Revision e53053ce
Add comments for all the nftables::rule entries
For each nftables::rule this adds an extra concat fragment to
add a comment containing the name and order number for the rule.
The motivation here is to make the mapping from resulting rules back
to puppet code more obvious. When adding a new rule, it should be more
obvious which order to choose.
An example resulting table ends up reading as:
```
# Start of fragment order:00 default_in header
chain default_in {
  # Start of fragment order:50 rulename:default_in-dhcpv6_client
  ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept
  # Start of fragment order:50 rulename:default_in-ssh
  tcp dport {22} accept
  # Start of fragment order:90 rulename:default_in-drop_broadcasts
  meta pkttype broadcast counter drop
# Start of fragment order:99 default_in footer
}
```
In addition, there is a new test for `nftables::rule`. This includes
a pending test since I would assume setting source and content
on a rule should be an error, however this is currently not the case.
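The ordering that makes the table above come out in that shape is concat's plain string sort on each fragment's `order` value: the rule fragment's order string starts with the two-digit order and then embeds the fragment name, so the comment fragment can be placed immediately before its rule and rules sharing a number fall back to name order. The following Ruby is an added simulation of that assembly, not code from the puppet-nftables module or from this commit. The fragment naming scheme, the `a` suffix for the comment fragment (the spec only shows the rule's `b` suffix), and the sample rules are assumptions constructed for the example.

```ruby
# Added example, not the module's own code: simulate how concat assembles
# header, comment, rule and footer fragments when the rule fragment's
# order string is "<order><fragment name>b" as in the updated spec.
Fragment = Struct.new(:name, :order, :content)

# One nftables::rule becomes two fragments (per the commit message): a
# comment fragment and the rule itself. The comment gets suffix 'a' so it
# sorts directly before the rule's 'b' (the 'a' suffix is an assumption).
def rule_fragments(chain, rulename, order, content)
  fragment_name = "nftables-#{chain}-rule-#{rulename}" # naming is assumed
  [
    Fragment.new("#{fragment_name}-comment", "#{order}#{fragment_name}a",
                 "  # Start of fragment order:#{order} rulename:#{chain}-#{rulename}"),
    Fragment.new(fragment_name, "#{order}#{fragment_name}b", "  #{content}"),
  ]
end

# Chain header and footer use bare two-digit orders, as in the commit's
# example table ("order:00 ... header", "order:99 ... footer").
def chain_fragments(chain)
  [
    Fragment.new("#{chain}-header", '00',
                 "# Start of fragment order:00 #{chain} header\nchain #{chain} {"),
    Fragment.new("#{chain}-footer", '99',
                 "# Start of fragment order:99 #{chain} footer\n}"),
  ]
end

# concat's default 'alpha' ordering is a plain string sort on `order`.
# Because the numeric prefix comes first, "50..." < "90..." < "99", and two
# rules with the same number are ordered by the fragment name that follows.
def assemble(fragments)
  fragments.sort_by(&:order).map(&:content).join("\n")
end

# Constructed sample chain: two rules share order 50 to show the name tie-break.
def example_table
  chain = 'default_in'
  fragments = chain_fragments(chain)
  fragments += rule_fragments(chain, 'ssh', '50', 'tcp dport {22} accept')
  fragments += rule_fragments(chain, 'dhcpv6_client', '50',
                              'ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept')
  fragments += rule_fragments(chain, 'drop_broadcasts', '90', 'meta pkttype broadcast counter drop')
  assemble(fragments)
end

# Extract the "rulename:..." tokens in the order the assembled table lists them.
def rule_order(table)
  table.lines.grep(/rulename:/).map { |l| l[/rulename:\S+/] }
end

puts example_table if $PROGRAM_NAME == __FILE__
```

Running it prints a table with the same layout as the commit's example: the `dhcpv6_client` rule lands before `ssh` although both were declared with order `50`, because `...dhcpv6_client` sorts before `...ssh` once the name is part of the order string. That tie-break matters for chains where same-order rules overlap, since nftables evaluates rules top to bottom.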
spec/classes/snat4_spec.rb
55 | 55 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-type').with( |
56 | 56 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
57 | 57 |
content: %r{^ type nat hook postrouting priority 100$}, |
58 |
order: '01', |
|
58 |
order: '01nftables-ip-nat-chain-POSTROUTING-rule-typeb',
|
|
59 | 59 |
) |
60 | 60 |
} |
61 | 61 |
it { |
62 | 62 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-policy').with( |
63 | 63 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
64 | 64 |
content: %r{^ policy accept$}, |
65 |
order: '02', |
|
65 |
order: '02nftables-ip-nat-chain-POSTROUTING-rule-policyb',
|
|
66 | 66 |
) |
67 | 67 |
} |
68 | 68 |
it { |
69 | 69 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-static').with( |
70 | 70 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
71 | 71 |
content: %r{^ oifname eth0 snat 198\.51\.100\.1$}, |
72 |
order: '60', |
|
72 |
order: '60nftables-ip-nat-chain-POSTROUTING-rule-staticb',
|
|
73 | 73 |
) |
74 | 74 |
} |
75 | 75 |
it { |
76 | 76 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1').with( |
77 | 77 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
78 | 78 |
content: %r{^ oifname eth0 ip saddr 192\.0\.2\.2 snat 198\.51\.100\.3$}, |
79 |
order: '61', |
|
79 |
order: '61nftables-ip-nat-chain-POSTROUTING-rule-1_1b',
|
|
80 | 80 |
) |
81 | 81 |
} |
82 | 82 |
it { |
83 | 83 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtp').with( |
84 | 84 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
85 | 85 |
content: %r{^ ip saddr 192\.0\.2\.2 tcp dport 25 snat 198\.51\.100\.2$}, |
86 |
order: '70', |
|
86 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-1_1_smtpb',
|
|
87 | 87 |
) |
88 | 88 |
} |
89 | 89 |
it { |
90 | 90 |
is_expected.to contain_concat__fragment('nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguard').with( |
91 | 91 |
target: 'nftables-ip-nat-chain-POSTROUTING', |
92 | 92 |
content: %r{^ ip saddr 192\.0\.2\.2 udp dport 51820 snat 198\.51\.100\.2$}, |
93 |
order: '70', |
|
93 |
order: '70nftables-ip-nat-chain-POSTROUTING-rule-1_1_wireguardb',
|
|
94 | 94 |
) |
95 | 95 |
} |
96 | 96 |
it { |
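Review bot: the spec only rewrites each rule fragment's `order` to the new `'<order><fragment name>b'` form and adds no expectation for the comment fragment that the commit message says is now emitted for every rule, so the new behaviour is not asserted here; add a `contain_concat__fragment` for the comment fragment of at least one rule (for example the `-rule-static` one at order `60`) with a `content` match on `%r{Start of fragment order:60 rulename:}` and its own order string, and explain the trailing `b` (presumably leaving `a` for the comment) in a comment or the commit message. Also note that rules sharing a number, such as `-rule-1_1_smtp` and `-rule-1_1_wireguard` at `70`, are now ordered by the fragment name inside the order string (`...1_1_smtpb` sorts before `...1_1_wireguardb`), which decides which of two same-order rules nftables evaluates first; that is worth stating in the README, and it only holds if the target concat uses alpha ordering, since a numeric sort would not see the name suffix.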