Révision e53053ce
Add comments for all the nftable::rules entries
For each nftable::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule it should be more
obvious to understand what order to choose.
An example resulting table ends up reading as:
```
HASH Start of fragment order:00 default_in header
chain default_in {
HASH Start of fragment order:50 rulename:default_in-dhcpv6_client
ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
HASH Start of fragment order:50 rulename:default_in-ssh
tcp dport {22} accept
HASH Start of fragment order:90 rulename:default_in-drop_broadcasts
meta pkttype broadcast counter drop
HASH Start of fragment order:99 default_in footer
}
```
In addition there is a new test `nftables::rule`. This includes
a pending test since I would assume setting source and content
on a rule should be an error however this currently not the case.
| manifests/chain.pp | ||
|---|---|---|
| 29 | 29 |
target => $concat_name; |
| 30 | 30 |
"${concat_name}-header":
|
| 31 | 31 |
order => '00', |
| 32 |
content => "chain ${chain} {";
|
|
| 32 |
content => "# Start of fragment order:00 ${chain} header\nchain ${chain} {";
|
|
| 33 | 33 |
"${concat_name}-footer":
|
| 34 | 34 |
order => '99', |
| 35 |
content => '}';
|
|
| 35 |
content => "# Start of fragment order:99 ${chain} footer\n}";
|
|
| 36 | 36 |
} |
| 37 | 37 |
|
| 38 | 38 |
if $inject {
|
| manifests/rule.pp | ||
|---|---|---|
| 25 | 25 |
$fragment = "nftables-${table}-chain-${data[0]}-rule-${data[1]}"
|
| 26 | 26 |
} |
| 27 | 27 |
|
| 28 |
concat::fragment{"${fragment}_header":
|
|
| 29 |
content => "# Start of fragment order:${order} rulename:${rulename}",
|
|
| 30 |
order => "${order}${fragment}a",
|
|
| 31 |
target => "nftables-${table}-chain-${data[0]}",
|
|
| 32 |
} |
|
| 33 |
|
|
| 28 | 34 |
concat::fragment{
|
| 29 | 35 |
$fragment: |
| 30 |
order => $order,
|
|
| 36 |
order => "${order}${fragment}b",
|
|
| 31 | 37 |
target => "nftables-${table}-chain-${data[0]}",
|
| 32 | 38 |
} |
| 33 | 39 |
|
| spec/classes/bridges_spec.rb | ||
|---|---|---|
| 29 | 29 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-bridge_br0_br0').with(
|
| 30 | 30 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 31 | 31 |
content: %r{^ iifname br0 oifname br0 accept$},
|
| 32 |
order: '08', |
|
| 32 |
order: '08nftables-inet-filter-chain-default_fwd-rule-bridge_br0_br0b',
|
|
| 33 | 33 |
) |
| 34 | 34 |
} |
| 35 | 35 |
it {
|
| 36 | 36 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-bridge_br1_br1').with(
|
| 37 | 37 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 38 | 38 |
content: %r{^ iifname br1 oifname br1 accept$},
|
| 39 |
order: '08', |
|
| 39 |
order: '08nftables-inet-filter-chain-default_fwd-rule-bridge_br1_br1b',
|
|
| 40 | 40 |
) |
| 41 | 41 |
} |
| 42 | 42 |
it { is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-bridge_br0_br1') }
|
| spec/classes/dnat4_spec.rb | ||
|---|---|---|
| 70 | 70 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
|
| 71 | 71 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 72 | 72 |
content: %r{^ iifname eth0 oifname eth1 jump ingoing$},
|
| 73 |
order: '20', |
|
| 73 |
order: '20nftables-inet-filter-chain-default_fwd-rule-jump_ingoingb',
|
|
| 74 | 74 |
) |
| 75 | 75 |
} |
| 76 | 76 |
it {
|
| ... | ... | |
| 92 | 92 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
|
| 93 | 93 |
target: 'nftables-inet-filter-chain-ingoing', |
| 94 | 94 |
content: %r{^ ip daddr 192.0.2.2 tcp dport http accept$},
|
| 95 |
order: '10', |
|
| 95 |
order: '10nftables-inet-filter-chain-ingoing-rule-httpb',
|
|
| 96 | 96 |
) |
| 97 | 97 |
} |
| 98 | 98 |
it {
|
| 99 | 99 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
|
| 100 | 100 |
target: 'nftables-inet-filter-chain-ingoing', |
| 101 | 101 |
content: %r{^ ip daddr 192.0.2.2 tcp dport https accept$},
|
| 102 |
order: '10', |
|
| 102 |
order: '10nftables-inet-filter-chain-ingoing-rule-httpsb',
|
|
| 103 | 103 |
) |
| 104 | 104 |
} |
| 105 | 105 |
it {
|
| 106 | 106 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
|
| 107 | 107 |
target: 'nftables-inet-filter-chain-ingoing', |
| 108 | 108 |
content: %r{^ iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},
|
| 109 |
order: '10', |
|
| 109 |
order: '10nftables-inet-filter-chain-ingoing-rule-http_altb',
|
|
| 110 | 110 |
) |
| 111 | 111 |
} |
| 112 | 112 |
it {
|
| 113 | 113 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
|
| 114 | 114 |
target: 'nftables-inet-filter-chain-ingoing', |
| 115 | 115 |
content: %r{^ iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},
|
| 116 |
order: '10', |
|
| 116 |
order: '10nftables-inet-filter-chain-ingoing-rule-wireguardb',
|
|
| 117 | 117 |
) |
| 118 | 118 |
} |
| 119 | 119 |
it {
|
| ... | ... | |
| 144 | 144 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
|
