/ - Diff - puppet nftables - Koumbit's Redmine

Révision c82b960a

ID	c82b960ad4293947acbff27429bad5639d3a4692
Parent	20eaf3c2
Enfant	6c2f0f10

Ajouté par Steve Traylen il y a plus de 3 ans

rubocop:auto_correct results

     # frozen_string_literal: true
+    #
     # Produce an array of nftables.
     # nft list tables
-...
         tables = []
         table_result = Facter::Core::Execution.execute(%(#{@nft_cmd} list tables))
         table_result.each_line do |line|
           tables.push(line.split(' ')[1, 2].join('-'))
           tables.push(line.split[1, 2].join('-'))
         end
         version = Facter::Core::Execution.execute(%(#{@nft_cmd} --version))[%r{^.*v(\d+\.\d+.\d+)\s.*$}, 1]
+        {
           'tables'  => tables,
           'tables' => tables,
           'version' => version,
+        }
       end

spec/acceptance/all_rules_spec.rb
	1	# frozen_string_literal: true
	2
1	3	require 'spec_helper_acceptance'
2	4
3	5	describe 'nftables class' do

     # frozen_string_literal: true
     require 'spec_helper_acceptance'
     describe 'nftables class' do
-...
           it { is_expected.to be_directory }
         end
       end
       context 'with bad invalid nft rules' do
         it 'puppet fails but should leave nft service running' do
           pp = <<-EOS
-...
           EOS
           apply_manifest(pp, expect_failures: true)
         end
         describe service('nftables') do
           it { is_expected.to be_running }
           it { is_expected.to be_enabled }
         end
       end
       context 'with totally empty firewall' do
         it 'no rules validate okay' do
           pp = <<-EOS
-...
           EOS
           apply_manifest(pp, catch_failures: true)
         end
         describe service('nftables') do
           it { is_expected.to be_running }
           it { is_expected.to be_enabled }
         end
       end
       context 'with custom nat_table_name' do
         it 'no rules validate okay' do
           pp = <<-EOS
-...
           EOS
           apply_manifest(pp, catch_failures: true)
         end
         describe service('nftables') do
           it { is_expected.to be_running }
           it { is_expected.to be_enabled }

     # frozen_string_literal: true
     require 'spec_helper'
     describe 'nftables' do
-...
             it { is_expected.not_to contain_nftables__rule('default_fwd-bridge_lo_lo') }
             it {
               is_expected.to contain_nftables__rule('default_fwd-bridge_br0_br0').with(
               expect(subject).to contain_nftables__rule('default_fwd-bridge_br0_br0').with(
                 order: '08',
                 content: 'iifname br0 oifname br0 accept'
+              )
+            }
             it { is_expected.to contain_nftables__rule('default_fwd-bridge_br1_br1') }
             it {
               is_expected.to contain_nftables__rule('default_fwd-bridge_br1_br1').with(
               expect(subject).to contain_nftables__rule('default_fwd-bridge_br1_br1').with(
                 order: '08',
                 content: 'iifname br1 oifname br1 accept'
+              )

