From 6cafec4a5a90aef5c44c13697cd21274b1746563 Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Mon, 20 Oct 2014 13:33:36 -0700
Subject: [PATCH] (MODULES-41) Change source for ip6tables provider

This will allow purging of ipv6 rules
---
 lib/puppet/provider/firewall/ip6tables.rb |   2 +-
 spec/acceptance/purge_spec.rb             | 110 +++++++++++++++++++++-
 2 files changed, 110 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 2ed90a8fc..bc8004e69 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -1,4 +1,4 @@
-Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :iptables do
+Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :ip6tables do
   @doc = "Ip6tables type provider"
 
   has_feature :iptables
diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
index c005515c9..e25548933 100644
--- a/spec/acceptance/purge_spec.rb
+++ b/spec/acceptance/purge_spec.rb
@@ -29,7 +29,10 @@ class { 'firewall': }
     end
   end
 
-  context('chain purge') do
+  context('ipv4 chain purge') do
+    after(:all) do
+      iptables_flush_all_tables
+    end
     before(:each) do
       iptables_flush_all_tables
 
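Review bot: The switch to `:source => :ip6tables` is the entire fix, yet nothing in the provider file records why ip6tables must not share the iptables source; a one-line comment above the `provide` call, e.g. `# Distinct :source so ip6tables instances are kept apart from iptables ones when purging`, would stop a later cleanup from reverting it to match the parent. That rationale is inferred from the commit message, which is the only place it appears. The `provide` block continues past the end of the hunk.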
@@ -127,4 +130,109 @@ class { 'firewall': }
       expect(shell('iptables-save').stdout).to match(/-A INPUT -s 1\.2\.1\.1(\/32)? -p tcp\s?\n-A INPUT -s 1\.2\.1\.1(\/32)? -p udp/)
     end
   end
+  context('ipv6 chain purge') do
+    after(:all) do
+      ip6tables_flush_all_tables
+    end
+    before(:each) do
+      ip6tables_flush_all_tables
+
+      shell('ip6tables -A INPUT -p tcp -s 1::42')
+      shell('ip6tables -A INPUT -p udp -s 1::42')
+      shell('ip6tables -A OUTPUT -s 1::50 -m comment --comment "010 output-1::50"')
+    end
+
+    it 'purges only the specified chain' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+        }
+      EOS
+
+      apply_manifest(pp, :expect_changes => true)
+
+      shell('ip6tables-save') do |r|
+        expect(r.stdout).to match(/010 output-1::50/)
+        expect(r.stdout).to_not match(/1::42/)
+        expect(r.stderr).to eq("")
+      end
+    end
+
+    it 'ignores managed rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'OUTPUT:filter:IPv6':
+          purge => true,
+        }
+        firewall { '010 output-1::50':
+          chain => 'OUTPUT',
+          proto => 'all',
+          source => '1::50',
+        }
+      EOS
+
+      unless fact('selinux') == 'true'
+        apply_manifest(pp, :catch_changes => true)
+      end
+    end
+
+    it 'ignores specified rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+          ignore => [
+            '-s 1::42',
+          ],
+        }
+      EOS
+
+      if fact('selinux') == 'true'
+        apply_manifest(pp, :catch_failures => true)
+      else
+        apply_manifest(pp, :catch_changes => true)
+      end
+    end
+
+    it 'adds managed rules with ignored rules' do
+      pp = <<-EOS
+        class { 'firewall': }
+        firewallchain { 'INPUT:filter:IPv6':
+          purge => true,
+          ignore => [
+            '-s 1::42',
+          ],
+        }
+        firewall { '014 input-1::46':
+          chain => 'INPUT',
+          proto => 'all',
+          source => '1::46',
+          provider => 'ip6tables',
+        }
+        -> firewall { '013 input-1::45':
+          chain => 'INPUT',
+          proto => 'all',
+          source => '1::45',
+          provider => 'ip6tables',
+        }
+        -> firewall { '012 input-1::44':
+          chain => 'INPUT',
+          proto => 'all',
+          source => '1::44',
+          provider => 'ip6tables',
+        }
+        -> firewall { '011 input-1::43':
+          chain => 'INPUT',
+          proto => 'all',
+          source => '1::43',
+          provider => 'ip6tables',
+        }
+      EOS
+
+      apply_manifest(pp, :catch_failures => true)
+
+      expect(shell('ip6tables-save').stdout).to match(/-A INPUT -s 1::42(\/128)? -p tcp\s?\n-A INPUT -s 1::42(\/128)? -p udp/)
+    end
+  end
 end
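Review bot: The `firewall { '010 output-1::50': ... }` resource in 'ignores managed rules' sets no `provider`, whereas every `firewall` resource in 'adds managed rules with ignored rules' sets `provider => 'ip6tables'`; if the type's default provider is iptables, that resource is matched against the IPv4 table and the `:catch_changes` expectation is not exercising the IPv6 purge the example name describes. Adding `provider => 'ip6tables',` to that resource makes the four examples consistent. The two `fact('selinux') == 'true'` branches also carry no comment explaining why SELinux hosts are expected to report changes; a short note such as `# selinux hosts report a change here; mirrors the ipv4 context` would help, if that is indeed the reason. The enclosing `describe` block begins before this hunk.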