10-nftables-ip-nat-chain-PREROUTING-rule-wireguard-b',
|
|
| 183 | 183 |
) |
| 184 | 184 |
} |
| 185 | 185 |
it {
|
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 63 | 63 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-type').with(
|
| 64 | 64 |
target: 'nftables-inet-filter-chain-INPUT', |
| 65 | 65 |
content: %r{^ type filter hook input priority 0$},
|
| 66 |
order: '01nftables-inet-filter-chain-INPUT-rule-typeb',
|
|
| 66 |
order: '01-nftables-inet-filter-chain-INPUT-rule-type-b',
|
|
| 67 | 67 |
) |
| 68 | 68 |
} |
| 69 | 69 |
it {
|
| 70 | 70 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-policy').with(
|
| 71 | 71 |
target: 'nftables-inet-filter-chain-INPUT', |
| 72 | 72 |
content: %r{^ policy drop$},
|
| 73 |
order: '02nftables-inet-filter-chain-INPUT-rule-policyb',
|
|
| 73 |
order: '02-nftables-inet-filter-chain-INPUT-rule-policy-b',
|
|
| 74 | 74 |
) |
| 75 | 75 |
} |
| 76 | 76 |
it {
|
| 77 | 77 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-lo').with(
|
| 78 | 78 |
target: 'nftables-inet-filter-chain-INPUT', |
| 79 | 79 |
content: %r{^ iifname lo accept$},
|
| 80 |
order: '03nftables-inet-filter-chain-INPUT-rule-lob',
|
|
| 80 |
order: '03-nftables-inet-filter-chain-INPUT-rule-lo-b',
|
|
| 81 | 81 |
) |
| 82 | 82 |
} |
| 83 | 83 |
it {
|
| 84 | 84 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_global').with(
|
| 85 | 85 |
target: 'nftables-inet-filter-chain-INPUT', |
| 86 | 86 |
content: %r{^ jump global$},
|
| 87 |
order: '04nftables-inet-filter-chain-INPUT-rule-jump_globalb',
|
|
| 87 |
order: '04-nftables-inet-filter-chain-INPUT-rule-jump_global-b',
|
|
| 88 | 88 |
) |
| 89 | 89 |
} |
| 90 | 90 |
it {
|
| 91 | 91 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
|
| 92 | 92 |
target: 'nftables-inet-filter-chain-INPUT', |
| 93 | 93 |
content: %r{^ jump default_in$},
|
| 94 |
order: '10nftables-inet-filter-chain-INPUT-rule-jump_default_inb',
|
|
| 94 |
order: '10-nftables-inet-filter-chain-INPUT-rule-jump_default_in-b',
|
|
| 95 | 95 |
) |
| 96 | 96 |
} |
| 97 | 97 |
it {
|
| 98 | 98 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 99 | 99 |
target: 'nftables-inet-filter-chain-INPUT', |
| 100 | 100 |
content: %r{^ log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
|
| 101 |
order: '97nftables-inet-filter-chain-INPUT-rule-log_discardedb',
|
|
| 101 |
order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
|
|
| 102 | 102 |
) |
| 103 | 103 |
} |
| 104 | 104 |
it {
|
| 105 | 105 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
|
| 106 | 106 |
target: 'nftables-inet-filter-chain-INPUT', |
| 107 | 107 |
content: %r{^ reject with icmpx type port-unreachable$},
|
| 108 |
order: '98nftables-inet-filter-chain-INPUT-rule-rejectb',
|
|
| 108 |
order: '98-nftables-inet-filter-chain-INPUT-rule-reject-b',
|
|
| 109 | 109 |
) |
| 110 | 110 |
} |
| 111 | 111 |
it {
|
| ... | ... | |
| 143 | 143 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-rule-ssh').with(
|
| 144 | 144 |
target: 'nftables-inet-filter-chain-default_in', |
| 145 | 145 |
content: %r{^ tcp dport \{22\} accept$},
|
| 146 |
order: '50nftables-inet-filter-chain-default_in-rule-sshb',
|
|
| 146 |
order: '50-nftables-inet-filter-chain-default_in-rule-ssh-b',
|
|
| 147 | 147 |
) |
| 148 | 148 |
} |
| 149 | 149 |
end |
| ... | ... | |
| 169 | 169 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-type').with(
|
| 170 | 170 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 171 | 171 |
content: %r{^ type filter hook output priority 0$},
|
| 172 |
order: '01nftables-inet-filter-chain-OUTPUT-rule-typeb',
|
|
| 172 |
order: '01-nftables-inet-filter-chain-OUTPUT-rule-type-b',
|
|
| 173 | 173 |
) |
| 174 | 174 |
} |
| 175 | 175 |
it {
|
| 176 | 176 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-policy').with(
|
| 177 | 177 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 178 | 178 |
content: %r{^ policy drop$},
|
| 179 |
order: '02nftables-inet-filter-chain-OUTPUT-rule-policyb',
|
|
| 179 |
order: '02-nftables-inet-filter-chain-OUTPUT-rule-policy-b',
|
|
| 180 | 180 |
) |
| 181 | 181 |
} |
| 182 | 182 |
it {
|
| 183 | 183 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-lo').with(
|
| 184 | 184 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 185 | 185 |
content: %r{^ oifname lo accept$},
