puppet nftables

# frozen_string_literal: true

require 'spec_helper'

describe 'nftables' do

  let(:pre_condition) { 'Exec{path => "/bin"}' }

  on_supported_os.each do |os, os_facts|

    context "on #{os}" do

      let(:facts) { os_facts }

      nft_mode = case os_facts[:os]['family']

                 when 'RedHat'

                   '0600'

                 else

                   '0640'

                 end

      context 'with dnat' do

        let(:pre_condition) do

          '

          # inet-filter-chain-ingoing

          nftables::chain{ \'ingoing\':

            inject     => \'20-default_fwd\',

            inject_iif => \'eth0\',

            inject_oif => \'eth1\';

          }

          # inet-filter-chain-default_fwd

          nftables::rules::dnat4{

            \'http\':

              order => \'10\',

              chain => \'ingoing\',

              daddr => \'192.0.2.2\',

              port  => \'http\';

            \'https\':

              order => \'10\',

              chain => \'ingoing\',

              daddr => \'192.0.2.2\',

              port  => \'https\';

            \'http_alt\':

              order => \'10\',

              chain => \'ingoing\',

              iif   => \'eth0\',

              daddr => \'192.0.2.2\',

              proto => \'tcp\',

              port  => 8080,

              dport => 8000;

            \'wireguard\':

              order => \'10\',

              chain => \'ingoing\',

              iif   => \'eth0\',

              daddr => \'192.0.2.3\',

              proto => \'udp\',

              port  => \'51820\';

          }

          '

        end

        it { is_expected.to compile }

        it {

          expect(subject).to contain_concat('nftables-inet-filter-chain-default_fwd').with(

            path: '/etc/nftables/puppet-preflight/inet-filter-chain-default_fwd.nft',

            owner: 'root',

            group: 'root',

            mode: nft_mode,

            ensure_newline: true

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-header').with(

            target: 'nftables-inet-filter-chain-default_fwd',

            content: %r{^chain default_fwd \{$},

            order: '00'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(

            target: 'nftables-inet-filter-chain-default_fwd',

            content: %r{^  iifname eth0 oifname eth1 jump ingoing$},

            order: '20-nftables-inet-filter-chain-default_fwd-rule-jump_ingoing-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-footer').with(

            target: 'nftables-inet-filter-chain-default_fwd',

            content: %r{^\}$},

            order: '99'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(

            target: 'nftables-inet-filter-chain-ingoing',

            content: %r{^chain ingoing \{$},

            order: '00'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(

            target: 'nftables-inet-filter-chain-ingoing',

            content: %r{^  ip daddr 192.0.2.2 tcp dport http accept$},

            order: '10-nftables-inet-filter-chain-ingoing-rule-http-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(

            target: 'nftables-inet-filter-chain-ingoing',

            content: %r{^  ip daddr 192.0.2.2 tcp dport https accept$},

            order: '10-nftables-inet-filter-chain-ingoing-rule-https-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(

            target: 'nftables-inet-filter-chain-ingoing',

            content: %r{^  iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},

            order: '10-nftables-inet-filter-chain-ingoing-rule-http_alt-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(

            target: 'nftables-inet-filter-chain-ingoing',

            content: %r{^  iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},

            order: '10-nftables-inet-filter-chain-ingoing-rule-wireguard-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(

            target: 'nftables-inet-filter-chain-ingoing',

            content: %r{^\}$},

            order: '99'

          )

        }

        it {

          expect(subject).to contain_concat('nftables-ip-nat-chain-PREROUTING').with(

            path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',

            owner: 'root',

            group: 'root',

            mode: nft_mode,

            ensure_newline: true

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^chain PREROUTING \{$},

            order: '00'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^  type nat hook prerouting priority -100$},

            order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^  policy accept$},

            order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^  tcp dport http dnat to 192.0.2.2$},

            order: '10-nftables-ip-nat-chain-PREROUTING-rule-http-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^  tcp dport https dnat to 192.0.2.2$},

            order: '10-nftables-ip-nat-chain-PREROUTING-rule-https-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^  iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},

            order: '10-nftables-ip-nat-chain-PREROUTING-rule-http_alt-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^  iifname eth0 udp dport 51820 dnat to 192.0.2.3$},

            order: '10-nftables-ip-nat-chain-PREROUTING-rule-wireguard-b'

          )

        }

        it {

          expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(

            target: 'nftables-ip-nat-chain-PREROUTING',

            content: %r{^\}$},

            order: '99'

          )

        }

      end

    end

  end

end