/spec/classes/dnat4_spec.rb - Annoter - puppet nftables - Koumbit's Redmine

Télécharger au format

root / spec / classes / dnat4_spec.rb @ 9d02e9f8

Historique | Voir | Annoter | Télécharger (7,53 ko)

1	c82b960a	Steve Traylen	# frozen_string_literal: true
2
3	a5205d2f	tr	require 'spec_helper'
4
5			describe 'nftables' do
6			let(:pre_condition) { 'Exec{path => "/bin"}' }
7
8			on_supported_os.each do \|os, os_facts\|
9			context "on #{os}" do
10			let(:facts) { os_facts }
11
12	0b7bcb5d	mh	nft_mode = case os_facts[:os]['family']
13			when 'RedHat'
14			'0600'
15			else
16			'0640'
17			end
18
19	a5205d2f	tr	context 'with dnat' do
20			let(:pre_condition) do
21	01d8a819	tr	'
22	a5205d2f	tr	# inet-filter-chain-ingoing
23	01d8a819	tr	nftables::chain{ \'ingoing\':
24			inject => \'20-default_fwd\',
25			inject_iif => \'eth0\',
26			inject_oif => \'eth1\';
27	a5205d2f	tr	}
28
29			# inet-filter-chain-default_fwd
30			nftables::rules::dnat4{
31	01d8a819	tr	\'http\':
32			order => \'10\',
33			chain => \'ingoing\',
34			daddr => \'192.0.2.2\',
35			port => \'http\';
36			\'https\':
37			order => \'10\',
38			chain => \'ingoing\',
39			daddr => \'192.0.2.2\',
40			port => \'https\';
41			\'http_alt\':
42			order => \'10\',
43			chain => \'ingoing\',
44			iif => \'eth0\',
45			daddr => \'192.0.2.2\',
46			proto => \'tcp\',
47	a5205d2f	tr	port => 8080,
48			dport => 8000;
49	01d8a819	tr	\'wireguard\':
50			order => \'10\',
51			chain => \'ingoing\',
52			iif => \'eth0\',
53			daddr => \'192.0.2.3\',
54			proto => \'udp\',
55			port => \'51820\';
56	a5205d2f	tr	}
57	01d8a819	tr	'
58	a5205d2f	tr	end
59
60			it { is_expected.to compile }
61
62	01d8a819	tr	it {
63	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-inet-filter-chain-default_fwd').with(
64			path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
65			owner: 'root',
66			group: 'root',
67	0b7bcb5d	mh	mode: nft_mode,
68	fa92e118	Romain Tartière	ensure_newline: true
69	01d8a819	tr	)
70			}
71	c82b960a	Steve Traylen
72	01d8a819	tr	it {
73	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
74			target: 'nftables-inet-filter-chain-default_fwd',
75	01d8a819	tr	content: %r{^chain default_fwd \{$},
76	c82b960a	Steve Traylen	order: '00'
77	01d8a819	tr	)
78			}
79	c82b960a	Steve Traylen
80	01d8a819	tr	it {
81	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
82			target: 'nftables-inet-filter-chain-default_fwd',
83	01d8a819	tr	content: %r{^ iifname eth0 oifname eth1 jump ingoing$},
84	c82b960a	Steve Traylen	order: '20-nftables-inet-filter-chain-default_fwd-rule-jump_ingoing-b'
85	01d8a819	tr	)
86			}
87	c82b960a	Steve Traylen
88	01d8a819	tr	it {
89	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
90			target: 'nftables-inet-filter-chain-default_fwd',
91	01d8a819	tr	content: %r{^\}$},
92	c82b960a	Steve Traylen	order: '99'
93	01d8a819	tr	)
94			}
95	a5205d2f	tr
96	01d8a819	tr	it {
97	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
98			target: 'nftables-inet-filter-chain-ingoing',
99	01d8a819	tr	content: %r{^chain ingoing \{$},
100	c82b960a	Steve Traylen	order: '00'
101	01d8a819	tr	)
102			}
103	c82b960a	Steve Traylen
104	01d8a819	tr	it {
105	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
106			target: 'nftables-inet-filter-chain-ingoing',
107	01d8a819	tr	content: %r{^ ip daddr 192.0.2.2 tcp dport http accept$},
108	c82b960a	Steve Traylen	order: '10-nftables-inet-filter-chain-ingoing-rule-http-b'
109	01d8a819	tr	)
110			}
111	c82b960a	Steve Traylen
112	01d8a819	tr	it {
113	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
114			target: 'nftables-inet-filter-chain-ingoing',
115	01d8a819	tr	content: %r{^ ip daddr 192.0.2.2 tcp dport https accept$},
116	c82b960a	Steve Traylen	order: '10-nftables-inet-filter-chain-ingoing-rule-https-b'
117	01d8a819	tr	)
118			}
119	c82b960a	Steve Traylen
120	01d8a819	tr	it {
121	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