|
| 186 |
order: '03nftables-inet-filter-chain-OUTPUT-rule-lob',
|
|
| 186 |
order: '03-nftables-inet-filter-chain-OUTPUT-rule-lo-b',
|
|
| 187 | 187 |
) |
| 188 | 188 |
} |
| 189 | 189 |
it {
|
| 190 | 190 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_global').with(
|
| 191 | 191 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 192 | 192 |
content: %r{^ jump global$},
|
| 193 |
order: '04nftables-inet-filter-chain-OUTPUT-rule-jump_globalb',
|
|
| 193 |
order: '04-nftables-inet-filter-chain-OUTPUT-rule-jump_global-b',
|
|
| 194 | 194 |
) |
| 195 | 195 |
} |
| 196 | 196 |
it {
|
| 197 | 197 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
|
| 198 | 198 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 199 | 199 |
content: %r{^ jump default_out$},
|
| 200 |
order: '10nftables-inet-filter-chain-OUTPUT-rule-jump_default_outb',
|
|
| 200 |
order: '10-nftables-inet-filter-chain-OUTPUT-rule-jump_default_out-b',
|
|
| 201 | 201 |
) |
| 202 | 202 |
} |
| 203 | 203 |
it {
|
| 204 | 204 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 205 | 205 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 206 | 206 |
content: %r{^ log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
|
| 207 |
order: '97nftables-inet-filter-chain-OUTPUT-rule-log_discardedb',
|
|
| 207 |
order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
|
|
| 208 | 208 |
) |
| 209 | 209 |
} |
| 210 | 210 |
it {
|
| 211 | 211 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
|
| 212 | 212 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 213 | 213 |
content: %r{^ reject with icmpx type port-unreachable$},
|
| 214 |
order: '98nftables-inet-filter-chain-OUTPUT-rule-rejectb',
|
|
| 214 |
order: '98-nftables-inet-filter-chain-OUTPUT-rule-reject-b',
|
|
| 215 | 215 |
) |
| 216 | 216 |
} |
| 217 | 217 |
it {
|
| ... | ... | |
| 249 | 249 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
|
| 250 | 250 |
target: 'nftables-inet-filter-chain-default_out', |
| 251 | 251 |
content: %r{^ udp dport 53 accept$},
|
| 252 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudpb',
|
|
| 252 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnsudp-b',
|
|
| 253 | 253 |
) |
| 254 | 254 |
} |
| 255 | 255 |
it {
|
| 256 | 256 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
|
| 257 | 257 |
target: 'nftables-inet-filter-chain-default_out', |
| 258 | 258 |
content: %r{^ tcp dport 53 accept$},
|
| 259 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcpb',
|
|
| 259 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnstcp-b',
|
|
| 260 | 260 |
) |
| 261 | 261 |
} |
| 262 | 262 |
it {
|
| 263 | 263 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony').with(
|
| 264 | 264 |
target: 'nftables-inet-filter-chain-default_out', |
| 265 | 265 |
content: %r{^ udp dport 123 accept$},
|
| 266 |
order: '50nftables-inet-filter-chain-default_out-rule-chronyb',
|
|
| 266 |
order: '50-nftables-inet-filter-chain-default_out-rule-chrony-b',
|
|
| 267 | 267 |
) |
| 268 | 268 |
} |
| 269 | 269 |
it {
|
| 270 | 270 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-http').with(
|
| 271 | 271 |
target: 'nftables-inet-filter-chain-default_out', |
| 272 | 272 |
content: %r{^ tcp dport 80 accept$},
|
| 273 |
order: '50nftables-inet-filter-chain-default_out-rule-httpb',
|
|
| 273 |
order: '50-nftables-inet-filter-chain-default_out-rule-http-b',
|
|
| 274 | 274 |
) |
| 275 | 275 |
} |
| 276 | 276 |
it {
|
| 277 | 277 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-https').with(
|
| 278 | 278 |
target: 'nftables-inet-filter-chain-default_out', |
| 279 | 279 |
content: %r{^ tcp dport 443 accept$},
|
| 280 |
order: '50nftables-inet-filter-chain-default_out-rule-httpsb',
|
|
| 280 |
order: '50-nftables-inet-filter-chain-default_out-rule-https-b',
|
|
| 281 | 281 |
) |
| 282 | 282 |
} |
| 283 | 283 |
end |
| ... | ... | |
| 303 | 303 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-type').with(
|
| 304 | 304 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 305 | 305 |
content: %r{^ type filter hook forward priority 0$},
|
| 306 |
order: '01nftables-inet-filter-chain-FORWARD-rule-typeb',
|
|
| 306 |
order: '01-nftables-inet-filter-chain-FORWARD-rule-type-b',
|
|
| 307 | 307 |
) |
| 308 | 308 |
} |
| 309 | 309 |
it {
|