| 145 | 145 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 146 | 146 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 147 |
order: '01', |
|
| 147 |
order: '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
|
|
| 148 | 148 |
) |
| 149 | 149 |
} |
| 150 | 150 |
it {
|
| 151 | 151 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
|
| 152 | 152 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 153 | 153 |
content: %r{^ policy accept$},
|
| 154 |
order: '02', |
|
| 154 |
order: '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
|
|
| 155 | 155 |
) |
| 156 | 156 |
} |
| 157 | 157 |
it {
|
| 158 | 158 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
|
| 159 | 159 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 160 | 160 |
content: %r{^ tcp dport http dnat to 192.0.2.2$},
|
| 161 |
order: '10', |
|
| 161 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-httpb',
|
|
| 162 | 162 |
) |
| 163 | 163 |
} |
| 164 | 164 |
it {
|
| 165 | 165 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
|
| 166 | 166 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 167 | 167 |
content: %r{^ tcp dport https dnat to 192.0.2.2$},
|
| 168 |
order: '10', |
|
| 168 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-httpsb',
|
|
| 169 | 169 |
) |
| 170 | 170 |
} |
| 171 | 171 |
it {
|
| 172 | 172 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
|
| 173 | 173 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 174 | 174 |
content: %r{^ iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},
|
| 175 |
order: '10', |
|
| 175 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-http_altb',
|
|
| 176 | 176 |
) |
| 177 | 177 |
} |
| 178 | 178 |
it {
|
| 179 | 179 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
|
| 180 | 180 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 181 | 181 |
content: %r{^ iifname eth0 udp dport 51820 dnat to 192.0.2.3$},
|
| 182 |
order: '10', |
|
| 182 |
order: '10nftables-ip-nat-chain-PREROUTING-rule-wireguardb',
|
|
| 183 | 183 |
) |
| 184 | 184 |
} |
| 185 | 185 |
it {
|
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 63 | 63 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-type').with(
|
| 64 | 64 |
target: 'nftables-inet-filter-chain-INPUT', |
| 65 | 65 |
content: %r{^ type filter hook input priority 0$},
|
| 66 |
order: '01', |
|
| 66 |
order: '01nftables-inet-filter-chain-INPUT-rule-typeb',
|
|
| 67 | 67 |
) |
| 68 | 68 |
} |
| 69 | 69 |
it {
|
| 70 | 70 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-policy').with(
|
| 71 | 71 |
target: 'nftables-inet-filter-chain-INPUT', |
| 72 | 72 |
content: %r{^ policy drop$},
|
| 73 |
order: '02', |
|
| 73 |
order: '02nftables-inet-filter-chain-INPUT-rule-policyb',
|
|
| 74 | 74 |
) |
| 75 | 75 |
} |
| 76 | 76 |
it {
|
| 77 | 77 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-lo').with(
|
| 78 | 78 |
target: 'nftables-inet-filter-chain-INPUT', |
| 79 | 79 |
content: %r{^ iifname lo accept$},
|
| 80 |
order: '03', |
|
| 80 |
order: '03nftables-inet-filter-chain-INPUT-rule-lob',
|
|
| 81 | 81 |
) |
| 82 | 82 |
} |
| 83 | 83 |
it {
|
| 84 | 84 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_global').with(
|
| 85 | 85 |
target: 'nftables-inet-filter-chain-INPUT', |
| 86 | 86 |
content: %r{^ jump global$},
|
| 87 |
order: '04', |
|
| 87 |
order: '04nftables-inet-filter-chain-INPUT-rule-jump_globalb',
|
|
| 88 | 88 |
) |
| 89 | 89 |
} |
| 90 | 90 |
it {
|
| 91 | 91 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
|
| 92 | 92 |
target: 'nftables-inet-filter-chain-INPUT', |
| 93 | 93 |
content: %r{^ jump default_in$},
|
| 94 |
order: '10', |
|
| 94 |
order: '10nftables-inet-filter-chain-INPUT-rule-jump_default_inb',
|
|
| 95 | 95 |
) |
| 96 | 96 |
} |
| 97 | 97 |
it {
|
| 98 | 98 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 99 | 99 |
target: 'nftables-inet-filter-chain-INPUT', |
| 100 | 100 |
content: %r{^ log prefix \"\[nftables\] INPUT Rejected: \" flags all counter$},
|
| 101 |
order: '97', |
|
| 101 |
order: '97nftables-inet-filter-chain-INPUT-rule-log_discardedb',
|
|
| 102 | 102 |
) |
| 103 | 103 |
} |
| 104 | 104 |
it {
|
| 105 | 105 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
|
| 106 | 106 |
target: 'nftables-inet-filter-chain-INPUT', |
| 107 | 107 |
content: %r{^ reject with icmpx type port-unreachable$},
|
| 108 |
order: '98', |
|
| 108 |
order: '98nftables-inet-filter-chain-INPUT-rule-rejectb',
|
|
| 109 | 109 |
) |
| 110 | 110 |
} |
| 111 | 111 |
it {
|
| ... | ... | |
| 143 | 143 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_in-rule-ssh').with(
|
| 144 | 144 |
target: 'nftables-inet-filter-chain-default_in', |
| 145 | 145 |
content: %r{^ tcp dport \{22\} accept$},
|
| 146 |
order: '50', |
|
| 146 |
order: '50nftables-inet-filter-chain-default_in-rule-sshb',
|
|
| 147 | 147 |
