Révision e53053ce
Add comments for all the nftable::rules entries
For each nftable::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule it should be more
obvious to understand what order to choose.
An example resulting table ends up reading as:
```
HASH Start of fragment order:00 default_in header
chain default_in {
HASH Start of fragment order:50 rulename:default_in-dhcpv6_client
ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
HASH Start of fragment order:50 rulename:default_in-ssh
tcp dport {22} accept
HASH Start of fragment order:90 rulename:default_in-drop_broadcasts
meta pkttype broadcast counter drop
HASH Start of fragment order:99 default_in footer
}
```
In addition there is a new test `nftables::rule`. This includes
a pending test since I would assume setting source and content
on a rule should be an error however this currently not the case.
| spec/classes/rules_out_dns_spec.rb | ||
|---|---|---|
| 18 | 18 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp').with(
|
| 19 | 19 |
target: 'nftables-inet-filter-chain-default_out', |
| 20 | 20 |
content: %r{^ udp dport 53 accept$},
|
| 21 |
order: '50', |
|
| 21 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudpb',
|
|
| 22 | 22 |
) |
| 23 | 23 |
} |
| 24 | 24 |
it {
|
| 25 | 25 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp').with(
|
| 26 | 26 |
target: 'nftables-inet-filter-chain-default_out', |
| 27 | 27 |
content: %r{^ tcp dport 53 accept$},
|
| 28 |
order: '50', |
|
| 28 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcpb',
|
|
| 29 | 29 |
) |
| 30 | 30 |
} |
| 31 | 31 |
end |
| ... | ... | |
| 45 | 45 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp-0').with(
|
| 46 | 46 |
target: 'nftables-inet-filter-chain-default_out', |
| 47 | 47 |
content: %r{^ ip daddr 192.0.2.1 udp dport 53 accept$},
|
| 48 |
order: '50', |
|
| 48 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudp-0b',
|
|
| 49 | 49 |
) |
| 50 | 50 |
} |
| 51 | 51 |
it {
|
| 52 | 52 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp-0').with(
|
| 53 | 53 |
target: 'nftables-inet-filter-chain-default_out', |
| 54 | 54 |
content: %r{^ ip daddr 192.0.2.1 tcp dport 53 accept$},
|
| 55 |
order: '50', |
|
| 55 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcp-0b',
|
|
| 56 | 56 |
) |
| 57 | 57 |
} |
| 58 | 58 |
|
| ... | ... | |
| 60 | 60 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnsudp-1').with(
|
| 61 | 61 |
target: 'nftables-inet-filter-chain-default_out', |
| 62 | 62 |
content: %r{^ ip6 daddr 2001:db8::1 udp dport 53 accept$},
|
| 63 |
order: '50', |
|
| 63 |
order: '50nftables-inet-filter-chain-default_out-rule-dnsudp-1b',
|
|
| 64 | 64 |
) |
| 65 | 65 |
} |
| 66 | 66 |
it {
|
| 67 | 67 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-dnstcp-1').with(
|
| 68 | 68 |
target: 'nftables-inet-filter-chain-default_out', |
| 69 | 69 |
content: %r{^ ip6 daddr 2001:db8::1 tcp dport 53 accept$},
|
| 70 |
order: '50', |
|
| 70 |
order: '50nftables-inet-filter-chain-default_out-rule-dnstcp-1b',
|
|
| 71 | 71 |
) |
| 72 | 72 |
} |
| 73 | 73 |
end |
Formats disponibles : Unified diff