| 310 | 310 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-policy').with(
|
| 311 | 311 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 312 | 312 |
content: %r{^ policy drop$},
|
| 313 |
order: '02nftables-inet-filter-chain-FORWARD-rule-policyb',
|
|
| 313 |
order: '02-nftables-inet-filter-chain-FORWARD-rule-policy-b',
|
|
| 314 | 314 |
) |
| 315 | 315 |
} |
| 316 | 316 |
it {
|
| 317 | 317 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_global').with(
|
| 318 | 318 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 319 | 319 |
content: %r{^ jump global$},
|
| 320 |
order: '03nftables-inet-filter-chain-FORWARD-rule-jump_globalb',
|
|
| 320 |
order: '03-nftables-inet-filter-chain-FORWARD-rule-jump_global-b',
|
|
| 321 | 321 |
) |
| 322 | 322 |
} |
| 323 | 323 |
it {
|
| 324 | 324 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
|
| 325 | 325 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 326 | 326 |
content: %r{^ jump default_fwd$},
|
| 327 |
order: '10nftables-inet-filter-chain-FORWARD-rule-jump_default_fwdb',
|
|
| 327 |
order: '10-nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd-b',
|
|
| 328 | 328 |
) |
| 329 | 329 |
} |
| 330 | 330 |
it {
|
| 331 | 331 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 332 | 332 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 333 | 333 |
content: %r{^ log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
|
| 334 |
order: '97nftables-inet-filter-chain-FORWARD-rule-log_discardedb',
|
|
| 334 |
order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
|
|
| 335 | 335 |
) |
| 336 | 336 |
} |
| 337 | 337 |
it {
|
| 338 | 338 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
|
| 339 | 339 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 340 | 340 |
content: %r{^ reject with icmpx type port-unreachable$},
|
| 341 |
order: '98nftables-inet-filter-chain-FORWARD-rule-rejectb',
|
|
| 341 |
order: '98-nftables-inet-filter-chain-FORWARD-rule-reject-b',
|
|
| 342 | 342 |
) |
| 343 | 343 |
} |
| 344 | 344 |
it {
|
| ... | ... | |
| 381 | 381 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 382 | 382 |
target: 'nftables-inet-filter-chain-INPUT', |
| 383 | 383 |
content: %r{^ log prefix \"test " flags all counter$},
|
| 384 |
order: '97nftables-inet-filter-chain-INPUT-rule-log_discardedb',
|
|
| 384 |
order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
|
|
| 385 | 385 |
) |
| 386 | 386 |
} |
| 387 | 387 |
it {
|
| 388 | 388 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 389 | 389 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 390 | 390 |
content: %r{^ log prefix \"test " flags all counter$},
|
| 391 |
order: '97nftables-inet-filter-chain-OUTPUT-rule-log_discardedb',
|
|
| 391 |
order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
|
|
| 392 | 392 |
) |
| 393 | 393 |
} |
| 394 | 394 |
it {
|
| 395 | 395 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 396 | 396 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 397 | 397 |
content: %r{^ log prefix \"test " flags all counter$},
|
| 398 |
order: '97nftables-inet-filter-chain-FORWARD-rule-log_discardedb',
|
|
| 398 |
order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
|
|
| 399 | 399 |
) |
| 400 | 400 |
} |
| 401 | 401 |
end |
| ... | ... | |
| 407 | 407 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 408 | 408 |
target: 'nftables-inet-filter-chain-INPUT', |
| 409 | 409 |
content: %r{^ log prefix \" bar \[INPUT\] " flags all counter$},
|
| 410 |
order: '97nftables-inet-filter-chain-INPUT-rule-log_discardedb',
|
|
| 410 |
order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b',
|
|
| 411 | 411 |
) |
| 412 | 412 |
} |
| 413 | 413 |
it {
|
| 414 | 414 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 415 | 415 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 416 | 416 |
content: %r{^ log prefix \" bar \[OUTPUT\] " flags all counter$},
|
| 417 |
order: '97nftables-inet-filter-chain-OUTPUT-rule-log_discardedb',
|
|
| 417 |
order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b',
|
|
| 418 | 418 |
) |
| 419 | 419 |
} |
| 420 | 420 |
it {
|
| 421 | 421 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 422 | 422 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 423 | 423 |
content: %r{^ log prefix \" bar \[FORWARD\] " flags all counter$},
|
