Révision c82b960a
rubocop:auto_correct results
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 1 |
# frozen_string_literal: true |
|
| 2 |
|
|
| 1 | 3 |
require 'spec_helper' |
| 2 | 4 |
|
| 3 | 5 |
describe 'nftables' do |
| ... | ... | |
| 12 | 14 |
it { is_expected.to contain_package('nftables') }
|
| 13 | 15 |
|
| 14 | 16 |
it {
|
| 15 |
is_expected.to contain_file('/etc/nftables/puppet.nft').with(
|
|
| 17 |
expect(subject).to contain_file('/etc/nftables/puppet.nft').with(
|
|
| 16 | 18 |
ensure: 'file', |
| 17 |
owner: 'root',
|
|
| 18 |
group: 'root',
|
|
| 19 |
mode: '0640',
|
|
| 19 |
owner: 'root', |
|
| 20 |
group: 'root', |
|
| 21 |
mode: '0640', |
|
| 20 | 22 |
content: %r{flush ruleset}
|
| 21 | 23 |
) |
| 22 | 24 |
} |
| 23 | 25 |
|
| 24 | 26 |
it {
|
| 25 |
is_expected.to contain_file('/etc/nftables/puppet').with(
|
|
| 26 |
ensure: 'directory',
|
|
| 27 |
owner: 'root',
|
|
| 28 |
group: 'root',
|
|
| 29 |
mode: '0750',
|
|
| 30 |
purge: true,
|
|
| 31 |
force: true,
|
|
| 27 |
expect(subject).to contain_file('/etc/nftables/puppet').with(
|
|
| 28 |
ensure: 'directory', |
|
| 29 |
owner: 'root', |
|
| 30 |
group: 'root', |
|
| 31 |
mode: '0750', |
|
| 32 |
purge: true, |
|
| 33 |
force: true, |
|
| 32 | 34 |
recurse: true |
| 33 | 35 |
) |
| 34 | 36 |
} |
| 35 | 37 |
|
| 36 | 38 |
it {
|
| 37 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with(
|
|
| 39 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').with(
|
|
| 38 | 40 |
ensure: 'file', |
| 39 |
owner: 'root',
|
|
| 40 |
group: 'root',
|
|
| 41 |
mode: '0640',
|
|
| 41 |
owner: 'root', |
|
| 42 |
group: 'root', |
|
| 43 |
mode: '0640', |
|
| 42 | 44 |
content: %r{flush ruleset}
|
| 43 | 45 |
) |
| 44 | 46 |
} |
| 45 | 47 |
|
| 46 | 48 |
it {
|
| 47 |
is_expected.to contain_file('/etc/nftables/puppet-preflight').with(
|
|
| 48 |
ensure: 'directory',
|
|
| 49 |
owner: 'root',
|
|
| 50 |
group: 'root',
|
|
| 51 |
mode: '0750',
|
|
| 52 |
purge: true,
|
|
| 53 |
force: true,
|
|
| 49 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight').with(
|
|
| 50 |
ensure: 'directory', |
|
| 51 |
owner: 'root', |
|
| 52 |
group: 'root', |
|
| 53 |
mode: '0750', |
|
| 54 |
purge: true, |
|
| 55 |
force: true, |
|
| 54 | 56 |
recurse: true |
| 55 | 57 |
) |
| 56 | 58 |
} |
| 57 | 59 |
|
| 58 | 60 |
it {
|
| 59 |
is_expected.to contain_exec('nft validate').with(
|
|
| 61 |
expect(subject).to contain_exec('nft validate').with(
|
|
| 60 | 62 |
refreshonly: true, |
| 61 | 63 |
command: %r{^/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*}
|
| 62 | 64 |
) |
| 63 | 65 |
} |
| 64 | 66 |
|
| 65 | 67 |
it {
|
| 66 |
is_expected.to contain_service('nftables').with(
|
|
| 68 |
expect(subject).to contain_service('nftables').with(
|
|
| 67 | 69 |
ensure: 'running', |
| 68 | 70 |
enable: true, |
| 69 | 71 |
hasrestart: true, |
| ... | ... | |
| 72 | 74 |
} |
| 73 | 75 |
|
| 74 | 76 |
it {
|
| 75 |
is_expected.to contain_systemd__dropin_file('puppet_nft.conf').with(
|
|
| 77 |
expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
|
|
| 76 | 78 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$}
|
| 77 | 79 |
) |
| 78 | 80 |
} |
| 79 | 81 |
|
| 80 | 82 |
it {
|
| 81 |
is_expected.to contain_service('firewalld').with(
|
|
| 83 |
expect(subject).to contain_service('firewalld').with(
|
|
| 82 | 84 |
ensure: 'stopped', |
| 83 | 85 |
enable: 'mask' |
| 84 | 86 |
) |
| 85 | 87 |
} |
| 88 |
|
|
| 86 | 89 |
it { is_expected.to contain_class('nftables::inet_filter') }
|
| 87 | 90 |
it { is_expected.to contain_class('nftables::ip_nat') }
|
| 88 | 91 |
