/spec/classes/ip_nat_spec.rb - Annoter - puppet nftables - Koumbit's Redmine

Télécharger au format

root / spec / classes / ip_nat_spec.rb @ e499cece

Historique | Voir | Annoter | Télécharger (9,47 ko)

1	c82b960a	Steve Traylen	# frozen_string_literal: true
2
3	422b6851	tr	require 'spec_helper'
4
5			describe 'nftables' do
6			let(:pre_condition) { 'Exec{path => "/bin"}' }
7
8			on_supported_os.each do \|os, os_facts\|
9			context "on #{os}" do
10			let(:facts) { os_facts }
11
12	0b7bcb5d	mh	nft_mode = case os_facts[:os]['family']
13			when 'RedHat'
14			'0600'
15			else
16			'0640'
17			end
18
19	422b6851	tr	it { is_expected.to compile }
20
21	01d8a819	tr	it {
22	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip-nat').with(
23			path: '/etc/nftables/puppet-preflight/ip-nat.nft',
24	e4c32222	Nacho Barrientos	ensure: 'present',
25	c82b960a	Steve Traylen	owner: 'root',
26			group: 'root',
27	0b7bcb5d	mh	mode: nft_mode
28	01d8a819	tr	)
29			}
30	422b6851	tr
31	248ef9d5	tr	it {
32	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-header').with(
33			target: 'nftables-ip-nat',
34	e4c32222	Nacho Barrientos	content: %r{^table ip nat \{$},
35	c82b960a	Steve Traylen	order: '00'
36	e4c32222	Nacho Barrientos	)
37			}
38
39			it {
40	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-body').with(
41			target: 'nftables-ip-nat',
42	fcb1d356	Nacho Barrientos	content: %r{^\s+include "ip-nat-chain-\*\.nft"$},
43	c82b960a	Steve Traylen	order: '98'
44	e4c32222	Nacho Barrientos	)
45			}
46
47			it {
48	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-footer').with(
49			target: 'nftables-ip-nat',
50	e4c32222	Nacho Barrientos	content: %r{^\}$},
51	c82b960a	Steve Traylen	order: '99'
52	e4c32222	Nacho Barrientos	)
53			}
54
55			it {
56	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip6-nat').with(
57			path: '/etc/nftables/puppet-preflight/ip6-nat.nft',
58	e4c32222	Nacho Barrientos	ensure: 'present',
59	c82b960a	Steve Traylen	owner: 'root',
60			group: 'root',
61	0b7bcb5d	mh	mode: nft_mode
62	248ef9d5	tr	)
63			}
64
65	e4c32222	Nacho Barrientos	it {
66	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-header').with(
67			target: 'nftables-ip6-nat',
68	e4c32222	Nacho Barrientos	content: %r{^table ip6 nat \{$},
69	c82b960a	Steve Traylen	order: '00'
70	e4c32222	Nacho Barrientos	)
71			}
72
73			it {
74	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-body').with(
75			target: 'nftables-ip6-nat',
76	fcb1d356	Nacho Barrientos	content: %r{^\s+include "ip6-nat-chain-\*\.nft"$},
77	c82b960a	Steve Traylen	order: '98'
78	e4c32222	Nacho Barrientos	)
79			}
80
81			it {
82	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-footer').with(
83			target: 'nftables-ip6-nat',
84	e4c32222	Nacho Barrientos	content: %r{^\}$},
85	c82b960a	Steve Traylen	order: '99'
86	e4c32222	Nacho Barrientos	)
87			}
88
89	248ef9d5	tr	context 'table ip nat chain prerouting' do
90	01d8a819	tr	it {
91	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
92			path: '/etc/nftables/puppet-preflight/ip-nat-chain-PREROUTING.nft',
93			owner: 'root',
94			group: 'root',
95	0b7bcb5d	mh	mode: nft_mode,
96	fa92e118	Romain Tartière	ensure_newline: true
97	01d8a819	tr	)
98			}
99	c82b960a	Steve Traylen
100	01d8a819	tr	it {
101	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-header').with(
102			target: 'nftables-ip-nat-chain-PREROUTING',
103	01d8a819	tr	content: %r{^chain PREROUTING \{$},
104	c82b960a	Steve Traylen	order: '00'
105	01d8a819	tr	)
106			}
107	c82b960a	Steve Traylen
108	01d8a819	tr	it {
109	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