) |
| 148 | 148 |
} |
| 149 | 149 |
end |
| ... | ... | |
| 169 | 169 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-type').with(
|
| 170 | 170 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 171 | 171 |
content: %r{^ type filter hook output priority 0$},
|
| 172 |
order: '01', |
|
| 172 |
order: '01nftables-inet-filter-chain-OUTPUT-rule-typeb',
|
|
| 173 | 173 |
) |
| 174 | 174 |
} |
| 175 | 175 |
it {
|
| 176 | 176 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-policy').with(
|
| 177 | 177 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 178 | 178 |
content: %r{^ policy drop$},
|
| 179 |
order: '02', |
|
| 179 |
order: '02nftables-inet-filter-chain-OUTPUT-rule-policyb',
|
|
| 180 | 180 |
) |
| 181 | 181 |
} |
| 182 | 182 |
it {
|
| 183 | 183 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-lo').with(
|
| 184 | 184 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 185 | 185 |
content: %r{^ oifname lo accept$},
|
| 186 |
order: '03', |
|
| 186 |
order: '03nftables-inet-filter-chain-OUTPUT-rule-lob',
|
|
| 187 | 187 |
) |
| 188 | 188 |
} |
| 189 | 189 |
it {
|
| 190 | 190 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_global').with(
|
| 191 | 191 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 192 | 192 |
content: %r{^ jump global$},
|
| 193 |
order: '04', |
|
| 193 |
order: '04nftables-inet-filter-chain-OUTPUT-rule-jump_globalb',
|
|
| 194 | 194 |
) |
| 195 | 195 |
} |
| 196 | 196 |
it {
|
| 197 | 197 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
|
| 198 | 198 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 199 | 199 |
content: %r{^ jump default_out$},
|
| 200 |
order: '10', |
|
| 200 |
order: '10nftables-inet-filter-chain-OUTPUT-rule-jump_default_outb',
|
|
| 201 | 201 |
) |
| 202 | 202 |
} |
| 203 | 203 |
it {
|
| 204 | 204 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 205 | 205 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 206 | 206 |
content: %r{^ log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter$},
|
| 207 |
order: '97', |
|
| 207 |
order: '97nftables-inet-filter-chain-OUTPUT-rule-log_discardedb',
|
|
| 208 | 208 |
) |
| 209 | 209 |
} |
| 210 | 210 |
it {
|
| 211 | 211 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
|
| 212 | 212 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 213 | 213 |
content: %r{^ reject with icmpx type port-unreachable$},
|
| 214 |
order: '98', |
|
| 214 |
order: '98nftables-inet-filter-chain-OUTPUT-rule-rejectb',
|
|
| 215 | 215 |
) |
| 216 | 216 |
} |
| 217 | 217 |
it {
|
| ... | ... | |
| 249 | 249 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
|
| 250 | 250 |
target: 'nftables-inet-filter-chain-default_out', |
| 251 | 251 |
content: %r{^ udp dport 53 accept$},
|
| 252 |
order: '50', |
|
| 252 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudpb',
|
|
| 253 | 253 |
) |
| 254 | 254 |
} |
| 255 | 255 |
it {
|
| 256 | 256 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
|
| 257 | 257 |
target: 'nftables-inet-filter-chain-default_out', |
| 258 | 258 |
content: %r{^ tcp dport 53 accept$},
|
| 259 |
order: '50', |
|
| 259 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcpb',
|
|
| 260 | 260 |
) |
| 261 | 261 |
} |
| 262 | 262 |
it {
|
| 263 | 263 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-chrony').with(
|
| 264 | 264 |
target: 'nftables-inet-filter-chain-default_out', |
| 265 | 265 |
content: %r{^ udp dport 123 accept$},
|
| 266 |
order: '50', |
|
| 266 |
order: '50nftables-inet-filter-chain-default_out-rule-chronyb',
|
|
| 267 | 267 |
) |
| 268 | 268 |
} |
| 269 | 269 |
it {
|
| 270 | 270 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-http').with(
|
| 271 | 271 |
target: 'nftables-inet-filter-chain-default_out', |
| 272 | 272 |
content: %r{^ tcp dport 80 accept$},
|
| 273 |
order: '50', |
|
| 273 |
order: '50nftables-inet-filter-chain-default_out-rule-httpb',
|
|
| 274 | 274 |
) |
| 275 | 275 |
} |
| 276 | 276 |
it {
|
| 277 | 277 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-https').with(
|
| 278 | 278 |
target: 'nftables-inet-filter-chain-default_out', |
| 279 | 279 |
content: %r{^ tcp dport 443 accept$},
|
| 280 |
order: '50', |
|
| 280 |
order: '50nftables-inet-filter-chain-default_out-rule-httpsb',
|
|
| 281 | 281 |
) |
| 282 | 282 |
} |
| 283 | 283 |
end |
| ... | ... | |
| 303 | 303 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-type').with(
|
| 304 | 304 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 305 | 305 |
content: %r{^ type filter hook forward priority 0$},
|
| 306 |
order: '01', |
|
| 306 |
order: '01nftables-inet-filter-chain-FORWARD-rule-typeb',
|
|
| 307 | 307 |
) |
| 308 | 308 |
} |
| 309 | 309 |
it {
|
| 310 | 310 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-policy').with(
|
| 311 | 311 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 312 | 312 |