     # frozen_string_literal: true
     require 'spec_helper'
     describe 'nftables' do
-...
             it { is_expected.to compile }
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target: 'nftables-inet-filter-chain-default_fwd',
                 content: %r{^chain default_fwd \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
                 target: 'nftables-inet-filter-chain-default_fwd',
                 content: %r{^  iifname eth0 oifname eth1 jump ingoing$},
                 order:   '20-nftables-inet-filter-chain-default_fwd-rule-jump_ingoing-b'
                 order: '20-nftables-inet-filter-chain-default_fwd-rule-jump_ingoing-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target: 'nftables-inet-filter-chain-default_fwd',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
                 target:  'nftables-inet-filter-chain-ingoing',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
                 target: 'nftables-inet-filter-chain-ingoing',
                 content: %r{^chain ingoing \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
                 target:  'nftables-inet-filter-chain-ingoing',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
                 target: 'nftables-inet-filter-chain-ingoing',
                 content: %r{^  ip daddr 192.0.2.2 tcp dport http accept$},
                 order:   '10-nftables-inet-filter-chain-ingoing-rule-http-b'
                 order: '10-nftables-inet-filter-chain-ingoing-rule-http-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
                 target:  'nftables-inet-filter-chain-ingoing',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
                 target: 'nftables-inet-filter-chain-ingoing',
                 content: %r{^  ip daddr 192.0.2.2 tcp dport https accept$},
                 order:   '10-nftables-inet-filter-chain-ingoing-rule-https-b'
                 order: '10-nftables-inet-filter-chain-ingoing-rule-https-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
                 target:  'nftables-inet-filter-chain-ingoing',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
                 target: 'nftables-inet-filter-chain-ingoing',
                 content: %r{^  iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},
                 order:   '10-nftables-inet-filter-chain-ingoing-rule-http_alt-b'
                 order: '10-nftables-inet-filter-chain-ingoing-rule-http_alt-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
                 target:  'nftables-inet-filter-chain-ingoing',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
                 target: 'nftables-inet-filter-chain-ingoing',
                 content: %r{^  iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},
                 order:   '10-nftables-inet-filter-chain-ingoing-rule-wireguard-b'
                 order: '10-nftables-inet-filter-chain-ingoing-rule-wireguard-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
                 target:  'nftables-inet-filter-chain-ingoing',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
                 target: 'nftables-inet-filter-chain-ingoing',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path:           '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^chain PREROUTING \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  type nat hook prerouting priority -100$},
                 order:   '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
                 order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  policy accept$},
                 order:   '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
                 order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  tcp dport http dnat to 192.0.2.2$},
                 order:   '10-nftables-ip-nat-chain-PREROUTING-rule-http-b'
                 order: '10-nftables-ip-nat-chain-PREROUTING-rule-http-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  tcp dport https dnat to 192.0.2.2$},
                 order:   '10-nftables-ip-nat-chain-PREROUTING-rule-https-b'
                 order: '10-nftables-ip-nat-chain-PREROUTING-rule-https-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},
                 order:   '10-nftables-ip-nat-chain-PREROUTING-rule-http_alt-b'
                 order: '10-nftables-ip-nat-chain-PREROUTING-rule-http_alt-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  iifname eth0 udp dport 51820 dnat to 192.0.2.3$},
                 order:   '10-nftables-ip-nat-chain-PREROUTING-rule-wireguard-b'
                 order: '10-nftables-ip-nat-chain-PREROUTING-rule-wireguard-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
           end

