root / spec / acceptance / simple_rule_iifname_spec.rb @ master
Historique | Voir | Annoter | Télécharger (2,63 ko)
| 1 | 25b3f3f4 | Tim Meusel | # frozen_string_literal: true
|
|---|---|---|---|
| 2 | |||
| 3 | require 'spec_helper_acceptance'
|
||
| 4 | |||
| 5 | describe 'nftables class' do |
||
| 6 | d7d6d5d3 | Tim Meusel | context 'configure a simple rule with interface' do |
| 7 | 25b3f3f4 | Tim Meusel | it_behaves_like 'an idempotent resource' do |
| 8 | let(:manifest) do |
||
| 9 | <<-EOS |
||
| 10 | # default mask of firewalld service fails if service is not installed.
|
||
| 11 | # https://tickets.puppetlabs.com/browse/PUP-10814
|
||
| 12 | # Disable all default rules and include below explicitly
|
||
| 13 | class { 'nftables':
|
||
| 14 | firewalld_enable => false,
|
||
| 15 | out_ntp => false,
|
||
| 16 | out_http => false,
|
||
| 17 | out_https => false,
|
||
| 18 | out_icmp => false,
|
||
| 19 | in_ssh => false,
|
||
| 20 | in_icmp => false,
|
||
| 21 | }
|
||
| 22 | d7d6d5d3 | Tim Meusel | # just incoming interface
|
| 23 | 25b3f3f4 | Tim Meusel | nftables::simplerule { 'dummyrule_in':
|
| 24 | action => 'accept',
|
||
| 25 | iifname => $facts['networking']['primary'],
|
||
| 26 | comment => 'allow some multicast stuff',
|
||
| 27 | daddr => 'ff02::fb',
|
||
| 28 | }
|
||
| 29 | d7d6d5d3 | Tim Meusel | # just outgoing interface
|
| 30 | nftables::simplerule { 'dummyrule_out':
|
||
| 31 | action => 'accept',
|
||
| 32 | oifname => $facts['networking']['primary'],
|
||
| 33 | comment => 'allow some multicast stuff',
|
||
| 34 | chain => 'default_out',
|
||
| 35 | daddr => 'ff02::fb',
|
||
| 36 | }
|
||
| 37 | # outgoing + incoming interface
|
||
| 38 | nftables::simplerule { 'dummyrule_fwd':
|
||
| 39 | action => 'accept',
|
||
| 40 | iifname => $facts['networking']['primary'],
|
||
| 41 | oifname => 'lo',
|
||
| 42 | comment => 'allow some multicast stuff',
|
||
| 43 | chain => 'default_fwd',
|
||
| 44 | daddr => 'ff02::fb',
|
||
| 45 | }
|
||
| 46 | 25b3f3f4 | Tim Meusel | include nftables::rules::ssh
|
| 47 | include nftables::rules::out::dns
|
||
| 48 | include nftables::rules::out::ssh
|
||
| 49 | $config_path = $facts['os']['family'] ? {
|
||
| 50 | 'Archlinux' => '/etc/nftables.conf',
|
||
| 51 | 'Debian' => '/etc/nftables.conf',
|
||
| 52 | default => '/etc/sysconfig/nftables.conf',
|
||
| 53 | }
|
||
| 54 | $nft_path = $facts['os']['family'] ? {
|
||
| 55 | 'Archlinux' => '/usr/bin/nft',
|
||
| 56 | default => '/usr/sbin/nft',
|
||
| 57 | }
|
||
| 58 | # nftables cannot be started in docker so replace service with a validation only.
|
||
| 59 | systemd::dropin_file{"zzz_docker_nft.conf":
|
||
| 60 | ensure => present,
|
||
| 61 | unit => "nftables.service",
|
||
| 62 | content => [
|
||
| 63 | "[Service]",
|
||
| 64 | "ExecStart=",
|
||
| 65 | "ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
||
| 66 | "ExecReload=",
|
||
| 67 | "ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
||
| 68 | "",
|
||
| 69 | ].join("\n"),
|
||
| 70 | notify => Service["nftables"],
|
||
| 71 | }
|
||
| 72 | EOS
|
||
| 73 | end
|
||
| 74 | end
|
||
| 75 | end
|
||
| 76 | end |