content: %r{^ policy drop$},
|
| 313 |
order: '02', |
|
| 313 |
order: '02nftables-inet-filter-chain-FORWARD-rule-policyb',
|
|
| 314 | 314 |
) |
| 315 | 315 |
} |
| 316 | 316 |
it {
|
| 317 | 317 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_global').with(
|
| 318 | 318 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 319 | 319 |
content: %r{^ jump global$},
|
| 320 |
order: '03', |
|
| 320 |
order: '03nftables-inet-filter-chain-FORWARD-rule-jump_globalb',
|
|
| 321 | 321 |
) |
| 322 | 322 |
} |
| 323 | 323 |
it {
|
| 324 | 324 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
|
| 325 | 325 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 326 | 326 |
content: %r{^ jump default_fwd$},
|
| 327 |
order: '10', |
|
| 327 |
order: '10nftables-inet-filter-chain-FORWARD-rule-jump_default_fwdb',
|
|
| 328 | 328 |
) |
| 329 | 329 |
} |
| 330 | 330 |
it {
|
| 331 | 331 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 332 | 332 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 333 | 333 |
content: %r{^ log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter$},
|
| 334 |
order: '97', |
|
| 334 |
order: '97nftables-inet-filter-chain-FORWARD-rule-log_discardedb',
|
|
| 335 | 335 |
) |
| 336 | 336 |
} |
| 337 | 337 |
it {
|
| 338 | 338 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
|
| 339 | 339 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 340 | 340 |
content: %r{^ reject with icmpx type port-unreachable$},
|
| 341 |
order: '98', |
|
| 341 |
order: '98nftables-inet-filter-chain-FORWARD-rule-rejectb',
|
|
| 342 | 342 |
) |
| 343 | 343 |
} |
| 344 | 344 |
it {
|
| ... | ... | |
| 375 | 375 |
end |
| 376 | 376 |
|
| 377 | 377 |
context 'custom log prefix without variable substitution' do |
| 378 |
let(:params) do |
|
| 379 |
{
|
|
| 380 |
'log_prefix' => 'test', |
|
| 381 |
} |
|
| 382 |
end |
|
| 378 |
let(:pre_condition) { 'class{\'nftables\': log_prefix => "test "}' }
|
|
| 383 | 379 |
|
| 384 | 380 |
it {
|
| 385 | 381 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 386 | 382 |
target: 'nftables-inet-filter-chain-INPUT', |
| 387 |
content: %r{^ log prefix "test" flags all counter$},
|
|
| 388 |
order: '97', |
|
| 383 |
content: %r{^ log prefix \"test " flags all counter$},
|
|
| 384 |
order: '97nftables-inet-filter-chain-INPUT-rule-log_discardedb',
|
|
| 389 | 385 |
) |
| 390 | 386 |
} |
| 391 | 387 |
it {
|
| 392 | 388 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 393 | 389 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 394 |
content: %r{^ log prefix "test" flags all counter$},
|
|
| 395 |
order: '97', |
|
| 390 |
content: %r{^ log prefix \"test " flags all counter$},
|
|
| 391 |
order: '97nftables-inet-filter-chain-OUTPUT-rule-log_discardedb',
|
|
| 396 | 392 |
) |
| 397 | 393 |
} |
| 398 | 394 |
it {
|
| 399 | 395 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 400 | 396 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 401 |
content: %r{^ log prefix "test" flags all counter$},
|
|
| 402 |
order: '97', |
|
| 397 |
content: %r{^ log prefix \"test " flags all counter$},
|
|
| 398 |
order: '97nftables-inet-filter-chain-FORWARD-rule-log_discardedb',
|
|
| 403 | 399 |
) |
| 404 | 400 |
} |
| 405 | 401 |
end |
| 406 | 402 |
|
| 407 | 403 |
context 'custom log prefix with variable substitution' do |
| 408 |
let(:params) do |
|
| 409 |
{
|
|
| 410 |
'log_prefix' => ' bar [%<chain>s] ', # rubocop:disable Style/FormatStringToken |
|
| 411 |
} |
|
| 412 |
end |
|
| 404 |
let(:pre_condition) { 'class{\'nftables\': log_prefix => " bar [%<chain>s] "}' } # rubocop:disable Style/FormatStringToken
|
|
| 413 | 405 |
|
| 414 | 406 |
it {
|
| 415 | 407 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 416 | 408 |
target: 'nftables-inet-filter-chain-INPUT', |
| 417 |
content: %r{^ log prefix " bar \[INPUT\] " flags all counter$},
|
|
| 418 |
order: '97', |
|
| 409 |
content: %r{^ log prefix \" bar \[INPUT\] " flags all counter$},
|
|
| 410 |
order: '97nftables-inet-filter-chain-INPUT-rule-log_discardedb',
|
|
| 419 | 411 |
) |
| 420 | 412 |
} |
| 421 | 413 |
it {
|
| 422 | 414 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 423 | 415 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 424 |
content: %r{^ log prefix " bar \[OUTPUT\] " flags all counter$},
|
|
| 425 |
order: '97', |
|
| 416 |
content: %r{^ log prefix \" bar \[OUTPUT\] " flags all counter$},
|
|
| 417 |
order: '97nftables-inet-filter-chain-OUTPUT-rule-log_discardedb',
|
|
| 426 | 418 |
) |
| 427 | 419 |
} |
| 428 | 420 |
it {
|
| 429 | 421 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 430 | 422 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 431 |
content: %r{^ log prefix " bar \[FORWARD\] " flags all counter$},
|
|
| 432 |
order: '97', |
|
| 423 |