| 424 |
order: '97nftables-inet-filter-chain-FORWARD-rule-log_discardedb',
|
|
| 424 |
order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b',
|
|
| 425 | 425 |
) |
| 426 | 426 |
} |
| 427 | 427 |
end |
| ... | ... | |
| 464 | 464 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
|
| 465 | 465 |
target: 'nftables-inet-filter-chain-INPUT', |
| 466 | 466 |
content: %r{^ reject with tcp reset$},
|
| 467 |
order: '98nftables-inet-filter-chain-INPUT-rule-rejectb',
|
|
| 467 |
order: '98-nftables-inet-filter-chain-INPUT-rule-reject-b',
|
|
| 468 | 468 |
) |
| 469 | 469 |
} |
| 470 | 470 |
it {
|
| 471 | 471 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
|
| 472 | 472 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 473 | 473 |
content: %r{^ reject with tcp reset$},
|
| 474 |
order: '98nftables-inet-filter-chain-OUTPUT-rule-rejectb',
|
|
| 474 |
order: '98-nftables-inet-filter-chain-OUTPUT-rule-reject-b',
|
|
| 475 | 475 |
) |
| 476 | 476 |
} |
| 477 | 477 |
it {
|
| 478 | 478 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
|
| 479 | 479 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 480 | 480 |
content: %r{^ reject with tcp reset$},
|
| 481 |
order: '98nftables-inet-filter-chain-FORWARD-rule-rejectb',
|
|
| 481 |
order: '98-nftables-inet-filter-chain-FORWARD-rule-reject-b',
|
|
| 482 | 482 |
) |
| 483 | 483 |
} |
| 484 | 484 |
end |
| spec/classes/ip_nat_spec.rb | ||
|---|---|---|
| 96 | 96 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
|
| 97 | 97 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 98 | 98 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 99 |
order: '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
|
|
| 99 |
order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b',
|
|
| 100 | 100 |
) |
| 101 | 101 |
} |
| 102 | 102 |
it {
|
| 103 | 103 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
|
| 104 | 104 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 105 | 105 |
content: %r{^ policy accept$},
|
| 106 |
order: '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
|
|
| 106 |
order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b',
|
|
| 107 | 107 |
) |
| 108 | 108 |
} |
| 109 | 109 |
it {
|
| ... | ... | |
| 136 | 136 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 137 | 137 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 138 | 138 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 139 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 139 |
order: '01-nftables-ip-nat-chain-POSTROUTING-rule-type-b',
|
|
| 140 | 140 |
) |
| 141 | 141 |
} |
| 142 | 142 |
it {
|
| 143 | 143 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 144 | 144 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 145 | 145 |
content: %r{^ policy accept$},
|
| 146 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 146 |
order: '02-nftables-ip-nat-chain-POSTROUTING-rule-policy-b',
|
|
| 147 | 147 |
) |
| 148 | 148 |
} |
| 149 | 149 |
it {
|
| ... | ... | |
| 176 | 176 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-type').with(
|
| 177 | 177 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
| 178 | 178 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 179 |
order: '01nftables-ip6-nat-chain-PREROUTING6-rule-typeb',
|
|
| 179 |
order: '01-nftables-ip6-nat-chain-PREROUTING6-rule-type-b',
|
|
| 180 | 180 |
) |
| 181 | 181 |
} |
| 182 | 182 |
it {
|
| 183 | 183 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-policy').with(
|
| 184 | 184 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
| 185 | 185 |
content: %r{^ policy accept$},
|
| 186 |
order: '02nftables-ip6-nat-chain-PREROUTING6-rule-policyb',
|
|
| 186 |
order: '02-nftables-ip6-nat-chain-PREROUTING6-rule-policy-b',
|
|
| 187 | 187 |
) |
| 188 | 188 |
} |
| 189 | 189 |
it {
|
| ... | ... | |
| 216 | 216 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-type').with(
|
| 217 | 217 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
| 218 | 218 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 219 |
order: '01nftables-ip6-nat-chain-POSTROUTING6-rule-typeb',
|
|
| 219 |
order: '01-nftables-ip6-nat-chain-POSTROUTING6-rule-type-b',
|
|
| 220 | 220 |
) |
| 221 | 221 |
} |
| 222 | 222 |
it {
|
| 223 | 223 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-policy').with(
