Projet

Général

Profil

Révision e53053ce

IDe53053ce3df771f5fcc24f87dd86f5c49db91b46
Parent 9e5b8bf0
Enfant 61f03b47

Ajouté par Steve Traylen il y a plus de 4 ans

Add comments for all the nftable::rules entries

For each nftable::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.

The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule it should be more
obvious to understand what order to choose.

An example resulting table ends up reading as:

```
HASH Start of fragment order:00 default_in header
chain default_in {
HASH Start of fragment order:50 rulename:default_in-dhcpv6_client
ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
HASH Start of fragment order:50 rulename:default_in-ssh
tcp dport {22} accept
HASH Start of fragment order:90 rulename:default_in-drop_broadcasts
meta pkttype broadcast counter drop
HASH Start of fragment order:99 default_in footer
}

```

In addition there is a new test `nftables::rule`. This includes
a pending test since I would assume setting source and content
on a rule should be an error however this currently not the case.

Voir les différences:

spec/classes/dnat4_spec.rb
70 70 
          is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
71 71 
            target:  'nftables-inet-filter-chain-default_fwd',
72 72 
            content: %r{^  iifname eth0 oifname eth1 jump ingoing$},
73 
            order:   '20',
73 
            order:   '20nftables-inet-filter-chain-default_fwd-rule-jump_ingoingb',
74 74 
          )
75 75 
        }
76 76 
        it {
......
92 92 
          is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
93 93 
            target:  'nftables-inet-filter-chain-ingoing',
94 94 
            content: %r{^  ip daddr 192.0.2.2 tcp dport http accept$},
95 
            order:   '10',
95 
            order:   '10nftables-inet-filter-chain-ingoing-rule-httpb',
96 96 
          )
97 97 
        }
98 98 
        it {
99 99 
          is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
100 100 
            target:  'nftables-inet-filter-chain-ingoing',
101 101 
            content: %r{^  ip daddr 192.0.2.2 tcp dport https accept$},
102 
            order:   '10',
102 
            order:   '10nftables-inet-filter-chain-ingoing-rule-httpsb',
103 103 
          )
104 104 
        }
105 105 
        it {
106 106 
          is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
107 107 
            target:  'nftables-inet-filter-chain-ingoing',
108 108 
            content: %r{^  iifname eth0 ip daddr 192.0.2.2 tcp dport 8000 accept$},
109 
            order:   '10',
109 
            order:   '10nftables-inet-filter-chain-ingoing-rule-http_altb',
110 110 
          )
111 111 
        }
112 112 
        it {
113 113 
          is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
114 114 
            target:  'nftables-inet-filter-chain-ingoing',
115 115 
            content: %r{^  iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$},
116 
            order:   '10',
116 
            order:   '10nftables-inet-filter-chain-ingoing-rule-wireguardb',
117 117 
          )
118 118 
        }
119 119 
        it {
......
144 144 
          is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-type').with(
145 145 
            target:  'nftables-ip-nat-chain-PREROUTING',
146 146 
            content: %r{^  type nat hook prerouting priority -100$},
147 
            order:   '01',
147 
            order:   '01nftables-ip-nat-chain-PREROUTING-rule-typeb',
148 148 
          )
149 149 
        }
150 150 
        it {
151 151 
          is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-policy').with(
152 152 
            target:  'nftables-ip-nat-chain-PREROUTING',
153 153 
            content: %r{^  policy accept$},
154 
            order:   '02',
154 
            order:   '02nftables-ip-nat-chain-PREROUTING-rule-policyb',
155 155 
          )
156 156 
        }
157 157 
        it {
158 158 
          is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
159 159 
            target:  'nftables-ip-nat-chain-PREROUTING',
160 160 
            content: %r{^  tcp dport http dnat to 192.0.2.2$},
161 
            order:   '10',
161 
            order:   '10nftables-ip-nat-chain-PREROUTING-rule-httpb',
162 162 
          )
163 163 
        }
164 164 
        it {
165 165 
          is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
166 166 
            target:  'nftables-ip-nat-chain-PREROUTING',
167 167 
            content: %r{^  tcp dport https dnat to 192.0.2.2$},
168 
            order:   '10',
168 
            order:   '10nftables-ip-nat-chain-PREROUTING-rule-httpsb',
169 169 
          )
170 170 
        }
171 171 
        it {
172 172 
          is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
173 173 
            target:  'nftables-ip-nat-chain-PREROUTING',
174 174 
            content: %r{^  iifname eth0 tcp dport 8080 dnat to 192.0.2.2:8000$},
175 
            order:   '10',
175 
            order:   '10nftables-ip-nat-chain-PREROUTING-rule-http_altb',
176 176 
          )
177 177 
        }
178 178 
        it {
179 179 
          is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
180 180 
            target:  'nftables-ip-nat-chain-PREROUTING',
181 181 
            content: %r{^  iifname eth0 udp dport 51820 dnat to 192.0.2.3$},
182 
            order:   '10',
182 
            order:   '10nftables-ip-nat-chain-PREROUTING-rule-wireguardb',
183 183 
          )
184 184 
        }
185 185 
        it {

Formats disponibles : Unified diff