content: %r{^ log prefix \" bar \[FORWARD\] " flags all counter$},
|
|
| 424 |
order: '97nftables-inet-filter-chain-FORWARD-rule-log_discardedb',
|
|
| 433 | 425 |
) |
| 434 | 426 |
} |
| 435 | 427 |
end |
| ... | ... | |
| 472 | 464 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-reject').with(
|
| 473 | 465 |
target: 'nftables-inet-filter-chain-INPUT', |
| 474 | 466 |
content: %r{^ reject with tcp reset$},
|
| 475 |
order: '98', |
|
| 467 |
order: '98nftables-inet-filter-chain-INPUT-rule-rejectb',
|
|
| 476 | 468 |
) |
| 477 | 469 |
} |
| 478 | 470 |
it {
|
| 479 | 471 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-reject').with(
|
| 480 | 472 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 481 | 473 |
content: %r{^ reject with tcp reset$},
|
| 482 |
order: '98', |
|
| 474 |
order: '98nftables-inet-filter-chain-OUTPUT-rule-rejectb',
|
|
| 483 | 475 |
) |
| 484 | 476 |
} |
| 485 | 477 |
it {
|
| 486 | 478 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-reject').with(
|
| 487 | 479 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 488 | 480 |
content: %r{^ reject with tcp reset$},
|
| 489 |
order: '98', |
|
| 481 |
order: '98nftables-inet-filter-chain-FORWARD-rule-rejectb',
|
|
| 490 | 482 |
) |
| 491 | 483 |
} |
| 492 | 484 |
end |
| spec/classes/ip_nat_spec.rb | ||
|---|---|---|
| 96 | 96 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
|
| 97 | 97 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 98 | 98 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 99 |
order: '01', |
|
| 99 |
order: '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
|
|
| 100 | 100 |
) |
| 101 | 101 |
} |
| 102 | 102 |
it {
|
| 103 | 103 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
|
| 104 | 104 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 105 | 105 |
content: %r{^ policy accept$},
|
| 106 |
order: '02', |
|
| 106 |
order: '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
|
|
| 107 | 107 |
) |
| 108 | 108 |
} |
| 109 | 109 |
it {
|
| ... | ... | |
| 136 | 136 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 137 | 137 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 138 | 138 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 139 |
order: '01', |
|
| 139 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 140 | 140 |
) |
| 141 | 141 |
} |
| 142 | 142 |
it {
|
| 143 | 143 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 144 | 144 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 145 | 145 |
content: %r{^ policy accept$},
|
| 146 |
order: '02', |
|
| 146 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 147 | 147 |
) |
| 148 | 148 |
} |
| 149 | 149 |
it {
|
| ... | ... | |
| 176 | 176 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-type').with(
|
| 177 | 177 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
| 178 | 178 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 179 |
order: '01', |
|
| 179 |
order: '01nftables-ip6-nat-chain-PREROUTING6-rule-typeb',
|
|
| 180 | 180 |
) |
| 181 | 181 |
} |
| 182 | 182 |
it {
|
| 183 | 183 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-policy').with(
|
| 184 | 184 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
| 185 | 185 |
content: %r{^ policy accept$},
|
| 186 |
order: '02', |
|
| 186 |
order: '02nftables-ip6-nat-chain-PREROUTING6-rule-policyb',
|
|
| 187 | 187 |
) |
| 188 | 188 |
} |
| 189 | 189 |
it {
|
| ... | ... | |
| 216 | 216 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-type').with(
|
| 217 | 217 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
| 218 | 218 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 219 |
order: '01', |
|
| 219 |
order: '01nftables-ip6-nat-chain-POSTROUTING6-rule-typeb',
|
|
| 220 | 220 |
) |
| 221 | 221 |
} |
| 222 | 222 |
it {
|
| 223 | 223 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-policy').with(
|
| 224 | 224 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
| 225 | 225 |
content: %r{^ policy accept$},
|
| 226 |
order: '02', |
|
| 226 |
order: '02nftables-ip6-nat-chain-POSTROUTING6-rule-policyb',
|
|
| 227 | 227 |
) |
| 228 | 228 |
} |
| 229 | 229 |
it {
|
| spec/classes/masquerade_spec.rb | ||
|---|---|---|
| 54 | 54 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 55 | 55 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 56 | 56 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 57 |
order: '01', |
|
| 57 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 58 | 58 |
) |
| 59 | 59 |
} |
| 60 | 60 |
it {
|
| 61 | 61 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 62 | 62 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 63 | 63 |
content: %r{^ policy accept$},
|
| 64 |
order: '02', |
|
| 64 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 65 | 65 |
) |
| 66 | 66 |
} |
| 67 | 67 |
it {
|
| 68 | 68 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0').with(