110			target: 'nftables-ip-nat-chain-PREROUTING',
111	01d8a819	tr	content: %r{^ type nat hook prerouting priority -100$},
112	c82b960a	Steve Traylen	order: '01-nftables-ip-nat-chain-PREROUTING-rule-type-b'
113	01d8a819	tr	)
114			}
115	c82b960a	Steve Traylen
116	01d8a819	tr	it {
117	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
118			target: 'nftables-ip-nat-chain-PREROUTING',
119	01d8a819	tr	content: %r{^ policy accept$},
120	c82b960a	Steve Traylen	order: '02-nftables-ip-nat-chain-PREROUTING-rule-policy-b'
121	01d8a819	tr	)
122			}
123	c82b960a	Steve Traylen
124	01d8a819	tr	it {
125	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
126			target: 'nftables-ip-nat-chain-PREROUTING',
127	01d8a819	tr	content: %r{^\}$},
128	c82b960a	Steve Traylen	order: '99'
129	01d8a819	tr	)
130			}
131	422b6851	tr	end
132
133	6c2f0f10	Steve Traylen	context 'table ipv4 nat chain postrouting' do
134	01d8a819	tr	it {
135	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
136			path: '/etc/nftables/puppet-preflight/ip-nat-chain-POSTROUTING.nft',
137			owner: 'root',
138			group: 'root',
139	0b7bcb5d	mh	mode: nft_mode,
140	fa92e118	Romain Tartière	ensure_newline: true
141	01d8a819	tr	)
142			}
143	c82b960a	Steve Traylen
144	01d8a819	tr	it {
145	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-header').with(
146			target: 'nftables-ip-nat-chain-POSTROUTING',
147	01d8a819	tr	content: %r{^chain POSTROUTING \{$},
148	c82b960a	Steve Traylen	order: '00'
149	01d8a819	tr	)
150			}
151	c82b960a	Steve Traylen
152	01d8a819	tr	it {
153	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
154			target: 'nftables-ip-nat-chain-POSTROUTING',
155	01d8a819	tr	content: %r{^ type nat hook postrouting priority 100$},
156	c82b960a	Steve Traylen	order: '01-nftables-ip-nat-chain-POSTROUTING-rule-type-b'
157	01d8a819	tr	)
158			}
159	c82b960a	Steve Traylen
160	01d8a819	tr	it {
161	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
162			target: 'nftables-ip-nat-chain-POSTROUTING',
163	01d8a819	tr	content: %r{^ policy accept$},
164	c82b960a	Steve Traylen	order: '02-nftables-ip-nat-chain-POSTROUTING-rule-policy-b'
165	01d8a819	tr	)
166			}
167	c82b960a	Steve Traylen
168	01d8a819	tr	it {
169	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-footer').with(
170			target: 'nftables-ip-nat-chain-POSTROUTING',
171	01d8a819	tr	content: %r{^\}$},
172	c82b960a	Steve Traylen	order: '99'
173	01d8a819	tr	)
174			}
175	422b6851	tr	end
176	248ef9d5	tr
177			context 'table ip6 nat chain prerouting' do
178			it {
179	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip6-nat-chain-PREROUTING6').with(
180			path: '/etc/nftables/puppet-preflight/ip6-nat-chain-PREROUTING6.nft',
181			owner: 'root',
182			group: 'root',
183	0b7bcb5d	mh	mode: nft_mode,
184	fa92e118	Romain Tartière	ensure_newline: true
185	248ef9d5	tr	)
186			}
187	c82b960a	Steve Traylen
188	248ef9d5	tr	it {
189	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-header').with(
190			target: 'nftables-ip6-nat-chain-PREROUTING6',
191	248ef9d5	tr	content: %r{^chain PREROUTING6 \{$},
192	c82b960a	Steve Traylen	order: '00'
193	248ef9d5	tr	)
194			}
195	c82b960a	Steve Traylen
196	248ef9d5	tr	it {
197	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-type').with(
198			target: 'nftables-ip6-nat-chain-PREROUTING6',
199	248ef9d5	tr	content: %r{^ type nat hook prerouting priority -100$},
200	c82b960a	Steve Traylen	order: '01-nftables-ip6-nat-chain-PREROUTING6-rule-type-b'
201	248ef9d5	tr	)
202			}
203	c82b960a	Steve Traylen
204	248ef9d5	tr	it {
205	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-policy').with(