     # frozen_string_literal: true
     require 'spec_helper'
     describe 'nftables' do
-...
           it { is_expected.to compile }
           it {
             is_expected.to contain_concat('nftables-inet-filter').with(
               path:   '/etc/nftables/puppet-preflight/inet-filter.nft',
             expect(subject).to contain_concat('nftables-inet-filter').with(
               path: '/etc/nftables/puppet-preflight/inet-filter.nft',
               ensure: 'present',
               owner:  'root',
               group:  'root',
               mode:   '0640'
               owner: 'root',
               group: 'root',
               mode: '0640'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-inet-filter-header').with(
               target:  'nftables-inet-filter',
             expect(subject).to contain_concat__fragment('nftables-inet-filter-header').with(
               target: 'nftables-inet-filter',
               content: %r{^table inet filter \{$},
               order:   '00'
               order: '00'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-inet-filter-body').with(
               target:  'nftables-inet-filter',
               order:   '98'
             expect(subject).to contain_concat__fragment('nftables-inet-filter-body').with(
               target: 'nftables-inet-filter',
               order: '98'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-inet-filter-footer').with(
               target:  'nftables-inet-filter',
             expect(subject).to contain_concat__fragment('nftables-inet-filter-footer').with(
               target: 'nftables-inet-filter',
               content: %r{^\}$},
               order:   '99'
               order: '99'
+            )
+          }
           context 'chain input' do
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-INPUT').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-INPUT.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-INPUT').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-INPUT.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-header').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-header').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^chain INPUT \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-type').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-type').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  type filter hook input priority 0$},
                 order:   '01-nftables-inet-filter-chain-INPUT-rule-type-b'
                 order: '01-nftables-inet-filter-chain-INPUT-rule-type-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-policy').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-policy').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  policy drop$},
                 order:   '02-nftables-inet-filter-chain-INPUT-rule-policy-b'
                 order: '02-nftables-inet-filter-chain-INPUT-rule-policy-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-lo').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-lo').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  iifname lo accept$},
                 order:   '03-nftables-inet-filter-chain-INPUT-rule-lo-b'
                 order: '03-nftables-inet-filter-chain-INPUT-rule-lo-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_global').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_global').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  jump global$},
                 order:   '04-nftables-inet-filter-chain-INPUT-rule-jump_global-b'
                 order: '04-nftables-inet-filter-chain-INPUT-rule-jump_global-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  ct state established,related accept$},
                 order:   '05-nftables-inet-filter-chain-INPUT-rule-accept_established_related-b'
                 order: '05-nftables-inet-filter-chain-INPUT-rule-accept_established_related-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  ct state invalid drop$},
                 order:   '06-nftables-inet-filter-chain-INPUT-rule-drop_invalid-b'
                 order: '06-nftables-inet-filter-chain-INPUT-rule-drop_invalid-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  jump default_in$},
                 order:   '10-nftables-inet-filter-chain-INPUT-rule-jump_default_in-b'
                 order: '10-nftables-inet-filter-chain-INPUT-rule-jump_default_in-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix "\[nftables\] INPUT Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  reject with icmpx type port-unreachable$},
                 order:   '98-nftables-inet-filter-chain-INPUT-rule-reject-b'
                 order: '98-nftables-inet-filter-chain-INPUT-rule-reject-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-footer').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-footer').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_in').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-default_in.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-default_in').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_in.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-header').with(
                 target:  'nftables-inet-filter-chain-default_in',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_in-header').with(
                 target: 'nftables-inet-filter-chain-default_in',
                 content: %r{^chain default_in \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-footer').with(
                 target:  'nftables-inet-filter-chain-default_in',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_in-footer').with(
                 target: 'nftables-inet-filter-chain-default_in',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-rule-ssh').with(
                 target:  'nftables-inet-filter-chain-default_in',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_in-rule-ssh').with(
                 target: 'nftables-inet-filter-chain-default_in',
                 content: %r{^  tcp dport \{22\} accept$},
                 order:   '50-nftables-inet-filter-chain-default_in-rule-ssh-b'
                 order: '50-nftables-inet-filter-chain-default_in-rule-ssh-b'
+              )
+            }
             it {
               is_expected.to contain_class('nftables::rules::icmp')
               expect(subject).to contain_class('nftables::rules::icmp')
+            }
           end
           context 'chain output' do
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-OUTPUT').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-OUTPUT.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-OUTPUT').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-OUTPUT.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-header').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-header').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^chain OUTPUT \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-type').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-type').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  type filter hook output priority 0$},
