1 c82b960a Steve Traylen
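# frozen_string_literal: true

require 'spec_helper'

# Catalog-level spec for nftables::rules::dnat4.
#
# A pre_condition manifest declares one nftables::chain ('ingoing', injected
# into default_fwd) and four dnat4 rules. The expectations then pin the concat
# resources and fragments the catalog must contain:
#   * inet-filter-chain-default_fwd: header, the jump into 'ingoing', footer
#   * inet-filter-chain-ingoing: header, one "accept" fragment per dnat4 rule, footer
#   * ip-nat-chain-PREROUTING: header, type/policy, one "dnat to" fragment per rule, footer
#
# Every dnat4 rule is expected to produce a matched pair: a "dnat to" fragment
# in PREROUTING and an "accept" fragment in the filter chain. Rules declared
# with `iif => 'eth0'` carry `iifname eth0` in both fragments; rules declared
# without `iif` (http, https) carry no interface match in either.
describe 'nftables' do
  let(:pre_condition) { 'Exec{path => "/bin"}' }

  on_supported_os.each do |os, os_facts|
    context "on #{os}" do
      let(:facts) { os_facts }

      context 'with dnat' do
        # NOTE(review): this inner `let` replaces the outer `Exec{path => "/bin"}`
        # pre_condition rather than extending it — confirm that is intended.
        let(:pre_condition) do
          '
          # inet-filter-chain-ingoing
          nftables::chain{ \'ingoing\':
            inject     => \'20-default_fwd\',
            inject_iif => \'eth0\',
            inject_oif => \'eth1\';
          }

          # inet-filter-chain-default_fwd
          nftables::rules::dnat4{
            \'http\':
              order => \'10\',
              chain => \'ingoing\',
              daddr => \'192.0.2.2\',
              port  => \'http\';
            \'https\':
              order => \'10\',
              chain => \'ingoing\',
              daddr => \'192.0.2.2\',
              port  => \'https\';
            \'http_alt\':
              order => \'10\',
              chain => \'ingoing\',
              iif   => \'eth0\',
              daddr => \'192.0.2.2\',
              proto => \'tcp\',
              port  => 8080,
              dport => 8000;
            \'wireguard\':
              order => \'10\',
              chain => \'ingoing\',
              iif   => \'eth0\',
              daddr => \'192.0.2.3\',
              proto => \'udp\',
              port  => \'51820\';
          }
          '
        end

        it { is_expected.to compile }

        # The generated ruleset file is pinned to root:root 0640 so the
        # preflight configuration is not world-readable.
        it {
          expect(subject).to contain_concat('nftables-inet-filter-chain-default_fwd').with(
            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
            owner: 'root',
            group: 'root',
            mode: '0640',
            ensure_newline: true
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
            target: 'nftables-inet-filter-chain-default_fwd',
            content: %r{^chain default_fwd \{$},
            order: '00'
          )
        }

        # The chain's inject/inject_iif/inject_oif parameters become a single
        # interface-scoped jump from default_fwd into 'ingoing'.
        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
            target: 'nftables-inet-filter-chain-default_fwd',
            content: %r{^  iifname eth0 oifname eth1 jump ingoing$},
            order: '20-nftables-inet-filter-chain-default_fwd-rule-jump_ingoing-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
            target: 'nftables-inet-filter-chain-default_fwd',
            content: %r{^\}$},
            order: '99'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
            target: 'nftables-inet-filter-chain-ingoing',
            content: %r{^chain ingoing \{$},
            order: '00'
          )
        }

        # Filter-side "accept" fragments. Dots in the address literals are
        # escaped so the regex matches only the exact dotted quad and cannot
        # be satisfied by an arbitrary character in those positions.
        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
            target: 'nftables-inet-filter-chain-ingoing',
            content: %r{^  ip daddr 192\.0\.2\.2 tcp dport http accept$},
            order: '10-nftables-inet-filter-chain-ingoing-rule-http-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
            target: 'nftables-inet-filter-chain-ingoing',
            content: %r{^  ip daddr 192\.0\.2\.2 tcp dport https accept$},
            order: '10-nftables-inet-filter-chain-ingoing-rule-https-b'
          )
        }

        # http_alt: `port => 8080` is the externally matched port and
        # `dport => 8000` the translated one, so the filter rule accepts 8000
        # while the PREROUTING rule below matches 8080.
        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
            target: 'nftables-inet-filter-chain-ingoing',
            content: %r{^  iifname eth0 ip daddr 192\.0\.2\.2 tcp dport 8000 accept$},
            order: '10-nftables-inet-filter-chain-ingoing-rule-http_alt-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
            target: 'nftables-inet-filter-chain-ingoing',
            content: %r{^  iifname eth0 ip daddr 192\.0\.2\.3 udp dport 51820 accept$},
            order: '10-nftables-inet-filter-chain-ingoing-rule-wireguard-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
            target: 'nftables-inet-filter-chain-ingoing',
            content: %r{^\}$},
            order: '99'
          )
        }

        # The ip nat PREROUTING chain is created implicitly by the dnat4 rules
        # and gets the same restrictive file ownership and mode.
        it {
          expect(subject).to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
            path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
            owner: 'root',
            group: 'root',
            mode: '0640',
            ensure_newline: true
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^chain PREROUTING \{$},
            order: '00'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^  type nat hook prerouting priority -100$},
            order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^  policy accept$},
            order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
          )
        }

        # NAT-side "dnat to" fragments, one per dnat4 rule, mirroring the
        # filter-side accepts above (same interface scoping, same ports).
        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^  tcp dport http dnat to 192\.0\.2\.2$},
            order: '10-nftables-ip-nat-chain-PREROUTING-rule-http-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^  tcp dport https dnat to 192\.0\.2\.2$},
            order: '10-nftables-ip-nat-chain-PREROUTING-rule-https-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^  iifname eth0 tcp dport 8080 dnat to 192\.0\.2\.2:8000$},
            order: '10-nftables-ip-nat-chain-PREROUTING-rule-http_alt-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^  iifname eth0 udp dport 51820 dnat to 192\.0\.2\.3$},
            order: '10-nftables-ip-nat-chain-PREROUTING-rule-wireguard-b'
          )
        }

        it {
          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
            target: 'nftables-ip-nat-chain-PREROUTING',
            content: %r{^\}$},
            order: '99'
          )
        }
      end
    end
  end
end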