|
| 224 | 224 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
| 225 | 225 |
content: %r{^ policy accept$},
|
| 226 |
order: '02nftables-ip6-nat-chain-POSTROUTING6-rule-policyb',
|
|
| 226 |
order: '02-nftables-ip6-nat-chain-POSTROUTING6-rule-policy-b',
|
|
| 227 | 227 |
) |
| 228 | 228 |
} |
| 229 | 229 |
it {
|
| spec/classes/masquerade_spec.rb | ||
|---|---|---|
| 54 | 54 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 55 | 55 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 56 | 56 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 57 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 57 |
order: '01-nftables-ip-nat-chain-POSTROUTING-rule-type-b',
|
|
| 58 | 58 |
) |
| 59 | 59 |
} |
| 60 | 60 |
it {
|
| 61 | 61 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 62 | 62 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 63 | 63 |
content: %r{^ policy accept$},
|
| 64 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 64 |
order: '02-nftables-ip-nat-chain-POSTROUTING-rule-policy-b',
|
|
| 65 | 65 |
) |
| 66 | 66 |
} |
| 67 | 67 |
it {
|
| 68 | 68 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0').with(
|
| 69 | 69 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 70 | 70 |
content: %r{^ oifname eth0 masquerade$},
|
| 71 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0b',
|
|
| 71 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0-b',
|
|
| 72 | 72 |
) |
| 73 | 73 |
} |
| 74 | 74 |
it {
|
| 75 | 75 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpn').with(
|
| 76 | 76 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 77 | 77 |
content: %r{^ oifname eth1 ip saddr 192\.0\.2\.0\/24 masquerade$},
|
| 78 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpnb',
|
|
| 78 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpn-b',
|
|
| 79 | 79 |
) |
| 80 | 80 |
} |
| 81 | 81 |
it {
|
| 82 | 82 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh').with(
|
| 83 | 83 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 84 | 84 |
content: %r{^ ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
|
| 85 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_sshb',
|
|
| 85 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh-b',
|
|
| 86 | 86 |
) |
| 87 | 87 |
} |
| 88 | 88 |
it {
|
| 89 | 89 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlab').with(
|
| 90 | 90 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 91 | 91 |
content: %r{^ ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
|
| 92 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlabb',
|
|
| 92 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlab-b',
|
|
| 93 | 93 |
) |
| 94 | 94 |
} |
| 95 | 95 |
it {
|
| 96 | 96 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguard').with(
|
| 97 | 97 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 98 | 98 |
content: %r{^ udp dport 51820 masquerade$},
|
| 99 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguardb',
|
|
| 99 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguard-b',
|
|
| 100 | 100 |
) |
| 101 | 101 |
} |
| 102 | 102 |
it {
|
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 85 | 85 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
|
| 86 | 86 |
target: 'nftables-inet-filter-chain-INPUT', |
| 87 | 87 |
content: %r{^ iifname eth0 tcp dport \{ 80, 443 \} accept$},
|
| 88 |
order: '50nftables-inet-filter-chain-INPUT-rule-web_acceptb',
|
|
| 88 |
order: '50-nftables-inet-filter-chain-INPUT-rule-web_accept-b',
|
|
| 89 | 89 |
) |
| 90 | 90 |
} |
| 91 | 91 |
end |
| spec/classes/router_spec.rb | ||
|---|---|---|
| 50 | 50 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-out').with(
|
| 51 | 51 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 52 | 52 |
content: %r{^ iifname eth1 oifname eth0 accept$},
|
| 53 |
order: '20nftables-inet-filter-chain-default_fwd-rule-outb',
|
|
| 53 |
order: '20-nftables-inet-filter-chain-default_fwd-rule-out-b',
|
|
| 54 | 54 |
) |
| 55 | 55 |
} |
| 56 | 56 |
it {
|
| 57 | 57 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-drop').with(
|
| 58 | 58 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 59 | 59 |
content: %r{^ iifname eth0 drop$},
|
| 60 |
order: '90nftables-inet-filter-chain-default_fwd-rule-dropb',
|
|
| 60 |
order: '90-nftables-inet-filter-chain-default_fwd-rule-drop-b',