                 order:   '01-nftables-inet-filter-chain-OUTPUT-rule-type-b'
                 order: '01-nftables-inet-filter-chain-OUTPUT-rule-type-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-policy').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-policy').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  policy drop$},
                 order:   '02-nftables-inet-filter-chain-OUTPUT-rule-policy-b'
                 order: '02-nftables-inet-filter-chain-OUTPUT-rule-policy-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-lo').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-lo').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  oifname lo accept$},
                 order:   '03-nftables-inet-filter-chain-OUTPUT-rule-lo-b'
                 order: '03-nftables-inet-filter-chain-OUTPUT-rule-lo-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_global').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_global').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  jump global$},
                 order:   '04-nftables-inet-filter-chain-OUTPUT-rule-jump_global-b'
                 order: '04-nftables-inet-filter-chain-OUTPUT-rule-jump_global-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  ct state established,related accept$},
                 order:   '05-nftables-inet-filter-chain-OUTPUT-rule-accept_established_related-b'
                 order: '05-nftables-inet-filter-chain-OUTPUT-rule-accept_established_related-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  ct state invalid drop$},
                 order:   '06-nftables-inet-filter-chain-OUTPUT-rule-drop_invalid-b'
                 order: '06-nftables-inet-filter-chain-OUTPUT-rule-drop_invalid-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  jump default_out$},
                 order:   '10-nftables-inet-filter-chain-OUTPUT-rule-jump_default_out-b'
                 order: '10-nftables-inet-filter-chain-OUTPUT-rule-jump_default_out-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix "\[nftables\] OUTPUT Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  reject with icmpx type port-unreachable$},
                 order:   '98-nftables-inet-filter-chain-OUTPUT-rule-reject-b'
                 order: '98-nftables-inet-filter-chain-OUTPUT-rule-reject-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-footer').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-footer').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_out').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-default_out.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-default_out').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_out.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-header').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-header').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^chain default_out \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-footer').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-footer').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^  udp dport 53 accept$},
                 order:   '50-nftables-inet-filter-chain-default_out-rule-dnsudp-b'
                 order: '50-nftables-inet-filter-chain-default_out-rule-dnsudp-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^  tcp dport 53 accept$},
                 order:   '50-nftables-inet-filter-chain-default_out-rule-dnstcp-b'
                 order: '50-nftables-inet-filter-chain-default_out-rule-dnstcp-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^  udp dport 123 accept$},
                 order:   '50-nftables-inet-filter-chain-default_out-rule-chrony-b'
                 order: '50-nftables-inet-filter-chain-default_out-rule-chrony-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-http').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-http').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^  tcp dport 80 accept$},
                 order:   '50-nftables-inet-filter-chain-default_out-rule-http-b'
                 order: '50-nftables-inet-filter-chain-default_out-rule-http-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-https').with(
                 target:  'nftables-inet-filter-chain-default_out',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-https').with(
                 target: 'nftables-inet-filter-chain-default_out',
                 content: %r{^  tcp dport 443 accept$},
                 order:   '50-nftables-inet-filter-chain-default_out-rule-https-b'
                 order: '50-nftables-inet-filter-chain-default_out-rule-https-b'
+              )
+            }
             it {
               is_expected.to contain_class('nftables::rules::out::icmp')
               expect(subject).to contain_class('nftables::rules::out::icmp')
+            }
           end
           context 'chain forward' do
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-FORWARD').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-FORWARD.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-FORWARD').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-FORWARD.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-header').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-header').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^chain FORWARD \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-type').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-type').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  type filter hook forward priority 0$},
                 order:   '01-nftables-inet-filter-chain-FORWARD-rule-type-b'
                 order: '01-nftables-inet-filter-chain-FORWARD-rule-type-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-policy').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-policy').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  policy drop$},
                 order:   '02-nftables-inet-filter-chain-FORWARD-rule-policy-b'
                 order: '02-nftables-inet-filter-chain-FORWARD-rule-policy-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_global').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_global').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  jump global$},
                 order:   '03-nftables-inet-filter-chain-FORWARD-rule-jump_global-b'
                 order: '03-nftables-inet-filter-chain-FORWARD-rule-jump_global-b'
+              )
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  jump default_fwd$},
                 order:   '10-nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd-b'
                 order: '10-nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix "\[nftables\] FORWARD Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  reject with icmpx type port-unreachable$},
                 order:   '98-nftables-inet-filter-chain-FORWARD-rule-reject-b'
