From 54b81df86a489a6f9b4dd99c2c4a9e7072a7f95d Mon Sep 17 00:00:00 2001
From: Morgan Haskel
Date: Wed, 14 Jan 2015 11:12:02 -0800
Subject: [PATCH] MODULES-1612 - add tests and README updates for syncing mask
---
README.markdown | 4 ++--
spec/acceptance/firewall_spec.rb | 31 +++++++++++++++++++++++++++----
2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/README.markdown b/README.markdown
index 2f694eb6d..5e60325f8 100644
--- a/README.markdown
+++ b/README.markdown
@@ -339,12 +339,12 @@ This type enables you to manage firewall rules within Puppet. * `ip6tables`: Ip6tables type provider * Required binaries: `ip6tables-save`, `ip6tables`. - * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. + * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. * `iptables`: Iptables type provider * Required binaries: `iptables-save`, `iptables`. * Default for `kernel` == `linux`. - * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`. + * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`. **Autorequires:** diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index 803b22db0..305fb6ca2 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb 
@@ -1449,7 +1449,7 @@ class { '::firewall': } end end - #ip6tables only supports ipset on a limited set of platforms + #ip6tables only supports ipset, addrtype, and mask on a limited set of platforms if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/ describe 'ipset' do it 'applies' do @@ -1486,10 +1486,33 @@ class { '::firewall': } end end end - end - # ip6tables only support addrtype on a limited set of platforms - if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/ + describe 'mask' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '613 - test': + recent => 'update', + rseconds => 60, + rsource => true, + rname => 'test', + action => 'drop', + chain => 'FORWARD', + mask => 'ffff::', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A FORWARD -p tcp -m comment --comment "613 - test" -m recent --update --seconds 60 --name test --mask ffff:: --rsource -j DROP/) + end + end + end + ['dst_type', 'src_type'].each do |type| describe "#{type}" do context 'MULTICAST' do
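Review bot: The new `describe 'mask'` block in the second hunk applies the manifest only once with `:catch_failures => true`, so it never checks that `mask` stays in sync on a later run, which is what the subject line says is being tested. A provider that misreads `--mask ffff::` from `ip6tables-save` would presumably report a change on every run and rewrite the DROP rule each time, and this spec would still pass. Adding a second `apply_manifest(pp, :catch_changes => true)` inside the `it 'applies'` example would catch that. The README hunk also lists `mask` for the `iptables` provider, but only `ip6tables` is exercised here, and only on the el-7, debian-7 and ubuntu-1404 platforms named in the guard; an IPv4 case (for example `mask => '255.255.255.0'`) would cover the other provider if one does not already exist elsewhere in the file. The enclosing `if default['platform'] =~ ...` block opens in the first hunk and closes outside the visible lines.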