122			target: 'nftables-inet-filter-chain-ingoing',
123	01d8a819	tr	content: %r{^ iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},
124	c82b960a	Steve Traylen	order: '10-nftables-inet-filter-chain-ingoing-rule-http_alt-b'
125	01d8a819	tr	)
126			}
127	c82b960a	Steve Traylen
128	01d8a819	tr	it {
129	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
130			target: 'nftables-inet-filter-chain-ingoing',
131	01d8a819	tr	content: %r{^ iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},
132	c82b960a	Steve Traylen	order: '10-nftables-inet-filter-chain-ingoing-rule-wireguard-b'
133	01d8a819	tr	)
134			}
135	c82b960a	Steve Traylen
136	01d8a819	tr	it {
137	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
138			target: 'nftables-inet-filter-chain-ingoing',
139	01d8a819	tr	content: %r{^\}$},
140	c82b960a	Steve Traylen	order: '99'
141	01d8a819	tr	)
142			}
143	a5205d2f	tr
144	01d8a819	tr	it {
145	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
146			path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
147			owner: 'root',
148			group: 'root',
149	0b7bcb5d	mh	mode: nft_mode,
150	fa92e118	Romain Tartière	ensure_newline: true
151	01d8a819	tr	)
152			}
153	c82b960a	Steve Traylen
154	01d8a819	tr	it {
155	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
156			target: 'nftables-ip-nat-chain-PREROUTING',
157	01d8a819	tr	content: %r{^chain PREROUTING \{$},
158	c82b960a	Steve Traylen	order: '00'
159	01d8a819	tr	)
160			}
161	c82b960a	Steve Traylen
162	01d8a819	tr	it {
163	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
164			target: 'nftables-ip-nat-chain-PREROUTING',
165	01d8a819	tr	content: %r{^ type nat hook prerouting priority -100$},
166	c82b960a	Steve Traylen	order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
167	01d8a819	tr	)
168			}
169	c82b960a	Steve Traylen
170	01d8a819	tr	it {
171	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
172			target: 'nftables-ip-nat-chain-PREROUTING',
173	01d8a819	tr	content: %r{^ policy accept$},
174	c82b960a	Steve Traylen	order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
175	01d8a819	tr	)
176			}
177	c82b960a	Steve Traylen
178	01d8a819	tr	it {
179	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
180			target: 'nftables-ip-nat-chain-PREROUTING',
181	01d8a819	tr	content: %r{^ tcp dport http dnat to 192.0.2.2$},
182	c82b960a	Steve Traylen	order: '10-nftables-ip-nat-chain-PREROUTING-rule-http-b'
183	01d8a819	tr	)
184			}
185	c82b960a	Steve Traylen
186	01d8a819	tr	it {
187	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
188			target: 'nftables-ip-nat-chain-PREROUTING',
189	01d8a819	tr	content: %r{^ tcp dport https dnat to 192.0.2.2$},
190	c82b960a	Steve Traylen	order: '10-nftables-ip-nat-chain-PREROUTING-rule-https-b'
191	01d8a819	tr	)
192			}
193	c82b960a	Steve Traylen
194	01d8a819	tr	it {
195	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
196			target: 'nftables-ip-nat-chain-PREROUTING',
197	01d8a819	tr	content: %r{^ iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},
198	c82b960a	Steve Traylen	order: '10-nftables-ip-nat-chain-PREROUTING-rule-http_alt-b'
199	01d8a819	tr	)
200			}
201	c82b960a	Steve Traylen
202	01d8a819	tr	it {
203	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
204			target: 'nftables-ip-nat-chain-PREROUTING',
205	01d8a819	tr	content: %r{^ iifname eth0 udp dport 51820 dnat to 192.0.2.3$},
206	c82b960a	Steve Traylen	order: '10-nftables-ip-nat-chain-PREROUTING-rule-wireguard-b'
207	01d8a819	tr	)
208			}
209	c82b960a	Steve Traylen
210	01d8a819	tr	it {
211	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
212			target: 'nftables-ip-nat-chain-PREROUTING',
213	01d8a819	tr	content: %r{^\}$},
214	c82b960a	Steve Traylen	order: '99'
215	01d8a819	tr	)
216			}
217	a5205d2f	tr	end
218			end
219			end
220			end

Projet

Général

Profil

puppet nftables

root / spec / classes / dnat4_spec.rb @ 9d02e9f8