                 order: '98-nftables-inet-filter-chain-FORWARD-rule-reject-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-footer').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-footer').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-default_fwd').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(
                 target: 'nftables-inet-filter-chain-default_fwd',
                 content: %r{^chain default_fwd \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target:  'nftables-inet-filter-chain-default_fwd',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(
                 target: 'nftables-inet-filter-chain-default_fwd',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
           end
           context 'chain global' do
             it {
               is_expected.to contain_concat('nftables-inet-filter-chain-global').with(
                 path:           '/etc/nftables/puppet-preflight/inet-filter-chain-global.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-inet-filter-chain-global').with(
                 path: '/etc/nftables/puppet-preflight/inet-filter-chain-global.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-global-header').with(
                 target:  'nftables-inet-filter-chain-global',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-global-header').with(
                 target: 'nftables-inet-filter-chain-global',
                 content: %r{^chain global \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
           end
-...
             let(:pre_condition) { 'class{\'nftables\': log_prefix => "test "}' }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"test " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix "test " flags all counter$},
                 order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"test " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix "test " flags all counter$},
                 order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \"test " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix "test " flags all counter$},
                 order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
+              )
+            }
           end
-...
             let(:pre_condition) { 'class{\'nftables\': log_prefix => " bar [%<chain>s] "}' }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \" bar \[INPUT\] " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix " bar \[INPUT\] " flags all counter$},
                 order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \" bar \[OUTPUT\] " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix " bar \[OUTPUT\] " flags all counter$},
                 order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix \" bar \[FORWARD\] " flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 3/minute burst 5 packets log prefix " bar \[FORWARD\] " flags all counter$},
                 order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
+              )
+            }
           end
-...
             end
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  log prefix "\[nftables\] INPUT Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  log prefix "\[nftables\] OUTPUT Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  log prefix "\[nftables\] FORWARD Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
+              )
+            }
           end
-...
             end
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 5/minute log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  limit rate 5/minute log prefix "\[nftables\] INPUT Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-INPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 5/minute log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  limit rate 5/minute log prefix "\[nftables\] OUTPUT Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-OUTPUT-rule-log_discarded-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 5/minute log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
                 order:   '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  limit rate 5/minute log prefix "\[nftables\] FORWARD Rejected: " flags all counter$},
                 order: '97-nftables-inet-filter-chain-FORWARD-rule-log_discarded-b'
+              )
+            }
           end
-...
             end
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded')
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject')
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded')
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject')
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded')
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject')
+            }
           end
-...
             end
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
                 target:  'nftables-inet-filter-chain-INPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
                 target: 'nftables-inet-filter-chain-INPUT',
                 content: %r{^  reject with tcp reset$},
                 order:   '98-nftables-inet-filter-chain-INPUT-rule-reject-b'
                 order: '98-nftables-inet-filter-chain-INPUT-rule-reject-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
                 target:  'nftables-inet-filter-chain-OUTPUT',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
                 target: 'nftables-inet-filter-chain-OUTPUT',
                 content: %r{^  reject with tcp reset$},
                 order:   '98-nftables-inet-filter-chain-OUTPUT-rule-reject-b'
                 order: '98-nftables-inet-filter-chain-OUTPUT-rule-reject-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
                 target:  'nftables-inet-filter-chain-FORWARD',
               expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
                 target: 'nftables-inet-filter-chain-FORWARD',
                 content: %r{^  reject with tcp reset$},
                 order:   '98-nftables-inet-filter-chain-FORWARD-rule-reject-b'
                 order: '98-nftables-inet-filter-chain-FORWARD-rule-reject-b'
+              )
+            }
           end
-...
             let(:params) do
+              {
                 'in_out_conntrack' => false,
                 'fwd_conntrack'    => false,
                 'fwd_conntrack' => false,
+              }
             end
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
+            }
             it {
               is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
               expect(subject).not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
+            }
           end
-...
             end
             it {
               is_expected.not_to contain_class('nftables::rules::icmp')
               expect(subject).not_to contain_class('nftables::rules::icmp')
+            }
             it {
               is_expected.not_to contain_class('nftables::rules::out::icmp')
               expect(subject).not_to contain_class('nftables::rules::out::icmp')
+            }
           end
         end