|
| 69 | 69 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 70 | 70 |
content: %r{^ oifname eth0 masquerade$},
|
| 71 |
order: '70', |
|
| 71 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0b',
|
|
| 72 | 72 |
) |
| 73 | 73 |
} |
| 74 | 74 |
it {
|
| 75 | 75 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpn').with(
|
| 76 | 76 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 77 | 77 |
content: %r{^ oifname eth1 ip saddr 192\.0\.2\.0\/24 masquerade$},
|
| 78 |
order: '70', |
|
| 78 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpnb',
|
|
| 79 | 79 |
) |
| 80 | 80 |
} |
| 81 | 81 |
it {
|
| 82 | 82 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh').with(
|
| 83 | 83 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 84 | 84 |
content: %r{^ ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
|
| 85 |
order: '70', |
|
| 85 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_sshb',
|
|
| 86 | 86 |
) |
| 87 | 87 |
} |
| 88 | 88 |
it {
|
| 89 | 89 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlab').with(
|
| 90 | 90 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 91 | 91 |
content: %r{^ ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
|
| 92 |
order: '70', |
|
| 92 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlabb',
|
|
| 93 | 93 |
) |
| 94 | 94 |
} |
| 95 | 95 |
it {
|
| 96 | 96 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguard').with(
|
| 97 | 97 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 98 | 98 |
content: %r{^ udp dport 51820 masquerade$},
|
| 99 |
order: '70', |
|
| 99 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguardb',
|
|
| 100 | 100 |
) |
| 101 | 101 |
} |
| 102 | 102 |
it {
|
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 85 | 85 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
|
| 86 | 86 |
target: 'nftables-inet-filter-chain-INPUT', |
| 87 | 87 |
content: %r{^ iifname eth0 tcp dport \{ 80, 443 \} accept$},
|
| 88 |
order: '50', |
|
| 88 |
order: '50nftables-inet-filter-chain-INPUT-rule-web_acceptb',
|
|
| 89 | 89 |
) |
| 90 | 90 |
} |
| 91 | 91 |
end |
| spec/classes/router_spec.rb | ||
|---|---|---|
| 50 | 50 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-out').with(
|
| 51 | 51 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 52 | 52 |
content: %r{^ iifname eth1 oifname eth0 accept$},
|
| 53 |
order: '20', |
|
| 53 |
order: '20nftables-inet-filter-chain-default_fwd-rule-outb',
|
|
| 54 | 54 |
) |
| 55 | 55 |
} |
| 56 | 56 |
it {
|
| 57 | 57 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-drop').with(
|
| 58 | 58 |
target: 'nftables-inet-filter-chain-default_fwd', |
| 59 | 59 |
content: %r{^ iifname eth0 drop$},
|
| 60 |
order: '90', |
|
| 60 |
order: '90nftables-inet-filter-chain-default_fwd-rule-dropb',
|
|
| 61 | 61 |
) |
| 62 | 62 |
} |
| 63 | 63 |
it {
|
| ... | ... | |
| 88 | 88 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
|
| 89 | 89 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 90 | 90 |
content: %r{^ type nat hook prerouting priority -100$},
|
| 91 |
order: '01', |
|
| 91 |
order: '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
|
|
| 92 | 92 |
) |
| 93 | 93 |
} |
| 94 | 94 |
it {
|
| 95 | 95 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
|
| 96 | 96 |
target: 'nftables-ip-nat-chain-PREROUTING', |
| 97 | 97 |
content: %r{^ policy accept$},
|
| 98 |
order: '02', |
|
| 98 |
order: '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
|
|
| 99 | 99 |
) |
| 100 | 100 |
} |
| 101 | 101 |
it {
|
| ... | ... | |
| 126 | 126 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 127 | 127 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 128 | 128 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 129 |
order: '01', |
|
| 129 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 130 | 130 |
) |
| 131 | 131 |
} |
| 132 | 132 |
it {
|
| 133 | 133 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 134 | 134 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 135 | 135 |
content: %r{^ policy accept$},
|
| 136 |
order: '02', |
|
| 136 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 137 | 137 |
) |
| 138 | 138 |
} |
| 139 | 139 |
it {
|
| 140 | 140 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade').with(
|
| 141 | 141 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 142 | 142 |
content: %r{^ oifname eth0 masquerade$},
|
| 143 |
order: '20', |
|
| 143 |
order: '20nftables-ip-nat-chain-POSTROUTING-rule-masqueradeb',
|
|
| 144 | 144 |
) |
| 145 | 145 |
} |
| 146 | 146 |
it {
|
| spec/classes/rules_out_dns_spec.rb | ||
|---|---|---|
| 18 | 18 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
|
| 19 | 19 |
target: 'nftables-inet-filter-chain-default_out', |
| 20 | 20 |
content: %r{^ udp dport 53 accept$},
|
| 21 |