it { is_expected.to contain_class('nftables::rules::out::http') }
|
| ... | ... | |
| 121 | 124 |
end |
| 122 | 125 |
|
| 123 | 126 |
it {
|
| 124 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
|
|
| 125 |
target: 'nftables-inet-filter-chain-INPUT',
|
|
| 127 |
expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
|
|
| 128 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 126 | 129 |
content: %r{^ iifname eth0 tcp dport \{ 80, 443 \} accept$},
|
| 127 |
order: '50-nftables-inet-filter-chain-INPUT-rule-web_accept-b'
|
|
| 130 |
order: '50-nftables-inet-filter-chain-INPUT-rule-web_accept-b' |
|
| 128 | 131 |
) |
| 129 | 132 |
} |
| 130 | 133 |
end |
| ... | ... | |
| 146 | 149 |
end |
| 147 | 150 |
|
| 148 | 151 |
it {
|
| 149 |
is_expected.to contain_nftables__set('testset1').with(
|
|
| 152 |
expect(subject).to contain_nftables__set('testset1').with(
|
|
| 150 | 153 |
type: 'ipv4_addr', |
| 151 | 154 |
gc_interval: 2, |
| 152 | 155 |
table: 'inet-filter' |
| 153 | 156 |
) |
| 154 | 157 |
} |
| 158 |
|
|
| 155 | 159 |
it {
|
| 156 |
is_expected.to contain_nftables__set('testset2').with(
|
|
| 160 |
expect(subject).to contain_nftables__set('testset2').with(
|
|
| 157 | 161 |
type: 'ipv6_addr', |
| 158 | 162 |
elements: ['2a02:62:c601::dead:beef'], |
| 159 | 163 |
table: 'inet-filter' |
| ... | ... | |
| 169 | 173 |
end |
| 170 | 174 |
|
| 171 | 175 |
it {
|
| 172 |
is_expected.to contain_service('firewalld').with(
|
|
| 176 |
expect(subject).to contain_service('firewalld').with(
|
|
| 173 | 177 |
ensure: 'stopped', |
| 174 | 178 |
enable: false |
| 175 | 179 |
) |
| ... | ... | |
| 216 | 220 |
|
| 217 | 221 |
context 'with nftables fact matching' do |
| 218 | 222 |
let(:facts) do |
| 219 |
super().merge(nftables: { tables: ['inet-abc', 'inet-f2b-table'] })
|
|
| 223 |
super().merge(nftables: { tables: %w[inet-abc inet-f2b-table] })
|
|
| 220 | 224 |
end |
| 221 | 225 |
|
| 222 | 226 |
it {
|
| 223 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 227 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 224 | 228 |
with_content(%r{^table inet abc \{\}$})
|
| 225 | 229 |
} |
| 230 |
|
|
| 226 | 231 |
it {
|
| 227 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 232 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 228 | 233 |
with_content(%r{^flush table inet abc$})
|
| 229 | 234 |
} |
| 230 | 235 |
end |
| 236 |
|
|
| 231 | 237 |
context 'with nftables fact not matching' do |
| 232 | 238 |
let(:facts) do |
| 233 |
super().merge(nftables: { tables: ['inet-abc', 'inet-ijk'] })
|
|
| 239 |
super().merge(nftables: { tables: %w[inet-abc inet-ijk] })
|
|
| 234 | 240 |
end |
| 235 | 241 |
|
| 236 | 242 |
it {
|
| 237 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 243 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 238 | 244 |
with_content(%r{^table inet abc \{\}$})
|
| 239 | 245 |
} |
| 246 |
|
|
| 240 | 247 |
it {
|
| 241 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 248 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 242 | 249 |
with_content(%r{^flush table inet abc$})
|
| 243 | 250 |
} |
| 251 |
|
|
| 244 | 252 |
it {
|
| 245 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 253 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 246 | 254 |
with_content(%r{^table inet ijk \{\}$})
|
| 247 | 255 |
} |
| 256 |
|
|
| 248 | 257 |
it {
|
| 249 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 258 |
expect(subject).to contain_file('/etc/nftables/puppet-preflight.nft').
|
|
| 250 | 259 |
with_content(%r{^flush table inet ijk$})
|
| 251 | 260 |
} |
| 252 | 261 |
end |
Formats disponibles : Unified diff