     # frozen_string_literal: true
     require 'spec_helper'
     describe 'nftables' do
-...
           it { is_expected.to compile }
           it {
             is_expected.to contain_concat('nftables-ip-nat').with(
               path:   '/etc/nftables/puppet-preflight/ip-nat.nft',
             expect(subject).to contain_concat('nftables-ip-nat').with(
               path: '/etc/nftables/puppet-preflight/ip-nat.nft',
               ensure: 'present',
               owner:  'root',
               group:  'root',
               mode:   '0640'
               owner: 'root',
               group: 'root',
               mode: '0640'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-ip-nat-header').with(
               target:  'nftables-ip-nat',
             expect(subject).to contain_concat__fragment('nftables-ip-nat-header').with(
               target: 'nftables-ip-nat',
               content: %r{^table ip nat \{$},
               order:   '00'
               order: '00'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-ip-nat-body').with(
               target:  'nftables-ip-nat',
             expect(subject).to contain_concat__fragment('nftables-ip-nat-body').with(
               target: 'nftables-ip-nat',
               content: %r{^\s+include "ip-nat-chain-\*\.nft"$},
               order:   '98'
               order: '98'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-ip-nat-footer').with(
               target:  'nftables-ip-nat',
             expect(subject).to contain_concat__fragment('nftables-ip-nat-footer').with(
               target: 'nftables-ip-nat',
               content: %r{^\}$},
               order:   '99'
               order: '99'
+            )
+          }
           it {
             is_expected.to contain_concat('nftables-ip6-nat').with(
               path:   '/etc/nftables/puppet-preflight/ip6-nat.nft',
             expect(subject).to contain_concat('nftables-ip6-nat').with(
               path: '/etc/nftables/puppet-preflight/ip6-nat.nft',
               ensure: 'present',
               owner:  'root',
               group:  'root',
               mode:   '0640'
               owner: 'root',
               group: 'root',
               mode: '0640'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-ip6-nat-header').with(
               target:  'nftables-ip6-nat',
             expect(subject).to contain_concat__fragment('nftables-ip6-nat-header').with(
               target: 'nftables-ip6-nat',
               content: %r{^table ip6 nat \{$},
               order:   '00'
               order: '00'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-ip6-nat-body').with(
               target:  'nftables-ip6-nat',
             expect(subject).to contain_concat__fragment('nftables-ip6-nat-body').with(
               target: 'nftables-ip6-nat',
               content: %r{^\s+include "ip6-nat-chain-\*\.nft"$},
               order:   '98'
               order: '98'
+            )
+          }
           it {
             is_expected.to contain_concat__fragment('nftables-ip6-nat-footer').with(
               target:  'nftables-ip6-nat',
             expect(subject).to contain_concat__fragment('nftables-ip6-nat-footer').with(
               target: 'nftables-ip6-nat',
               content: %r{^\}$},
               order:   '99'
               order: '99'
+            )
+          }
           context 'table ip nat chain prerouting' do
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path:           '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
                 path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^chain PREROUTING \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  type nat hook prerouting priority -100$},
                 order:   '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
                 order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^  policy accept$},
                 order:   '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
                 order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target:  'nftables-ip-nat-chain-PREROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
                 target: 'nftables-ip-nat-chain-PREROUTING',
                 content: %r{^\}$},
                 order:   '99'
                 order: '99'
+              )
+            }
           end
           context 'table ip nat chain postrouting' do
             it {
               is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
                 path:           '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
                 owner:          'root',
                 group:          'root',
                 mode:           '0640',
               expect(subject).to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
                 path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
                 owner: 'root',
                 group: 'root',
                 mode: '0640',
                 ensure_newline: true
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',
               expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
                 target: 'nftables-ip-nat-chain-POSTROUTING',
                 content: %r{^chain POSTROUTING \{$},
                 order:   '00'
                 order: '00'
+              )
+            }
             it {
               is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
                 target:  'nftables-ip-nat-chain-POSTROUTING',

... Ce différentiel a été tronqué car il excède la taille maximale pouvant être affichée.

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision c82b960a