order: '50', |
|
| 21 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudpb',
|
|
| 22 | 22 |
) |
| 23 | 23 |
} |
| 24 | 24 |
it {
|
| 25 | 25 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
|
| 26 | 26 |
target: 'nftables-inet-filter-chain-default_out', |
| 27 | 27 |
content: %r{^ tcp dport 53 accept$},
|
| 28 |
order: '50', |
|
| 28 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcpb',
|
|
| 29 | 29 |
) |
| 30 | 30 |
} |
| 31 | 31 |
end |
| ... | ... | |
| 45 | 45 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp-0').with(
|
| 46 | 46 |
target: 'nftables-inet-filter-chain-default_out', |
| 47 | 47 |
content: %r{^ ip daddr 192.0.2.1 udp dport 53 accept$},
|
| 48 |
order: '50', |
|
| 48 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudp-0b',
|
|
| 49 | 49 |
) |
| 50 | 50 |
} |
| 51 | 51 |
it {
|
| 52 | 52 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp-0').with(
|
| 53 | 53 |
target: 'nftables-inet-filter-chain-default_out', |
| 54 | 54 |
content: %r{^ ip daddr 192.0.2.1 tcp dport 53 accept$},
|
| 55 |
order: '50', |
|
| 55 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcp-0b',
|
|
| 56 | 56 |
) |
| 57 | 57 |
} |
| 58 | 58 |
|
| ... | ... | |
| 60 | 60 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp-1').with(
|
| 61 | 61 |
target: 'nftables-inet-filter-chain-default_out', |
| 62 | 62 |
content: %r{^ ip6 daddr 2001:db8::1 udp dport 53 accept$},
|
| 63 |
order: '50', |
|
| 63 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudp-1b',
|
|
| 64 | 64 |
) |
| 65 | 65 |
} |
| 66 | 66 |
it {
|
| 67 | 67 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp-1').with(
|
| 68 | 68 |
target: 'nftables-inet-filter-chain-default_out', |
| 69 | 69 |
content: %r{^ ip6 daddr 2001:db8::1 tcp dport 53 accept$},
|
| 70 |
order: '50', |
|
| 70 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcp-1b',
|
|
| 71 | 71 |
) |
| 72 | 72 |
} |
| 73 | 73 |
end |
| spec/classes/snat4_spec.rb | ||
|---|---|---|
| 55 | 55 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
|
| 56 | 56 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 57 | 57 |
content: %r{^ type nat hook postrouting priority 100$},
|
| 58 |
order: '01', |
|
| 58 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
| 59 | 59 |
) |
| 60 | 60 |
} |
| 61 | 61 |
it {
|
| 62 | 62 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
|
| 63 | 63 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 64 | 64 |
content: %r{^ policy accept$},
|
| 65 |
order: '02', |
|
| 65 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
| 66 | 66 |
) |
| 67 | 67 |
} |
| 68 | 68 |
it {
|
| 69 | 69 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-static').with(
|
| 70 | 70 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 71 | 71 |
content: %r{^ oifname eth0 snat 198\.51\.100\.1$},
|
| 72 |
order: '60', |
|
| 72 |
order: '60nftables-ip-nat-chain-POSTROUTING-rule-staticb',
|
|
| 73 | 73 |
) |
| 74 | 74 |
} |
| 75 | 75 |
it {
|
| 76 | 76 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1').with(
|
| 77 | 77 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 78 | 78 |
content: %r{^ oifname eth0 ip saddr 192\.0\.2\.2 snat 198\.51\.100\.3$},
|
| 79 |
order: '61', |
|
| 79 |
order: '61nftables-ip-nat-chain-POSTROUTING-rule-1_1b',
|
|
| 80 | 80 |
) |
| 81 | 81 |
} |
| 82 | 82 |
it {
|
| 83 | 83 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtp').with(
|
| 84 | 84 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 85 | 85 |
content: %r{^ ip saddr 192\.0\.2\.2 tcp dport 25 snat 198\.51\.100\.2$},
|
| 86 |
order: '70', |
|
| 86 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtpb',
|
|
| 87 | 87 |
) |
| 88 | 88 |
} |
| 89 | 89 |
it {
|
| 90 | 90 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguard').with(
|
| 91 | 91 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
| 92 | 92 |
content: %r{^ ip saddr 192\.0\.2\.2 udp dport 51820 snat 198\.51\.100\.2$},
|
| 93 |
order: '70', |
|
| 93 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguardb',
|
|
| 94 | 94 |
) |
| 95 | 95 |
} |
| 96 | 96 |
it {
|
| spec/defines/rule_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rule' do |
|
| 4 |
let(:title) { 'out-foo' }
|
|
| 5 |
|
|
| 6 |
on_supported_os.each do |os, facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let(:facts) do |
|
| 9 |
facts |
|
| 10 |
end |
|
| 11 |
|
|
| 12 |
context 'with title set to <CHAIN_NAME>-<RULE>' do |
|
| 13 |
let(:title) { 'CHAIN_NAME-RULE' }
|
|
| 14 |
|
|
| 15 |
context 'with source and content both unset' do |
|
| 16 |
it { is_expected.not_to compile }
|
|
| 17 |
end |
|
| 18 |
context 'with source and content both set' do |
|
| 19 |
let(:params) do |
|
| 20 |
{
|
|
| 21 |
source: 'foo', |
|
| 22 |
content: 'puppet:///modules/foo/bar', |
|
| 23 |
} |
|
| 24 |
end |
|
| 25 |
|
|
| 26 |
it {
|
|
| 27 |