|
|
| 61 | 61 |
) |
| 62 | 62 |
} |
| 63 | 63 |
it {
|
| ... | ... | |
| 88 | 88 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
|
| 89 | 89 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 90 | 90 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 91 |
order: '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
|
|
| 91 |
order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b',
|
|
| 92 | 92 |
) |
| 93 | 93 |
} |
| 94 | 94 |
it {
|
| 95 | 95 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
|
| 96 | 96 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 97 | 97 |
content: %r{^ policy accept$},
|
| 98 |
order: '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
|
|
| 98 |
order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b',
|
|
| 99 | 99 |
) |
| 100 | 100 |
} |
| 101 | 101 |
it {
|
| ... | ... | |
| 126 | 126 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 127 | 127 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 128 | 128 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 129 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 129 |
order: '01-nftables-ip-nat-chain-POSTROUTING-rule-type-b',
|
|
| 130 | 130 |
) |
| 131 | 131 |
} |
| 132 | 132 |
it {
|
| 133 | 133 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 134 | 134 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 135 | 135 |
content: %r{^ policy accept$},
|
| 136 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 136 |
order: '02-nftables-ip-nat-chain-POSTROUTING-rule-policy-b',
|
|
| 137 | 137 |
) |
| 138 | 138 |
} |
| 139 | 139 |
it {
|
| 140 | 140 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade').with(
|
| 141 | 141 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 142 | 142 |
content: %r{^ oifname eth0 masquerade$},
|
| 143 |
order: '20nftables-ip-nat-chain-POSTROUTING-rule-masqueradeb',
|
|
| 143 |
order: '20-nftables-ip-nat-chain-POSTROUTING-rule-masquerade-b',
|
|
| 144 | 144 |
) |
| 145 | 145 |
} |
| 146 | 146 |
it {
|
| spec/classes/rules_out_dns_spec.rb | ||
|---|---|---|
| 18 | 18 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
|
| 19 | 19 |
target: 'nftables-inet-filter-chain-default_out', |
| 20 | 20 |
content: %r{^ udp dport 53 accept$},
|
| 21 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudpb',
|
|
| 21 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnsudp-b',
|
|
| 22 | 22 |
) |
| 23 | 23 |
} |
| 24 | 24 |
it {
|
| 25 | 25 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
|
| 26 | 26 |
target: 'nftables-inet-filter-chain-default_out', |
| 27 | 27 |
content: %r{^ tcp dport 53 accept$},
|
| 28 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcpb',
|
|
| 28 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnstcp-b',
|
|
| 29 | 29 |
) |
| 30 | 30 |
} |
| 31 | 31 |
end |
| ... | ... | |
| 45 | 45 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp-0').with(
|
| 46 | 46 |
target: 'nftables-inet-filter-chain-default_out', |
| 47 | 47 |
content: %r{^ ip daddr 192.0.2.1 udp dport 53 accept$},
|
| 48 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudp-0b',
|
|
| 48 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnsudp-0-b',
|
|
| 49 | 49 |
) |
| 50 | 50 |
} |
| 51 | 51 |
it {
|
| 52 | 52 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp-0').with(
|
| 53 | 53 |
target: 'nftables-inet-filter-chain-default_out', |
| 54 | 54 |
content: %r{^ ip daddr 192.0.2.1 tcp dport 53 accept$},
|
| 55 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcp-0b',
|
|
| 55 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnstcp-0-b',
|
|
| 56 | 56 |
) |
| 57 | 57 |
} |
| 58 | 58 |
|
| ... | ... | |
| 60 | 60 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp-1').with(
|
| 61 | 61 |
target: 'nftables-inet-filter-chain-default_out', |
| 62 | 62 |
content: %r{^ ip6 daddr 2001:db8::1 udp dport 53 accept$},
|
| 63 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudp-1b',
|
|
| 63 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnsudp-1-b',
|
|
| 64 | 64 |
) |
| 65 | 65 |
} |
| 66 | 66 |
it {
|
| 67 | 67 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp-1').with(
|
| 68 | 68 |
target: 'nftables-inet-filter-chain-default_out', |
| 69 | 69 |
content: %r{^ ip6 daddr 2001:db8::1 tcp dport 53 accept$},
|
