root / spec / defines / simplerule_spec.rb @ 6793d286
Historique | Voir | Annoter | Télécharger (4,69 ko)
| 1 |
require 'spec_helper'
|
|---|---|
| 2 |
|
| 3 |
describe 'nftables::simplerule' do |
| 4 |
let(:pre_condition) { 'include nftables' } |
| 5 |
|
| 6 |
let(:title) { 'my_default_rule_name' } |
| 7 |
|
| 8 |
on_supported_os.each do |os, os_facts|
|
| 9 |
context "on #{os}" do |
| 10 |
let(:facts) { os_facts }
|
| 11 |
|
| 12 |
describe 'minimum instantiation' do |
| 13 |
it { is_expected.to compile }
|
| 14 |
it {
|
| 15 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 16 |
content: 'accept', |
| 17 |
order: '50', |
| 18 |
) |
| 19 |
} |
| 20 |
end
|
| 21 |
|
| 22 |
describe 'port without protocol' do |
| 23 |
let(:params) do |
| 24 |
{
|
| 25 |
dport: 333, |
| 26 |
} |
| 27 |
end
|
| 28 |
|
| 29 |
it { is_expected.not_to compile }
|
| 30 |
end
|
| 31 |
|
| 32 |
describe 'all parameters provided' do |
| 33 |
let(:title) { 'my_big_rule' } |
| 34 |
let(:params) do |
| 35 |
{
|
| 36 |
action: 'accept', |
| 37 |
comment: 'this is my rule', |
| 38 |
counter: true, |
| 39 |
dport: 333, |
| 40 |
proto: 'udp', |
| 41 |
chain: 'default_out', |
| 42 |
daddr: '2001:1458::/32', |
| 43 |
} |
| 44 |
end
|
| 45 |
|
| 46 |
it { is_expected.to compile }
|
| 47 |
it {
|
| 48 |
is_expected.to contain_nftables__rule('default_out-my_big_rule').with(
|
| 49 |
content: 'udp dport {333} ip6 daddr 2001:1458::/32 counter accept comment "this is my rule"', |
| 50 |
order: '50', |
| 51 |
) |
| 52 |
} |
| 53 |
end
|
| 54 |
|
| 55 |
describe 'port range' do |
| 56 |
let(:params) do |
| 57 |
{
|
| 58 |
dport: '333-334', |
| 59 |
proto: 'tcp', |
| 60 |
} |
| 61 |
end
|
| 62 |
|
| 63 |
it { is_expected.to compile }
|
| 64 |
it {
|
| 65 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 66 |
content: 'tcp dport {333-334} accept', |
| 67 |
) |
| 68 |
} |
| 69 |
end
|
| 70 |
|
| 71 |
describe 'port array' do |
| 72 |
let(:params) do |
| 73 |
{
|
| 74 |
dport: [333, 335], |
| 75 |
proto: 'tcp', |
| 76 |
} |
| 77 |
end
|
| 78 |
|
| 79 |
it { is_expected.to compile }
|
| 80 |
it {
|
| 81 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 82 |
content: 'tcp dport {333, 335} accept', |
| 83 |
) |
| 84 |
} |
| 85 |
end
|
| 86 |
|
| 87 |
describe 'only IPv4 TCP traffic' do |
| 88 |
let(:params) do |
| 89 |
{
|
| 90 |
dport: 333, |
| 91 |
proto: 'tcp4', |
| 92 |
} |
| 93 |
end
|
| 94 |
|
| 95 |
it { is_expected.to compile }
|
| 96 |
it {
|
| 97 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 98 |
content: 'ip version 4 tcp dport {333} accept', |
| 99 |
) |
| 100 |
} |
| 101 |
end
|
| 102 |
|
| 103 |
describe 'only IPv6 UDP traffic' do |
| 104 |
let(:params) do |
| 105 |
{
|
| 106 |
dport: 33, |
| 107 |
proto: 'udp6', |
| 108 |
} |
| 109 |
end
|
| 110 |
|
| 111 |
it { is_expected.to compile }
|
| 112 |
it {
|
| 113 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 114 |
content: 'ip version 6 udp dport {33} accept', |
| 115 |
) |
| 116 |
} |
| 117 |
end
|
| 118 |
|
| 119 |
describe 'with an IPv4 CIDR as daddr' do |
| 120 |
let(:params) do |
| 121 |
{
|
| 122 |
daddr: '192.168.0.1/24', |
| 123 |
dport: 33, |
| 124 |
proto: 'tcp', |
| 125 |
} |
| 126 |
end
|
| 127 |
|
| 128 |
it { is_expected.to compile }
|
| 129 |
it {
|
| 130 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 131 |
content: 'tcp dport {33} ip daddr 192.168.0.1/24 accept', |
| 132 |
) |
| 133 |
} |
| 134 |
end
|
| 135 |
|
| 136 |
describe 'with an IPv6 address as daddr' do |
| 137 |
let(:params) do |
| 138 |
{
|
| 139 |
daddr: '2001:1458::1', |
| 140 |
} |
| 141 |
end
|
| 142 |
|
| 143 |
it { is_expected.to compile }
|
| 144 |
it {
|
| 145 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 146 |
content: 'ip6 daddr 2001:1458::1 accept', |
| 147 |
) |
| 148 |
} |
| 149 |
end
|
| 150 |
|
| 151 |
describe 'with an IPv6 set as daddr, default set_type' do |
| 152 |
let(:params) do |
| 153 |
{
|
| 154 |
daddr: '@my6_set', |
| 155 |
} |
| 156 |
end
|
| 157 |
|
| 158 |
it { is_expected.to compile }
|
| 159 |
it {
|
| 160 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 161 |
content: 'ip6 daddr @my6_set accept', |
| 162 |
) |
| 163 |
} |
| 164 |
end
|
| 165 |
|
| 166 |
describe 'with a IPv4 set as daddr' do |
| 167 |
let(:params) do |
| 168 |
{
|
| 169 |
daddr: '@my4_set', |
| 170 |
set_type: 'ip', |
| 171 |
} |
| 172 |
end
|
| 173 |
|
| 174 |
it { is_expected.to compile }
|
| 175 |
it {
|
| 176 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 177 |
content: 'ip daddr @my4_set accept', |
| 178 |
) |
| 179 |
} |
| 180 |
end
|
| 181 |
|
| 182 |
describe 'with counter enabled' do |
| 183 |
let(:params) do |
| 184 |
{
|
| 185 |
counter: true, |
| 186 |
} |
| 187 |
end
|
| 188 |
|
| 189 |
it { is_expected.to compile }
|
| 190 |
it {
|
| 191 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
| 192 |
content: 'counter accept', |
| 193 |
) |
| 194 |
} |
| 195 |
end
|
| 196 |
end
|
| 197 |
end
|
| 198 |
end
|