pending('Setting source and content should be made to fail')
|
|
| 28 |
is_expected.not_to compile |
|
| 29 |
} |
|
| 30 |
end |
|
| 31 |
|
|
| 32 |
context 'with content parameter set' do |
|
| 33 |
let(:params) do |
|
| 34 |
{
|
|
| 35 |
content: 'port 22 allow', |
|
| 36 |
} |
|
| 37 |
end |
|
| 38 |
|
|
| 39 |
it { is_expected.to compile.with_all_deps }
|
|
| 40 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE') }
|
|
| 41 |
it {
|
|
| 42 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 43 |
{
|
|
| 44 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEa', |
|
| 45 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
|
| 46 |
content: %r{^#.*$},
|
|
| 47 |
} |
|
| 48 |
} |
|
| 49 |
it {
|
|
| 50 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE').with
|
|
| 51 |
{
|
|
| 52 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEb', |
|
| 53 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
|
| 54 |
content: ' port 22 allow', |
|
| 55 |
} |
|
| 56 |
} |
|
| 57 |
context 'with optional parameters set' do |
|
| 58 |
let(:params) do |
|
| 59 |
super().merge(order: '85', |
|
| 60 |
table: 'TABLE') |
|
| 61 |
end |
|
| 62 |
|
|
| 63 |
it {
|
|
| 64 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 65 |
{
|
|
| 66 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEa', |
|
| 67 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
|
| 68 |
content: %r{^#.*$},
|
|
| 69 |
} |
|
| 70 |
} |
|
| 71 |
it { is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE') }
|
|
| 72 |
it {
|
|
| 73 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE').with
|
|
| 74 |
{
|
|
| 75 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEb', |
|
| 76 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
|
| 77 |
content: ' port 22 allow', |
|
| 78 |
} |
|
| 79 |
} |
|
| 80 |
end |
|
| 81 |
end |
|
| 82 |
|
|
| 83 |
context 'with source parameter set' do |
|
| 84 |
let(:params) do |
|
| 85 |
{
|
|
| 86 |
source: 'puppet:///modules/foo/bar', |
|
| 87 |
} |
|
| 88 |
end |
|
| 89 |
|
|
| 90 |
it { is_expected.to compile.with_all_deps }
|
|
| 91 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE') }
|
|
| 92 |
it {
|
|
| 93 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 94 |
{
|
|
| 95 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEa', |
|
| 96 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
|
| 97 |
content: %r{^#.*$},
|
|
| 98 |
} |
|
| 99 |
} |
|
| 100 |
it {
|
|
| 101 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE').with
|
|
| 102 |
{
|
|
| 103 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULEb', |
|
| 104 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
|
| 105 |
source: 'puppet:///modules/foo/bar', |
|
| 106 |
} |
|
| 107 |
} |
|
| 108 |
context 'with optional parameters set' do |
|
| 109 |
let(:params) do |
|
| 110 |
super().merge(order: '85', |
|
| 111 |
table: 'TABLE') |
|
| 112 |
end |
|
| 113 |
|
|
| 114 |
it {
|
|
| 115 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE_header').with
|
|
| 116 |
{
|
|
| 117 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEa', |
|
| 118 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
|
| 119 |
content: %r{^#.*$},
|
|
| 120 |
} |
|
| 121 |
} |
|
| 122 |
it { is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE') }
|
|
| 123 |
it {
|
|
| 124 |
is_expected.to contain_concat__fragment('nftables-TABLE-chain-CHAIN_NAME-rule-RULE').with
|
|
| 125 |
{
|
|
| 126 |
order: '85nftables-TABLE-chain-CHAIN_NAME-rule-RULEb', |
|
| 127 |
target: 'nftables-TABLE-chain-CHAIN_NAME', |
|
| 128 |
source: 'puppet:///modules/foo/bar', |
|
| 129 |
} |
|
| 130 |
} |
|
| 131 |
end |
|
| 132 |
end |
|
| 133 |
end |
|
| 134 |
|
|
| 135 |
context 'with title set to <CHAIN_NAME>-<RULE>-22' do |
|
| 136 |
let(:title) { 'CHAIN_NAME-RULE-22' }
|
|
| 137 |
|
|
| 138 |
context 'with content parameter set' do |
|
| 139 |
let(:params) do |
|
| 140 |
{
|
|
| 141 |
content: 'port 22 allow', |
|
| 142 |
} |
|
| 143 |
end |
|
| 144 |
|
|
| 145 |
it { is_expected.to compile.with_all_deps }
|
|
| 146 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22') }
|
|
| 147 |
it {
|
|
| 148 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22_header').with
|
|
| 149 |
{
|
|
| 150 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22a', |
|
| 151 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
|
| 152 |
content: %r{^#.*$},
|
|
| 153 |
} |
|
| 154 |
} |
|
| 155 |
it {
|
|
| 156 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22').with
|
|
| 157 |
{
|
|
| 158 |
order: '50nftables-inet-filter-chain-CHAIN_NAME-rule-RULE-22b', |
|
| 159 |
target: 'nftables-inet-filter-chain-CHAIN_NAME', |
|
| 160 |
content: ' port 22 allow', |
|
| 161 |
} |
|
| 162 |
} |
|
| 163 |
end |
|
| 164 |
end |
|
| 165 |
end |
|
| 166 |
end |
|
| 167 |
end |
|
Formats disponibles : Unified diff