| 70 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcp-1b',
|
|
| 70 |
order: '50-nftables-inet-filter-chain-default_out-rule-dnstcp-1-b',
|
|
| 71 | 71 |
) |
| 72 | 72 |
} |
| 73 | 73 |
end |
| spec/classes/snat4_spec.rb | ||
|---|---|---|
| 55 | 55 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 56 | 56 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 57 | 57 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 58 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 58 |
order: '01-nftables-ip-nat-chain-POSTROUTING-rule-type-b',
|
|
| 59 | 59 |
) |
| 60 | 60 |
} |
| 61 | 61 |
it {
|
| 62 | 62 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 63 | 63 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 64 | 64 |
content: %r{^ policy accept$},
|
| 65 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 65 |
order: '02-nftables-ip-nat-chain-POSTROUTING-rule-policy-b',
|
|
| 66 | 66 |
) |
| 67 | 67 |
} |
| 68 | 68 |
it {
|
| 69 | 69 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-static').with(
|
| 70 | 70 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 71 | 71 |
content: %r{^ oifname eth0 snat 198\.51\.100\.1$},
|
| 72 |
order: '60nftables-ip-nat-chain-POSTROUTING-rule-staticb',
|
|
| 72 |
order: '60-nftables-ip-nat-chain-POSTROUTING-rule-static-b',
|
|
| 73 | 73 |
) |
| 74 | 74 |
} |
| 75 | 75 |
it {
|
| 76 | 76 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1').with(
|
| 77 | 77 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 78 | 78 |
content: %r{^ oifname eth0 ip saddr 192\.0\.2\.2 snat 198\.51\.100\.3$},
|
| 79 |
order: '61nftables-ip-nat-chain-POSTROUTING-rule-1_1b',
|
|
| 79 |
order: '61-nftables-ip-nat-chain-POSTROUTING-rule-1_1-b',
|
|
| 80 | 80 |
) |
| 81 | 81 |
} |
| 82 | 82 |
it {
|
| 83 | 83 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtp').with(
|
| 84 | 84 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 85 | 85 |
content: %r{^ ip saddr 192\.0\.2\.2 tcp dport 25 snat 198\.51\.100\.2$},
|
| 86 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtpb',
|
|
| 86 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtp-b',
|
|
| 87 | 87 |
) |
| 88 | 88 |
} |
| 89 | 89 |
it {
|
| 90 | 90 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguard').with(
|
| 91 | 91 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 92 | 92 |
content: %r{^ ip saddr 192\.0\.2\.2 udp dport 51820 snat 198\.51\.100\.2$},
|
| 93 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguardb',
|
|
| 93 |
order: '70-nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguard-b',
|
|
| 94 | 94 |
) |
| 95 | 95 |
} |
| 96 | 96 |
it {
|
| spec/defines/rule_spec.rb | ||
|---|---|---|
| 31 | 31 |
|
| 32 | 32 |
context 'with content parameter set' do |
| 33 | 33 |
let(:params) do |
| 34 |
{
|
|
| 35 |
content: 'port 22 allow', |
|
| 36 |
} |
|
| 34 |
{ content: 'port 22 allow' }
|
|
| 37 | 35 |
end |
| 38 | 36 |
|
| 39 | 37 |
it { is_expected.to compile.with_all_deps }
|
| 40 | 38 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE') }
|
| 41 | 39 |
it {
|
| 42 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 43 |
{
|
|
| 44 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEa', |
|
| 40 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE_header').with(
|
|
| 41 |
order: '50-nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-a', |
|
| 45 | 42 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
| 46 | 43 |
content: %r{^#.*$},
|
| 47 |
}
|
|
| 44 |
)
|
|
| 48 | 45 |
} |
| 49 | 46 |
it {
|
| 50 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE').with
|
|
| 51 |
{
|
|
| 52 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEb', |
|
| 47 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE').with(
|
|
| 48 |
order: '50-nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-b', |
|
| 53 | 49 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
| 54 | 50 |
content: ' port 22 allow', |
| 55 |
}
|
|
| 51 |
)
|
|
| 56 | 52 |
} |
| 57 | 53 |
context 'with optional parameters set' do |
| 58 | 54 |
let(:params) do |
| ... | ... | |
| 61 | 57 |
end |
| 62 | 58 |
|
| 63 | 59 |
it {
|
| 64 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 65 |
{
|
|
| 66 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEa', |
|
| 60 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE_header').with(
