Révision 9e100a98
Add acceptance test covering tables of type netdev
| spec/acceptance/default_spec.rb | ||
|---|---|---|
| 181 | 181 |
it { is_expected.to be_enabled }
|
| 182 | 182 |
end |
| 183 | 183 |
end |
| 184 |
|
|
| 185 |
context 'with only an empty netdev table' do |
|
| 186 |
it 'rules validate okay' do |
|
| 187 |
pp = <<-EOS |
|
| 188 |
class{'nftables':
|
|
| 189 |
firewalld_enable => false, |
|
| 190 |
inet_filter => false, |
|
| 191 |
nat => false, |
|
| 192 |
} |
|
| 193 |
nftables::config {
|
|
| 194 |
'netdev-filter': |
|
| 195 |
prefix => '', |
|
| 196 |
} |
|
| 197 |
nftables::chain {
|
|
| 198 |
[ |
|
| 199 |
'INPUT', |
|
| 200 |
'OUTPUT', |
|
| 201 |
'FORWARD', |
|
| 202 |
]: |
|
| 203 |
table => 'netdev-filter'; |
|
| 204 |
} |
|
| 205 |
$config_path = $facts['os']['family'] ? {
|
|
| 206 |
'Archlinux' => '/etc/nftables.conf', |
|
| 207 |
'Debian' => '/etc/nftables.conf', |
|
| 208 |
default => '/etc/sysconfig/nftables.conf', |
|
| 209 |
} |
|
| 210 |
$nft_path = $facts['os']['family'] ? {
|
|
| 211 |
'Archlinux' => '/usr/bin/nft', |
|
| 212 |
default => '/usr/sbin/nft', |
|
| 213 |
} |
|
| 214 |
# nftables cannot be started in docker so replace service with a validation only. |
|
| 215 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
|
| 216 |
ensure => present, |
|
| 217 |
unit => "nftables.service", |
|
| 218 |
content => [ |
|
| 219 |
"[Service]", |
|
| 220 |
"ExecStart=", |
|
| 221 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 222 |
"ExecReload=", |
|
| 223 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 224 |
"", |
|
| 225 |
].join("\n"),
|
|
| 226 |
notify => Service["nftables"], |
|
| 227 |
} |
|
| 228 |
EOS |
|
| 229 |
apply_manifest(pp, catch_failures: true) |
|
| 230 |
end |
|
| 231 |
|
|
| 232 |
describe service('nftables') do
|
|
| 233 |
it { is_expected.to be_running }
|
|
| 234 |
it { is_expected.to be_enabled }
|
|
| 235 |
end |
|
| 236 |
end |
|
| 184 | 237 |
end |
Formats disponibles : Unified diff