Révision e53053ce
Add comments for all the nftable::rules entries
For each nftable::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule it should be more
obvious to understand what order to choose.
An example resulting table ends up reading as:
```
HASH Start of fragment order:00 default_in header
chain default_in {
HASH Start of fragment order:50 rulename:default_in-dhcpv6_client
ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
HASH Start of fragment order:50 rulename:default_in-ssh
tcp dport {22} accept
HASH Start of fragment order:90 rulename:default_in-drop_broadcasts
meta pkttype broadcast counter drop
HASH Start of fragment order:99 default_in footer
}
```
In addition there is a new test for `nftables::rule`. It includes
a pending test, since I would assume that setting both source and content
on a rule should be an error; however, this is currently not the case.
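--- a/spec/classes/masquerade_spec.rb
+++ b/spec/classes/masquerade_spec.rb
@@ -54,49 +54,49 @@
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ type nat hook postrouting priority 100$},
-order: '01',
+order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
 )
 }
 it {
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ policy accept$},
-order: '02',
+order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
 )
 }
 it {
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ oifname eth0 masquerade$},
-order: '70',
+order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth0b',
 )
 }
 it {
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpn').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ oifname eth1 ip saddr 192\.0\.2\.0\/24 masquerade$},
-order: '70',
+order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_eth1_vpnb',
 )
 }
 it {
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
-order: '70',
+order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_sshb',
 )
 }
 it {
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlab').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ ip saddr 192\.0\.2\.0\/24 ip daddr 198.51.100.2 tcp dport 22 masquerade$},
-order: '70',
+order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_ssh_gitlabb',
 )
 }
 it {
 is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguard').with(
 target: 'nftables-ip-nat-chain-POSTROUTING',
 content: %r{^ udp dport 51820 masquerade$},
-order: '70',
+order: '70nftables-ip-nat-chain-POSTROUTING-rule-masquerade_wireguardb',
 )
 }
 it {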
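Review bot: The new `order` values at lines 57, 64, 71, 78, 85, 92 and 99 append the fragment name (plus `b`) to the numeric prefix, so if concat orders fragments lexically the rule name is now part of the sort key and the five masquerade rules sharing `70` are sequenced alphabetically (`masquerade_eth0`, `masquerade_eth1_vpn`, `masquerade_ssh`, `masquerade_ssh_gitlab`, `masquerade_wireguard`) rather than by whatever tiebreak applied before. Since nftables evaluates rules in order, that convention deserves a comment in the spec, e.g. `# order = <numeric order><fragment name>b; the name acts as a tiebreak between rules sharing a numeric order`, and the same statement in the rule's own documentation. The spec still asserts only the rule fragment per rule; the comment fragment the commit description says is added for each rule (the `b` suffix suggests a sibling fragment sorting before it) has no expectation here, so a regression in its order or target would pass this file. The surrounding describe block and the `it` opened at line 102 continue outside this section.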