|
|
| 61 |
order: '85-nftables-TABLE-chain-CHAIN_NAME-rule-RULE-a', |
|
| 67 | 62 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
| 68 | 63 |
content: %r{^#.*$},
|
| 69 |
}
|
|
| 64 |
)
|
|
| 70 | 65 |
} |
| 71 | 66 |
it { is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE') }
|
| 72 | 67 |
it {
|
| 73 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE').with
|
|
| 74 |
{
|
|
| 75 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEb', |
|
| 68 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE').with(
|
|
| 69 |
order: '85-nftables-TABLE-chain-CHAIN_NAME-rule-RULE-b', |
|
| 76 | 70 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
| 77 | 71 |
content: ' port 22 allow', |
| 78 |
}
|
|
| 72 |
)
|
|
| 79 | 73 |
} |
| 80 | 74 |
end |
| 81 | 75 |
end |
| ... | ... | |
| 90 | 84 |
it { is_expected.to compile.with_all_deps }
|
| 91 | 85 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE') }
|
| 92 | 86 |
it {
|
| 93 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 94 |
{
|
|
| 95 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEa', |
|
| 87 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE_header').with(
|
|
| 88 |
order: '50-nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-a', |
|
| 96 | 89 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
| 97 | 90 |
content: %r{^#.*$},
|
| 98 |
}
|
|
| 91 |
)
|
|
| 99 | 92 |
} |
| 100 | 93 |
it {
|
| 101 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE').with
|
|
| 102 |
{
|
|
| 103 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEb', |
|
| 94 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE').with(
|
|
| 95 |
order: '50-nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-b', |
|
| 104 | 96 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
| 105 | 97 |
source: 'puppet:///modules/foo/bar', |
| 106 |
}
|
|
| 98 |
)
|
|
| 107 | 99 |
} |
| 108 | 100 |
context 'with optional parameters set' do |
| 109 | 101 |
let(:params) do |
| ... | ... | |
| 112 | 104 |
end |
| 113 | 105 |
|
| 114 | 106 |
it {
|
| 115 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 116 |
{
|
|
| 117 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEa', |
|
| 107 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE_header').with(
|
|
| 108 |
order: '85-nftables-TABLE-chain-CHAIN_NAME-rule-RULE-a', |
|
| 118 | 109 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
| 119 | 110 |
content: %r{^#.*$},
|
| 120 |
}
|
|
| 111 |
)
|
|
| 121 | 112 |
} |
| 122 | 113 |
it { is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE') }
|
| 123 | 114 |
it {
|
| 124 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE').with
|
|
| 125 |
{
|
|
| 126 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEb', |
|
| 115 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE').with(
|
|
| 116 |
order: '85-nftables-TABLE-chain-CHAIN_NAME-rule-RULE-b', |
|
| 127 | 117 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
| 128 | 118 |
source: 'puppet:///modules/foo/bar', |
| 129 |
}
|
|
| 119 |
)
|
|
| 130 | 120 |
} |
| 131 | 121 |
end |
| 132 | 122 |
end |
| ... | ... | |
| 145 | 135 |
it { is_expected.to compile.with_all_deps }
|
| 146 | 136 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22') }
|
| 147 | 137 |
it {
|
| 148 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22_header').with
|
|
| 149 |
{
|
|
| 150 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22a', |
|
| 138 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22_header').with(
|
|
| 139 |
order: '50-nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22-a', |
|
| 151 | 140 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
| 152 | 141 |
content: %r{^#.*$},
|
| 153 |
}
|
|
| 142 |
)
|
|
| 154 | 143 |
} |
| 155 | 144 |
it {
|
| 156 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22').with
|
|
| 157 |
{
|
|
| 158 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22b', |
|
| 145 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22').with(
|
|
| 146 |
order: '50-nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22-b', |
|
| 159 | 147 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
| 160 | 148 |
content: ' port 22 allow', |
| 161 |
}
|
|
| 149 |
)
|
|
| 162 | 150 |
} |
| 163 | 151 |
end |
| 164 | 152 |
end |
Formats disponibles : Unified diff