206			target: 'nftables-ip6-nat-chain-PREROUTING6',
207	248ef9d5	tr	content: %r{^ policy accept$},
208	c82b960a	Steve Traylen	order: '02-nftables-ip6-nat-chain-PREROUTING6-rule-policy-b'
209	248ef9d5	tr	)
210			}
211	c82b960a	Steve Traylen
212	248ef9d5	tr	it {
213	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-footer').with(
214			target: 'nftables-ip6-nat-chain-PREROUTING6',
215	248ef9d5	tr	content: %r{^\}$},
216	c82b960a	Steve Traylen	order: '99'
217	248ef9d5	tr	)
218			}
219			end
220
221	6c2f0f10	Steve Traylen	context 'table ipv6 nat chain postrouting' do
222	248ef9d5	tr	it {
223	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip6-nat-chain-POSTROUTING6').with(
224			path: '/etc/nftables/puppet-preflight/ip6-nat-chain-POSTROUTING6.nft',
225			owner: 'root',
226			group: 'root',
227	0b7bcb5d	mh	mode: nft_mode,
228	fa92e118	Romain Tartière	ensure_newline: true
229	248ef9d5	tr	)
230			}
231	c82b960a	Steve Traylen
232	248ef9d5	tr	it {
233	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-header').with(
234			target: 'nftables-ip6-nat-chain-POSTROUTING6',
235	248ef9d5	tr	content: %r{^chain POSTROUTING6 \{$},
236	c82b960a	Steve Traylen	order: '00'
237	248ef9d5	tr	)
238			}
239	c82b960a	Steve Traylen
240	248ef9d5	tr	it {
241	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-type').with(
242			target: 'nftables-ip6-nat-chain-POSTROUTING6',
243	248ef9d5	tr	content: %r{^ type nat hook postrouting priority 100$},
244	c82b960a	Steve Traylen	order: '01-nftables-ip6-nat-chain-POSTROUTING6-rule-type-b'
245	248ef9d5	tr	)
246			}
247	c82b960a	Steve Traylen
248	248ef9d5	tr	it {
249	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-policy').with(
250			target: 'nftables-ip6-nat-chain-POSTROUTING6',
251	248ef9d5	tr	content: %r{^ policy accept$},
252	c82b960a	Steve Traylen	order: '02-nftables-ip6-nat-chain-POSTROUTING6-rule-policy-b'
253	248ef9d5	tr	)
254			}
255	c82b960a	Steve Traylen
256	248ef9d5	tr	it {
257	c82b960a	Steve Traylen	expect(subject).to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-footer').with(
258			target: 'nftables-ip6-nat-chain-POSTROUTING6',
259	248ef9d5	tr	content: %r{^\}$},
260	c82b960a	Steve Traylen	order: '99'
261	248ef9d5	tr	)
262			}
263			end
264	82d10659	Nacho Barrientos
265	fcb79d73	Ben Morrice	context 'custom ip nat table name' do
266			let(:params) do
267			{
268			'nat_table_name' => 'mycustomtablename',
269			}
270			end
271
272			it { is_expected.to compile }
273	c82b960a	Steve Traylen
274	fcb79d73	Ben Morrice	it {
275	c82b960a	Steve Traylen	expect(subject).to contain_concat('nftables-ip-mycustomtablename').with(
276			path: '/etc/nftables/puppet-preflight/ip-mycustomtablename.nft',
277	fcb79d73	Ben Morrice	ensure: 'present',
278	c82b960a	Steve Traylen	owner: 'root',
279			group: 'root',
280	0b7bcb5d	mh	mode: nft_mode
281	fcb79d73	Ben Morrice	)
282			}
283			end
284
285	82d10659	Nacho Barrientos	context 'all nat tables disabled' do
286			let(:params) do
287			{
288			'nat' => false,
289			}
290			end
291
292			it { is_expected.not_to contain_class('nftables::ip_nat') }
293			it { is_expected.not_to contain_nftables__config('ip-nat') }
294			it { is_expected.not_to contain_nftables__config('ip6-nat') }
295			it { is_expected.not_to contain_nftables__chain('PREROUTING') }
296			it { is_expected.not_to contain_nftables__chain('POSTROUTING') }
297			it { is_expected.not_to contain_nftables__chain('PREROUTING6') }
298			it { is_expected.not_to contain_nftables__chain('POSTROUTING6') }
299			end
300	422b6851	tr	end
301			end
302			end

Projet

Général

Profil

puppet nftables

root / spec / classes / ip_nat_spec.rb @ e499cece